As we discussed earlier, SQL Injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. There we covered bypassing the login screen, which might have been beneficial to the so-called script kiddies, who approach hacking just through scripts and code available on the web, without any particular interest in the field. Anyway, you now know who exactly the script kiddies are.
We learnt the basics of what SQL Injection is, but how can you find out whether a website you are testing is vulnerable to SQL injection or not? Some of you might already know, but for those who don’t, I am going to walk through the whole process.
1. Use Google dorks to find potentially vulnerable sites by entering the following queries into the Google search engine:
Now you get a list displayed on the results page. Go through the results one by one. Suppose we select the first result. Click on it.
2. Put a ‘ (single quote) at the very end of the link displayed in the address bar and press ‘Enter’.
3. Now if a page opens up saying there is an SQL Error, that means the website is 110% vulnerable to SQL Injection: the quote has reached the database query unescaped and broken its syntax.
Since we don’t want to rack our brains, we let the Havij tool do the work for us.
4. Remove the ‘ (single quote) we added at the end of the web link, copy it and paste it to Havij as shown:
5. When you click on the Analyze button, the scanning begins, and you get to see many more database retrieval options, as shown below. An attacker can even play with the database tables, dumping them at will.
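Why the single quote in steps 2 and 3 produces an SQL error, and the fix that makes it harmless, shown as an added example that is not part of the original post. It assumes an in-memory SQLite database; the `products` table and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("1", "keyboard"), ("2", "mouse")])
    return db

def lookup_concat(db, item_id):
    """Vulnerable: the URL parameter is pasted into the SQL text."""
    sql = "SELECT name FROM products WHERE id = '" + item_id + "'"
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # Echoing this message to the browser is the "SQL Error" page of step 3.
        return ("sql_error", str(exc))

def lookup_param(db, item_id):
    """Hardened: the value is bound as data and never parsed as SQL."""
    try:
        rows = db.execute("SELECT name FROM products WHERE id = ?",
                          (item_id,)).fetchall()
    except sqlite3.Error:
        # Generic message to the client; details belong in server logs.
        return ("error", "request failed")
    return ("ok", rows)

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(repr(value), lookup_concat(db, value), lookup_param(db, value))
```

With the bound parameter, the trailing quote is just an id that matches no row, so there is no syntax error to display and nothing for a scanner to build on.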
Note: Live testing is strictly prohibited. This is only for educational purposes, by CYBERSAVIOURS. Keep enjoying!!