SQL Injection Website Hacking Tutorial [Exclusive] [2014]
SQL Injection
1) SQL Injection?
SQL Injection is type of web attack. Attacker use hole in script to take all data from database. Vulnerable sites are in format:
SQL Injection is type of web attack. Attacker use hole in script to take all data from database. Vulnerable sites are in format:
Code
You can put anything else instead of index.
2) Finding vulnerable sites:
Best way to find vulnerable site is by using Google. We use these dorks to find sites but if you have your own may than go ahead :
Best way to find vulnerable site is by using Google. We use these dorks to find sites but if you have your own may than go ahead :
Code
3) Site vulnerability check:
There are 2 ways to check if site is vulnerable so here are the ways.
There are 2 ways to check if site is vulnerable so here are the ways.
1st way, we got link:
Code
we are gonna add only ‘ at end of link so we get this link:
Code
2nd way, we got link:
Code
we are going to add +and+1=2– at end of link so we get:
Code
If some part of page disappear (picture, text or something) or any error like (You have an error in your SQL syntax) site is vulnerable.
4) Finding number of columns
We can do it by using function order by, on link :
We can do it by using function order by, on link :
Code
adding +order+by+5–
Code
If page is opens normal there is more then 5 columns. Lets try with 10.
Code
Now some part of site disappeared, which means that there’s more then 5 and less then 10 columns. Lets try 7.
Code
Page is opened normally which means that there is more then 7 and less then 10 columns. Lets try 8.
Code
on column 8 part of site disappear which means that there is 7 columns.
5) Finding vulnerable columns
Finding vulnerable columns is done with function union select all on link (in this case) we are going to add+union+select+all+1,2,3,4,5,6,7–
Code
It is going to write numbers on page (in this case 1 2 3 4 5 6 7) which means that data can be taken from any column. We are going to take from second column.
6) Finding database version
As I said we are gonna take data from second column. Instead of number 2 we are going to put version() or @@version
Direct Download Links
Code
on page where number 2 was, it will show database version.
If database version is 4 we have to guess name of table and column, but if database version is 5 we have to guess database version.
If database version is 4 we have to guess name of table and column, but if database version is 5 we have to guess database version.
We have version 5.0.51a-24+lenny5 which means that we don’t have to guess name of table and column.
7) Finding table names
If database version is 4 you wont be able to find name of table and column, you have to guess their names. If database version is skip this step.
Names of some possible tables:
Names of some possible tables:
Code
Names of some possible columns:
Code
If database version is 5 we can take name of table by doing next step: instead of number 2 we going to putgroup_concat(table_name) and after number of last column+from+information_schema.tables+where+table_schema=database()–
So we get this link:
Code
Instead of number 2 it showed name of table, in this case date, book, users. We gonna take columns from users table.
8) Finding column name
We found table name that we want and now from that we want to take columns. Instead ofgroup_concat(table_name) we are going to put group_concat(column_name) and instead of+from+information_schema.tables+where+table_schema=database()– we are going to put+from+information_schema.columns+where+table_name=hex– instead of hex we have to encrypt in hex name of table.
Go to:
Code
write the name of thetable (in this case users) and we get hex-ed number: 7573657273 so now can see the columns:
Code
9) Taking data from columns
We got: id, name, surname, username, password, level.
We need only username and password.
We need only username and password.
Instead of group_concat(column_name) we put group_concat(username,0x3a,password) 0x3a stands for to make space between user and pw. Instead of from+information_schema.columns+where+table_name=0x7573657273– we put +from+users–
and we have link:
Code
and result e.g.:
Code
which is users and passwords from this site.
10) Filter bypassing
In case when you write union+select+all says “not accessible” then change it to UnIoN+sElEcT+aLl
On some sites space is restricted so you can put + or /**/ (/* start of comment in php and finish */)
On some sites there is also restricted database version so you can use unhex(hex(version()))
On some sites space is restricted so you can put + or /**/ (/* start of comment in php and finish */)
On some sites there is also restricted database version so you can use unhex(hex(version()))
11) Site protection from SQL Injection
Just put this code in your script:
Code
No comments:
Post a Comment