After downloading and installing Havij SQL tool,. you have to find an SQL vulnerable site. This can be done by the use of google dorks like
- inurl:index.php?id=sql under''
Read this tutorial on manual sql under '' searching for the vulnerability '' here ...
but for an easy go, you can just use another automated program known as sql poison . you can download here. The main aim of sql poison scanner is to help you find a vulnerable web page by performing an automated blind search onto a search engine like google. Havij will only hack a website through a specific webpage which you know is vulnerable to sql injection.
-----------------------------------------------------------------------------------------------------------------
Now lets say that you have found a vulnerable weblink url which looks like this one:
- http://www.hackyourdad.com/hisoffice.php?id=282
1. Open havij, then copy and paste the vulnerable weblink as shown in figure
2. Now click in the "Analyze" button
4. After u click Analize, wait for it to find it's vulernable, type of injection, if db server is mysql and it will find database name. Then after get it's database is name like xxxx_xxxx
5. Then go to the next operation of finding tables by clicking "tables" . A sub menu will appear where you will click "Get tables" as shown in the figure below. Your may need to wait for a while before it shows you the tables
2. Now click in the "Analyze" button
4. After u click Analize, wait for it to find it's vulernable, type of injection, if db server is mysql and it will find database name. Then after get it's database is name like xxxx_xxxx
5. Then go to the next operation of finding tables by clicking "tables" . A sub menu will appear where you will click "Get tables" as shown in the figure below. Your may need to wait for a while before it shows you the tables
6. After you get the tables ,there will be a check box for "users" Put mark on it and click on the " get columns " tab as shown in figure
7. Under ''Get columns'' list,.. just check on username and password and click on "Get data"
8. Bingo!!! Now you have the Username and password that may be for the admin...The pass that you will get will be in form of an md5 hash which you will have to decrypt it by using the MD5 decryptor tool as shown below
After you have got the Username & the password ready,.. You now need to find the Admin page which will give you access to the control panel (cpanel) of the website.
To find the Admin page, Go to ''Find Admin'' , then enter the site url on ''Path to search'' and click on ''Start'' as shown in the image below
8. Bingo!!! Now you have the Username and password that may be for the admin...The pass that you will get will be in form of an md5 hash which you will have to decrypt it by using the MD5 decryptor tool as shown below
After you have got the Username & the password ready,.. You now need to find the Admin page which will give you access to the control panel (cpanel) of the website.
To find the Admin page, Go to ''Find Admin'' , then enter the site url on ''Path to search'' and click on ''Start'' as shown in the image below
Now get the admin page url and open it in your internet browser,.. it will take you to a page which will request for the username and password,.. Enter these details & its Game Over!!!
You will find yourself in the control panel (cpanel) where you will have complete control of the website, you can do whatever the hell you want, you can even deface the website if you are realy in a bad mood :P
0 comments:
Post a Comment