Forum
»
.:: Hackology ::.
»
Misc Tricks and Methods
»
[Day 1][Tutorial]Manual SQL injection: Happy Hunting
Rank: Administrator
Medals:
Joined: 1/26/2011(UTC) Posts: 238
Thanks: 36 times Was thanked: 10 time(s) in 9 post(s)
|
Welcome Everyone,
Let’s first talk about what SQL Injection is. SQL Injection is a process of injecting malicious code to attack web application. SQL Injection is one of the well known vulnerabilities found in web applications, in a SQL Injection attack we inject SQL query via user input to dump admin username and password from the database or even extract the whole database the possibilities are limitless. Vulnerabilities can be in a search box, login form, gallery etc and it is present because user input is incorrectly filtered for string escape characters or user input is not strongly sanitized.
Let’s Start,
Step 1: Checking If Site Is Vulnerable:
To check whether a site is vulnerable or not, we need to look for websites which use GET command to send parameters, and find the URL like:
Code:http://www.site.com/view.php?id=
Here "id" is the parameter which is taking user input and queries the database.
Another method for finding vulnerable sites is by using Google Dorks, Google is great in helping hackers, sad but true. Google Dorks are also known as Google Hack. In simple words Google dorks are strings (keywords or combination) to find vulnerable sites or even valuable or secret data on Internet.
You can find a huge list of Google dorks by some googling, here I am sharing some with which you can play.
Code:inurl:index.php?id=
inurl:news.php?id=
inurl:article.php?Id=
inurl:gallery.php?id=
This is an interactive tutorial, that’s why we made it 5 day tutorial. Here is Day 1 task, you have to do it to clearly understand the SQL Injection.
Find at least 10 Sites which are vulnerable to SQL Injection and save the links in word/notepad for following the 2nd day tutorial
Follow the tutorial below to find a vulnerable site:
Search for Google dorks or Pick any dork from above and paste it in Google, now you have to check every site for SQLi Vulnerability, open link one by one and add single quote at the end of URL and hit Enter
For example:
The link is: [codee]http://www.site.com/view.php?id=2[/code] putting Single Quote:
Code:http://www.site.com/view.php?id=2’
Now if the page remains the same page then it is not vulnerable and Webmaster is smart enough to protect his site from SQL Injection attack, go and try another site,
And If you got an error message like:
Code:“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line *any number*”
Then you are lucky, you found a site that is vulnerable and Webmaster is lazy enough that he don’t know anything about SQL Injection. Go ahead and find another 9 sites that are vulnerable and complete the task. Good Luck! Happy Hunting
Continue Reading: [Day 2][Tutorial]Manual SQL injection: Access To Database [Day 3][Tutorial]Manual SQL injection: Admin 0day [Day 4][Tutorial]Manual SQL injection: Your Day [Day 5][Tutorial]Manual SQL injection: Securing Site
|
|
|
|
Rank: Hackology Applicant
Joined: 7/14/2014(UTC) Posts: 11
|
Excellent, I found 4 sites and now searching for more, waiting for next update..
|
|
|
|
Rank: Administrator
Medals:
Joined: 1/15/2005(UTC) Posts: 1,318
Thanks: 22 times Was thanked: 73 time(s) in 57 post(s)
|
Originally Posted by: Sher Muhammad Excellent, I found 4 sites and now searching for more, waiting for next update.. have to find 10 Originally Posted by: abid khan Find at least 10 Sites which are vulnerable to SQL Injection and save the links in word/notepad for following the 2nd day tutorial Done .. |
|
|
|
|
Rank: Administrator
Medals:
Joined: 1/26/2011(UTC) Posts: 238
Thanks: 36 times Was thanked: 10 time(s) in 9 post(s)
|
Originally Posted by: Sher Muhammad Excellent, I found 4 sites and now searching for more, waiting for next update.. Good Work Sher, But you need to find minimum 10 site to follow the tomorrow tutorial. Hope you will do it till tomorrow.
|
|
|
|
Rank: Hackology Applicant
Joined: 7/14/2014(UTC) Posts: 11
|
I am ready for next task
|
|
|
|
Forum
»
.:: Hackology ::.
»
Misc Tricks and Methods
»
[Day 1][Tutorial]Manual SQL injection: Happy Hunting
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.