Havij: Advanced SQL Injection Tool Tutorial

A Database Management System (DBMS) plays a very important role in developing a system. It controls the creation, maintenance, and use of a database. Social networking websites are among the best examples of websites that use a DBMS: every piece of information about their users is stored in the database, including name, age, address, sex and location.

Most developers tend to use SQL as their Database Management System (DBMS) because of its high performance, high reliability and ease of use. Many organizations rely on SQL to save time and money, which is why it became the standard application included in open source server packages like LAMP. These are some of the reasons why SQL is one of the applications prone to the social engineering known as SQL injection.



SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
- Microsoft





Many websites are vulnerable to SQL injection, and the vulnerability can be exploited by injecting manually or by using an automated SQL injection tool.

Havij is an automated injection tool designed to exploit the vulnerabilities of a website using SQL injection.

Tutorial

Note: Some important data of the vulnerable site is hidden to protect its privacy.

2. Use Google with the keywords "inurl:index.php?id=" to search for a website that is still vulnerable to SQL injection.
Note: Many keywords can be used to find vulnerable sites, but we will use this one as an example.

3. Open any one of the websites in the Google results and put ' after the link.

4. The website is vulnerable to an SQL injection attack if the site displays the same error as the image below.
5. Open Havij: Advanced SQL Injection Tool, paste the vulnerable website link and click "Analyze".
Note: The tool has successfully retrieved the database name if the "Status" is "I'm IDLE" and "Current DB" shows the database name of the vulnerable website.
6. Click "Tables", then "Get Tables".
Note: The tool has successfully retrieved the table names if the "Status" is "I'm IDLE" and "Tables Found" shows the table names of the vulnerable website.
7. Choose a "Table Name", then click "Get Columns".
Note: The tool has successfully retrieved the column names if the "Status" is "I'm IDLE" and "Columns Found" shows the column names of the vulnerable website.
8. Choose a "Column Name", then click "Get Data".
Note: The tool has successfully retrieved the data if the "Status" is "I'm IDLE" and "Data Found" shows the data of the vulnerable website.
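
The error in steps 3 and 4 appears because the page builds its query by concatenating the id value into the SQL string and shows the database error to the visitor. The following is an added example, not part of the original tutorial: it puts that pattern beside a hardened lookup, using an in-memory SQLite database in Python as a stand-in for the site's backend. The table, rows and function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed sample database standing in for the site's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(1, "Welcome"), (2, "Contact")])
    return db

def get_article_vulnerable(db, raw_id):
    """The pattern behind index.php?id=...: input concatenated into the SQL."""
    query = "SELECT title FROM articles WHERE id = " + raw_id
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Showing the database error to the visitor is the signal from step 4.
        return "SQL error: %s" % exc
    return row[0] if row else "Not found"

def get_article_hardened(db, raw_id):
    """Validate the id, bind it as a parameter, and never echo DB errors."""
    # Allow-list check: the id must be 1 to 10 ASCII digits and nothing else.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return "Not found"
    try:
        # The ? placeholder sends the value as data, never as SQL text.
        row = db.execute("SELECT title FROM articles WHERE id = ?",
                         (int(raw_id),)).fetchone()
    except sqlite3.Error:
        # Record the detail in server-side logs; the visitor sees nothing new.
        return "Not found"
    return row[0] if row else "Not found"

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "3"):
        print(repr(value), "->", get_article_vulnerable(db, value),
              "|", get_article_hardened(db, value))
```

With the hardened lookup, the id followed by ' returns the same generic response as a missing record, so the page no longer reveals whether input reaches the SQL parser.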
