
Havij Help


TheKingUnderTheHill


Hey, just got Havij (pro edition), been playing around but making no real progress. Looked at a few tutorials online, but none of them actually tell me in detail how to use the program.

Such as an example of what type of URL to put in. I know it's got to be .php etc., but what about the ?id=51 part, is this necessary?

If anyone can explain to me how you are supposed to use the program, any help would be greatly appreciated, cheers!

If it's SQL injection, then yes, the ID=## part is where it tests the injection. Learn to do it manually on a vulnerable script/website first. Never heard of this tool, and more than likely you could be infecting your own machine trying to run stuff you know nothing about. Also, do this on your own systems, in a virtual lab. Attacking random websites to try to learn about this is not only illegal, it could land you in jail. If you attack a site that isn't vulnerable, you could set off all kinds of alerts to the sys admin and they could turn over all your info to law enforcement.

Edited by digip

Exactly this ^ If you run off doing this on people's websites you will most likely get caught. I had a friend back in freshman year that got caught just by running a portscan and arrested; imagine what doing this without having authorization could lead to.


I ended up finding the app by r3dm0ve, on itsec something or other. Unpacked the Inno Setup file and sent it to VirusTotal. Would be careful running it; it had like 20-some hits and most said hack tool, but some said trojan as well.


Just curious, when you bought it did you send over all the PI that they wanted to see? There is no way I'd send a copy of my passport and other info like that to a random hacker group.

If you didn't buy it then I've been told that most of the pirate versions around are fully loaded with all sorts of nastiness, beware!


Yes, you can try a blind injection,

Settings > (click on the blue link "User Agents") > and select %Inject_Here%

hit apply and then you will be able to attempt a blind injection

^^

Everyone gets their panties bunched up in a knot over Havij. Don't get me wrong, it's always good to know how to do it the manual way too, but Havij is an awesome tool. Have fun man!

There are other tools out there he could use too that are well known and don't have the notion of malware attached, but my concern for him was using software that could have infected his system in the process. Boot up BackTrack, there are tools on there to do what he asks if he really wants to do it, although what he does is on him. That goes without saying.

If you didn't buy it then I've been told that most of the pirate versions around are fully loaded with all sorts of nastiness, beware!

He didn't say it was pirated or cracked, but if they were, that's a good point. I would be even more cautious if it was.


Ah, well it is quite a commonly known tool in many of the other forums I trawl, and the download link that I used came up clean on VirusTotal, my own scan, and was verified by many people (some that I know personally) from the link where I got it. I also didn't hand over any personal information, nor am I trying this on any unauthorized sites; a friend has set one up for us to play about on, but couldn't get it to work.

Other than that, thanks for the feedback, it's very helpful. I'll boil it down for anyone else reading the thread who wants to know more.

> The page must have "?id=#" at the end.

> Put a single quote ' on the end of the link, if it returns an SQL Error, the site is vulnerable

> Then use Havij to find User and Pass tables

> Crack MD5 hashes

> Done

Also curious about how to do this in BT. I've played about with the SQLi tool on there, but could anyone point me in the direction of a decent tutorial?

Edited by TheKingUnderTheHill
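For anyone building the kind of lab page discussed in this thread, the following added example (not part of any post above) shows why a trailing single quote on the `id` value produces an SQL error when the value is concatenated into the query, next to a handler that validates the value and binds it as a parameter. The table, data and function names are constructed for illustration.

```python
import re
import sqlite3


def make_lab_db():
    # Constructed lab data: a throwaway in-memory table, not from the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (51, 'Lab article')")
    return db


def lookup_vulnerable(db, raw_id):
    # The id value becomes part of the SQL text, so a stray quote
    # changes the statement itself and the parser rejects it.
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the database error back to the client is the
        # "returns an SQL error" symptom.
        return "SQL error: " + str(exc)
    return row[0] if row else "not found"


def lookup_hardened(db, raw_id):
    # 1) Allow-list the expected shape of the parameter (ASCII digits only).
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return "bad request"
    # 2) Bind the value as data; it never becomes part of the SQL text.
    try:
        row = db.execute(
            "SELECT title FROM articles WHERE id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error:
        # 3) Log server-side in a real app; never return driver errors.
        return "server error"
    return row[0] if row else "not found"


if __name__ == "__main__":
    lab = make_lab_db()
    for value in ("51", "51'"):
        print(repr(value), "->", lookup_vulnerable(lab, value),
              "|", lookup_hardened(lab, value))
```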

Joe McCray has done a lot of talks on the subject, and many of the anonymous sites that have tuts on it copy almost verbatim the talks and slides he's written.

http://bit.ly/JNJnBn

I think if you understand the manual way of entering it through a browser, you will be able to figure out Havij or other tools much easier. I have a text doc around here somewhere too, but you can easily search pastebin for sqli cheat sheet(s), there are numerous.

Edited by digip