How to hack a Website or websites database


 Hello friends , welcome back to hacking class, today i will explain all the methods that are being used to hack a website or websites database. This is the first part of the class “How to hack a website or Websites database” and in this i will introduce all website hacking methods. Today I will give you the overview and in later classes we will discuss them one by one with practical examples. So guys get ready for first part of Hacking websites class…. Don’t worry i will also tell you how to protect your websites from these attacks and other methods like hardening of SQL and hardening of web servers and key knowledge about CHMOD rights that what thing should be give what rights…


Note : This post is only for Educational Purpose only.

What are basic things you should know before website hacking?

1. Basics of HTML, SQL, PHP.

2. Basic knowledge of Javascript.

3. Basic knowledge of servers that how servers work.

4. And most important expertize in removing traces otherwise u have to suffer consequences.

Now First two things you can learn from a very famous website for basics of Website design with basics of HTML,SQL,PHP and javascript. http://www.w3schools.com/
And for the fourth point that you should be expert in removing traces . For this you can refer to first 5 hacking classes and specially read these two…

1. Hiding Yourself from being traced.

2. Removing your Traces 


As we know traces are very important. Please don’t ignore them otherwise you can be in big trouble for simply doing nothing. so please take care of this step. 


METHODS OF HACKING WEBSITE:

1. SQL INJECTION

2. CROSS SITE SCRIPTING

3. REMOTE FILE INCLUSION

4. LOCAL FILE INCLUSION

5. DDOS ATTACK 

6. EXPLOITING VULNERABILITY.

Hacking website database for passwords - YouTube


1. SQL INJECTION  First of all what is SQL injection? SQL injection is a type of security exploit or loophole in which a attacker “injects” SQL code through a web form or manipulate the URL’s based on SQL parameters.  It exploits web applications that use client supplied SQL queries.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

For more basic knowledge about SQL injection visit: 

The above tutorial consists of both types of SQL injection i.e. Manual and automatic through softwares. I will explain SQL injection in more detail with practical example in Next class.


2. CROSS SITE SCRIPTING

  Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn’t intended to do.  XSS attacks are very popular and some of the biggest websites have been affected by them including the FBI, CNN, Ebay, Apple, Microsft, and AOL. 
Some website features commonly vulnerable to XSS attacks are:
•  Search Engines
•  Login Forms
•  Comment Fields 

Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

 I will explain this in detail in later hacking classes. So keep reading..

3. REMOTE FILE INCLUSION
Remote file inclusion is the most often found vulnerability on the website.
Remote File Inclusion (RFI) occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website which allows the hacker to execute server side commands as the current logged on user, and have access to files on the server. With this power the hacker can continue on to use local
exploits to escalate his privileges and take over the whole system. 
RFI can lead to following serious things on website :

  • Code execution on the web server
  • Code execution on the client-side such as Javascript which can lead to other attacks such as cross site scripting (XSS).
  • Denial of Service (DoS)
  • Data Theft/Manipulation

 4. LOCAL FILE INCLUSION
  Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory transversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFI’s.
Let’s say a hacker found a vulnerable site, www.target-site.com/index.php?p=about, by means of directory transversal he would try to browse to the /etc/passwd file: 

   www.target-site.com/index.php?p= ../../../../../../../etc/passwd

I will explain it in detail with practical websites example in latter sequential classes on Website Hacking.

HIRE VERIFIED DATABASE PENETRATION EXPERTS

5. DDOS ATTACK

Simply called distributed denial of service attack. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. In DDOS attack we consumes the bandwidth and resources of any website and make it unavailable to its legitimate users.
 For more detailed hack on DDOS visit:

6.EXPLOTING VULNERABILITY

Its not a new category it comprises of above five categories but i mentioned it separately because there are several exploits which cannot be covered in the above five categories. So i will explain them individually with examples. The basic idea behind this is that find the vulnerability in the website and exploit it to get the admin or moderator privileges so that you can manipulate the things easily.

I hope you all now have a overview of that what is Website Hacking. In consecutive future  classes i will explain all of these techniques in details. So guys keep reading..

IF YOU HAVE ANY QUERIES ASK IN COMMENTS…

12 thoughts on “How to hack a Website or websites database

  1. SQL is a language invented for querying and manipulating relational databases. What hackers would do is figure out how to send SQL commands the owners of the database didn’t intend.

    This can be done sometimes by entering SQL commands into forms on websites that were written with the assumption that only non executable data would be entered.

  2. If you are referring to SQL injection then i must tell you that in current software industry nobody uses direct one if else condition to login inside a website .

    This is how previous logins used to be

    User : xyz Password : 124

    if i am logging with correct pass then server side code code does this :

    select * from loginTable where User = xyz

    If this matches with the current then login success .

    Now to break this code simple change is needed .

    just change like this

    Password = (1=1)

    This will be true in every case and hence SQL injection will break the security .

    Now a days LDAP mechanisms are used for login . It’s highly secure and reliable

  3. There is a common misconception based on the fact that one form of hacking is called an SQL injection attack. That seems to imply that somehow SQL is used to attack databases. This is not the case. SQL is used to create, modify, delete, and query databases, not to hack them. SQL is the doorkeeper that grants access to a database. That means that any hack attempt must fool the SQL doorkeeper into letting it through. When you enter data into a data entry field, it is an SQL statement that receives that entry and decides what to do with it. If the entry is not well-formed, as it would purposely not be in a deliberate attack, it’s possible for the SQL guarding the door to mishandle it. This could lead to the unintended revealing of system information, and ultimately to the hacker taking over not just the database, but the entire database server. This whole disaster can be averted by having the doorkeeper respond properly to illegal data entries.

  4. Look, Computer Security is a serious business, as our current world situation shows. If you’re trying to defend your database, this isn’t the forum to find an exhaustive list in.

    That being said, you will have to check for attacks on your session, authentication cookies, XSS, CSRF, etc. Now, especially if you’re on a PHP website, do your homework thoroughly, because remote code execution from SQLi is NOT impossible.

    In short:

    Sanitize all your inputs (but you should already know this);
    Authenticate every request (ditto);
    Prepare for DoS or DDoS attacks (maybe get a CDN?).

  5. since SQL is a database language and all the data are stored in sql.

    And every website has its own database management system that is controlled by its admin.Each and every detail you write in the internet that is saved in databases. Everything literally.

    So hacker’s what do is do SQL-INJECTION in website’s to find vulnerability and flaws . After sql injection hacker’s got everything

  6. great tutorial buddy i hope you make new tutorials as soon as possibile xDDD … if you know Zend Amf server how to do it … pse make a tutorial for me 🙂 thnx

  7. Great post. I was checking continuously this blog and I am impressed!

    Extremely helpful information specially the last part :
    ) I care for such info much. I was looking for this certain info for a
    long time. Thank you and good luck.

  8. With a single piece of malware, vladimir can pinpoint who is behind a cyber-attack, what the specific threat group is, the nation from which the attack is being launched, as well as techniques they used. As such, these professionals are in high demand;

Leave a Reply

Your email address will not be published. Required fields are marked *