Run the downloaded file by double clicking (you need to have a virtual machine).

3. Anonymity when checking the site for SQL injections

Setting up Tor and Privoxy in Kali Linux

[Section under development]

Setting up Tor and Privoxy on Windows

[Section under development]

jSQL Injection proxy settings

[Section under development]

4. Checking the site for SQL injection with jSQL Injection

Working with the program is extremely simple. Just enter the site address and press ENTER.

The following screenshot shows that the site is vulnerable to three types of SQL injections at once (information about them is indicated in the lower right corner). By clicking on the names of the injections, you can switch the method used:

Also, we have already displayed the existing databases.

You can see the contents of each table:

Usually, the most interesting part of the tables is the administrator credentials.

If you are lucky and you found the administrator's data, then it's too early to rejoice. You also need to find the admin panel, where to enter these data.

5. Search for admins with jSQL Injection

To do this, go to the next tab. Here we are met by a list of possible addresses. You can select one or more pages to check:

The convenience is that you do not need to use other programs.

Unfortunately, there are not very many careless programmers who store passwords in clear text. Quite often in the password string we see something like

8743b52063cd84097a65d1633f5c74f5

This is a hash. You can decrypt it with brute force. And… jSQL Injection has a built-in brute-forcer.

6. Brute-forcing hashes with jSQL Injection

Undoubted convenience is that you do not need to look for other programs. There is support for many of the most popular hashes.

This is not the best option. In order to become a guru in deciphering hashes, the book "" in Russian is recommended.

But, of course, when there is no other program at hand or there is no time to study, jSQL Injection with a built-in brute-force function will come in handy.

There are settings: you can set which characters are included in the password, the password length range.

7. File operations after SQL injection detection

In addition to operations with databases - reading and modifying them, if SQL injections are detected, the following file operations can be performed:

• reading files on the server
• uploading new files to the server
• uploading shells to the server

And all this is implemented in jSQL Injection!

There are limitations - the SQL server must have file privileges. With reasonable system administrators, they are disabled and access to the file system cannot be obtained.

The presence of file privileges is easy enough to check. Go to one of the tabs (reading files, creating a shell, uploading a new file) and try to perform one of the indicated operations.

Another very important note - we need to know the exact absolute path to the file with which we will work - otherwise nothing will work.

Look at the following screenshot:

Any attempt to operate on a file is answered by: No FILE privilege(no file privileges). And nothing can be done here.

If instead you have another error:

Problem writing into [directory_name]

This means that you incorrectly specified the absolute path where you want to write the file.

In order to assume an absolute path, one must at least know the operating system the server is running on. To do this, switch to the Network tab.

Such an entry (string Win64) gives us reason to assume that we are dealing with Windows OS:

Keep-Alive: timeout=5, max=99 Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6 Connection: Keep-Alive Method: HTTP/1.1 200 OK Content-Length: 353 Date: Fri, 11 Dec 2015 11:48:31 GMT X-Powered-By: PHP/7.0.0RC6 Content-Type: text/html; charset=UTF-8

Here we have some Unix (*BSD, Linux):

Transfer-Encoding: chunked Date: Fri, 11 Dec 2015 11:57:02 GMT Method: HTTP/1.1 200 OK Keep-Alive: timeout=3, max=100 Connection: keep-alive Content-Type: text/html X- Powered-By: PHP/5.3.29 Server: Apache/2.2.31 (Unix)

And here we have CentOS:

Method: HTTP/1.1 200 OK Expires: Thu, 19 Nov 1981 08:52:00 GMT Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/ Connection: keep-alive X-Cache-Lookup: MISS from t1.hoster.ru:6666 Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.4.37 X-Cache: MISS from t1.hoster.ru Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Date: Fri, 11 Dec 2015 12:08:54 GMT Transfer-Encoding: chunked Content-Type: text/html; charset=WINDOWS-1251

On Windows, a typical site folder is C:\Server\data\htdocs\. But, in fact, if someone "thought" of making a server on Windows, then, very likely, this person has not heard anything about privileges. Therefore, you should start trying directly from the C: / Windows / directory:

As you can see, everything went perfectly the first time.

But the jSQL Injection shells themselves raise my doubts. If you have file privileges, then you may well upload something with a web interface.

