Once we identify a valid SQL injection, it's time to decide what we're going to look for. Here, we have a list of the most typical things:
- Basic data: For example, database version, user running the database, current database, database directory, and so on
- Advanced data: MySQL usernames and passwords, databases, table names, column names, and content from tables
- OS files: We can read any file in the file system as long as the user running the database has privileges
These are some of the most useful and typically extracted data. I encourage you to continue learning what other things you can do once you have a working SQL injection.
A good starting point is the pentestmonkey Cheat Sheet (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet).
A good starting point is the pentestmonkey Cheat Sheet (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet).