SQL injection
How dangerous is it?
P1 - Critical
CVSS score: 9-10
Some SQL basics
SQL statement syntax
INSERT statement
Modify the password of an existing object/user
To do so, try to create a new object with the same name as the "master object" (probably admin in the case of users), modifying something so the application's uniqueness check is fooled:
Create a user named: AdMIn (mixed uppercase and lowercase letters)
Create a user named: admin=
SQL truncation attack (when there is a length limit on the username or email) --> create a user with the name: admin [a lot of spaces] a
If the database is vulnerable and the maximum number of characters for a username is 30, and you want to impersonate the user admin, try to create a username called "admin [30 spaces] a" with any password: the value is silently truncated to the column width, and the stored name then compares equal to "admin".
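The truncation and case-variant registrations above, simulated in Python as an added example (not code from the original page): find_user emulates a MySQL case-insensitive PAD SPACE collation, register_vulnerable emulates non-strict truncation to the column width, and register_safe is the hardened form that rejects instead of truncating. The 30-character limit is the page's scenario; the user list and passwords are constructed.

```python
MAX_LEN = 30   # column width used in the scenario above


def find_user(users, name):
    """Emulates a MySQL case-insensitive PAD SPACE collation: trailing spaces
    and letter case are ignored when two VARCHAR values are compared, so
    'admin   ' and 'AdMIn' both compare equal to 'admin'."""
    wanted = name.rstrip(" ").casefold()
    return [u for u in users if u["name"].rstrip(" ").casefold() == wanted]


def register_vulnerable(users, name, password):
    """Non-strict SQL mode: over-long input is silently cut to MAX_LEN.
    'admin' + 30 spaces + 'a' is stored as 'admin' + 25 spaces, which the
    collation then treats as identical to the real 'admin' row."""
    users.append({"name": name[:MAX_LEN], "password": password})


def register_safe(users, name, password):
    """Hardened form: reject over-long or padded input instead of truncating,
    canonicalize before the uniqueness check, and run that check with the same
    comparison rule the login lookup uses (so 'AdMIn' collides with 'admin')."""
    canonical = name.strip()
    if not canonical or len(name) > MAX_LEN or canonical != name:
        raise ValueError("username must be 1..30 chars with no surrounding spaces")
    if find_user(users, canonical):
        raise ValueError("username already taken")
    users.append({"name": canonical, "password": password})
```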
How to exploit it?
Find the injection point.
Fix the query (balance the SQLi):
in GET add '--+
in POST add '-- followed by a space, or '#
Find the total number of vulnerable columns:
ORDER BY n
UNION SELECT 1,2,3,4,...,n-1 => watch for a "different number of columns" error
Inject in WHERE or HAVING
Use version() to test
How to perform a query
SQL logic
Comments
Use LIMIT
How to UNION the results
information_schema
Use wildcards
How to test
Add to the parameter: '"  then  " or 1=1#  |  ' or 1=1#
Practice in DVWA
SQLMAP
-r => request file name (load the HTTP request from a file)
--dbs => enumerate DBMS databases
--level=LEVEL => level of tests to perform (1-5, default 1)
--risk=RISK => risk of tests to perform (1-3, default 1)
-p TESTPARAMETER => testable parameter(s)
Assuming you've tested a parameter with ' and it is injectable, run sqlmap against the URL:
It may not run unless you specify the database type.
Get the databases:
Get the tables in a database:
Get the columns in a table:
Dump a table:
Confirming with timing
In some cases you won't notice any change on the page you are testing. A good way to discover blind SQL injections is therefore to make the DB perform an action that affects how long the page takes to load: concatenate into the SQL query an operation that takes a long time to complete:
Exploiting union-based SQLi
Detecting the number of columns
If you can see the output of the query, this is the best way to exploit it. First of all, we need to find out the number of columns the initial request returns, because both queries in a UNION must return the same number of columns. Two methods are typically used for this purpose:
ORDER BY / GROUP BY
To determine the number of columns in a query, incrementally increase the number used in the ORDER BY or GROUP BY clause until a false response is received. Despite their distinct functions within SQL, GROUP BY and ORDER BY can be used identically for ascertaining the query's column count.
UNION SELECT
Select more and more null values until the query is correct:
Use null values, as in some cases the column types on both sides of the query must match, and null is valid in every case.
Exploiting blind SQLi
In this case you cannot see the results of the query or the errors, but you can distinguish when the query returns a true or a false response because the page content differs. You can abuse that behaviour to dump the database char by char:
Exploiting error-based blind SQLi
This is the same case as before, but instead of distinguishing between a true/false response from the query, you can distinguish between an error in the SQL query or not (maybe because the HTTP server crashes). Therefore, in this case you can force an SQL error each time you guess the char correctly:
Exploiting time-based SQLi
In this case there isn't any way to distinguish the response of the query based on the content of the page, but you can make the page take longer to load if the guessed character is correct. We already saw this technique in use above to confirm a SQLi vulnerability.
Raw hash authentication bypass
This query showcases a vulnerability when md5() is called with the raw-output flag set to true in an authentication check, making the system susceptible to SQL injection: the 16 raw digest bytes are spliced into the query as text. Attackers can exploit this by crafting inputs whose hashes contain bytes that act as SQL syntax (quotes, operators), leading to unauthorized access.
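The raw-output pattern above (the PHP idiom is md5($password, true) concatenated into the query) beside its hardened form, as an added Python example that is not from the original page: raw_md5_sql shows how the digest bytes land inside the SQL string, has_sql_metachar is a hypothetical check for the bytes that break a string literal, and login_safe uses hex output plus a parameterized query against a constructed in-memory SQLite table.

```python
import hashlib
import sqlite3


def raw_md5_sql(username: str, password: str) -> str:
    """Vulnerable pattern: the 16 raw digest bytes are spliced into the statement
    as if they were text. Any of them can be a quote or '=' so the query shape
    depends on the password, even though the password itself never appears."""
    raw = hashlib.md5(password.encode()).digest().decode("latin-1")
    return f"SELECT id FROM users WHERE name = '{username}' AND pw = '{raw}'"


def has_sql_metachar(digest: bytes) -> bool:
    """Hypothetical helper: True if a raw digest contains a byte that would
    alter the surrounding SQL string literal (' " \\ =)."""
    return any(b in digest for b in (0x27, 0x22, 0x5C, 0x3D))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; hex digests are stored, never raw bytes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users (name, pw) VALUES (?, ?)",
                 ("alice", hashlib.md5(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: hex output (only [0-9a-f], no metacharacters) and a
    parameterized query, so neither username nor digest can change the SQL.
    MD5 is kept only to match the page's scenario; a real login should use a
    salted, slow password hash such as bcrypt or argon2."""
    digest = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute("SELECT id FROM users WHERE name = ? AND pw = ?",
                       (username, digest)).fetchone()
    return row is not None
```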
Injected hash authentication Bypass
Recommended list:
Use each line of the list as the username and Pass1234 as the password. (These payloads are also included in the big list mentioned at the beginning of this section.)
GBK authentication bypass
If ' is being escaped you can use %A8%27: when ' gets escaped, the byte sequence 0xA8 0x5C 0x27 (╘') is produced, and in GBK 0xA8 0x5C is consumed as one multibyte character, leaving the quote unescaped.
Python script
WAF Bypass
No Space (%20) - bypass using whitespace alternatives
No Whitespace - bypass using comments
No Whitespace - bypass using parenthesis
No Comma - bypass using OFFSET, FROM and JOIN
Blacklist using keywords - bypass using uppercase/lowercase
Blacklist using keywords case insensitive - bypass using an equivalent operator
Information_schema.tables Alternative
Version Alternative
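On the defender's side, the probes described in the exploitation and WAF-bypass sections above (query balancing with '-- and '#, ORDER BY n column counting, UNION SELECT, SLEEP-based timing, version() probes, and the case/comment/encoding evasions) can be spotted in web server access logs. This is an added example, not code from the original page; the log lines are constructed and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=5'--+ HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=5%20order%20by%2012 HTTP/1.1" 500 120
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=-1%20UnIoN/**/SeLeCt%201,2,version() HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=5%20AND%20SLEEP(5)%23 HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=union%20station HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Each rule is (technique, regex) applied to the normalized query string.
RULES = [
    ("query-balancing comment", re.compile(r"'\s*(--|#)")),
    ("column counting (ORDER/GROUP BY n)", re.compile(r"\b(order|group)\s+by\s+\d+")),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(")),
    ("version probe", re.compile(r"\bversion\s*\(\s*\)|@@version")),
]


def normalize(query: str) -> str:
    """Undo the evasions from the WAF-bypass section: (double) URL encoding,
    '+' for space, inline comments used as whitespace, and mixed case."""
    s = query
    for _ in range(3):                      # unwind double encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)        # /**/ standing in for a space
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def scan_log(text: str):
    """Return (client_ip, path, [techniques]) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        query = path.partition("?")[2]
        if not query:
            continue
        norm = normalize(query)
        found = [name for name, rx in RULES if rx.search(norm)]
        if found:
            hits.append((ip, path, found))
    return hits
```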
Other resources
MySQL:
[PentestMonkey's MySQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
[Reiners MySQL injection Filter Evasion Cheatsheet](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
MSSQL:
[EvilSQL's Error/Union/Blind MSSQL Cheatsheet](http://evilsql.com/main/page2.php)
[PentestMonkey's MSSQL SQLi injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
ORACLE:
[PentestMonkey's Oracle SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
POSTGRESQL:
[PentestMonkey's Postgres SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
Others:
[Access SQLi Cheatsheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
[PentestMonkey's Ingres SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
[Pentestmonkey's DB2 SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
[Pentestmonkey's Informix SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
[SQLite3 Injection Cheat sheet](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
[Ruby on Rails (Active Record) SQL Injection Guide](http://rails-sqli.org/)
Sqlmap: