As a newbie testing on a website demonstration, I’ve found a SQL injection vulnerability in the search functionality. The query I put in the URL is encoded. For example,
The base case where I spotted the vulnerability is:
url/search=ball' UNION SELECT 1,2,3,4 OR '1'='1
It is successful since the query is not parameterized, but using the comment -- at the end is not successful.
It’s also possible to go further to find the server information: (1,2,3 are strings, 4 always shows 1 no matter whether I put a string or a number)
url/search=ball' UNION SELECT version(),2,3,4 OR '1'='1 >> 8.0.23-0ubuntu0.20.04.1
However, when I tried further to seek the table name and match the number of columns using:
url/search=ball' UNION SELECT table_name,2,3,4 FROM information_schema.tables OR '1'='1
There’s no information shown in the provided table.
Am I missing something, or is there anything else I can try? Thanks.
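
On the defensive side of the observation that the query is not parameterized, the following added example (not part of the original post and not the demo site's code) contrasts a string-concatenated search query with a parameterized one, using the base-case search term from the post. It assumes an in-memory SQLite database standing in for the site's MySQL server; the `products` table, its columns and the function names are hypothetical.

```python
import sqlite3

# The base-case search term quoted in the post.
PAYLOAD = "ball' UNION SELECT 1,2,3,4 OR '1'='1"


def make_db():
    """Build a constructed in-memory catalogue (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, descr TEXT, price INTEGER)"
    )
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(10, "ball", "red rubber ball", 5), (11, "bat", "wooden bat", 20)],
    )
    return db


def search_concatenated(db, term):
    """Vulnerable form: the search term is spliced into the SQL text,
    so a quote in the term ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, name, descr, price FROM products WHERE name = '" + term + "'"
    return db.execute(sql).fetchall()


def search_parameterized(db, term):
    """Hardened form: the term is bound as a value and is only ever
    compared with the name column, whatever characters it contains."""
    sql = "SELECT id, name, descr, price FROM products WHERE name = ?"
    return db.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", search_concatenated(db, PAYLOAD))
    print("parameterized:", search_parameterized(db, PAYLOAD))
    print("normal search:", search_parameterized(db, "ball"))
```

With the bound parameter, the whole term is matched as a product name, so it returns no rows, while an ordinary search for ball still works.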