Website Hacking Archives - Page 5 of 5

Posted on February 14, 2014June 15, 2024 by kanishka10 — 2 Comments

Complete guide to sqlmap

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what SQL injection is, different types of sql injection attacks etc. In this blogpost, how to perform SQL injection with a tool named sqlmap. Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. For this tutorial I am using Vulnerawa as target.

sqlmap is pre-installed in Kali Linux. Open sqlmap from the path as shown below.

Now copy the vulnerable url and type the following command the terminal. Here -u stands for url.

The result will be as shown below. It will reveal the website technology and the scripting language used.

1. Grab the banner of the target:

Now let’s grab the banner of the website. Type the following command and hit “Enter”.

You can see the banner as shown below.

2. Find the current user of the website:

To see the current user of the website, type the following command.

The current user can be seen as below.

3. List the current database:

Now let us see the current database used by the website. Type the following command.

We can see that the current database is “Vulneraw”.

4. List all the tables in a specific database:

Now let us see all the tables present in the database “Vulneraw” by using following command.

We see that we have only one table in the current database. The table is “users”.

5. List the number of columns in a specific table:

Now lets see the number of columns in the table “users”. Type the following command.

We see there are four columns in table “users”.

6. Dump the values of specific columns in a table:

Now let’s dump the values of two columns username and password by typing the following command.

The result is as below. we got the username and passwords.

7. Dump all values of a table:

If we want to dump all the entries of the table, type the following command.

Here are the entries.

8. Grab a shell on the target:

Now let’s see if we are lucky enough to get the shell of the target. Shell is the target machine’s command line or terminal. Type the following command.

It will prompt us to enter the application language being used by the website. We already know it is PHP. Enter its value. Next it will prompt you to enter the writable directory. You cam choose your option wisely. I chose the default root directory for Wamp server. Hit on “Enter”.

I successfully got the os-shell. Now let’s try some commands. Type “dir” to see the contents of the root directory. It works as shown below.

Let’s see how many users are there on the system. Type the command “net user” . We can see the users listed as below. Happy hacking practice.

To find sites vulnerable to this sql injection use google dork “site:.com inurl:id=1” or similar dorks. That’s all in this tutorial.

Posted on August 23, 2013June 15, 2024 by kanishka10 — 20 Comments

Havij SQL injection tool: Complete guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what SQL injection is and different types of SQL injection attacks. In this blogpost, you will learn about Havij, an automated SQL injection tool. Havij is a SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can be used to perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands.

Let me give you a complete guide on Havij in this article. First download Havij and install it.

1. Specifying the target:

Then open it and enter the vulnerable URL in the target field (for this tutorial I am using my own vulnerable webpage).

2. List the current database:

Set the database option to ‘auto detect‘ and hit analyze. This should show you the current database name as shown below.

3. Get Host information:

Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version etc.

4. List all tables of the current database:

Click on the “Tables” tab.

5. List all databases from the target:

Click on “Get DBs” option. This will list all the databases as shown below.

7. List tables in a certain database:

To get tables in a specific database, select the database and click on “Get Tables”. This will list all the tables present in the selected database. I selected database “shunya”here.

8. List all columns from a particular table:

We can see that there is on table ‘users’ in our database ‘shunya’ .To get columns , select the table ‘ users’ and click on “Get Columns”.

This will list all the columns in the table. We can see that we have five columns in the table ‘users’. It’s time to dump the values of columns.

9. Dump data from the columns:

Select the columns whose data we want to dump and click on “Get data”. Here I selected all the columns.

10. Crack password hashes:

We got all the data including usernames and passwords. But passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on “MD5″ tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all passwords in the similar manner.

11. Find admin page:

Having passwords is not enough. You also need to know where to login with these passwords. Havij can do that too. Click on “Find admin”. This option finds the admin page of the website automatically. When it finds the admin page, you can try the username and passwords to get access to the website. Hope this was helpful.

Posted on August 9, 2013June 24, 2024 by kanishka10 — 12 Comments

Beginners guide to login bypass

Hello, aspiring ethical hackers. In this blogpost, you will learn about login bypass.

What is Login bypass?

Many resources like websites Routers, Gateways, file messengers use authentication to ensure security of the resources what if this login in bypass. The process of Login bypass refers to any action on current which allows a user to directly access the resources without the use of credentials. Many techniques can be used to bypass login of a page. Some of the techniques are,

SQL injection
Forced browsing
URL parameters manipulation.

Let’s learn about each of them in detail.

1. SQL Injection:

Acunetix describes this as ” the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database. In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

In this article, I am going to show you how login bypass attack can be done on websites using SQL injection. For this I am going to use Vulnerawa and WAMP server. You can download Vulnerawa from here. To see what is Vulnerawa, go here. To learn how to setup Vulnerawa in Wamp Server, go here. When you finish successfully setting up Vulnerawa, it should be as below. The first page of a website is the “index.php” which is as shown below.

Now click on the “Login” button. You should see a login form as below.

Now insert a single quote character( ‘ ) into the form as shown below.

Click on “Submit”. You should get the error as shown below. This shows that the webpage is vulnerable to SQL injection. Notice that the URL has changed to a page “process.php”. Remember this for now.

Now enter the query

1′ or ‘1’=’1

as shown below in both username and password fields.

Click on “Submit”. If you got the below webpage, then you have successfully bypassed the login screen.

The query we entered above validates the user even without checking the password. There are some other queries which can work similarly. Two of them are here.

‘ or ‘1’=’1;
‘ or ‘1’=’1”

When a hacker enters these two queries, the username field becomes

” or ‘1’=’1;

which transforms to validate the user if username is empty or 1=1. Now whatever may happen, one will always be equal to one. We can find many more using trial and error. This vulnerability exists because we are supplying raw data to our application.

Now let’s go to the page “process.php” to understand how this sql injection worked. Go to the root directory of Vulnerawa. That would be “C://Wamp/www/vulnerawa1.0.2“. You should see the list of below pages. These are all the webpages which make the webapp vulnerawa1.0.2.

But we are interested in the page process.php. Right click on the page and select “edit” option to view the file. To put simply, open the process.php file with notepad. You should see it as below. We are interested in the two lines of code, $myusername=$_POST[‘username’] and $mypassword=$_POST[‘password’].These are the two queries to take username and password from the user. You can observe that they are taking input directly aka without sanitization.

Now just below these two lines, we have two lines commented. These are

$myusername = mysqli_real_escape_string($connect, $myusername);

$mypassword = mysqli_real_escape_string($connect, $mypassword);

Now, uncomment those two lines by removing the two backward slashes as shown below.

Save the file and restart the WAMP server. Now try to bypass the login screen as explained above. You should get something as shown below.

The “mysqli_real_escape_string” escapes any escapes any special characters entered in the input fields thus rendering injection harmless.

2. Forced browsing:

The page that is accessed after your login into any resource is also part of all the web pages that belong to that website. Sometimes, login can be bypassed by directly going to this page on browser. This is known as forced browsing and this page can be searched using web directory busting or fuzzing.

3. URL parameter tampering:

The login screen can also be bypassed by tampering with the URL parameter.

Category: Website Hacking

Complete guide to sqlmap

Havij SQL injection tool: Complete guide

Categories