VOILA! What you're looking at right now is the "admin" username and the password, in the following format:
username:password
admin:admRIvuxHahkQ
FYI: Wherever you see "%20" in the URL, that means a SPACE in the address bar.
So now you have the password, and you can use it the way you want.
So this is the way to perform an SQL injection attack. You may try your own stuff with the Google dorks I posted in the beginning. Use it the way you want, but keep in mind that if you know 80/100, there are people out there who know 90/100. So better secure yourself first, and try these attacks with the permission of the site owners.
Thank you all for reading this tutorial; I am sure it helped. If there are any more questions, feel free to reply on this same post.
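The login bypass the tutorial ends with, and the `' or 1=1--` string a reader asks about in the comments, work because user input is pasted into the SQL text. This added example (not code from the original post) builds a constructed in-memory SQLite table with one sample user, stores the password as an unsalted MD5 like the forum software discussed in the thread, and shows the concatenated login query beside the parameterised version that closes the hole; the table, user and password are constructed for the demonstration.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory database; not the tutorial's target site."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Sample row; the password is stored as a bare MD5, as the thread describes.
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.md5(b"correct horse").hexdigest()))
    return db


def login_vulnerable(db, username, password):
    """String-concatenated query: attacker-controlled text becomes SQL syntax.
    A username of  ' OR 1=1--  turns the WHERE clause into 'always true' and
    comments out the password check, so the first row is returned."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + pw_hash + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterised query: the driver binds the values, so quotes and '--'
    are plain data and can never change the statement's structure."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "' OR 1=1--", "anything"))
    print("fixed:     ", login_fixed(db, "' OR 1=1--", "anything"))
```

Binding parameters fixes the injection; the MD5 storage is kept here only to match the thread and is addressed separately in the salting discussion further down.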
1.
Ashwin
Apr 8th, 2009
Thank you very much.
2.
rAX
Apr 9th, 2009
Thank you so much for the effort, it's really educative!
I want to ask you though, what do I need to learn to be a penetration expert? (for good purposes).
3.
tez2fast
Apr 9th, 2009
Thats Nice 1 Man,… keep On Such Thing,..
4.
irad
Apr 9th, 2009
thank you….thank you very much
5.
Nishant.Soni
Apr 9th, 2009
@ rAX,
Penetration is a field where you need to gain the knowledge first and then the practical experience; the more you explore, the better you learn. This is the ONLY field which is never gonna die.
There are different types of ETHICAL HACKERS, some are for APPLICATION BASED TESTING, some work for WEB TESTING, so it depends where you want to build your expertise.
6.
Tejas Dave
Apr 9th, 2009
lol…..Nishant no offence but im sure u cannot hack sites using sql injection anymore &
the passwords u get in sql are in md5 formats or salted md5 so u cant use dem
directly.plus direct xml parsing is now old & can b used for hacking small sites which r
not even worth a single $.
7.
Tejas Dave
Apr 9th, 2009
& yes new ways of hacking sites are by rooting servers.thats called real hacking & if u
8.
Nishant.Soni
Apr 9th, 2009
@Tejas Dave:
We are talking about ETHICAL HACKING in here, and if you are saying that we can not hack the site with SQL Injections, then I am sorry but you're completely wrong.
1. MD5: Use Cain & Abel to decrypt the md5 hashes; it's decrypted with the help of a bruteforcing attack.
2. I am soon gonna write another article about "uploading shells" with sql injection, so that will basically grant u access to the entire FTP.
3. You can easily manipulate config.php with the sql injection, and u can make it vulnerable to RFI or LFI [if u know about them]
4. As far as rooting is concerned, i thought not to post it since I wasn't sure if the readers are good enough to understand it in just one go.
9.
Nishant.Soni
Apr 9th, 2009
Yea one more thing, for the MD5 hash cracking, you can have a look at this video.
http://techmafias.com/forum/Thread-decrypting-md5-hashes
10.
john clay
Apr 9th, 2009
well , a nice read material.
will love to have more of this to read…simple and straight to the point.
1love Bro.
11.
tejas dave
Apr 9th, 2009
dude ur telling me that using Cain & Abel u can crack all md5? r u joking. u can crack normal md5 but not salted hashes.
12.
Sharad
Apr 9th, 2009
I was just looking for this.
Thanks
13.
Randheer Singh
Apr 10th, 2009
Thanks very much. I was building a website; now I can think about these attacks.
14.
Nishant.Soni
Apr 10th, 2009
@tejas_dave:
Most of the hashes are normal MD5s, and if the website is using some specific software like some forum through SMF, phpBB, myBB or a blog like WordPress, then the hashes are converted into respective flavors. As far as decrypting the SALTED and the SHA hashes is concerned, i will write an article soon about that.
Please ask your questions out of curiosity; your questions are more about aggression and offense rather than confusion, objection or doubt. We are here to share the knowledge; if you think you know something on top of this, then try to write an article, don't try to create chaos.
P.S.: Please remember, i try to teach ETHICAL, i wudn't suggest anyone to misuse it.
15.
Nishant.Soni
Apr 10th, 2009
Here is a list of SQL Injection commands / queries which you may try, to understand it better.
ABORT — abort the current transaction
ALTER DATABASE — change a database
ALTER GROUP — add users to a group or remove users from a group
ALTER TABLE — change the definition of a table
ALTER TRIGGER — change the definition of a trigger
ALTER USER — change a database user account
ANALYZE — collect statistics about a database
BEGIN — start a transaction block
CHECKPOINT — force a transaction log checkpoint
CLOSE — close a cursor
CLUSTER — cluster a table according to an index
COMMENT — define or change the comment of an object
COMMIT — commit the current transaction
COPY — copy data between files and tables
CREATE AGGREGATE — define a new aggregate function
CREATE CAST — define a user-defined cast
CREATE CONSTRAINT TRIGGER — define a new constraint trigger
CREATE CONVERSION — define a user-defined conversion
CREATE DATABASE — create a new database
CREATE DOMAIN — define a new domain
CREATE FUNCTION — define a new function
CREATE GROUP — define a new user group
CREATE INDEX — define a new index
CREATE LANGUAGE — define a new procedural language
CREATE OPERATOR — define a new operator
CREATE OPERATOR CLASS — define a new operator class for indexes
CREATE RULE — define a new rewrite rule
CREATE SCHEMA — define a new schema
CREATE SEQUENCE — define a new sequence generator
CREATE TABLE — define a new table
CREATE TABLE AS — create a new table from the results of a query
CREATE TRIGGER — define a new trigger
CREATE TYPE — define a new data type
CREATE USER — define a new database user account
CREATE VIEW — define a new view
DEALLOCATE — remove a prepared query
DECLARE — define a cursor
DELETE — delete rows of a table
DROP AGGREGATE — remove a user-defined aggregate function
DROP CAST — remove a user-defined cast
DROP CONVERSION — remove a user-defined conversion
DROP DATABASE — remove a database
DROP DOMAIN — remove a user-defined domain
DROP FUNCTION — remove a user-defined function
DROP GROUP — remove a user group
DROP INDEX — remove an index
DROP LANGUAGE — remove a user-defined procedural language
DROP OPERATOR — remove a user-defined operator
DROP OPERATOR CLASS — remove a user-defined operator class
DROP RULE — remove a rewrite rule
DROP SCHEMA — remove a schema
DROP SEQUENCE — remove a sequence
DROP TABLE — remove a table
DROP TRIGGER — remove a trigger
DROP TYPE — remove a user-defined data type
DROP USER — remove a database user account
DROP VIEW — remove a view
END — commit the current transaction
EXECUTE — execute a prepared query
EXPLAIN — show the execution plan of a statement
FETCH — retrieve rows from a table using a cursor
GRANT — define access privileges
INSERT — create new rows in a table
LISTEN — listen for a notification
LOAD — load or reload a shared library file
LOCK — explicitly lock a table
MOVE — position a cursor on a specified row of a table
NOTIFY — generate a notification
PREPARE — create a prepared query
REINDEX — rebuild corrupted indexes
RESET — restore the value of a run-time parameter to a default value
REVOKE — remove access privileges
ROLLBACK — abort the current transaction
SELECT — retrieve rows from a table or view
SELECT INTO — create a new table from the results of a query
SET — change a run-time parameter
SET CONSTRAINTS — set the constraint mode of the current transaction
SET SESSION AUTHORIZATION — set the session user identifier and the current user identifier of the current session
SET TRANSACTION — set the characteristics of the current transaction
SHOW — show the value of a run-time parameter
START TRANSACTION — start a transaction block
TRUNCATE — empty a table
UNLISTEN — stop listening for a notification
UPDATE — update rows of a table
VACUUM — garbage-collect and optionally analyze a database
16.
XERO
Apr 11th, 2009
HI
Excellent tutorial, and it cleared my doubts. However, I would like to ask if there are ways to hack PHP pages with similar encoding like SQL injections? I would like to ask if there are similar techniques involved in hacking PHP based username/pass forms or websites?
Thanks
-XERO
17.
prashanth
Apr 11th, 2009
i need to make a fake login page for hotmail…
Can you help me with it??
if you can then mail me to “prashanth_s@live.com”
18.
Nishant.Soni
Apr 12th, 2009
@XERO.
It really depends on whether there are some vulnerabilities in that php page. If you can give an example of the page you're talking about, it would be easier for me to help you.
19.
Syed.atif
Apr 13th, 2009
Hello
Nishant.Soni
i am just a network guy; this article came across me, so I just want to request that, as an expert in penetration, can u also provide tips and suggestions to secure the sites against this sort of attack.
regards
20.
Ajaykumar
Apr 14th, 2009
hiiiiiii i'm new to SQL but i understood the concept of ur injection. but i dont know what to do with that ADMIN username and password.
where shall i use them???
21.
Ajaykumar
Apr 14th, 2009
at the last step of ur injection we get only the admin username, but not the password, but u r showing it
22.
Nishant.Soni
Apr 14th, 2009
@ Syed.atif :- To secure the website from this kind of attack, you have to make sure that your website doesn't follow every path. I mean it should be redirected to the index page if some unknown page is attempted to be accessed.
@Ajay kumar: With the admin username and password, you can login to the "admin control panel". That's ur job to find it. Because i wudn't prefer to show the admin control panel of that site in here.
23.
Drexler
Apr 17th, 2009
Thanks for this lesson, hummm so interesting,… am new here though, but while going through the process, most of the links displayed errors from step 2 down. Anyway keep it up… you good… cheers
24.
Ajaykumar
Apr 17th, 2009
But how can i know the admin page which is providing the database to the site. I'm in the initial stages, plss help me
25.
Ajaykumar
Apr 17th, 2009
@Drexler:: hey, they are working links; from step 2 u have to remove the "-" at the end of the links.
r u getting me
26.
Vinayak
Apr 18th, 2009
Thanks Nishant A Very Useful Tutorial I Have Found The Admin Login Page But To
Login Do I Need To Use Any Proxy ???
27.
Nishant.Soni
Apr 19th, 2009
@Vinayak:
1. I don't support un-ethical stuff
2. Everyone can track the login logs in the admin control panel
3. Rather than trying to mess with the site, i will suggest you to contact the website owner and let them know about the vulnerability.
28.
Parag
Apr 19th, 2009
Dude the link at the end which leads to username and password
does not work.
29.
Nishant.Soni
Apr 19th, 2009
@Parag:
Since i’ve copy pasted the links, the format has been disordered. So, you will have to
30.
askoppal
Apr 19th, 2009
@Nishant.Soni
MD5 (Message-Digest algorithm 5) is an irreversible hash which cannot be 'decrypted'. If anybody said it can be decrypted, it's just NONSENSE.
Now you may be thinking how Cain & Abel and other sites decrypt those MD5 hashes; it's done by a simple technique.
Just type in text and produce an MD5 hash of that text. The text and the MD5 hash are then inserted into a table. To 'decrypt', Cain & Abel just searches that table for matching hashes; this is known as an MD5 rainbow table.
If I have a password "genius" or "hacker", you can find it easily in that table because they are common words. That's the reason you shouldn't use common words as passwords.
But if I have a password like "278askoppal345", the chance of it being in the database is small, and it is unlikely anyone in the world has the same password. Therefore, it has very "little chance" of ending up in a database.
If you want to make it even more secure against decryption (for covering those "little chances"), we use a common technique called salting the password; that's what Tejas Dave has mentioned. I will just explain one method of it, i.e. adding characters along with the password before it is hashed. Even if my password is in the rainbow table, the hacker cannot decrypt my password because he doesn't know my salting technique.
Secondly,
You cannot have an article on "decrypting salted md5 and SHA". Because it's pointless, like making coffee and asking to "decrypt" the milk from it.
-askoppal.com
“My ignorance always amuses me”
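The lookup-table and salting mechanics described in the comment above, as an added example that is not part of the original thread. The wordlist, salts and passwords are constructed for the demonstration; the last function goes beyond the comment and shows the deliberately slow hash (PBKDF2-HMAC-SHA256 via the standard library) a practitioner would store today, because a salt only defeats precomputed tables while MD5 itself stays fast enough for per-hash brute force.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a precomputed MD5 lookup table (what the
# comment calls a rainbow table); a real one would hold millions of entries.
COMMON_WORDS = ["genius", "hacker", "password", "letmein", "123456"]


def plain_md5(password):
    """Unsalted MD5 of a password, the form the tutorial's dumps contain."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute md5(word) -> word so a stored hash can be reversed by lookup."""
    return {plain_md5(w): w for w in words}


def lookup(table, digest):
    """'Decrypting' an unsalted MD5 is just a dictionary lookup; None = not found."""
    return table.get(digest)


def salted_md5(password, salt):
    """The salting method the comment describes: extra bytes mixed in before
    hashing. With a random per-user salt, a precomputed table no longer matches."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_record(password):
    """Store a fresh random salt next to the hash; the salt need not be secret."""
    salt = os.urandom(16)  # constructed per-user salt
    return salt, salted_md5(password, salt)


def verify(record, attempt):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_md5(attempt, salt), digest)


def slow_hash(password, salt, rounds=100_000):
    """Beyond the comment: a slow key-derivation function makes every guess cost
    'rounds' hash operations instead of one, which is what stretches the
    brute-force time the thread argues about."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()
```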
31.
Nishant.Soni
Apr 20th, 2009
@ askoppal.
1. I like you, because ur the best person who knows how to divert minds from actual
topic.
2. What you’re talking about is just CRACKING, what i referred to was “Brute forcing”
MD5s.
3. Nice example of coffee and milk, i know u cant decrypt milk out of coffee, but yes you
can understand that coffee has, milk, sugar etc..
4. Y i don’t see any of your articles “mate”!?
32.
Nishant.Soni
Apr 20th, 2009
@ Askoppal:
Sorry i forgot to add.
1. When we talk about MD5, we don't say "hack", we say "crack". So it should come to your mind that the word "crack" means a possibility, not certainty.
2. That's why people release their "dictionaries" so they can be used for "dictionary cracking attempts"
3. and at last, i've already written about brute forcing above.
33.
askoppal
Apr 20th, 2009
@Nishant.Soni
NISHANT: I like you, because ur the best person who knows how to divert minds from
actual topic.
ASKOPPAL:I am just questioning the statements you made.
NISHANT: What you’re talking about is just CRACKING, what i referred to was “Brute
forcing” MD5s.
taste it
NISHANT: Y i don’t see any of your articles “mate”!?
ASKOPPAL: I blog at http://45k.me sponsored by Sathish
NISHANT: When we talk about MD5, we dont say "hack", we say "crack". So it should come to your mind that, the word "crack" means a possibility not certainty. Thats why people release their "dictionaries" so they can be used for "dictionaries cracking attempts" and atlast i 've already wrote about brute forcing above.
ASKOPPAL: You are proving yourself to be a jackass or an English mentor or something else. The above statement is just nonsense.
-askoppal.com
“My ignorance always amuses me”
34.
askoppal
Apr 22nd, 2009
The hash value fedd0876f12728f8ef6890fbfed25edd which I gave to Nishant is decrypted to N.i.s.h.a.n.t S.o.n.i
You can confirm the accuracy of the hash using an on-line hash generator created by me
http://45k.me/blog/2009/04/md5-sha1-sha256-hashing/
If we use a brute force method it would take around 262800 hrs, i.e. 30 years, on a 3 GHz, 2 GB RAM equipped system to decrypt the above hash, even if i know the keyspace of the password. So brute force ain't a good technique to crack an admin's password.
-askoppal
35.
Nishant.Soni
Apr 23rd, 2009
@askoppal:
That is the only reason i said it isn't 100%. MD5 is a nice algorithm. It may work, it may not. OR u may have to wait for a long time.
36.
raaghav
Apr 23rd, 2009
nice tutorial, i'll try it on other sites too
37.
Panwar
Apr 27th, 2009
Thanks for the nice article; everything is clear but i am stuck at two points.
1- How to find sites where we can put sql injections: you described it well, but if you plz put some more light on it then it will be very useful.
2- The last url is not working to get the username and password, as i have also added the code manually in the second last url; i mean i add admin_username & admin_password and put ru_Admin but no work.
Also, from where do we have to start learning, from newbie to expert, so we can secure our sites?
38.
junaid
Apr 28th, 2009
thanks, it's really helping
39.
xXXh4Ck3rXXx
Apr 28th, 2009
hey dude the tuts if u make a video becomes more user friendly
and try and teach others advanced thing this is t00 n00bish
40.
Neo_Warez
May 1st, 2009
Dude!
I love this post, i think this is the first time i’m posting here on Genius Hackers…..I love
ur post!!
41.
des
May 5th, 2009
Hello Nishant,
I wonder what your nickname is on the techm forum; I would like to have your opinion on the topic which I recently opened there.
thx.
42.
Kalpana
Jun 2nd, 2009
hi Nishant
Thanks, it's a good article. My question is: can we log in to a web page without a userid and pwd???
i read an article saying that by viewing the web page source we can log in
ex: ' or 1=1-- using these types