search

SQL Injection (SQLi)

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries a web application makes to its database. By manipulating input fields.

hashtag
Enumeration

hashtag
MySQL

MySQL arrow-up-rightis a popular open-source relational database management system (RDBMS) often used in web applications. It’s a common target for attackers due to its widespread use and the potential to expose sensitive data through SQL injection or other vulnerabilities.

connect to mysql remotely

mysql -u root -p'root' -h 192.168.191.16 -P 3306

retrieve the version of the running SQL instance

select version();

retrieve the current username and hostname for the MySQL connection.

select system_user();

list all of the databases running in the MYSQL session.

show databases;

retrieve mysql user password hash

select user, authentication_string from mysql.user where user = '<username>';

A trick to output vertically and get normal formatting

select * from mysql.user where user = 'offsec'\G;

hashtag
MSSQL

MSSQLarrow-up-right is a database management system that natively integrates into the Windows ecosystem.

  • Windows has a built-in command-line tool named SQLCMDarrow-up-right, that allows SQL queries to be run through the Windows command prompt or even remotely from another machine.

connect to mssql using windows authentication

retrieve the version of the running SQL instance

list all of the databases running in the MYSQL session.

list dbo users of the current database

list all of the database tables

hashtag
Manual Exploitation

hashtag
Error Based

Error-based SQL injection relies on extracting information from the database by triggering error messages that reveal valuable details.

The following examples show how to trigger errors and extract information using Error-Based injection:

hashtag
Union Based

Union-based SQL injection enables attackers to concatenate results of malicious query with a legitimate one by using union operator, allowing them to retrieve additional information from other tables.

In order to make the union-based SQL injection work, the attacker must satisfy two conditions:

  1. Ensure that the number of columns in the injected query match those of the original query .

The number of columns can be found using ORDER BY and incrementing the number until the query failed:

It's less recommended but it possible also to enumerate the number of columns using UNION and NULL values until the query works:

  1. Ensure that the data types in the injected query match those of the original query.

The following examples describes the process of finding string column, when the query works means the column using 'a' is a string column.

hashtag
Boolean-Based

Boolean-based SQL injection is used in case the query does not reflect the results of the injected query, so it relies on extracting information by using conditions and changes of the web application.

hashtag
MSSQL System Procedures

SQL Server supports the following system stored procedures that provide an interface from an instance of SQL Server to external programs, for various maintenance activities.

xp_cmdshell procedure allows sysadmin to execute os commands

Enable xp_cmdshell procedure:

Execute commands using xp_cmdshell:

hashtag
Create Files

It's possible to create a file on the server disk using SQL query for example:

hashtag
Automated Exploitation

sqlmap is a tool which used to automate exploit a SQLi vulnerability given request with the vulnerable parameter.

sqlmap is not allowed in the OSCP exam so I won't dig in it.

LogoGitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover toolGitHubchevron-right
sqlmap - automated sqli tool

hashtag
References

LogoSQL Server Technical Documentation - SQL ServerMicrosoftLearnchevron-right
LogoMySQL :: MySQL Documentationdev.mysql.comchevron-right
LogoSQL injection cheat sheet | Web Security AcademyWebSecAcademychevron-right

PreviousWordPressNextCommand Injection

Last updated