To set a baseline for this recipe, first establish the current number of records in the account table, then perform SQL Injection to confirm it:
- Navigate to the User Info page: OWASP 2013 | A1 – Injection (SQL) | SQLi – Extract Data | User Info (SQL).
- At the username prompt, type in a SQL Injection payload to dump the entire contents of the account table. The payload is `' or 1=1-- ` followed by a space (tick, or, 1 equals 1, dash, dash, space). Then press the View Account Details button.
- Remember to include the space after the two dashes; this is a MySQL database, and MySQL only treats `-- ` as a comment when the dashes are followed by whitespace, so without the space the payload will not work:
- When performed correctly, a message displays ...
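Why the payload returns every account, and what closes the hole, as an added example (not Mutillidae's own code). It assumes a constructed in-memory SQLite stand-in for the MySQL account table with illustrative column names; SQLite accepts `--` as a comment even without the trailing space, so the MySQL-specific space requirement is noted in a comment rather than demonstrated.

```python
import sqlite3

# Constructed stand-in for the application's account table (column names are
# an assumption for illustration, not the project's real schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "adminpass"), ("adrian", "somepassword"),
                      ("john", "monkey")])
    return conn

def count_accounts(conn):
    # Baseline: how many records the table holds before the injection test.
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]

def lookup_vulnerable(conn, username, password):
    # String concatenation: user input becomes part of the SQL text, so the
    # quote closes the literal, "or 1=1" is always true, and "-- " comments out
    # the rest of the WHERE clause. On MySQL the space after "--" is required.
    sql = ("SELECT username FROM accounts WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username, password):
    # Bound parameters: the driver passes the input as data, never as SQL
    # syntax, so the same payload matches no row.
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# The recipe's payload, trailing space included.
PAYLOAD = "' or 1=1-- "

if __name__ == "__main__":
    db = build_db()
    print("baseline records:", count_accounts(db))
    print("vulnerable query returns:", lookup_vulnerable(db, PAYLOAD, ""))
    print("parameterized query returns:", lookup_parameterized(db, PAYLOAD, ""))
```

The vulnerable function returns all three usernames for the payload; the parameterized one returns nothing, which is the check to run against any login or lookup query you are hardening.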