SQL injection is the most widely used method in web hacking, and most websites are being hacked using SQL injection these days. In this post we are going to learn about a tool called Havij. Havij is an automated SQL injection tool that helps pen-testers find and exploit vulnerabilities on a web page. You can perform back-end database fingerprinting and retrieve DBMS login names and passwords in the shape of hashes. You can also dump tables and columns, fetch data from the database, execute SQL statements against the server and much more.
As we know, there are many tools available on the internet that anyone can use to hack vulnerable websites. Because of the availability of these tools, hacking websites is becoming easy and the number of hacked websites is also increasing. Because of its GUI (graphical user interface) and automated configuration, everyone can use Havij for hacking websites and for testing vulnerabilities. In this post I am going to share a tutorial on Havij: how to use it, and how a person can hack an SQLi-vulnerable website by using this tool.
Requirements for SQL Injection:
- Havij SQL injection tool: There is a free version HERE, but you'll probably want to look around and see if you can get your hands on the full version.
- A SQL vulnerable site, Here is the example site:
- http://toyonorte.com.co/catalogo_nuevos_detalle.php?id=2
- A very important thing you will need: your mind.
Checking for vulnerable sites
To check whether this site is vulnerable to SQL injection, a hacker will simply add ' (an apostrophe) after the site URL, like this:
http://toyonorte.com.co/catalogo_nuevos_detalle.php?id=2'
and the hacker will get this error on the site:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
The error shows that the apostrophe reached the SQL statement unescaped, which means the site is vulnerable to SQL injection.
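Why the apostrophe produces that error, and what removes it, shown as an added example that is not part of the original post. SQLite stands in for the site's MySQL back end; the `catalogo` table, its rows and all function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; nothing here comes from the site on this page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE catalogo (id INTEGER PRIMARY KEY, nombre TEXT)")
    db.executemany("INSERT INTO catalogo VALUES (?, ?)",
                   [(1, "Modelo A"), (2, "Modelo B")])
    return db

def detail_vulnerable(db, raw_id):
    # 'Before': the request parameter becomes part of the SQL text itself,
    # so a stray quote changes the statement the database has to parse.
    return db.execute("SELECT nombre FROM catalogo WHERE id = " + raw_id).fetchone()

def detail_hardened(db, raw_id):
    # 'After': accept only a short decimal id, then bind it as a parameter.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return 400, "invalid id"
    try:
        row = db.execute("SELECT nombre FROM catalogo WHERE id = ?",
                         (int(raw_id),)).fetchone()
    except sqlite3.Error:
        # Log the detail server-side; never echo database errors to the client.
        return 500, "internal error"
    return (200, row[0]) if row else (404, "not found")

def apostrophe_check(db, raw_id):
    # Reproduces the symptom described above against the vulnerable handler.
    try:
        detail_vulnerable(db, raw_id)
        return "no error"
    except sqlite3.OperationalError as exc:
        return "syntax error leaked: " + str(exc)

if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2'"):
        print(repr(value),
              "| vulnerable:", apostrophe_check(db, value),
              "| hardened:", detail_hardened(db, value))
```

With the hardened handler the same request returns a generic 400 and the database never sees the quote, so there is no syntax error for an automated tool to key on.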
- Open Havij.
- Type the vulnerable website's URL into it and hit the Analyze button.
- Now click on the Tables tab and then hit the Get DBs button.
- You now have all the databases in the result. Tick the databases and hit the Get Tables button.
- You now have the tables from the databases you ticked in the previous step. Tick the related tables and hit the Get Columns button.
- You now have the columns from the ticked table. Tick the related columns and press the Get Data button.
- Bingo! You have got the username and password of the admin.
How To Crack Hash?
As you can see, we have received all the admin's information, such as username, password and user group. But we have received the password in the shape of a hash. In order to see the real password, we have to crack this hash. For that, we will make use of the Havij tool again. Follow me to crack this hash.
- You can see an MD5 button in the buttons list of Havij. Hit that button, paste your hash inside it and press the Start button.
- You can now see the password in plain text in the result. See the picture below.
Find Admin Page
We have got everything, such as the username and password. But where do we use them to get admin rights? You need to find the admin login page of the target site. For finding the admin page of the target site, we will use Havij again.
- In the buttons list, press the Find Admin button. Type the homepage URL of the target site and press the Start button.
You will get a result just like with the hash cracking. You will be able to see the page that the admin of your target site uses to log in.
Warning - This article is only for educational purposes. By reading this article you agree that Aletheia is not responsible in any way for any kind of damage caused by the information provided in this article.