According to a survey the
most common technique of hacking a website is SQL Injection. SQL Injection is a technique in which hacker insert SQL
codes into web Forum to get Sensitive Information like (User Name , Passwords) to access the site and Deface it. The traditional SQL
injection method is quite difficult, but now a days there are many tools
available online through which any script kiddie can use SQL Injection to
deface a webite, because of these tools websites have became more vulnerable to
these types of attacks.
One of the popular tools is
Havij, Havij is an advanced SQL injection tool which makes SQL Injection very
easy for you, Along with SQL injection it has a built in admin page finder
which makes it very effective.
Warning - This article
is only for education purposes, By reading this article you agree that XtremeHackz is not responsible in any way for any kind of damage caused by the
information provided in this article.
Supported Databases With
Havij
- MsSQL 2000/2005 with error
- MsSQL 2000/2005 no error union based
- MsSQL Blind
- MySQL time based
- MySQL union based
- MySQL Blind
- MySQL error based
- MySQL time based
- Oracle union based
- Oracle error based
- PostgreSQL union based
- MsAccess union based
- MsAccess Blind
- Sybase (ASE)
- Sybase (ASE) Blind
First download Havij here
Demonstration
Now I will Show you step by step the process of SQL injection.
Step1: Find SQL injection Vulnerability in tour site and insert the string (like http://www.target.com/index.asp?id=123) of it in Havij as show below.
Now I will Show you step by step the process of SQL injection.
Step1: Find SQL injection Vulnerability in tour site and insert the string (like http://www.target.com/index.asp?id=123) of it in Havij as show below.
Step2: Now click on the Analyze button as shown below.
Now if your Server is
Vulnerable the information about the target will appear and the columns will
appear like shown higlighted in picture below:
Step3: Now click on the Tables button and then click Get
Tables button from below column as shown below:
Step4: Now select the Tables with sensitive information
and click Get Columns button.After that select the Username and Password
Column to get the Username and Password and click on the Get Table button.
Countermeasures:
Here are some of the countermeasures you can take to reduce the risk of SQL Injection
Here are some of the countermeasures you can take to reduce the risk of SQL Injection
- Renaming the admin page will make it difficult for a hacker to locate it
- Use a Intrusion detection system and compose the signatures for popular SQL injection strings
- One of the best method to protect your website against SQL Injection attacks is to disallow special characters in the admin form, though this will make your passwords more vulnerable to brute-force attacks but you can implement a captcha to prevent these types of attack.
LAST WORDS:Finding an SQLi Vulnerable website is not so easy.That's why I have uploaded my own collection of SQLi Vulnerable Sites.
download it here and try all sites..they might work for you.
HAPPY HACKING
Post a Comment