8. Bulk checking sites for SQL injections

And even jSQL Injection has this feature. Everything is extremely simple - upload a list of sites (can be imported from a file), select those that you want to check and click the appropriate button to start the operation.

Output by jSQL Injection

jSQL Injection is a good, powerful tool for finding and then using SQL injections found on sites. Its undoubted advantages: ease of use, built-in related functions. jSQL Injection can be a beginner's best friend when analyzing websites.

Of the shortcomings, I would note the impossibility of editing databases (at least I did not find this functionality). As with all tools with a graphical interface, the inability to use in scripts can be attributed to the disadvantages of this program. Nevertheless, some automation is possible in this program too - thanks to the built-in mass site check function.

established sample and certificate. Special discount for any faculties and courses!

How to search using google.com

Everyone probably knows how to use a search engine like Google =) But not everyone knows that if you correctly compose a search query using special structures, you can achieve the results of what you are looking for much more efficiently and faster =) In this article I will try to show that and how you need to do to search correctly

Google supports several advanced search operators that have special meaning when searching on google.com. Typically, these operators modify the search, or even tell Google to do completely different types of searches. For example, the construction link: is a special operator, and the query link:www.google.com will not give you a normal search, but will instead find all web pages that have links to google.com.
alternative request types

cache: If you include other words in the query, Google will highlight those included words within the cached document.
For example, cache:www.web site will show cached content with the word "web" highlighted.

link: the above search query will show web pages that contain links to the specified query.
For example: link:www.website will display all pages that have a link to http://www.site

related: Displays web pages that are "related" to the specified web page.
For example, related: www.google.com will list web pages that are similar to the Google home page.

info: Request Information: will provide some information that Google has about the requested web page.
For example, info:website will show information about our forum =) (Armada - Forum of adult webmasters).

Other information requests

define: The define: query will provide a definition of the words you type after this, compiled from various online sources. The definition will be for the entire phrase entered (that is, it will include all words in the exact query).

stocks: If you start a query with stocks: Google will treat the rest of the query terms as stock tickers, and link to a page showing the prepared information for those characters.
For example, stocks: intel yahoo will show information about Intel and Yahoo. (Note that you must print breaking news characters, not the company name)

Request Modifiers

site: If you include site: in your query, Google will limit the results to the websites it finds in that domain.
You can also search for individual zones, such as ru, org, com, etc ( site:com site:ru)

allintitle: If you run a query with allintitle:, Google will limit results with all the query words in the title.
For example, allintitle: google search will return all Google search pages like images, Blog, etc

title: If you include intitle: in your query, Google will restrict results to documents containing that word in the title.
For example, title:Business

allinurl: If you run a query with allinurl: Google will limit the results with all the query words in the URL.
For example, allinurl: google search will return documents with google and search in the title. Also, as an option, you can separate words with a slash (/) then the words on both sides of the slash will be searched within the same page: Example allinurl: foo/bar

inurl: If you include inurl: in your query, Google will limit the results to documents containing that word in the URL.
For example, Animation inurl:website

intext: searches only in the text of the page for the specified word, ignoring the title and texts of links, and other things not related to. There is also a derivative of this modifier - allintext: those. further, all words in the query will be searched only in the text, which is also important, ignoring frequently used words in links
For example, intext:forum

daterange: searches in time frames (daterange:2452389-2452389), dates for time are specified in Julian format.

Well, and all sorts of interesting examples of requests

Examples of compiling queries for Google. For spammers

inurl:control.guest?a=sign

Site:books.dreambook.com “Homepage URL” “Sign my” inurl:sign

Site:www.freegb.net Homepage

Inurl:sign.asp "Character Count"

"Message:" inurl:sign.cfm "Sender:"

inurl:register.php “User Registration” “Website”

Inurl:edu/guestbook “Sign the Guestbook”

Inurl:post "Post Comment" "URL"

Inurl:/archives/ “Comments:” “Remember info?”

“Script and Guestbook Created by:” “URL:” “Comments:”

inurl:?action=add “phpBook” “URL”

Intitle:"Submit New Story"

Magazines

inurl:www.livejournal.com/users/mode=reply

inurl greatestjournal.com/mode=reply

Inurl:fastbb.ru/re.pl?

Inurl:fastbb.ru /re.pl? "Guest book"

Blogs

Inurl:blogger.com/comment.g?”postID”"anonymous"

Inurl:typepad.com/ “Post a comment” “Remember personal info?”

