SQL Injection Using Havij Tools

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. It is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.


Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and  password hashes, dump tables and columns, fetching data from the database, running SQL  statements and even accessing the underlying file. The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users.

Finding the SQL Vulnerable Websites :
  • We will use Google dorks to find the vulnerable websites, Most common dorks for sql injection vulnerable site are:-

    inurl:index.php?id=
    inurl:trainers.php?id=
    inurl:buy.php?category=
    inurl:article.php?ID=

  • Just search google using one of the dork and you will see a lot of vulnerable websites. Look like below,
    Example : http://lodge4hacker.com/news.php?id=129

  • Now simply add an apostrophe( ' )to the end of url and press enter. If the website replies with an error then it shows that the website is vulnerable to SQL injection.
SQL Injection Using Havij Tool :
  • Start Havij and copy the url in target address.( The same url which we used to test for sql injection vulnerability but without ' ).


  • Click on the analyses button and wait for Havij to discover the database files for you.

  • At the bottom of the Havij terminal you will see the search progress in detail.



  • Once a database is found, you can click on tables tab to view the available tables. All the tables that are available in the database of the website are now shown.

  • Select that table and click on get columns. You will be listed with various columns that are present in the table.

  • Now select those columns whose data you want to retrieve. After selecting the various columns, click on get data to get the values stored in the columns. 

Now the website full database with you, Can do whatever you want !!

Finding Admin Page Using Havij Tool :
  • To find admin page in website, Click Find Admin tab

  • Now type the website link in Path to search and link start

  • Now, You will get admin page listed below

Decrypt MD5 Hash Using Havij :
  • To Decrypt MD5 hash , Click MD5 in Havij tool

  • Now paste your hash into MD5 hash input box and click start

  • Now you will get the decrypted hash in table from various online decryption website



DOWNLOAD :

Havij - Mirror1

Comments

Post a Comment

Popular posts from this blog

How to Install Android OS in Your Computer?

Image
We all know about Google Android operating system which comes installed in almost all latest smartphones whether its Samsung Galaxy S5 or Google Nexus. You'll find Android OS in almost all latest touch-enabled mobile phones. It has become the most popular operating system for mobile phones and tablets. Did you know you can install or test Google Android OS in your PC? People who don't have an Android mobile phone but want to test Android OS in their Desktop computer or laptop, will definitely find this article useful. If you remember, we have shared a software " BlueStacks " in past which works like an Android emulator and allows you to install and run almost all Google Android apps on your Windows PC. But it doesn't provide a full experience of Google Android OS. Today in this topic, we are going to share a fully functional Google Android OS copy which can be installed in your PC and can be used as a primary operating system. And if you don'
Read more

Google Dork For "Remote File Inclusion"

Image
Google dork s are the center of the Google Hacking. Many hackers use google to find vulnerable webpages and later use these vulnerabilities for hacking. Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. List Of Google Dork For Remote File Inclusion: inurl:rte/my_documents/my_files inurl:/my_documents/my_files/ inurl:/shoutbox/expanded.php?conf= inurl:/main.php?x= inurl:/myPHPCalendar/admin.php?cal_dir= inurl:/index.php/main.php?x= inurl:/index.php?include= inurl:/index.php?x= inurl:/index.php?open= inurl:/index.php?visualizar= inurl:/template.php?pagina= inurl:/index.php?pagina= inurl:/index.php?inc= inurl:"index.php?page=contact.php" inurl:"template.php?goto=" inurl:"video.php?content=" inurl:"pages.php?p
Read more

Colasoft MAC Scanner (hack tools)

Image
 Colasoft MAC Scanner allows to scan the network and get a list of MAC addresses along with IP address, machine name, and manufacturer's information. It can automatically detect all subnets according to the IP addresses configured on multiple NICs of a machine. It supports multi-threaded scanning.  Click to download
Read more