Hacking Websites Using SQL Injection Tool Havij: Step-by-Step Guide

According to a survey, the most common technique for hacking a website is SQL injection. SQL injection is a technique in which a hacker inserts SQL code into a web form to obtain sensitive information (such as usernames and passwords), gain access to the site, and deface it. The traditional manual method is quite difficult, but nowadays many tools are available online that let any script kiddie use SQL injection to deface a website. Because of these tools, websites have become more vulnerable to this type of attack.

In this article we are going to learn about the SQL injection tool Havij. Havij is an automated SQL injection tool that helps pen-testers find and exploit vulnerabilities on a web page. You can perform back-end database fingerprinting and retrieve DBMS login names and passwords in the form of hashes. You can also dump tables and columns, fetch data from the database, execute SQL statements against the server, and much more.

This article is for educational purposes only. By reading this article you agree that we are not responsible in any way for any kind of damage caused by the information provided in it.

Things We Need:

  • Havij tool – (search in Google and download the cracked version.)
  • SQLi-vulnerable website – use Google dorks to search for a vulnerable website.

Steps to Hack Website Using SQL Injection Tool Havij

Open Havij, type the vulnerable website's URL into it, and hit the Analyze button.

Now click on the Tables tab and then hit the Get DBs button.

Now you have all the databases in the result. Tick the databases and hit the Get Tables button.

You now have the tables from the databases you ticked in the previous step. Tick the related tables and hit the Get Columns button.

You now have the columns from the ticked table. Tick the related columns and press the Get Data button.

I am going to choose the Username, Password and UserGroup columns. The data related to the admin's username, password, etc. should be stored there.


Bingo! You have got the username and password of the admin.

How To Crack Hash?

As you can see, we have received all of the admin's information, such as the username, password and user group. But we have received the password in the form of a hash. In order to see the real password, we have to crack this hash. To crack it, we will make use of the Havij tool again. Follow along to crack this hash.

You can see an MD5 button in the buttons list of Havij. Hit that button, paste your hash inside it, and press the Start button.

You can now see the password in plain text in the result. See the picture below.

Password In Plain Text

Find Admin Page

We have got everything, such as the username and password. But where do we use them to get admin rights? You need to find the admin login page of the target site. To find the admin page of the target site, we will use Havij again.

In the buttons list, press the Find Admin button. Type the homepage URL of the target site and press the Start button.

You will get a result just as with hash cracking. You will be able to see the page that the admin of your target site uses to log in.


Here are some of the countermeasures you can take to reduce the risk of SQL injection:

  • Renaming the admin page will make it difficult for a hacker to locate it.
  • Use an intrusion detection system and compose signatures for popular SQL injection strings.
  • One of the best methods to protect your website against SQL injection attacks is to disallow special characters in the admin form. This will make your passwords more vulnerable to brute-force attacks, but you can implement a CAPTCHA to prevent these types of attack.
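
The intrusion detection countermeasure above, shown as an added example (not part of the original article or of any IDS product): a small Python scanner that applies signatures for popular SQL injection strings to web server access-log lines. The signature set, log lines, IP addresses and paths are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed signatures for well-known SQL injection strings (not a complete rule set).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "boolean_tautology": re.compile(
        r"""\b(?:or|and)\b\s+['"]?(\w+)['"]?\s*=\s*['"]?\1\b""", re.I),
    "comment_terminator": re.compile(r"(?:--|#|/\*)\s*$"),
    "time_delay": re.compile(r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
}

# Common log format prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=5%20UNION%20ALL%20SELECT%201,2,3--%20 HTTP/1.1" 200 734
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=5+and+1%3D1 HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=O%27Brien+and+sons HTTP/1.1" 200 900
"""

def inspect_request(target):
    """Return the sorted names of signatures matched by any query parameter value."""
    hits = set()
    # parse_qsl percent-decodes each value and turns '+' into a space before matching.
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return sorted(hits)

def scan_log(text):
    """Return (client, path, signatures) for every request that matches a signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, _method, target, _status = m.groups()
            hits = inspect_request(target)
            if hits:
                alerts.append((client, urlsplit(target).path, hits))
    return alerts

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} {path} {', '.join(hits)}")
```

The benign search for a name containing an apostrophe is not flagged, because the signatures match injection phrases rather than single special characters.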

This article is all about the SQL injection tool Havij. I hope you like this article. If you have any queries, you can comment below. Do share it with your friends on social media; of course, sharing is caring.