Inurl:greatestjournal.com/community/ “Post comment” “addresses of anonymous posters”

“Post comment” “addresses of anonymous posters” -

Intitle:"Post comment"

Inurl:pirillo.com “Post comment”

Forums

Inurl:gate.html?”name=Forums” “mode=reply”

inurl:”forum/posting.php?mode=reply”

inurl:”mes.php?”

inurl:”members.html”

inurl:forum/memberlist.php?”

Slito

Hi all guys!
I want to say right away that I am not a deep profile specialist - there are people who are smarter and with deeper knowledge. For me personally, it's a hobby. But there are people who know less than me - first of all, the material is not designed for complete fools, but you don’t need to be super pro to understand it.
Many of us are used to thinking that dork is a vulnerability, alas, you were mistaken - in essence, dork is a search query sent to a search engine.
That is the word index.php?id= dork
but the word Shop is also a dork.
In order to understand what you want, you must be clearly aware of what your requirements for the search engine are. The usual kind of dork index.php?id= can be divided into
index - key
.php? - a code indicating that you need a site based on Php
id= ID of something on the site
id=2 in our case 2 is an indication with which parameter the identifier should be parsed.
If you write index.php?id=2, then there will be sites only where id=2, in case of a mismatch, the site will be filtered out. For this reason, writing an exact indication of the identifier does not make sense - since it can be 1,2,3,4,5 and ad infinitum.
If you decide to create an exact dork, let's say under steam, then it makes sense to give it this look
inurl:game* +intext:"csgo"
it will parse the word game* in the site URL (where * is an arbitrary number of characters after the word game - after all, it can be games and the like)
It is also worth using an operator such as intitle:
If you see a good gaming site or have a list of vulnerable gaming sites
it makes sense to use the related operator for parsing:
For related: a value in the form of a link to the site is suitable
related: ***
- it will find all sites from the point of view of the search engine similar to the specified one
Remember - a dork is a parsing - it's not a hole.
A hole, it is a vulnerability that is detected by a scanner based on what you have parsed.
I personally do not advise using a large number of prefixes (search operators) when you work without proxies.
I'll tell you about the method of creating private roads for the country
In order to create a dork like index.php? id = we have to parse it
index - we will replace with an arbitrary word
.php?id= will be our dork code
There is no point in inventing a new code - because many sites are stable on the same codes and engines and will continue to be. List of codes:

