Hi, all....
Today we'r going to learn how to hack a website with sql injection. Sql injection is a mostly used method to gain access to a website's admin panel and the detabase.
There are other methods to hack websites too but sql is so far famous. here are few methods to hack a website:
1 : SQL injection
2 : XSS also called css (cross site scripting)
3 : CLICKJACKING
4 : Broken authentication and session management atack
5 : Cross Site Request Forgery Attack
NOTE : THIS BLOG IS FOR EDUCATIONAL PURPOSE ONLY .
So now let's get started...
1:) firstly we have to find a website to attack which is vulnerable to injection
you can use google dorks for this here are few
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:ogl_inet.php?ogl_id=
Just copy one of the above and paste in google search it will bring up many website that may be vulnerable to sql injection
to check if the website is vulnerable or not all you have to do is to add a ( ' ) after the url in address bar
if the website results into an sql syntex error something like following
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
then BiNgo!!!! we're on!!!
if not u better switch to other websites...
now after finding a targate lets try exploiting it
There are several ways to get our job done manually but i prefer using havij
the tool named havij is an sql injecter one could find it on google easily.. any version will do..
now when you've got what it takes bigens the interesting part
a havij windows would look close to the following
now paste the url where is says targate.. and click analyze
and sit back.. let it exploit vulnerabilities
after the scanning is completed the status will display idle again in front of it..
now click to tables tab -} now click on get tables... and be patient..
it will now collect all the tables present in the website it'll look like below
Now select the tables in which u think the deta like user id and passwards may be stored..
generally it is something like usr_id,user,admin , administrator, id_pwd etc..
and after selecting the desired table click on Get columns..
like i found following
and now u got the juicy stuff...!!!!!
select the columns like admin, password, user id etc and click on get data....
and it will show u something like this.....
and now we've got the password but it's encrypted... lets crack that key.. there is a tool inbuilt in havij but most of the time it doesn't decrypt hash so i prefer online decryption here
now when we have id and password lets find out the admin page of this website
just click on the find admin tab in havij and start...
congo! u've just hacked a website to ground..... well there is a manual way too i'll explain how to do all this process manually in my next artical... till then stay tuned....
Today we'r going to learn how to hack a website with sql injection. Sql injection is a mostly used method to gain access to a website's admin panel and the detabase.
There are other methods to hack websites too but sql is so far famous. here are few methods to hack a website:
1 : SQL injection
2 : XSS also called css (cross site scripting)
3 : CLICKJACKING
4 : Broken authentication and session management atack
5 : Cross Site Request Forgery Attack
NOTE : THIS BLOG IS FOR EDUCATIONAL PURPOSE ONLY .
So now let's get started...
1:) firstly we have to find a website to attack which is vulnerable to injection
you can use google dorks for this here are few
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=inurl:ogl_inet.php?ogl_id=
Just copy one of the above and paste in google search it will bring up many website that may be vulnerable to sql injection
to check if the website is vulnerable or not all you have to do is to add a ( ' ) after the url in address bar
if the website results into an sql syntex error something like following
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
then BiNgo!!!! we're on!!!
if not u better switch to other websites...
now after finding a targate lets try exploiting it
There are several ways to get our job done manually but i prefer using havij
the tool named havij is an sql injecter one could find it on google easily.. any version will do..
now when you've got what it takes bigens the interesting part
a havij windows would look close to the following
now paste the url where is says targate.. and click analyze
and sit back.. let it exploit vulnerabilities
after the scanning is completed the status will display idle again in front of it..
now click to tables tab -} now click on get tables... and be patient..
it will now collect all the tables present in the website it'll look like below
Now select the tables in which u think the deta like user id and passwards may be stored..
generally it is something like usr_id,user,admin , administrator, id_pwd etc..
and after selecting the desired table click on Get columns..
like i found following
select the columns like admin, password, user id etc and click on get data....
and it will show u something like this.....
now when we have id and password lets find out the admin page of this website
just click on the find admin tab in havij and start...
congo! u've just hacked a website to ground..... well there is a manual way too i'll explain how to do all this process manually in my next artical... till then stay tuned....
No comments:
Post a Comment