
SQL Injection with an uninjectable URL

Çağlar Arlı


I was recently given a subdomain to try and exploit with SQLi: gov.ns.agency. Unlike what I would see in most tutorials, I can't really inject parameters into the URL like I would see everywhere else.

Here's what I tried:

  1. At the login page, any username sufficed with the password ' OR '1'='1 and I'm directed to gov.ns.agency/users. Here a form returns whether a user exists. I'm supposed to get info from the columns 'name' and 'pass' in the table 'users'. There's also a hint that MySQL is the database and that the requests sent are GET and not POST, with the exception of some queries which return a 500 Internal Server Error.

  2. 'UNION ALL SELECT NULL,version()'-- returned MySQL version 8.0.11; omitting the single quotes would return 'user not found'.

  3. 'UNION SELECT 'Found', COLUMN_NAME FROM information_schema.columns WHERE table_name = 'users' AND column_name LIKE 'pa% returned [name]Found -> [priv]pass. I'm still scratching my head over what 'priv' is; it might describe privileges? Admin, perhaps?

  4. 'UNION ALL SELECT NULL,concat(schema_name) FROM information_schema.schemata' - this would give DB names, but instead it gave me a 500 Internal Server Error.

I'm quite new to penetration testing and I'm not sure which query would get the tables, how I'd use tools such as SQLMap or Burp Suite to do it, or even how I'd approach this kind of site where I can't inject queries into the URL (normally ending in .php?id=123), so any tips would be greatly appreciated!
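As an added illustration (not code from the post or from the target site), here is why the first payload bypasses the login check and how a parameterised query stops it, using an in-memory SQLite table as a stand-in for the described MySQL 'users' table. The table contents, function names and plaintext passwords are constructed for the example only.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the 'users' table (columns 'name' and 'pass').
    # Plaintext passwords keep the example small; real systems store hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Query built by string concatenation. A password of  ' OR '1'='1
    # closes the string literal and appends a tautology, so the WHERE
    # clause becomes (name = ? AND pass = '') OR '1'='1', true for every row.
    sql = (
        "SELECT name FROM users WHERE name = '" + username
        + "' AND pass = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so quotes in the input can never change the statement shape.
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "anyone", payload))  # True
    print("safe:      ", login_safe(db, "anyone", payload))        # False
```

The same parameterisation applies to the user-lookup form, which is where the UNION payloads in steps 2 to 4 get their second column from.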