Monday, June 6, 2011

Havij- SQL Injection For Script Kiddies

Today I am going to be talking about a very awesome SQL injection tool, Havij. I will be honest, this tool is insanely script kiddie, as in the only thing I have to worry about is whether my index finger hurts from clicking a few times. But seriously, this tool is no joke. Besides being able to extract data from MySQL databases with ease, it will also find administrator login pages, crack MD5 hashes, and even give you a command shell on Microsoft SQL Server databases. It has Error Based, Time Based, and Blind injection modes, and supports both GET and POST requests with Integer and String injection. It's very useful for penetration testing, and even when it can't do the work for you, well, you can always fall back to doing it manually, right?

So, to follow this tutorial, you will need a Windows machine, Havij (duh), and access to the Internet. Do you have all of that? Good. Let the hacking begin!

So fire up Havij. You should see something like this-

Looks pretty script kiddie, doesn't it? Now for our target URL. I am going to be using a great site for web app pentesting, which you can find here-


http://www.webscantest.com/

The vulnerable page we will be using is here-


http://webscantest.com/datastore/search_get_by_id.php?id=3

Copy the above URL and paste it into the Target field of Havij. Now click Analyze. You will see something like this-

In the bottom scroll box of Havij, you can see the Injection Type, the database server version, the current database, and whether the target is vulnerable or not (in this case, it is). =)

Now click on the Tables button. You will see this-

Now click on the Get DB's button. In the left list box, you should see a second database appear, information_schema, alongside the current database, scanme. You do not need to check off information_schema unless you want to, because more likely than not, all the important tables, columns, and rows of data are in the scanme database.

Now you will need to click the Get Tables button (make sure you have the scanme database checked off). You will then get some output like this-

Now, as you can see in the left list box, we have extracted two tables from the scanme database- inventory and accounts. I don't care what they're selling, I just want privileges! So check off the accounts table (you can also check off the inventory table if you want to).

Now we want to extract columns from our table. After you have checked off the accounts table, click Get Columns. You will then see this-

Cool! We can see the 5 columns we extracted from the accounts table. Their names are-

--> lname
--> fname
--> passwd
--> uname
--> id


From this point on, we can now extract the data from all of these columns. Check off the ones you want to extract data from (I will just check them all off), and now we can get some account credentials!

As you can see, we have administrator credentials. But wait! The password is an MD5 hash! Well, there is an MD5 cracking utility built into Havij...

Yeah, let's use it. You see, the MD5 cracker is not actually implemented in Havij itself. Havij simply passes the MD5 hash to a number of different online MD5 crackers. The way to do this is simple- hover your mouse over the MD5 hash you see in the output of the data dump we did from the passwd column (we are cracking the admin hash), and double-click. The hash should be highlighted, so right-click and copy it (Ctrl-C). Then click on the MD5 button. Simply paste the hash you copied earlier into the MD5 hash text box, and click Start. Havij will then pass our MD5 hash to a bunch of MD5 cracking websites. When all is said and done, you will see this-

According to the output, the plaintext of our MD5 hash is admin. Now navigate to the login page of our vulnerable site-


http://www.webscantest.com/login.php

In the Login: field, we will use our uname, which is admin. And for the Password: field, we will use our password, which is admin.
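As an added example that is not part of the original post, here is what Havij's Analyze step actually finds on a page like search_get_by_id.php, written in Python against an in-memory SQLite stand-in for the scanme database: the id parameter spliced straight into the SQL text, beside the parameterized fix, and why the unsalted MD5 in the passwd column falls to the online lookups Havij uses, beside a salted slow hash. The table layout, the sample rows and the wordlist are constructed assumptions, not the real site's schema.

```python
import hashlib
import hmac
import os
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the post's 'scanme' database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE inventory (id INTEGER, item TEXT);"
        "CREATE TABLE accounts (id INTEGER, uname TEXT, passwd TEXT, fname TEXT, lname TEXT);"
    )
    conn.executemany("INSERT INTO inventory VALUES (?, ?)", [(3, "widget"), (4, "gadget")])
    # Unsalted MD5, as on the page: passwd holds md5("admin").
    conn.execute("INSERT INTO accounts VALUES (1, 'admin', ?, 'Site', 'Admin')",
                 (hashlib.md5(b"admin").hexdigest(),))
    conn.commit()
    return conn


def search_by_id_unsafe(conn, raw_id):
    # The defect Havij's Analyze step detects: the id parameter is spliced
    # straight into the SQL text, so SQL inside the value becomes part of the query.
    return conn.execute(f"SELECT id, item FROM inventory WHERE id = {raw_id}").fetchall()


def search_by_id_safe(conn, raw_id):
    # Hardened form: enforce the integer type, then bind the value as a parameter.
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, item FROM inventory WHERE id = ?", (id_value,)).fetchall()


def md5_dictionary_lookup(stored_hash, wordlist):
    # What the online crackers the post hands the hash to actually do: unsalted
    # MD5 of a common password is a table lookup, not a break of MD5 itself.
    return next((w for w in wordlist if hashlib.md5(w.encode()).hexdigest() == stored_hash), None)


def hash_password(password, salt=None):
    # Mitigation: per-user random salt plus a slow KDF, so precomputed lookups fail.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)
```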

Happy Hacking!
