Hello friends. This is my third post on SQL injection and for the first time I am using a tool for explaining it. Here I will be using a popular and my personal favourite SQLi tool Havij. To download Havij visit the following link - DOWNLOAD HAVIJ.
Let us now understand how this tool works. The tutorial can be used for any SQLi tool as the basic functioning is same for all. First thing you need to do is find a vulnerable site.
You can find a detailed SQL injection tutorial - HERE.
You can use blind SQL injection technique to figure out weather a site is vulnerable or not.
To check a website for vulnerability, you will first have to reach to a page that accesses the database and is of the form : www.site.com/product.php?id=23
Now simply add an apostrophe( ' )to the end of url and press enter. If the website replies with an error then it shows that the website is vulnerable to SQL injection. Look at the url in the following image( sorry for the over editing of image but it was really needed) . Notice the ' at the end of url and also the error responded from the database.
The error will look something like this : Warning: mysql_num_rows(): supplied argument is not a valid MySQL
So now that we have a vulnerable site for testing, we will now move ahead with using Havij and try to discover admin details of the website. In fact we can dig out every detail from the database using havij. Let us see how.
1. Start Havij and copy the url in TARGET address.( the same url which we used to test for sql injection vulnerability but without ' ).
2. Click on the ANALYZE button and wait for Havij to discover the database files for you.
3. At the bottom of the Havij terminal you will see the search progress.
4. Once a database is found, you can click on TABLES tab to view the available tables.
You will be presented with all the tables that are available in the database of the website. It contains all the information that is displayed on the webpage. The next target can be to look for a table that contains some information about admin login details. .
5. In our example the table tbl_admin looks like a table that may contain admin details. Select that table and click on GET COLUMNS.
6. You will be listed with various columns that are present in the table.
7. Now select those columns whose data you want to retrieve.
8. After selecting the various columns, click on GET DATA to get the values stored in the columns.
You can see in the figure how Havij has successfully retrieved the admin login details for us.
This technique can also be used to dig out the other user details of the website. Keep experimenting.
Well I will leave you with a question . What to do with this admin details now ??
wait for the next post for answer. In case you have an answer then add it in comments below.