Welcome Guest! To enable all features please try to register or login.
[Day 1][Tutorial]Manual SQL injection: Happy Hunting
Share
Options
Go to last post Go to first unread
Previous Topic Next Topic
Offline ABDK  
#1 Posted : Monday, July 14, 2014 3:46:05 AM(UTC)
Retweet
ABDK


Rank: Administrator
Reputation:
Medals: Medal of Appreciation: The owner of this Medal has shown great participation in learning, helping and contributing ...

Joined: 1/26/2011(UTC)
Posts: 238

Thanks: 36 times
Was thanked: 10 time(s) in 9 post(s)
UserPostedImage
Welcome Everyone,

Let’s first talk about what SQL Injection is. SQL Injection is a process of injecting malicious code to attack web application. SQL Injection is one of the well known vulnerabilities found in web applications, in a SQL Injection attack we inject SQL query via user input to dump admin username and password from the database or even extract the whole database the possibilities are limitless. Vulnerabilities can be in a search box, login form, gallery etc and it is present because user input is incorrectly filtered for string escape characters or user input is not strongly sanitized.

Let’s Start,

Step 1: Checking If Site Is Vulnerable:

To check whether a site is vulnerable or not, we need to look for websites which use GET command to send parameters, and find the URL like:

Code:
http://www.site.com/view.php?id=


Here "id" is the parameter which is taking user input and queries the database.

Another method for finding vulnerable sites is by using Google Dorks, Google is great in helping hackers, sad but true. Google Dorks are also known as Google Hack. In simple words Google dorks are strings (keywords or combination) to find vulnerable sites or even valuable or secret data on Internet.

You can find a huge list of Google dorks by some googling, here I am sharing some with which you can play.

Code:
inurl:index.php?id=
inurl:news.php?id=
inurl:article.php?Id=
 inurl:gallery.php?id=


This is an interactive tutorial, that’s why we made it 5 day tutorial. Here is Day 1 task, you have to do it to clearly understand the SQL Injection.

Find at least 10 Sites which are vulnerable to SQL Injection and save the links in word/notepad for following the 2nd day tutorial

Follow the tutorial below to find a vulnerable site:

Search for Google dorks or Pick any dork from above and paste it in Google, now you have to check every site for SQLi Vulnerability, open link one by one and add single quote
Code:
(‘)
at the end of URL and hit Enter

For example:

The link is:
[codee]http://www.site.com/view.php?id=2[/code]
putting Single Quote:
Code:
http://www.site.com/view.php?id=2’

Now if the page remains the same page then it is not vulnerable and Webmaster is smart enough to protect his site from SQL Injection attack, go and try another site,

And If you got an error message like:
Code:
“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line *any number*”

Then you are lucky, you found a site that is vulnerable Big Grin and Webmaster is lazy enough that he don’t know anything about SQL Injection. Go ahead and find another 9 sites that are vulnerable and complete the task.
Good Luck! Happy Hunting

Continue Reading:
[Day 2][Tutorial]Manual SQL injection: Access To Database
[Day 3][Tutorial]Manual SQL injection: Admin 0day
[Day 4][Tutorial]Manual SQL injection: Your Day
[Day 5][Tutorial]Manual SQL injection: Securing Site
Back to top
Sponsor
Back to top  
Offline Sher Muhammad  
#2 Posted : Monday, July 14, 2014 6:39:05 AM(UTC)
Retweet
Sher Muhammad


Rank: Hackology Applicant
Reputation:
Joined: 7/14/2014(UTC)
Posts: 11
Excellent, I found 4 sites and now searching for more, waiting for next update..
Back to top
Offline Dr-Hack  
#3 Posted : Monday, July 14, 2014 3:50:34 PM(UTC)
Retweet
Dr-Hack


Rank: Administrator
Reputation:
Medals: Hackology Founder: This medal is earned by the Founders of Hackogy

Joined: 1/15/2005(UTC)
Posts: 1,318

Thanks: 22 times
Was thanked: 73 time(s) in 57 post(s)
Originally Posted by: Sher Muhammad Go to Quoted Post
Excellent, I found 4 sites and now searching for more, waiting for next update..

have to find 10 tongue :p

Originally Posted by: abid khan Go to Quoted Post
Find at least 10 Sites which are vulnerable to SQL Injection and save the links in word/notepad for following the 2nd day tutorial

Done .. tongue :p
UserPostedImage
Back to top
WWW
Offline ABDK  
#4 Posted : Monday, July 14, 2014 4:41:00 PM(UTC)
Retweet
ABDK


Rank: Administrator
Reputation:
Medals: Medal of Appreciation: The owner of this Medal has shown great participation in learning, helping and contributing ...

Joined: 1/26/2011(UTC)
Posts: 238

Thanks: 36 times
Was thanked: 10 time(s) in 9 post(s)
Originally Posted by: Sher Muhammad Go to Quoted Post
Excellent, I found 4 sites and now searching for more, waiting for next update..


Good Work Sher, But you need to find minimum 10 site to follow the tomorrow tutorial.

Hope you will do it till tomorrow. Big Grin
Back to top
Offline Sher Muhammad  
#5 Posted : Tuesday, July 15, 2014 2:37:47 AM(UTC)
Retweet
Sher Muhammad


Rank: Hackology Applicant
Reputation:
Joined: 7/14/2014(UTC)
Posts: 11
I am ready for next task Smile
Back to top
Rss Feed  Atom Feed
Users browsing this topic
Guest
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Notification

Icon
Error