I am trying to exploit (legally) a MariaDb database with an SQLi vulnerability.
I have identified the vulnerability here...
/?o=1&page=app
The o=*
is vulnerable and produces the following error...
DEBUG INFO: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '5' or dest like '1'') LIMIT 10' at line 1
I am using Burp Suite and have landed upon the following syntax which seems to be closer to the mark but is still producing a syntax error.
I think it is closer to the mark because the error is only spitting out the query that I have introduced and not the 'extra' field: '5' or dest like '1'') LIMIT 10'
.
I am assuming that is part of the original query as the 1
is included and when I test with other random strings that remains true.
I am after the admin password hash which I know from the page clues is uid 1
.
What am I missing with this query?
SELECT Password FROM mysql.user WHERE (uid = '1' or dest like '%') --') LIMIT 10