SQL Injection (SQLi)
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries a web application makes to its database. By manipulating input fields.
Last updated
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries a web application makes to its database. By manipulating input fields.
Last updated
is a popular open-source relational database management system (RDBMS) often used in web applications. It’s a common target for attackers due to its widespread use and the potential to expose sensitive data through SQL injection or other vulnerabilities.
connect to mysql remotely
retrieve the version of the running SQL instance
retrieve the current username and hostname for the MySQL connection.
list all of the databases running in the MYSQL session.
retrieve mysql user password hash
A trick to output vertically and get normal formatting
connect to mssql using windows authentication
retrieve the version of the running SQL instance
list all of the databases running in the MYSQL session.
list dbo users of the current database
list all of the database tables
Error-based SQL injection relies on extracting information from the database by triggering error messages that reveal valuable details.
The following examples show how to trigger errors and extract information using Error-Based injection:
Union-based SQL injection enables attackers to concatenate results of malicious query with a legitimate one by using union operator, allowing them to retrieve additional information from other tables.
In order to make the union-based SQL injection work, the attacker must satisfy two conditions:
Ensure that the number of columns in the injected query match those of the original query .
The number of columns can be found using ORDER BY and incrementing the number until the query failed:
It's less recommended but it possible also to enumerate the number of columns using UNION and NULL values until the query works:
Ensure that the data types in the injected query match those of the original query.
The following examples describes the process of finding string column, when the query works means the column using 'a' is a string column.
Boolean-based SQL injection is used in case the query does not reflect the results of the injected query, so it relies on extracting information by using conditions and changes of the web application.
SQL Server supports the following system stored procedures that provide an interface from an instance of SQL Server to external programs, for various maintenance activities.
xp_cmdshell procedure allows sysadmin to execute os commands
Enable xp_cmdshell procedure:
Execute commands using xp_cmdshell:
It's possible to create a file on the server disk using SQL query for example:
sqlmap is a tool which used to automate exploit a SQLi vulnerability given request with the vulnerable parameter.
sqlmap is not allowed in the OSCP exam so I won't dig in it.
is a database management system that natively integrates into the Windows ecosystem.
Windows has a built-in command-line tool named , that allows SQL queries to be run through the Windows command prompt or even remotely from another machine.
