Thursday 8 March 2012

ATTACK A WEBSITE USING SQL INJECTION



Hi folks...
Have you ever tried to change the homepage or any other page of a website, or to upload your own images to one? Seems like fun, no? In this post I am going to show how to carry out SQL injection against a SQL-vulnerable website and put your data on that website. For this we use a tool named Havij. First, I am going to introduce Havij.

Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. Using this software, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.
What makes Havij different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij.
The user-friendly GUI (graphical user interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.


Download havij 1.15

First, find a site vulnerable to SQLi
  • We will use Google dorks to find vulnerable websites. There is a big list of Google dorks, which I will post in future articles, but for now we will only use the following:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
  • Just search Google using one of the dorks and you will see a lot of vulnerable websites.
  • Open any one of the websites, then put ' after the link:
  • If you get the following SQL error, that means the website is vulnerable to SQL-injection attack.

  • Now open Havij, paste the link without the ' and click on Analyze.
  • Now we have to find the columns of the database.
  • After this you will be able to find the admin ID and password, but remember that web servers normally store the password as an MD5 hash, so you have to recover it. Use Havij's MD5 option, or you may read our tutorial on Cracking MD5.
  • After recovering the password, you have to find the admin login page of the website. To do that, use Havij's options.
  • Now you may log in as the admin user and control the website as you want.
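
Why the single-quote test above produces a SQL error, and how input validation plus a parameterized query removes the flaw, shown as an added example that is not part of the original post. The table, column and function names are hypothetical, and Python with an in-memory SQLite database is assumed here in place of the PHP back end behind URLs like the ones listed.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: a hypothetical "articles" table standing in
    # for the back end behind a URL such as article.php?ID=1.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 'Welcome')")
    return db

def get_article_vulnerable(db, raw_id):
    # Flaw 1: the request parameter is pasted into the SQL text, so a stray
    # quote changes the statement's syntax and the driver raises an error.
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Flaw 2: the database error is echoed to the visitor, which is
        # exactly the symptom the quote test looks for.
        return 500, "SQL error: %s" % exc
    return (200, row[0]) if row else (404, "Not found")

def get_article_hardened(db, raw_id):
    # Defense in depth: the id must be a short ASCII decimal number.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return 400, "Bad request"
    try:
        # The actual fix: the value is bound as a parameter and is never
        # parsed as part of the SQL statement.
        row = db.execute(
            "SELECT title FROM articles WHERE id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error:
        # Database errors belong in the server log, not in the response.
        return 500, "Internal error"
    return (200, row[0]) if row else (404, "Not found")

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "2"):
        print(repr(value), get_article_vulnerable(db, value),
              get_article_hardened(db, value))
```
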
