SQL Injection attacks with Havij

This is a fictional adventure with fictional characters that have fictional (non)skills based on true events. This post was created for informational purposes only and no admins lost their job during the writing of this story. It was inspired by Troy Hunt's "Hacking is child's play" article.

Bob, a 20-something year old boy, never considered himself a computer “guru”. He started using computers around the age of 18, late compared to his friends. What he lacked in experience, he gathered through patience.
Saturday morning news, July 2012: Yahoo voices was breached, half a million emails and passwords were leaked. The attack was made possible due to a SQL injection flaw on their servers.

yahoo voices logo
 
SQL injection? Sound like a medical term. Bob moves to his computer and starts typing:
sql injection attacks
He goes through the results, reads various topics and his eyes fall on: 
Havij - an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
Havij SERP results from google search
 
He was never very tech-savvy so this might be what he was looking for. Another search follows:
havij torrent
Bam, first results, his beloved piratebay. The torrent is small in its size so it should be ready soon enough. In the meantime he'll grab a coffee, smoke a cigarette or two and wait.
Minutes later when he returns, the download session is complete. He registers – by using the all-too-easy provided steps - and fires-up the application. 

Havij default first screen

But, he remembers that he needs some websites to test it on. Opens Firefox again, set's the homepage to google.uk and enters:
inurl:newsitem.php?num=

Google results for inurl dork

This is the google “dork” he choose from a list. It's an example of “advanced search string operators” - termed by some people as “dorking”. Since Bob is inexperienced, he doesn't really care what these are or why they're named “dorks”. 
He starts copying and pasting the available results into Havij. First site doesn't work, Havij returns:
MySQL error based injection method cant be used!
MySQL time based injection method can't be used!
He moves on to the other results. Finally, one site seems to be vulnerable, he pressed “Analyze” and in less than 5 seconds:
Havij table results

This is getting interesting. From all the tables, only one seems to have the data he's looking for: labeled_user. He selects the table and clicks on “Get columns”. The important columns are there:
☐ forename
☐ surname
☐ username
☐ password
☐ email
He selects three of them: email, username and password, then presses on “Get data”. Finally, he has access to the admins usernames and passwords. But the passwords are encrypted so he needs to dig-on.

Table results with username and passwords

Havij has an MD5 decryption option available, let's try that one. He tries with the first encrypted password - Havij is using online resources to decrypt passwords.
Success! The results came in seconds and the password has been revealed: johnC1980 – it's a combination between the name of the web admin and his birthday dates - common password combination. Bob moves to the “Find admin” tab and clicks on start. The program found something like nameofthesite.co.uk/admin . He pastes the link into his browser and tries the username and password combination:

admin

John121980

Admin cpanel login screen
 
He's in. It was easier than he thought and now he has access to admin panels of this recruitment agency from the UK. He'll dig more into it tomorrow but for now he's done. He wants to celebrate his script-kiddie success.

Bob's back early in the morning. What if those five users are “recycling” their passwords? This was usually the cause for many famous successful break-ins in the past.
People are lazy and they don't want to remember 12 passwords used on 12 different websites: what they do instead? They use the same password for all sites. You got access to one, you have access to all of them.
After two hours, Bob was able to access John's Gemail, Linked-in, Facebook and twitter account. He used the same password on all of them: John121980.
Worse yet: John creates and administrates websites for other companies also. Obviously he's using the same password. From here on, Bob can get access to a huge amount of login details.
If you're curios enough, the sky is the limit.