Welcome to XnonymouX Blog

Wednesday, 25 July 2012

HOW TO HACK A WEBSITE BY SQL INJECTION USING HAVIJ | TUTORIAL

By on 07:57

HOW TO HACK A WEBSITE BY SQL INJECTION USING HAVIJ | TUTORIAL

You can download Havij here

After downloading and installing Havij SQL tool,. you have to find an SQL vulnerable site. This can be done by the use of google dorks like
  • inurl:index.php?id=sql under''
Read this tutorial on manual sql under   '' searching for the vulnerability ''   here ...

but for an easy go, you can just use another automated program known as sql poison . you can download  here. The main aim of sql poison scanner is to help you find a vulnerable web page by performing an automated blind search onto a search engine like google. Havij will only hack a website through a specific webpage which you know is vulnerable to sql injection.
-----------------------------------------------------------------------------------------------------------------
Now lets say that you have found a vulnerable weblink url which looks like this one:
  • http://www.hackyourdad.com/hisoffice.php?id=282
1. Open havij, then copy and paste the vulnerable weblink as shown in figure


2. Now click in the "Analyze" button


4. After u click Analize, wait for it to find it's vulernable, type of injection, if db server is mysql and it will find database name. Then after get it's database is name like xxxx_xxxx


5. Then go to the next operation of finding tables by clicking "tables" . A sub menu will appear  where you         will click "Get tables"  as shown in the figure below. Your may need to wait for a while before it shows         you the tables



6. After you get the tables ,there will be a check box for "users" Put mark on it and click on the " get columns " tab as shown in figure


7. Under ''Get columns'' list,.. just check on username and password and click on "Get data"

8. Bingo!!! Now you have the Username and password that may be for the admin...The pass that you will get     will be in form of an md5 hash which you will have to decrypt it by using the MD5decryptor tool as shown below

After you have got the Username & the password ready,.. You now need to find the Admin page which will give you access to the control panel (cpanel) of the website.
To find the Admin page, Go to ''Find Admin'' , then enter the site url on ''Path to search'' and click on ''Start'' as shown in the image below

Now get the admin page url and open it in your internet browser,.. it will take you to a page which will request for the username and password,.. Enter these details & its Game Over!!! 
You will find yourself in the control panel (cpanel) where you will have complete control of the website, you can do whatever the hell you want, you can even deface the website if you are realy in a bad mood :P

0 comments:

Post a Comment