Spoiler: Dorks

php?ts=
.php?topic=
.php?t=
.php?ch=
.php?_nkw=
.php?id=
.php?option=
.php?view=
.php?lang=
.php?page=
.php?p=
.php?q=
.php?gdjkgd=
.php?son=
.php?search=
.php?uid=
.php?title=
.php?id_q=
.php?prid=
.php?tag=
.php?letter=
.php?prid=
.php?catid=
.php?ID=
.php?iWine=
.php?productID=
.php?products_id=
.php?topic_id=
.php?pg=
.php?clan=
.php?fid=
.php?url=
.php?show=
.php?inf=
.php?event_id=
.php?term=
.php?TegID=
.php?cid=
.php?prjid=
.php?pageid=
.php?name=
.php?id_n=
.php?th_id=
.php?category=
.php?book_id=
.php?isbn=
.php?item_id=
.php?sSearchword=
.php?CatID=
.php?art=
.html?ts=
.html?topic=
.html?t=
.html?ch=
.html?_nkw=
.html?id=
.html?option=
.html?view=
.html?lang=
.html?page=
.html?p=
.html?q=
.html?gdjkgd=
.html?son=
.html?search=
.html?uid=
.html?title=
.html?id_q=
.html?prId=
.html?tag=
.html?letter=
.html?prid=
.html?catid=
.html?ID=
.html?iWine=
.html?productID=
.html?products_id=
.html?topic_id=
.html?pg=
.html?clan=
.html?fid=
.html?url=
.html?show=
.html?inf=
.html?event_id=
.html?term=
.html?TegID=
.html?cid=
.html?prjid=
.html?pageid=
.html?name=
.html?id_n=
.html?th_id=
.html?category=
.html?book_id=
.html?isbn=
.html?item_id=
.html?sSearchword=
.html?CatID=
.html?art=
.aspx?ts=
.aspx?topic=
.aspx?t=
.aspx?ch=
.aspx?_nkw=
.aspx?id=
.aspx?option=
.aspx?view=
.aspx?lang=
.aspx?page=
.aspx?p=
.aspx?q=
.aspx?gdjkgd=
.aspx?son=
.aspx?search=
.aspx?uid=
.aspx?title=
.aspx?id_q=
.aspx?prId=
.aspx?tag=
.aspx?letter=
.aspx?prid=
.aspx?catid=
.aspx?ID=
.aspx?iWine=
.aspx?productID=
.aspx?products_id=
.aspx?topic_id=
.aspx?pg=
.aspx?clan=
.aspx?fid=
.aspx?url=
.aspx?show=
.aspx?inf=
.aspx?event_id=
.aspx?term=
.aspx?TegID=
.aspx?cid=
.aspx?prjid=
.aspx?pageid=
.aspx?name=
.aspx?id_n=
.aspx?th_id=
.aspx?category=
.aspx?book_id=
.aspx?isbn=
.aspx?item_id=
.aspx?sSearchword=
.aspx?CatID=
.aspx?art=
.asp?ts=
.asp?topic=
.asp?t=
.asp?ch=
.asp?_nkw=
.asp?id=
.asp?option=
.asp?view=
.asp?lang=
.asp?page=
.asp?p=
.asp?q=
.asp?gdjkgd=
.asp?son=
.asp?search=
.asp?uid=
.asp?title=
.asp?id_q=
.asp?prId=
.asp?tag=
.asp?letter=
.asp?prid=
.asp?catid=
.asp?ID=
.asp?iWine=
.asp?productID=
.asp?products_id=
.asp?topic_id=
.asp?pg=
.asp?clan=
.asp?fid=
.asp?url=
.asp?show=
.asp?inf=
.asp?event_id=
.asp?term=
.asp?TegID=
.asp?cid=
.asp?prjid=
.asp?pageid=
.asp?name=
.asp?id_n=
.asp?th_id=
.asp?category=
.asp?book_id=
.asp?isbn=
.asp?item_id=
.asp?sSearchword=
.asp?CatID= .asp?art=
.htm?ts= .htm?topic=
.htm?t= .htm?ch=
.htm?_nkw=
.htm?id=
.htm?option=
.htm?view=
.htm?lang=
.htm?page=
.htm?p=
.htm?q=
.htm?gdjkgd=
.htm?son=
.htm?search=
.htm?uid=
.htm?title=
.htm?id_q=
.htm?prId=
.htm?tag=
.htm?letter=
.htm?prid=
.htm?catid=
.htm?ID=
.htm?iWine=
.htm?productID=
.htm?products_id=
.htm?topic_id=
.htm?pg=
.htm?clan=
.htm?fid=
.htm?url=
.htm?show=
.htm?inf=
.htm?event_id=
.htm?term=
.htm?TegID=
.htm?cid=
.htm?prjid=
.htm?pageid=
.htm?name=
.htm?id_n=
.htm?th_id=
.htm?category=
.htm?book_id=
.htm?isbn=
.htm?item_id=
.htm?sSearchword=
.htm?CatID=
.htm?art=
.cgi?ts=
.cgi?topic=
.cgi?t=
.cgi?ch=
.cgi?_nkw=
.cgi?id=
.cgi?option=
.cgi?view=
.cgi?lang=
.cgi?page=
.cgi?p=
.cgi?q=
.cgi?gdjkgd=
.cgi?son=
.cgi?search=
.cgi?uid=
.cgi?title=
.cgi?id_q=
.cgi?prId=
.cgi?tag=
.cgi?letter=
.cgi?prid=
.cgi?catid=
.cgi?ID=
.cgi?iWine=
.cgi?productID=
.cgi?products_id=
.cgi?topic_id=
.cgi?pg=
.cgi?clan=
.cgi?fid=
.cgi?url=
.cgi?show=
.cgi?inf=
.cgi?event_id=
.cgi?term=
.cgi?TegID=
.cgi?cid=
.cgi?prjid=
.cgi?pageid=
.cgi?name=
.cgi?id_n=
.cgi?th_id=
.cgi?category=
.cgi?book_id=
.cgi?isbn=
.cgi?item_id=
.cgi?sSearchword=
.cgi?CatID=
.cgi?art=
.jsp?ts=
.jsp?topic=
.jsp?t=
.jsp?ch=
.jsp?_nkw=
.jsp?id=
.jsp?option=
.jsp?view=
.jsp?lang=
.jsp?page=
.jsp?p=
.jsp?q=
.jsp?gdjkgd=
.jsp?son=
.jsp?search=
.jsp?uid=
.jsp?title=
.jsp?id_q=
.jsp?prId=
.jsp?tag=
.jsp?letter=
.jsp?prid=
.jsp?catid=
.jsp?ID=
.jsp?iWine=
.jsp?productID=
.jsp?products_id=
.jsp?topic_id=
.jsp?pg=
.jsp?clan=
.jsp?fid=
.jsp?url=
.jsp?show=
.jsp?inf=
.jsp?event_id=
.jsp?term=
.jsp?TegID=
.jsp?cid=
.jsp?prjid=
.jsp?pageid=
.jsp?name=
.jsp?id_n=
.jsp?th_id=
.jsp?category=
.jsp?book_id=
.jsp?isbn=
.jsp?item_id=
.jsp?sSearchword=
.jsp?CatID=
.jsp?art=

