
SQL Exploiter Pro v2.15 Manual

SQL Exploiter Pro v2.15 is a tool that automates the process of exploiting SQL injection vulnerabilities on websites to access their underlying databases. It has five main parts: 1) a URL extractor to find potentially vulnerable websites, 2) an attacker to test sites for errors and access databases, 3) a database to save successfully hacked sites, 4) syntax error exploitation, and 5) MySQL exploitation. The tool extracts URLs from Google searches, tests them for SQL injection vulnerabilities, and allows accessing tables, columns and data from vulnerable databases.

Uploaded by jounsnow

SQL Exploiter Pro v2.15

Developed by: SQL Dare Devil ([email protected])

Overview
SQL Exploiter Pro v2.15 is a SQL injection tool for exploiting ASP, CFM and PHP websites with errors. We can
get information from those websites' databases. With SQL Exploiter Pro v2.15, hacking websites is totally
automated and as easy as 1-2-3.
Please note that this tutorial gives only superficial and brief details. There are lots of other commands and
functions hidden, and many tricks and techniques for using SQL Exploiter Pro v2.15 in the best way. Everything
that is not covered in this tutorial is taught in the training session, which starts after you purchase it.
SQL Exploiter Pro v2.15 has 5 main parts. The first part, URL Extractor for Hackable Sites, is for extracting
URLs of possibly exploitable shopping sites. The second part is the Attacker for the Hackable Sites, which
tests the extracted URLs to find out the exploitable sites' errors. The third part is the Database of Successful
Hits, where all the hackable sites found are saved for later use. The fourth part is Syntax Error Hacks,
which is used for sites with a Syntax error. The Syntax error has a different way of getting the database
records. The fifth part, MySQL and PHP Hacks, deals with sites with a MySQL error. See the image below:


URL Extractor for Hackable Sites


The first part is URL Extractor for Hackable Sites, which searches Google for the query you enter and gets a
list of URLs of shopping websites. The extracted URLs can number over 1000. Then it checks
them all to see which of them are hackable. SQL Exploiter Pro v2.15 does not query Google directly; it uses a
search engine which is linked to Google, so the IP is not blocked by Google no matter how many queries
you send. SQL Exploiter Pro v2.15 then marks the URLs that are not exploitable as ((Bad)) and the URLs
that are exploitable in the following way:

1. ((Success)) << Syntax error >>
2. ((Success)) << Unclosed quotation >>
3. ((Success)) << Incorrect syntax >>
4. ((Success)) << MySQL Error >>

The image below shows URL Extractor for Hackable Sites in action. The above are the 4 different errors
hackable with SQL Exploiter Pro v2.15; each has different methods and techniques for exploiting it.


Google Dork
This is the text box where you enter your Google dork query. As shown in the picture, I searched for the
Google dork query allinurl:"default.asp?catID="

Number of Results
This is a dropdown box where you define the number of URL links you want to get from Google. As shown in
the picture, I have searched for 150 results. You can search for as many as 1000 results.

Search Dork
Put your Google dork query in the Google Dork textbox and press Search Dork to get the results from Google.

Remove Tested Sites


You use this button to remove tested sites you have already checked for exploits.

Save URLs
After getting the URL links from Google you can also save that list and load it later on. This way you don't
have to search Google again and again, because Google blocks your IP if you send search queries too many
times.

Load URLs
Load your saved URLs list as explained above.

Minimize to Tray
You can also minimize SQL Exploiter Pro v2.15 to your system tray. Suppose you have got 900 URLs
from Google and want to check all of them for SQL injection: you can start the checking process and minimize
SQL Exploiter Pro v2.15 to the system tray. It will then keep working in the background and an icon will display in
the system tray. As soon as any hackable site is found, the icon in the system tray will start moving so
that you know that SQL Exploiter Pro v2.15 has found hackable sites. To restore SQL Exploiter Pro v2.15,
simply double click on the icon in the system tray. As shown in the picture above, the icon for SQL Exploiter
Pro v2.15 is the yellow pendulum-type clock.

Check URL List


After you have got URL links from Google by searching for your query, press Check URL List to
start checking all the URLs in the list, marking them ((Bad)) or ((Success)) accordingly. When any website is
marked ((Success)) with the error type, that website is automatically added to the appropriate attacker. The
attacker is where you can get the tables, columns and data of the websites. If you have already checked a
site and it is stored in the database, then the website is marked as ((Already)). That means you have
already checked that site and it is present in the database.

Check Single URL


In case you want to check a single URL from the list, select that URL in the list and press Check
Single URL to check only that URL.

Stop Scan
Use this to stop the checking of URLs in the list. If you want to resume checking the rest of the URLs in the
list then put the cursor on the URL where you stopped scanning and press Check URL List to continue
checking URLs in the list.


Debug
Use this to debug the query and see the results in the browser window to get more information about the
hackable site.

Add Site Manually


In case you have found a hackable site and cannot find it by searching Google dorks in SQL Exploiter
Pro v2.15, you can add that site manually to the list. Press Add Site Manually and an input box will
pop up. Enter the URL in that box and press OK. The site will show in the list.

New Google Dorks


Use this to see a long list of new Google dorks that you can use to find millions of sites that can be hacked.
Press New Google Dorks and a window will come up as shown in the picture. It will have a long list of Google
dorks. Select the Google dork you want to search and press Search for the Select Google Dork; the
Google dork will be inserted in the Google Dork text box and the search will start.


Attacker for the Hackable Sites


As explained at the beginning of the tutorial, Attacker for the Hackable Sites is the part of SQL Exploiter Pro
v2.15 used to get the databases of websites with Unclosed quotation and Incorrect Syntax error
messages. All the sites that were marked as ((Success)) with Unclosed quotation and Incorrect Syntax
errors in the URL Extractor for Hackable Sites are added here in the List of Hackable Sites, shown below
in the picture.

Site Info
You can get all the crucial information about the hackable website with this function. You can get the Server
Name, System User, Database Name and SQL Version information which is important for some specific
commands.

Debug
Sometimes even the sites marked ((Success)) are not hackable. By using the Debug function, you can find
out why you cannot hack a site. Sometimes you need to add a few more parameters to hack the site.


Add Site Manually


As you have already learned, all the sites that were marked as ((Success)) with Unclosed quotation
and Incorrect Syntax errors are shown here in the List of Hackable Sites. In case you want to add a
site that you already have which is hacked, you can add it manually to the list.

Stop Current Process


At any time you want to stop any process like getting the tables or columns or data, just use this function.

Save Tables
Use this function to save the table names in a text file. When you click this function, it asks you to browse to the
path where you want to save the table names file.

Load Tables
Use this function to load the table names you have saved before in a text file.

^
Use this upward arrow function to move the table names up to arrange them any way you want.

Get Tables
Use this to get the tables of the hacked site's database, as shown in the picture above.

Save Columns
Use this function to save the column names in a text file. When you click this function, it asks you to browse to
the path where you want to save the column names file.

Load Tables
Use this function to load the column names you have saved before in a text file.

^
Use this upward arrow function to move the column names up to arrange them any way you want.

Get Tables
Use this to get the tables of the hacked site's database, as shown in the picture above.

Get Columns
Use this to get the columns of the selected table of the hacked site's database, as shown in the picture
above. I got columns of Stored_CC table which has valid CVVs.

Save All Data


Once you have got the data off the site tables, you can copy all that data to the clipboard by using this
function. Just in case you want to copy a single line to the clipboard, then double click on the line you want to
copy, and it will be sent to clipboard.

Build Query
Use this function to build the query to make any specific changes. This function is for advanced level users.

Find Admin Login Page


This function uses Google queries to see if it can get the indexed admin login page of the hacked site.


Get Data
Use this function to get the data of the selected hacked site. You can also save this data directly to a text file.
To do that, check the Save to File checkbox and then click the Get Data button, which will then show you a save
file dialog box. You can also get the data starting from a specific record: if you stopped getting the data at a
record, e.g. ID 400, put this ID 400 in the From text box and the data retrieval will start from that
specific point.
You can also use the ORDER BY clause and sort the results in Desc or Asc order. As shown in the picture
below, the selected columns' data is retrieved sorted by the ID column name.


Database of Successful Hits


This is the third part of SQL Exploiter Pro v2.15, where all the sites marked ((Success)) are stored. All the
sites that are marked as ((Success)), or in other words hacked, are immediately saved in the
database so that you can access them later, as shown in the picture below. You can also see
the error message that those sites are hacked with.
I have crossed out some of the sites below because those are fully working shop admins which have real
working CVV2 Credit Cards. You can't have them for free hahahahahahahahahaaaaa. Whenever you
need to check the databases of any of your hacked sites, you have them in the database.
You can also search this database for any specific hacked site you are looking for. Just type in the textbox given
and press enter. The result list will be displayed. When you want to retrieve any site that you want to work on
again, just double click on the site or select the site row and click Add Site to Attacker; the site will be added
to the appropriate section of Attacker according to the type of error the shop has. I have hacked about 700
shops till now :>.


Syntax Error Hacks


This is the fourth part of SQL Exploiter Pro v2.15, where all the sites marked ((Success)) with a Syntax Error are
added. With a Syntax Error we use the guessing method to guess the admin table and then try
to find the correct number of columns. The whole process is explained below with screenshots of the tool in action:

Find Table
The Find Table function is used to find the table name. I have put in two targets: find the Admin table or the
Orders table. All the hackable sites discovered by URL Extractor for Hackable Sites with Syntax Error
Hacks are added to this section, like the example you see in the picture. When you try to get the table
names by a Union Select query, the error you get from that is entered in the Error Msg text box; then you
click the Find Table button and it starts trying all the Admin table names given in the Admin Table combo box.


Find Columns
Once you have found the correct Admin or Order table name, you try to find the correct number of
columns. Check what error you get when you enter the wrong number of columns in your browser, then
paste that error message in the Error Msg text box and click Find Columns. It starts trying numbers of
columns and stops when it finds the correct number of columns, as shown in the picture below:

Find Admin
This function gets the column names of the table we found in the picture above and displays all the
column names found in the Found Columns list. To find the column names of the table you have found, first copy
the full URL with column numbers just as it is from Action of URL, paste the link in your Firefox
browser (highly recommended for hacking shops with errors) and note the numbers displayed on the page.
Then enter any single one of those numbers; in the example in the picture, 5 was one of the numbers displayed
on the page. You could use any number from the ones displayed on the page. See the example in the
picture below:

We put number 5 in the Discovered Columns textbox and hit the Find Admin button and it starts trying all
of the possible column names in the Admin table and whenever it finds a valid column name, it adds it in the
Found Columns list. You do the same for the find orders table and columns. You just have to select the
Orders radio button to do that.


Build Query
This function creates a query, which is the final step, and that query is also copied to the clipboard. Just open
the Firefox browser, paste that link in there and press enter. The page opens with the data of the chosen
columns, as shown in the picture below:
In the above example, we chose Admin_id - Admin_username - Admin_name - Admin_password and the
data in the picture below is displayed in the same order.


MySQL and PHP Hacks


This is the fifth part of SQL Exploiter Pro v2.15, where all the sites marked ((Success)) with a MySQL Error are
added. A MySQL error in PHP calls for different methods and commands with different versions of the
MySQL database. MySQL v5.0 and above are easier to hack since you can get the tables, columns and data,
but MySQL v4.0 is more or less like the Syntax Error, where you have to guess the table names and column
names. MySQL Error hacking is explained below with screenshots of SQL Exploiter Pro v2.15 in action:

Debug
When the URL Extractor for Hackable Sites marks sites with ((Success)) MySQL Error, those
exploitable sites are added to this section's Successful Hits list. Simply select a URL in the Successful Hits
list and press the Debug button. It then opens your default browser window and shows you the error. Copy and
paste the initial part of that error; in this case, the error displayed in the picture below for the site is Unknown
column. You can also double click on the URL in the Successful Hits list, which will open the window just as if
you had clicked the Debug button.


Find Columns
This function is used to find out the correct number of columns. When you click the Find Columns button, it
starts trying numbers of columns one by one. When the correct number of columns is found, it creates the
union select query automatically in the Action of URL text box, as shown in the picture below. The
correct number of columns for this site was 4.
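
Seen from the defender's side, the one-by-one column guessing described here and under Syntax Error Hacks leaves a recognisable trail in web server logs: one client sending UNION SELECT requests to the same page with a growing column count, usually answered with errors until one guess fits. The detector below is an added example, not part of the manual or the tool; the log format, addresses, paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (trimmed combined log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /default.asp?catID=3 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /default.asp?catID=3+UNION+SELECT+1 HTTP/1.1" 500 812
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /default.asp?catID=3+UNION+SELECT+1,2 HTTP/1.1" 500 812
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /default.asp?catID=3+UNION+SELECT+1,2,3 HTTP/1.1" 500 812
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /default.asp?catID=3+UNION+SELECT+1,2,3,4 HTTP/1.1" 200 5340
198.51.100.9 - - [10/Mar/2024:10:00:06 +0000] "GET /search.php?q=trade+union+select+committee HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')
UNION_RE = re.compile(r'union\s+(?:all\s+)?select\s+([^-#;]+)', re.I)

def column_count(url):
    """Return the number of items in a UNION SELECT list in the URL, or None.
    Heuristic: counts top-level commas, so nested function calls may overcount."""
    match = UNION_RE.search(unquote_plus(url))
    if not match:
        return None
    select_list = re.split(r'\sfrom\s', match.group(1), maxsplit=1, flags=re.I)[0]
    return select_list.count(',') + 1

def find_column_probing(log_text, min_steps=3):
    """Flag (client, path) pairs that tried at least min_steps distinct column counts."""
    seen = defaultdict(list)  # (client, path) -> [(column count, HTTP status)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, url, status = m.groups()
        n = column_count(url)
        if n is not None:
            seen[(client, url.split('?', 1)[0])].append((n, int(status)))
    findings = []
    for (client, path), hits in seen.items():
        counts = sorted({n for n, _ in hits})
        if len(counts) >= min_steps:
            findings.append({
                "client": client,
                "path": path,
                "counts_tried": counts,
                # A non-error answer after a run of errors suggests the guess fit,
                # so these findings deserve the fastest response.
                "non_error_counts": [n for n, status in hits if status < 500],
            })
    return findings

if __name__ == "__main__":
    for finding in find_column_probing(SAMPLE_LOG):
        print(finding)
```

A single request that merely contains the words "union select", like the search query in the last sample line, stays below `min_steps` and is not reported.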

Add Manually
This function is used to manually add a site if you don't already have it in the database. Mind you,
adding a site manually here will not save the site URL in the database. So you had better add the site to the URL
Extractor and then retrieve it from the database.


Get Info
This function is used to get the server information: the Version Information, User Name, DB Name
and Server Time. It is mandatory to get the Version Information before you can get the tables or columns, because
the SQL injection commands used depend on the version information. See the picture below: the MySQL
version is 5.0.24, where we can get the tables and columns just like in the picture below:

Get Tables
This function is used to get the table names from the database. See the picture given above.

Get Columns
This function is used to get the column names from the database. See the picture given above.

Get data
This function is used to get the data from the table and columns selected. See the picture given above.
