Wednesday, January 15, 2014

Hack Websites Using Havij [SQL Injection Tutorial]

According to a survey the most common technique of hacking a website is SQL Injection. SQL Injection is a technique in which hacker insert SQL codes into web Forum to get Sensitive Information like (User Name , Passwords) to access the site and Deface it. The traditional SQL injection method is quite difficult, but now a days there are many tools available online through which any script kiddie can use SQL Injection to deface a webite, because of these tools websites have became more vulnerable to these types of attacks.

One of the popular tools is Havij, Havij is an advanced SQL injection tool which makes SQL Injection very easy for you, Along with SQL injection it has a built in admin page finder which makes it very effective.


Warning - This article is only for education purposes, By reading this article you agree that Hacky Shacky is not responsible in any way for any kind of damage caused by the information provided in this article.


Supported Databases With Havij

  • MsSQL 2000/2005 with error.
  • MsSQL 2000/2005 no error union based
  • MySQL union based
  • MySQL Blind
  • MySQL error based
  • MySQL time based
  • Oracle union based
  • MsAccess union based
  • Sybase (ASE)

Demonstration

Now i will Show you step by step the process of SQL injection.

Step1: Find SQL injection Vulnerability in tour site and insert the string (like http://www.target.com/index.asp?id=123) of it in Havij as show below.



Step3: Now click on the Analyse button as shown below.



Now if the your Server is Vulnerable the information about the target will appear and the columns will appear like shown in picture below:


Step4: Now click on the Tables button and then click Get Tables button from below column as shown below:


Step5: Now select the Tables with sensitive information and click Get Columns button.After that select the Username and Password Column to get the Username and Password and click on the Get Table button.

Countermeasures: 

Here are some of the countermeasures you can take to reduce the risk of SQL Injection

  1. Renaming the admin page will make it difficult for a hacker to locate it
  2. Use a Intrusion detection system and compose the signatures for popular SQL injection strings
  3. One of the best method to protect your website against SQL Injection attacks is to disallow special characters in the admin form, though this will make your passwords more vulnerable to bruteforce attacks but you can implement a capcha to prevent these types of attack.
Posted by at

4 comments:

  1. AnonymousMarch 11, 2018 at 3:13 PM

    Hello. Are you in need of a Hacker .I recommend (Gadgethacksolution@gmail.com) via Email. I have used them and they are the best. They render services such as:

    -Facebook hack 
    -Gmail hack
    -Twitter hack
    -WhatsApp hack
    -Mobile phone hack
    -Database Hack
    -Retrival of lost files
    -Viber hack 
    -Untraceable IP 
    -University grades changing 
    -Bank account hack 
    -Bypassing of Icloud 
    -Verified Paypal account.

    ReplyDelete
  2. Bradley CopperDecember 8, 2018 at 7:10 PM

    I suspected my wife of cheating on me but I never had any proof. This went on for months, I didn't know what to do. i was so paranoid and decided to find a solution, i saw a recommendation about a private investigator and decided to contact him. I explained the situation about my wife to him and he said he was going to help me.I gave him all the informations he required and afterwards i received all my wife’s phones Text messages whatsApp messages and calls, I was hurt when i saw a picture of my wife and her lover. I feel so bad about infidelity. but i am glad Mr james was able to help me get all this information, you can contact him via email(worldcyberhackers@gmail.com) or Text/call : +12317945543

    ReplyDelete
  3. AnonymousDecember 24, 2018 at 2:07 AM

    My wife was so smooth at hiding her infidelity and I had no proof for months, I saw a recommendation about a Private investigator and decided to give him a try.. the result was incredible because all my cheating wife’s text messages, whatsapp, facebook and her phone conversations was sent directly to my Personal computer. Mr James helped me put a round-the-clock monitoring on her and I got concrete evidence and gave it to my lawyer..I feel so bad about infidelity,if your wife is an expert at hiding her cheating adventures contact him through Gmail he will help you(Worldcyberhackers) or WhatsApp : +12678773020

    ReplyDelete
  4. Adams JoanSeptember 20, 2019 at 3:29 PM

    I want to testify about United blank atm cards which can withdraw money from any atm machines around the world. I was very poor before and have no job. I saw so many testimony about how United hackers send them the atm blank card and use it to collect money in any atm machine and become rich. I email them also and they sent me the blank atm card. I have use it to get 90,000 dollars. withdraw the maximum of 5,000 USD daily. United hackers  is giving out the card just to help the poor. Hack and take money directly from any atm machine vault with the use of atm programmed card which runs in automatic mode.

    Email: unitedblankatmhackcard@gmail.com

    ReplyDelete

Subscribe to: Post Comments (Atom)