We will use these codes for the dork generator.
We go to Google translator - we translate into Italian - the list of the most frequently used words.
We parse a list of words in Italian - insert dorks into the first column of the generator - put codes into the second, usually php is a variety of sites, cfm shops, jsp - games.
We generate - we remove gaps. Private dorks for Italy are ready.
It also makes sense to insert phrases in the same language into the right column in the style of "remember me, forgot password" instead of site:it
They will parse cool, they will be private if you parse something unique and replace the dork key.
And add remember me in the same language - then the sites will fly only with bases.
It's all about thinking. Dorks will be of the form name.php?uid= all their token will be in a unique key. They will be mixed, the Inurl: operator does not need to be applied - since parsing will go without it both in the url, and in the text, and in the title.
After all, the meaning of the dork is all in the fact that it can be anything - and steam, and a stick, and a netteler - or maybe not. Here you need to take the quantity.
There is also the so-called vulnerability parsing.

Spoiler: Dorks

intext:"java.lang.NumberFormatException: null"
intext:"error in your SQL syntax"
intext:"mysql_num_rows()"
intext:"mysql_fetch_array()"
intext:"Error Occurred While Processing Request"
intext:"Server Error in "/"Application"
intext:"Microsoft OLE DB Provider for ODBC Drivers error"
intext:"Invalid Querystring"
intext:"OLE DB Provider for ODBC"
intext:"VBScript Runtime"
intext:"ADODB.Field"
text:"BOF or EOF"
intext:"ADODB.Command"
intext:"JET Database"
intext:"mysql_fetch_row()"
intext:"Syntax error"
intext:"include()"
intext:"mysql_fetch_assoc()"
intext:"mysql_fetch_object()"
intext:"mysql_numrows()"
intext:"GetArray()"
intext:"FetchRow()"

Any search for vulnerabilities on web resources begins with reconnaissance and information gathering.
Intelligence can be either active - brute force of files and directories of the site, launching vulnerability scanners, manually viewing the site, or passive - searching for information in different search engines. Sometimes it happens that a vulnerability becomes known even before the opening of the first page of the site.

How is this possible?
Search robots, constantly roaming the Internet, in addition to information useful to the average user, often fix what can be used by attackers when attacking a web resource. For example, script errors and files with sensitive information (from configuration files and logs to files with authentication data and database backups).
From the point of view of a search robot, an sql query execution error message is a plain text, inseparable, for example, from the description of the goods on the page. If suddenly the search robot stumbles upon a file with the .sql extension, which for some reason ended up in the working folder of the site, then it will be perceived as part of the site's content and will also be indexed (including, possibly, the passwords specified in it).

Such information can be found by knowing strong, often unique, keywords that help separate "vulnerable pages" from pages that do not contain vulnerabilities.
A huge database of special queries using keywords (so-called dorks) exists at exploit-db.com and is known as the Google Hack Database.

Why google?
Dorks are targeted primarily at google for two reasons:
− the most flexible syntax for keywords (given in Table 1) and special characters (given in Table 2);
- the google index is still more complete than that of other search engines;

Table 1 - Key google keywords