Ethical Hacking Institute Course in Pune-India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Today I am going to show you how to test for SQL injection on a practice website with the Havij tool.

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills. We only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it's a good idea to try to use this to attempt to hack systems that do not belong to you.

Things you will need

  1. Havij SQL injection Tool: There is a free version HERE
  2. A SQL vulnerable test site (we recommend something like DVWA)
  3. A very important thing you will need: your mind

Checking for SQL vulnerability

To check whether this site is vulnerable to a verbose SQL injection, a hacker will simply add ' (an apostrophe) after the site URL, like this:

http://site.com/products.php?id=2'

and the hacker will get this error on the site:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

This means that the site is vulnerable to SQL injection.
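Why the apostrophe produces that error, and what removes it, shown as an added example that is not part of the original tutorial. It uses Python's built-in sqlite3 in place of the PHP/MySQL stack, so the error text differs from the MySQL message above; the products table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the site's products table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "bolt"), (2, "gasket")])
    return db

def lookup_vulnerable(db, raw_id):
    # The request value is pasted into the SQL text, so a stray apostrophe
    # becomes part of the statement and breaks its syntax. The raw database
    # error is then echoed to the client: the "verbose" behaviour above.
    sql = "SELECT name FROM products WHERE id = " + raw_id
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, "SQL error: %s" % exc

def lookup_hardened(db, raw_id):
    # 1) Reject anything that is not a short, plain decimal id.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return 400, "invalid id"
    try:
        # 2) Bind the value as a parameter; it is never parsed as SQL.
        rows = db.execute("SELECT name FROM products WHERE id = ?",
                          (int(raw_id),)).fetchall()
    except sqlite3.Error:
        # 3) Log details server-side; the client only sees a generic message.
        return 500, "internal error"
    return 200, rows

if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2'"):
        print(repr(value), "vulnerable ->", lookup_vulnerable(db, value))
        print(repr(value), "hardened   ->", lookup_hardened(db, value))
```

With the hardened lookup, the same apostrophe request yields a generic 400 response and no database error text reaches the client.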

Exploiting the vulnerable site

  1. Open Havij, paste the site URL into the Target field and hit Enter.
  2. Now wait for Havij to get all the databases of the website.
  3. The hacker then clicks on an available database of the site and clicks Get Tables. Here, they select 535480_toyonorte for this site.

  1. After Get Tables is clicked, Havij looks for the tables available in the database.
  2. Once the scan finishes, Havij lists all the tables and the main work starts: they must check whether there is a table whose name has something to do with admin, users or something similar. Here, the website has a table called usuario. They select it and click Get Columns.

  1. After Get Columns is clicked, Havij gets all the columns available in the users table.
  2. In this case, the hacker found different columns such as id, login, pass and many more.
  3. Now they select the columns and click Get Data.

Now Havij will fetch the data available in the login and password columns, i.e. the admin username and password. In this case: username –> admin, password –> 21232f297a57a5a743894a0e4a801fc3 (in hashed form).

  1. Now that they have found the username and password, there is a problem: the password is stored as an MD5 hash, so the hacker must crack it.
  2. To crack the hashed password, the hacker copies it, clicks the MD5 tab in Havij, pastes it into the MD5 hash field and hits Start. Havij will then try to crack the password.

  1. Now they have the cracked password for admin.
  2. The hacker will look for the admin panel, where they will log in with the username and password.
  3. To find the admin panel, they click the Find Admin tab in Havij and click Start. Havij will then search for the admin panel of the website.

In this case, they found http://site.com.co/admin/ as the admin panel and opened it in a web browser. They log in with the username and password, and now they have control of the website.

www.extremehacking.org