Disclaimer: This guide should be used for educational and completely legal purposes only. I am not responsible for anything that will happen to you due to this guide. Sorry if my English gives you a nosebleed haha :P

What is SQL?

To put it simply, SQL or MySQL is software used to manage your database. Now if you can access this database you can do some pretty cool stuff like get login credentials for banking or get the admin account for defacing. You can do pretty much anything you want once you have accessed the admin panel.
SQL manages data in columns, rows, tables and the like, so we will be taking a look at them.

What you will need

A computer or laptop
Access to the internet
Something to protect you like a VPN or Tor
Patience
Even more patience
The ability to try again without giving up
You should be good if you have these. Oh, and I forgot a keyboard.

Getting Started

Before we can hack, we need to find a target. We can do that with Google and Google dorks. Google dorks are little search strings that help you look for a site with the vulnerability. Here are a few, but there are quite a lot of Google dorks out there.

inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=

Enter only one of these in Google search at a time.
Once you find a target, we need to know if it is vulnerable to a MySQL injection. Here is a sample URL:

http://testsite.org/article.php?id=291

Now we add an apostrophe to the end of the URL like this:

http://testsite.org/article.php?id=291'

then press enter. If an error message like "You have an error in your SQL syntax" appears on the website then it is vulnerable! Now we need to find the number of columns the site has. This is also easy. First remove the apostrophe from the URL, then press space and type in order by 1 (without the quotation marks), so it will look like:

http://testsite.org/article.php?id=291 order by 1
Continue incrementing the number 1 until you see an error that looks like this:

The site should look normal on the other numbers that are within the column range.

This is how it should look:

Remember that it will not always be 10, since the number varies from site to site. For now we will use the example 10. Since the error occurred when we put order by 10, that means there is no 10th column and there are only 9 columns. Take note of the number of columns. Remember this number changes from site to site.

Now do this. We need to know which column is vulnerable to an injection:

http://testsite.org/article.php?id=-291 union all select 1,2,3,4,5,6,7,8,9

Do exactly what I did, including the dash between the number and the equals sign. Change the 1-9 to match the number of columns you have. For example, if you have 6 columns then you do union all select 1,2,3,4,5,6. By doing this, numbers should pop out on the web page. Take note of all the numbers that you see. In my case the numbers that showed up are 3 and 4, but they might differ for you.

Now we need to find the SQL database version. If it is above 5 then we can continue. Do this by replacing ONE of the numbers that you see with the code @@version. So your URL will look like this:

http://testsite.org/article.php?id=-291 union all select 1,2,@@version,4,5,6,7,8,9

So if you have 5 columns and the numbers that pop out are 1 and 2, you can choose either union all select @@version,2,3,4,5 or union all select 1,@@version,3,4,5. As long as you replace one of the numbers that pop out, you are fine. It should look like this:
In my case that is the version. As long as it is above 5 you are good to go.

Now we need to find the main database. To do this, replace @@version with concat(database()). It should look like this:

In my case the main database name is flasin_sparkms. Take note of whatever database name you got. This is vital for completing the SQL injection.

Now we need to show the tables the database has. We can do this by replacing concat(database()) with group_concat(table_name), but don't press enter yet, we still need to add some black magic to the URL by doing this. At the end of the URL remove the and insert this text: from information_schema.tables where table_schema=database(). Your URL should look like this:

http://testsite.org/article.php?id=-291 union all select 1,2,group_concat(table_name),4,5,6,7,8,9 from information_schema.tables where table_schema=database()

Press enter, then it should look like this:
Now most of these tables are useless, but one catches the eye. That is the users table. We want to access that. It is not always called users; it might be user or userinfo or any similar name. Now we want to enter the table. But first you need to do something. We need the hexadecimal of the chosen table name. You can google TextToHex and enter your text for hexing. users in hex form is 7573657273, but if users is not the table name then just get it yourself. Now change group_concat(table_name) to group_concat(column_name), change information_schema.tables to information_schema.columns, change table_schema to table_name, and change database() to 0x(your hex here) without the parentheses. Then hit enter and it should look like this:
Again, whatever you see differs from website to website. Now you should see two very interesting things: username and password. We want this info. Remember that we have three key pieces of information by this point: the database name, which is flashin_sparkms for me, the main table, which is users, and two column names, which are username and password.

union all select group_concat(contentName),2,3,4,5,6,7,8,9 from databaseName.mainTable

Replace the placeholders contentName, databaseName and mainTable with your own data. You will receive the username list with contentName = username and the password list when contentName = password. The username list should look like this:
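Why the apostrophe test and the order by probe from this walkthrough produce errors, and what the fix looks like, as an added example that is not part of the original post: a vulnerable lookup that pastes the id parameter into the query text, beside a validated, parameterised one. It assumes an in-memory SQLite table called articles standing in for the site's MySQL backend.

```python
# Added example (not from the original post): a vulnerable article lookup beside the
# parameterised fix, using an in-memory SQLite table in place of the site's MySQL.
import sqlite3

def make_db():
    """Build a constructed articles table with two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO articles VALUES (?, ?)", [(291, "Hello"), (292, "World")])
    return con

def vulnerable_lookup(con, raw_id):
    """The bug the walkthrough relies on: the id parameter is pasted straight into
    the SQL text, so a stray quote or a trailing 'order by N' becomes part of the
    statement and the parser error is shown to the visitor."""
    sql = "SELECT id, title FROM articles WHERE id=" + raw_id
    try:
        return "ok", con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)   # this is the syntax-error message the probe looks for

def hardened_lookup(con, raw_id):
    """Fix: check the type, then bind the value as a parameter so the database never
    interprets it as SQL. Malformed input gets 'rejected', never a parser error."""
    if not raw_id.isdigit():
        return "rejected", []
    rows = con.execute("SELECT id, title FROM articles WHERE id=?", (int(raw_id),)).fetchall()
    return "ok", rows

if __name__ == "__main__":
    db = make_db()
    for probe in ("291", "291'", "291 order by 1", "291 order by 10"):
        print(repr(probe), vulnerable_lookup(db, probe)[0], hardened_lookup(db, probe)[0])
```

The same four inputs show the difference: the concatenated query errors on the quote and on an out-of-range order by, while the parameterised one only ever answers "ok" or "rejected".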
Now you might find passwords like these:
That means they are hashed. The passwords are hashed with MD5 and can only be recovered if you can reverse the hash. There is a VERY SMALL chance that you will be able to do this using online decryptors, and I don't have much knowledge of decryption. If you see this then GG, move on to the next site. But if you do get their passwords, then NICE! You can now log in to the admin panel!

Finding the Admin Panel

This can sometimes be very easy or very hard. Usually the login panel is the home page's URL with /admin or /login, or those with .php. An easier method would be using an Admin Page Finder or a scanner of sorts. If you have logged in, feel free to mess around with the site.

Thank you very much! In the next tutorial I will be talking about XSS (Cross Site Scripting) and CSRF (Cross Site Request Forgery). Please pin this post so all the members can see it. Please support by liking and giving comments and recommendations! I love hearing feedback. If you have any questions, don't hesitate to ask me on the group or add me on FB. Happy hacking!
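The probe sequence this walkthrough describes (the quote test, order by, union select, @@version and information_schema) leaves a distinctive trail in a web server's access log. As an added example, not from the original post, this detector flags those requests in constructed Apache-style log lines; the addresses, timestamps and paths are all made up.

```python
# Added example (not from the original post): flag the probe patterns described in
# this walkthrough in constructed Apache-style access log lines.
import re
from urllib.parse import unquote_plus

# One pattern per step of the walkthrough: quote test, column-count probe,
# union select, version/database fingerprint, information_schema enumeration.
PROBES = {
    "quote-test": re.compile(r"=[^&]*'"),
    "order-by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "fingerprint": re.compile(r"@@version|database\(\)", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
}

# Common log format: client ip, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (addresses from the documentation ranges, paths made up)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=291 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /article.php?id=291' HTTP/1.1" 500 612
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /article.php?id=291%20order%20by%2010 HTTP/1.1" 500 612
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /article.php?id=-291%20union%20all%20select%201,2,@@version,4 HTTP/1.1" 200 4880
203.0.113.7 - - [10/Oct/2023:13:57:05 +0000] "GET /article.php?id=-291%20union%20all%20select%201,2,group_concat(table_name),4%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 4910
198.51.100.2 - - [10/Oct/2023:13:57:30 +0000] "GET /news.php?id=12 HTTP/1.1" 200 3021
"""

def classify(line):
    """Parse one log line; return its fields plus the list of matched probe names."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))  # decode %20 etc. before matching
    hits = [name for name, rx in PROBES.items() if rx.search(path)]
    return {"ip": m.group("ip"), "path": path, "status": m.group("status"), "hits": hits}

def find_probes(lines):
    """Return only the parsed entries that matched at least one probe pattern."""
    return [r for r in map(classify, lines) if r and r["hits"]]

if __name__ == "__main__":
    for r in find_probes(SAMPLE_LOG.splitlines()):
        print(r["ip"], r["status"], r["hits"], r["path"])
```

The escalating sequence from one client (quote, then order by, then union with @@version, then information_schema) is the signal worth alerting on, not any single hit.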