SQL Injection Using Havij

Friday, 3 February 2012

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. It is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. With this software a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file. Havij's user-friendly GUI (Graphical User Interface) and its automated settings and detection make it easy to use for everyone, even amateur users.

Finding SQL-Vulnerable Websites:
  • We will use Google dorks to find the vulnerable websites. The most common dorks for sites vulnerable to SQL injection are:

    inurl:index.php?id=
    inurl:trainers.php?id=
    inurl:buy.php?category=
    inurl:article.php?ID=


  • Search Google using one of the dorks and you will see a lot of vulnerable websites. They look like the example below:
    Example: http://lodge4hacker.com/news.php?id=129

  • Now simply add an apostrophe ( ' ) to the end of the URL and press Enter. If the website replies with an error, that shows the website is vulnerable to SQL injection.
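
Why the apostrophe produces an error, and how the application should handle it, shown as an added example that is not from the original post. It assumes a constructed in-memory SQLite table, and the functions `get_news_vulnerable` and `get_news_hardened` are hypothetical stand-ins for a page such as `news.php?id=`. The first chains the parameter into the SQL text; the second validates it, binds it as a parameter and returns only a generic error.

```python
import logging
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for a site's backend database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(128, "Older post"), (129, "Sample post")])
    return db

def get_news_vulnerable(db, raw_id):
    # Flaw: the request parameter is chained into the SQL text, so a stray
    # apostrophe changes the statement itself and the parser rejects it.
    query = "SELECT title FROM news WHERE id = " + raw_id
    try:
        return {"ok": True, "rows": db.execute(query).fetchall()}
    except sqlite3.Error as exc:
        # Second flaw: the raw database error is echoed back to the client.
        return {"ok": False, "error": str(exc)}

def get_news_hardened(db, raw_id):
    # 1. Allow-list validation: this parameter is only ever a short number.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return {"ok": False, "error": "invalid id"}
    try:
        # 2. Bound parameter: the value is sent as data, never parsed as SQL.
        rows = db.execute("SELECT title FROM news WHERE id = ?",
                          (int(raw_id),)).fetchall()
    except sqlite3.Error:
        # 3. Details go to the server log; the client sees a generic message.
        logging.exception("news query failed")
        return {"ok": False, "error": "internal error"}
    return {"ok": True, "rows": rows}

if __name__ == "__main__":
    db = make_db()
    for value in ("129", "129'"):
        print(repr(value), "vulnerable:", get_news_vulnerable(db, value))
        print(repr(value), "hardened:  ", get_news_hardened(db, value))
```

With the hardened version the apostrophe request gets the same generic response as any other malformed id, so the error-based check described above no longer reveals anything about the database.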

SQL Injection Using the Havij Tool:
  • Start Havij and copy the URL into the target address field (the same URL we used to test for the SQL injection vulnerability, but without the ' ).

  • Click the Analyze button and wait for Havij to discover the database files for you.

  • At the bottom of the Havij terminal you will see the search progress in detail.



  • Once a database is found, you can click the Tables tab to view the available tables. All the tables in the website's database are now shown.

  • Select a table and click Get Columns. The columns present in that table will be listed.

  • Now select the columns whose data you want to retrieve. After selecting the columns, click Get Data to get the values stored in them.

Now you have the website's full database and can do whatever you want!

Finding the Admin Page Using the Havij Tool:
  • To find the admin page of a website, click the Find Admin tab.

  • Now type the website link in Path to search and click Start.

  • Now you will get the admin page listed below.

Decrypt MD5 Hash Using Havij:
  • To decrypt an MD5 hash, click MD5 in the Havij tool.

  • Now paste your hash into the MD5 hash input box and click Start.

  • Now you will get the decrypted hash in a table, taken from various online decryption websites.


