Sql Injection Method(Advanced)

The idea here is to find the email addresses stored in the database. The First thing that comes to mind when trying to get information from a database should be an SQL Injection.
If you are not sure how SQL Injections work read the post SQL Injection Walkthrough. You will notice that sql injection does work here.If you play around with the site and enter an invalid e-mail address you will get an error that it could not enter the e-mail address into table ‘email’. This is important information because it tells us the table we are looking for. Another thing you should notice is that the page products.php takes a query string.


This is indicating to me that the page is doing something like this:

SELECT * FROM products WHERE category=1

What we should try then is UNION. UNION allows us to merge the results of two SELECT statements into one. For example:


would return all the columns from table1 and all the columns from table2. It is important to note that in order to use UNION the columns in both tables must be the same, so if table1 has 5 columns table2 must have five columns.

So Let’s find out how many columns the tables have. We can start with the products table because this is the easy one. If we use the ORDER BY command we can methodically increase the value. So

products.php?category=1 ORDER BY 1

might change the page slightly. As we increase the number you might continue to notice changes. It is not until you go to far that the page looks completely different (either a blank page, error, or something else). If you try:

products.php?category=1 ORDER BY 5

You will see what I mean. Which indicates that the number of columns in products is four.

Now for the email table. Lets assume that the email table only has one column (the emails). That means we would have to add at at most 3 columns. We can achieve this by using NULL. If we have three NULL columns plus the email column (which adds up to four) and we have no results we now know that the email table has more columns then the product table. So we would have to remove all the NULL columns from the email table and start adding them to the product table.
I know what your thinking…”What am I talking about?” Lets take a look. We start with this:

products.php?category=1 UNION ALL SELECT *, NULL FROM email

We get nothing so we add another NULL

products.php?category=1 UNION ALL SELECT *, NULL, NULL FROM email

Nothing again so another NULL. But realize this is the last one we can add as noted above:

products.php?category=1 UNION ALL SELECT *, NULL, NULL, NULL FROM email

You notice there are a bunch of broken images at the bottom. You have it. Now if you still got nothing that is when the email table has more columns then the product table and you would have to add NULL columns to the product table instead.

Now when I said you had I really meant it, but you are probably asking where are the e-mail addresses. View the source code. There they are. Now if you wanted to see the e-mail addresses on the page try moving the * around:

products.php?category=1 UNION ALL SELECT NULL, *, NULL, NULL FROM email

The hardest part was finding where to send the email addresses through HTS mail system…If you do not know how to send then click your username on left up corner and it will lead u to your profile and then click on your username in the profile again and a message composing box will open. Copy-Paste the emails in message area and the send the email to ‘SaveTheWhales’

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by entrepreneurial bug, I got kicked out from college and ended up being millionaire and running a digital media company named Aeron7 headquartered at Lithuania.

Related Posts

Basic Mission 1   I can call you a pretty dumb as per you are now viewing the walkthrough for...

Basic Mission 2   I can again call you a pretty dumb as per you are now again viewing the walk...

Basic Mission 3   Have a look at the source code of that page and have you noticed the form section?...

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.