MySQL Injection with SQLHelper. (For noobs)

Nefarious · 05-21-2013, 06:22 AM

If you use this tool you will probably get called a skid, faggot, or other mean things.

First download SQLHelper.
Download

Unpack the zip and run the exe.

Now once you have a vulnerable site copy and paste the link into SQLHelper, then click inject.

Spoiler:

Now click get database.

Spoiler:

Now you should see the databases, choose one and click get tables.

Spoiler:

Once that is done pick a table and get the columns.

Spoiler:

Choose one and click dump now.

Spoiler:

Once you have the info you need we will find the admin panel.

Go here and enter the website name.
It should find the admin page.

Spoiler:

Once logged in we can deface or shell the server.

Spoiler:

I was warned not to make this because I would be insulted for it, I'm making it anyway because there are a lot of members here that don't post because they feel like they can't contribute.
If I am able to teach them things why wouldn't I?

Lain · 05-21-2013, 06:38 AM

Awesome tutorial, thanks Biggrin

ErroraBorealis · 05-21-2013, 06:45 AM

Thanks. I'm glad you posted this. Yeah, I could do it manually...but why do it when this is faster? Anyway, I'll be trying to get some DoSing shells up.

Loli · 05-21-2013, 06:49 AM

Nice tutorial for the newbies, however I recommend anyone new to SQLi to do it manually and learn how to do it that way. After you know how to do it, and can do it efficiently manually you can use a automated software. By doing it manually first you will have the knowledge to fix any hiccups the software encounters, and if it can't get through, you can always go back and do it manually to figure out the issue. Smile

Dismas · 05-21-2013, 06:51 AM

(05-21-2013, 06:49 AM)Silica Wrote: Nice tutorial for the newbies, however I recommend anyone new to SQLi to do it manually and learn how to do it that way. After you know how to do it, and can do it efficiently manually you can use a automated software. By doing it manually first you will have the knowledge to fix any hiccups the software encounters, and if it can't get through, you can always go back and do it manually to figure out the issue.

Agreed. You probably stated it in the most respectful way possible.

Nefarious · 05-21-2013, 06:57 AM

(05-21-2013, 06:49 AM)Silica Wrote: Nice tutorial for the newbies, however I recommend anyone new to SQLi to do it manually and learn how to do it that way. After you know how to do it, and can do it efficiently manually you can use a automated software. By doing it manually first you will have the knowledge to fix any hiccups the software encounters, and if it can't get through, you can always go back and do it manually to figure out the issue.

I agree with this, when I first started I used a tool, so I had trouble learning it manually.
After taking the time to try again it was well worth it.
Manual is better.

Unmasked · 05-21-2013, 08:26 AM

I use SQL Map (if not doing manual) because you can spawn shell rather quickly using it.

ErroraBorealis · 05-21-2013, 06:39 PM

(05-21-2013, 08:26 AM)Unmasked Wrote: I use SQL Map (if not doing manual) because you can spawn shell rather quickly using it.

I don't think sqlmap is for windows is it though? I just use backtrack in a vm if I need linux for something like this.

Sapientia · 05-21-2013, 06:50 PM

(05-21-2013, 06:39 PM)Sinisterkid Wrote: I don't think sqlmap is for windows is it though? I just use backtrack in a vm if I need linux for something like this.

Theres a way to use it on windows

[Image: zaEk.png]

Unmasked · 05-21-2013, 07:13 PM

(05-21-2013, 06:39 PM)Sinisterkid Wrote: I don't think sqlmap is for windows is it though? I just use backtrack in a vm if I need linux for something like this.

You can use it on windows it's just a python script.