In my previous article I covered all the basic SQL background; today I will get directly into the injection part. If you have not read the previous part, SQL injection Part 1, kindly go through it before reading this one.
Finding Out A Vulnerable Website
We can use Google dorks to find vulnerable sites. If you want to find an SQLi vulnerability on a particular website, you can use Google dorks for that as well. All you need is a basic knowledge of advanced Google searching.
Here are some Google dorks.
Now we have to check for the vulnerability. To do this, add a single quote (') at the end of the URL. If you get an error or a blank page, the site is vulnerable to SQL injection.
Here i found a vulnerable link of a website.
When I add a single quote at the end of the URL, some data on the page is missing. Hence we can determine that it is vulnerable to SQL injection.
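Why the stray quote produces an error or a blank page, shown as an added example that is not code from the original article: a query built by string concatenation lets the quote reach the SQL parser, whereas a parameterized query binds the same input as plain data. The table and rows are constructed for the demo, and SQLite stands in for the MySQL back end most such sites run; the function names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a site's content table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news (id, title) VALUES (?, ?)",
        [(1, "First post"), (2, "Second post")],
    )
    return conn


def lookup_vulnerable(conn, news_id):
    """Builds the statement by concatenation, so user input becomes part of the SQL."""
    sql = "SELECT title FROM news WHERE id = " + news_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A quote in the input unbalances the statement: this is the error page the article's test looks for.
        return f"error: {exc}"


def lookup_safe(conn, news_id):
    """Parameterized query: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (news_id,))]


def lookup_strict(conn, news_id):
    """Defense in depth: validate the expected type before the query, rejecting anything non-numeric."""
    try:
        numeric_id = int(news_id)
    except ValueError:
        return None
    return lookup_safe(conn, str(numeric_id))


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'"):
        print(repr(probe), lookup_vulnerable(db, probe), lookup_safe(db, probe), lookup_strict(db, probe))
```

With the same quote probe, the concatenated query fails, the parameterized one returns no rows (the quote is just part of a value that matches nothing), and the validated one rejects the input before any SQL runs.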
Finding Out The Number Of Columns
Now our job is to find out the number of columns the vulnerable query selects from the site's database, which we need before we can read data through it. We can find this by simply adding an “order by” clause at the end, as shown below.
Now add one more column to the above query. It looks like
In my example I got an error at the following query.
Finding Out The Most Vulnerable Column
When we are done with the number of columns, we need to find the most vulnerable column. For this we use the following query.
Then the above query looks like
If you observe, I got 2 as the most vulnerable column. The most interesting part of our attack starts here: we need to extract the data from the database.
Finding Out The Table Names
First we will find out the table names from the database. Just add the following query to find the table names.
It gives us a list of tables.
Now search for the tables you are interested in. That is, a hacker generally looks for the tables that contain usernames and passwords. So select the table you want.
Finding Out The Column Names
Now we need to extract the column names from the table in order to extract the data. We can find the column names using the following query.
In my example the query becomes
It displays all the column names from the table ‘wp_users’.
Now we have to extract the information such as usernames, passwords etc.
We can do this as shown in the following query.
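The probing sequence described in the steps above (the quote test, the climbing “order by” values, then the column-marker query, which in MySQL usually takes a `union select` form) leaves a distinctive trail in web-server logs, and that is where a site owner can catch it. As an added detection example that is not part of the original article, the following scans constructed common-log-format lines for those patterns and flags a source that trips more than one rule; the IP addresses, paths and timestamps are made up for the demo, and the rule names are this example's own. The last line shows a legitimate apostrophe in a search term, which is why a single quote on its own should not raise an alarm.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (common log format) for this demo; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=12%27 HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /news.php?id=12+order+by+5-- HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:51 +0000] "GET /news.php?id=-12+union+select+1,2,3-- HTTP/1.1" 200 4876
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about.php HTTP/1.1" 200 2210
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /search.php?q=o%27neil HTTP/1.1" 200 3001
"""

# Minimal common-log-format parser: source IP, request path and response status are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules run against the URL-decoded, lower-cased query-string values of each request.
RULES = [
    ("quote_probe", re.compile(r"'")),                       # the single-quote test
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),   # column counting
    ("union_select", re.compile(r"\bunion\b[\s\S]*?\bselect\b")),  # column-marker / extraction query
]


def scan_log(text):
    """Return one alert dict per (request, rule) hit, in log order."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl already URL-decodes, so %27 becomes a quote and + becomes a space.
        pairs = parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True)
        values = " ".join(v.lower() for _, v in pairs)
        for name, pattern in RULES:
            if pattern.search(values):
                alerts.append({"ip": m["ip"], "rule": name, "status": m["status"], "path": m["path"]})
    return alerts


def suspicious_sources(alerts, min_rules=2):
    """A source that trips several distinct rules is far more likely a probe than a stray apostrophe."""
    rules_by_ip = defaultdict(set)
    for a in alerts:
        rules_by_ip[a["ip"]].add(a["rule"])
    return {ip for ip, rules in rules_by_ip.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["rule"], a["status"], a["path"])
    print("suspicious:", suspicious_sources(found))
```

A 500 status on the quote probe is the server-side twin of the “error or blank page” the article looks for, so pairing the status code with the rule hit sharpens the signal further.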
Many websites store passwords as MD5 hashes. So we have to crack them using an MD5 cracker. www.md5cracker.co.uk is an online service to crack MD5 hashes. Then find the admin page and log in to the website.
For more about MD5, kindly read the tutorial on hashes and salts from here.
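An added example, not from the article or the linked tutorial, of why unsalted MD5 storage falls to lookup services like the one named above and what a hardened store looks like: plain MD5 gives every user with the same password the same, publicly tabulated digest, while salted PBKDF2-HMAC-SHA256 (via the standard `hashlib.pbkdf2_hmac`) gives each user a distinct hash and makes each guess expensive. The iteration count and the `algo$iters$salt$hash` record layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Assumption of this example: PBKDF2 work factor. Tune so one check costs a noticeable fraction of a second.
ITERATIONS = 200_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak scheme the article runs into: same password -> same digest for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing record so the parameters can be raised later."""
    salt = os.urandom(16)  # a fresh random salt per user defeats shared lookup tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Two users who picked the same (constructed, weak) password.
    print("md5 user A:", md5_hex("password"))
    print("md5 user B:", md5_hex("password"))   # identical: one lookup reveals both
    rec_a, rec_b = hash_password("password"), hash_password("password")
    print("pbkdf2 A:", rec_a)
    print("pbkdf2 B:", rec_b)                   # different salt, different hash
    print("verify A:", verify_password(rec_a, "password"), verify_password(rec_a, "Password"))
```

The MD5 half of the demo is exactly why an online table works: the digest of a common password is the same on every site that uses unsalted MD5, so it only has to be computed once. The salted record is what a site owner should migrate to.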
Hope you enjoyed this tutorial. Please leave your comments for further doubts and clarifications.