Thursday, August 21, 2014

Let's play hide and seek with tables (SQLite)

Pretty simple and straightforward hack.

Like I explained before, if you get your hands on an administrator account, it's possible to do this hack.

Check out my other blog post on changing JavaScript cookies to get admin access, or my other blog post on GET methods, so that you can apply an admin id (usually equal to zero) in the URL.

If you're lucky enough to get an admin account, it will usually have an SQL (or SQLite) query box where commands can be entered.

Interestingly enough, it's actually possible to see all the tables stored in the database by querying the sqlite_master table.

At the query prompt, enter "SELECT * FROM sqlite_master;"

In SQLite, sqlite_master is the built-in schema table, and it lets you see all the tables within a database. This really comes in handy when you've hacked into an admin account but have no idea what tables exist in the database.

Once this command is entered, it'll display the names of all the tables existing in that database. Now simply enter SELECT * FROM "that table name" to view the contents of that table.

So wait, can I use this command to view other databases on the site?
Well, if you're lucky enough, you can.

If you know the path of another database on the site (you can find it with the ls command, which I've explained in a previous blog post), you can view it.

Simply hit "inspect element" on the SQL query form, and change the path of the database that's currently in view to the path of the database you found.
Eg:
<input type="hidden" name="sql_db" value="pra.dbase">
So this means that you're actually viewing a database called pra.

If you found a database in a parent directory called "arp", simply replace "pra.dbase" with "../arp"
(Remember, ../ means parent directory)

Once that's changed, repeat the sqlite_master query to view the tables within that database.
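
The trick above only works because the server opens whatever path arrives in the hidden sql_db field. Here is an added example (not code from this post or from the site it describes) of the server-side check that stops it; the allowlist, function names and directory layout are assumptions.

```python
import os
import sqlite3
import tempfile

# Assumption: the only database the admin console is meant to expose.
ALLOWED_DATABASES = frozenset({"pra.dbase"})


def resolve_db_path(base_dir, requested, allowed=ALLOWED_DATABASES):
    """Map the client-supplied sql_db value to a file inside base_dir, or raise."""
    if requested not in allowed:
        raise PermissionError(f"database not allowed: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Defence in depth: an allowlisted name that is a symlink, or a careless
    # allowlist entry such as "../arp", must still resolve inside base_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes database directory: {requested!r}")
    return candidate


def open_console_db(base_dir, requested):
    """Open the validated database read-only so the console cannot modify it."""
    path = resolve_db_path(base_dir, requested)
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def demo():
    """Constructed layout: <root>/site/pra.dbase and <root>/arp, as in the post."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "site")
        os.mkdir(site)
        for path in (os.path.join(site, "pra.dbase"), os.path.join(root, "arp")):
            conn = sqlite3.connect(path)
            conn.execute("CREATE TABLE notes (body TEXT)")
            conn.commit()
            conn.close()
        # The form's own value, the edited value, and an absolute path.
        for requested in ("pra.dbase", "../arp", os.path.join(root, "arp")):
            try:
                conn = open_console_db(site, requested)
                rows = conn.execute("SELECT name FROM sqlite_master").fetchall()
                conn.close()
                results[requested] = [r[0] for r in rows]
            except PermissionError:
                results[requested] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The hidden field can still be edited in the browser, but the edited value no longer decides which file gets opened.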
