SQL Injection
Making web request via Command Line
wget
Print response on STDOUT.
curl
SQL Injections
3 types:
In-band
Error-based
Blind SQL
Finding SQL Injections
In the Information Gathering phase, categorize the different input parameters and note that ones used for retrieving data from database.
Inputs:
GET / POST request parameters
HTTP Header
Cookies
Steps:
Try invalid input to see the response and error message
Try SQL syntax (one at a time!):
'
or"
SELECT
,UNION
...#
,--
Try Boolean-based detection to guess the SQL statement behind
e.g. True = display; False = not display
In-band SQL Injection
Mainly use UNION
SQL command.
Note that:
Number of selected fields and data type of the first SQL statement and UNION statement should be identical
Also we have to know the tables and columns name
Testing number of fields
By using NULL:
Testing field type
Simple, change NULL to another data type, one at a time.
Error-based SQL Injection
First, we have to know the database version by forcing DBMS error, which could reveal the database version.
SQL function could be like @@version
and user_name()
.
Each time running the payload, we will retrieve one data entry. Then add the data into the <list>
. Run the payload again, we will get another.
MSSQL
Find readable databases
Then increment 0, ...
Enumerate tables
xtype='U'
declares user-defined tables.
Enumerate columns
Dump data
MySQL
Use
group by
to extract
Example of <info_to_extract>
: version()
PostgreSQL
Blind SQL Injection
Substring
To optimize, for example:
First \ Second
T
F
T
[0-9] or symbol
[A-Z]
F
[a-z]
N/A
Time-based
SQLMap
Basic usage:
To exploit UNION-based in-band SQLi:
If it is a POST parameter:
Grab Banner
Normally, the first step is to grab the banner:
Enumerate users
Then check if the user is an admin:
List Databases
Extract Schema
Then extract the columns:
To dump selected columns:
Specify the DBMS
For example:
MySQL
Oracle
SQLite
PostgreSQL
Microsoft SQL Server
DB2
...
Fine-tune Payload
If there is a string which is always be present in the TRUE output page, use --string
to specify; inversely, use --not-string
.
Also, if SQLi payload is inserted in a structured POST parameter like JSON, you may use --prefix
and --suffix
Aggressiveness
You may specify the --level
:
1
: GET/POST2
: Cookie header3
: User Agent / Referer5
: Host Header
Also, you can use -p
to bypass a level.
To lower the risk, you may use --risk
to fine-tune the injection.
1
: Default, innocuous injections2
: Heavy time-based injections3
: EnableOR
based injections
You can also do it in multi-threads:
XP_CMDSHELL
MySQL READ WRITE Abuse
To read file, we can use:
To read binary:
It is possible to dump a file into a table:
To chain it,
Last updated