Run the downloaded file by double clicking (you need to have virtual machine ).

3. Anonymity when checking the site for SQL injections

Setting up Tor and Privoxy in Kali Linux

[Section under development]

Setting up Tor and Privoxy on Windows

[Section under development]

jSQL Injection proxy settings

[Section under development]

4. Checking the site for SQL injection with jSQL Injection

Working with the program is extremely simple. Just enter the site address and press ENTER.

The following screenshot shows that the site is vulnerable to three types of SQL injections at once (information about them is indicated in the lower right corner). By clicking on the names of the injections, you can switch the method used:

Also, we have already displayed the existing databases.

You can see the contents of each table:

Usually, the most interesting part of the tables is the administrator credentials.

If you are lucky and you found the administrator's data, then it's too early to rejoice. You also need to find the admin panel, where to enter these data.

5. Search for admins with jSQL Injection

To do this, go to the next tab. Here we are met by a list of possible addresses. You can select one or more pages to check:

The convenience is that you do not need to use other programs.

Unfortunately, there are not very many careless programmers who store passwords in clear text. Quite often in the password string we see something like

8743b52063cd84097a65d1633f5c74f5

This is a hash. You can decrypt it with brute force. And… jSQL Injection has a built-in brute-forcer.

6. Brute-forcing hashes with jSQL Injection

Undoubted convenience is that you do not need to look for other programs. There is support for many of the most popular hashes.

This is not the best option. In order to become a guru in deciphering hashes, the book "" in Russian is recommended.

But, of course, when there is no other program at hand or there is no time to study, jSQL Injection with a built-in brute-force function will come in handy.

There are settings: you can set which characters are included in the password, the password length range.

7. File operations after SQL injection detection

In addition to operations with databases - reading and modifying them, if SQL injections are detected, the following file operations can be performed:

• reading files on the server
• uploading new files to the server
• uploading shells to the server

And all this is implemented in jSQL Injection!

There are limitations - the SQL server must have file privileges. Reasonable system administrators they are disabled and access to file system cannot be obtained.

The presence of file privileges is easy enough to check. Go to one of the tabs (reading files, creating a shell, uploading a new file) and try to perform one of the indicated operations.

Another very important note - we need to know the exact absolute path to the file with which we will work - otherwise nothing will work.

Look at the following screenshot:

Any attempt to operate on a file is answered by: No FILE privilege(no file privileges). And nothing can be done here.

If instead you have another error:

Problem writing into [directory_name]

This means that you incorrectly specified the absolute path where you want to write the file.

In order to assume an absolute path, one must at least know operating system on which the server is running. To do this, switch to the Network tab.

Such an entry (string Win64) gives us reason to assume that we are dealing with Windows OS:

Keep-Alive: timeout=5, max=99 Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6 Connection: Keep-Alive Method: HTTP/1.1 200 OK Content-Length: 353 Date: Fri, 11 Dec 2015 11:48:31 GMT X-Powered-By: PHP/7.0.0RC6 Content-Type: text/html; charset=UTF-8

Here we have some Unix (*BSD, Linux):

Transfer-Encoding: chunked Date: Fri, 11 Dec 2015 11:57:02 GMT Method: HTTP/1.1 200 OK Keep-Alive: timeout=3, max=100 Connection: keep-alive Content-Type: text/html X- Powered-By: PHP/5.3.29 Server: Apache/2.2.31 (Unix)

And here we have CentOS:

Method: HTTP/1.1 200 OK Expires: Thu, 19 Nov 1981 08:52:00 GMT Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/ Connection: keep-alive X-Cache-Lookup: MISS from t1.hoster.ru:6666 Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.4.37 X-Cache: MISS from t1.hoster.ru Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Date: Fri, 11 Dec 2015 12:08:54 GMT Transfer-Encoding: chunked Content-Type: text/html; charset=WINDOWS-1251

On Windows, a typical site folder is C:\Server\data\htdocs\. But, in fact, if someone "thought" of making a server on Windows, then, very likely, this person has not heard anything about privileges. Therefore, you should start trying directly from the C: / Windows / directory:

As you can see, everything went perfectly the first time.

But the jSQL Injection shells themselves raise my doubts. If you have file privileges, then you may well upload something with a web interface.

8. Bulk checking sites for SQL injections

And even jSQL Injection has this feature. Everything is extremely simple - upload a list of sites (can be imported from a file), select those that you want to check and click the appropriate button to start the operation.

Output by jSQL Injection

jSQL Injection is a good, powerful tool for finding and then using SQL injections found on sites. Its undoubted advantages: ease of use, built-in related functions. jSQL Injection can be a beginner's best friend when analyzing websites.

Of the shortcomings, I would note the impossibility of editing databases (at least I did not find this functionality). As with all tools with a graphical interface, the inability to use in scripts can be attributed to the disadvantages of this program. Nevertheless, some automation is possible in this program too - thanks to the built-in mass site check function.

jSQL Injection is much more convenient to use than sqlmap . But sqlmap supports more kinds of SQL injection, has file firewall options, and some other features.

Bottom line: jSQL Injection - best friend novice hacker.

You can find help for this program in the Kali Linux Encyclopedia on this page: http://kali.tools/?p=706

This time I will try to tell you what dorks should not be. Since you often have to work with clients whose dorks look completely crazy. And after talking a little, it turns out that they also paid for these dorks. Infuriates, in general) I myself, out of my own stupidity, bought Dorks, both for 300 rubles and for 20 rubles. But I have not yet met a competent person who will make dorks that will be good and the search engine will give out what I need from them. Not trying to offend anyone, and then just a personal opinion. First, before buying, always ask for 10-15 roads to check, just visually evaluate them. I hope after this guide you will be able to identify more or less sharpened dorks for your request from those that cannot even be called public. Go! It's easier for me to work with examples, so I'll try to jot down a list of "game" roads that sometimes come across, and tell you what to look for:
Code: mistake.php?gta_5= frame

Parsing the dork into parts: mistake.php - here, it is assumed that this word should be present in the link. In fact, it's a little different. In order for a word to be present in the link, it must be applied to the inurl: or allinurl operator:

Suppose we come across some links with this word. But, it is this part (judging by the dork) that should refer to the title of the page. I don't know what coder would make the mistake.php page on their gaming site. Certainly, there will be. But it will be a very small percentage.

As for me, the page should be more or less with a popular name used by php coders. A couple more pages that are not desirable in dorks (often dork sellers use random words): Code: gta5.php - no one will call the page farcry_primal.php farcry_primal.cfm - the .cfm extension is used in ASP.NET, yes, on it they write, but not as often as in php. And to run into a page with this name, it's a great success kramble.php how_to_work.php catch "in.php - special characters should not be in the page name jzooo.php - in general, understand what the hell is this page game_of_trone.php - a rare page , + does not apply to games, but most likely to the title of the movie I hope you understand the approximate logic.

The page should have a logical title, this is the main thing. It doesn't really matter if the title has something related to the gaming theme or not. Which pages are mainly used by coders, and in general the more popular ones that can be used in dorks:

Index.php
private.php
pm.php
user.php
members.php
area.php
config.php
search.php
redirect.php
r.php (same redirect)
s.php (same search)
mail.php forum.php
post.php account.php
exit.php
query.php
q.php (same query), etc.

More or less like this.

The name of the page in the dork (if any) should be monosyllabic, convenient for use on the site, and carry some kind of logical connotation. It's not scary that we don't have names like steam.php or steam_keys.php or roulette.php here, it's important for us to find more links. And the more often a query word is used on websites, the better. More or less necessary for us on the subject, we will select with the help of the rest of the dork We figured out the names of the pages, but this is not the most important thing.

Let's move on to the second part.

Meet this GET request: ?gta_5 - I must say right away that there are no such requests. (I remind you that this is my personal opinion) GET request, ideally, which we need, should contact the database, and in the case SQL injection, cause an output error from the database. This is what we need. However, finding a request that would be called gta_5 - again, great luck. And if we find him, we need to make him vulnerable. This again discards most of the links we are interested in. A couple more examples of bad, not good requests:

Groove=
?paypal=
?qiwi_wallet=
?my_money=
?dai_webmoney=
?skdoooze=
?sadlkjadlkjswq=
?213123=
?777=

Why is paypal a bad request? Because it is assumed that with this request we want to access the database with a paypal selection. No one keeps the paypal database, except perhaps for the company itself. Again, I'm cheating.

Examples of good queries, good ones that everyone loves to use because they are short, convenient, easy to remember, and have at least some logic:
?id=
?cat=
?cat_id=
?get=
?post=
?frame=
?r=
?redirect= (you get the idea)
?banner=
?go=
?leave=
?login=
?pass=
?password=
?username=
?user=
?search=
?s=
?wallet=
?acc=
?balance=
?do=
?page=
?page_id=
?topic=
?forum=
?thread=
?download=
?free=
?message=
Of course, you can continue indefinitely.
But these are universal requests that can perfectly suit mix dorks, gaming, cash, and any other. We will come across forums, torrent sites, and everything else. For example, a couple of queries that may come in handy, let's say for game queries:
?game=
?game_id=
?battle=
?log=
?team=
?weapon=
?inv= (inventory)
?gamedata=
?player=
?players=
?play= (came across sites with video clips)
?playtag=
?match=

Approximately the same query logic should be applied to other topics, ideally. At least you need to understand English a little, and realize what dorks you buy. In general, it is enough to look at 10-20 doors and it will immediately become clear what kind of mega privat you bought, and whether it is worth contacting this seller in the future. Or in general, to make a refund through black, if you see that your dorks contain sex.php? or? photo= and you ordered dorks for shops. Hands under the train to such figures

And so, finally, the most important part of the dork (which is sometimes absent altogether). If we have just considered the name of the GET request (not the request itself), now we are just moving on to the request, which can help us find exactly what we need. From our test dork, this is the part - frame

I won’t say that this is a bad request, but given that we are looking for gaming sites, the effectiveness of such a request is about 15-20%. For a mix of roads, or just for the number of links (just to merge something), it will do. The name of the request can include, as many dork tutorials and manuals correctly say, any words related to our topic. We will not deviate from game requests, so I will give an example of good, suitable requests for games:
game
gaming
exp
player
level
players
dota
counter-strike
AWP | Aziimov
M19
NAVI
play free
free games
download game
game forum
about game
screenshot game
game guide

It should be clear what the theme of your roads is. If you have something like the following in the purchased dorks (and we bought game dorks): Code: watch freedom text dsadaswe 213123321 ledy gaga fuck america bla bla girl tits free XXX porn futurama s01e13 Then again, feel free to send the seller's nafik and throw out your dorks. You can’t see gaming sites :) One more thing, with these requests you can use the operators - intitle: , allintitle: , intext: , allintext: Where, after the colon, there will be the game request itself from the list a little higher (intitle: game, allintext: play free )

It seems to be everything that I wanted to convey. Basically, I hope the article will be useful at least somehow for beginners (it would be useful for me and help save a few hundred rubles, and help put in place dishonest sellers dorok). Well, if you more or less understood how to make dorks yourself, I will only be happy. Train, fill your eye / hand, there is nothing particularly complicated in the dorks. And lastly, I don’t know how in the dumper, but the a-parser calmly eats and looks for many links with requests in Russian. Why not, I thought. Tested, the effect pleased me. You can laugh))

Frame.php?name= free games
get.php?query= download cs
search.php?ok= game servers

Any search for vulnerabilities on web resources begins with reconnaissance and information gathering.
Intelligence can be either active - brute force of files and directories of the site, launching vulnerability scanners, manually viewing the site, or passive - searching for information in different search engines. Sometimes it happens that a vulnerability becomes known even before the opening of the first page of the site.

How is this possible?
Search robots, constantly roaming the Internet, in addition to information useful to an ordinary user, often fix what can be used by attackers when attacking a web resource. For example, script errors and files with sensitive information (from configuration files and logs to files with authentication data and database backups).
From the point of view of a search robot, an sql query execution error message is plain text, inseparable, for example, from the description of the goods on the page. If suddenly the search robot stumbled upon a file with the .sql extension, which for some reason ended up in working folder site, it will be treated as part of the content of the site and will also be indexed (including, possibly, the passwords specified in it).

Such information can be found by knowing strong, often unique, keywords that help separate "vulnerable pages" from pages that do not contain vulnerabilities.
Huge database of special requests using keywords(so-called dorks) exists at exploit-db.com and is known as the Google Hack Database.

Why google?
Dorks are targeted primarily at google for two reasons:
− the most flexible syntax for keywords (given in Table 1) and special characters (given in Table 2);
- the google index is still more complete than that of other search engines;

Table 1 - Key google keywords

Keyword	Meaning	Example
site	Search only on the specified site. Considers only url	site:somesite.ru - finds all pages on the given domain and subdomains
inurl	Search by words present in uri. Unlike cl. words “site”, searches for matches after the site name	inurl:news - finds all pages where the given word occurs in the uri
intext	Search in the body of the page	intext:"traffic" - completely similar to the usual query "traffic"
title	Search in the title of the page. Text between tags