SQL Injection
What is SQL injection?
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behaviour. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack. (From here).
In this POST I'm going to suppose that we have found a possible SQL injection and we are going to discuss possible methods to confirm the SQL injection, recon the database and perform actions.
Entry point detection
You may have found a site that is apparently vulnerable to SQLi just because the server is behaving weird with SQLi related inputs. Therefore, the first thing you need to do is how to inject data in the query without breaking it. To do so you first need to find how to escape from the current context. These are some useful examples:
Then, you need to know how to fix the query so there isn't errors. In order to fix the query you can input data so the previous query accept the new data, or you can just input your data and add a comment symbol add the end.
Note that if you can see error messages or you can spot differences when a query is working and when it's not this phase will be more easy.
Comments
Confirming with logical operations
One of the best ways to confirm a SQL injection is by making it operate a logical operation and having the expected results.
For example: if the GET parameter ?username=Peter
returns the same content as ?username=Peter' or '1'='1
then, you found a SQL injection.
Also you can apply this concept to mathematical operations. Example: If ?id=1
returns the same as ?id=2-1
, SQLinjection.
This word-list was created to try to confirm SQLinjections in the proposed way:
Confirming with Timing
In some cases you won't notice any change on the page you are testing. Therefore, a good way to discover blind SQL injections is making the DB perform actions and will have an impact on the time the page need to load. Therefore, the we are going to concat in the SQL query an operation that will take a lot of time to complete:
In some cases the sleep functions won't be allowed. Then, instead of using those functions you could make the query perform complex operations that will take several seconds. Examples of these techniques are going to be commented separately on each technology (if any).
Identifying Back-end
The best way to identify the back-end is trying to execute functions of the different back-ends. You could use the sleep functions of the previous section or these ones:
Also, if you have access to the output of the query, you could make it print the version of the database.
A continuation we are going to discuss different methods to exploit different kinds of SQL Injection. We will use MySQL as example.
Exploiting Union Based
Detecting number of columns
If you can see the output of the query this is the best way to exploit it. First of all, wee need to find out the number of columns the initial request is returning. This is because both queries must return the same number of columns. Two methods are typically used for this purpose:
Order/Group by
Keep incrementing the number until you get a False response. Even though GROUP BY and ORDER BY have different functionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
UNION SELECT
Select more and more null values until the query is correct:
You should use null
values as in some cases the type of the columns of both sides of the query must be the same and null is valid in every case.
Extract database names, table names and column names
On the next examples we are going to retrieve the name of all the databases, the table name of a database, the column names of the table:
There is a different way to discover this data on every different database, but it's always the same methodology.
Exploiting Error based
If for some reason you cannot see the output of the query but you can see the error messages, you can make this error messages to ex-filtrate data from the database. Following a similar flow as in the Union Based exploitation you could manage to dump the DB.
Exploiting Blind SQLi
In this case you cannot see the results of the query or the errors, but you can distinguished when the query return a true or a false response because there are different contents on the page. In this case, you can abuse that behaviour to dump the database char by char:
Exploiting Error Blind SQLi
This is the same case as before but instead of distinguish between a true/false response from the query you can distinguish between an error in the SQL query or not (maybe because the HTTP server crashes). Therefore, in this case you can force an SQLerror each time you guess correctly the char:
Exploiting Time Based SQLi
In this case there isn't any way to distinguish the response of the query based on the context of the page. But, you can make the page take longer to load if the guessed character is correct. We have already saw this technique in use before in order to confirm a SQLi vuln.
Stacked Queries
You can use stacked queries to execute multiple queries in succession. Note that while the subsequent queries are executed, the results are not returned to the application. Hence this technique is primarily of use in relation to blind vulnerabilities where you can use a second query to trigger a DNS lookup, conditional error, or time delay.
Oracle doesn't support stacked queries. MySQL, Microsoft and PostgreSQL support** them: QUERY-1-HERE; QUERY-2-HERE
Out of band Exploitation
If no-other exploitation method worked, you may try to make the database ex-filtrate the info to an external host controlled by you. For example, via DNS queries:
Out of band data exfiltration via XXE
Automated Exploitation
Check the SQLMap Cheetsheat to exploit a SQLi vulnerability with sqlmap.
Tech specific info
We have already discussed all the ways to exploit a SQLinjection vulnerability. Find some more tricks database technology dependant in this book:
Or you will find a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
Authentication bypass
List to try to bypass the login functionality:
Login bypass ListAuthentication Bypass (Raw MD5)
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
Allowing an attacker to craft a string with a true
statement such as ' or 'SOMETHING
Challenge demo available at http://web.jarvisoj.com:32772
Hash Authentication Bypass
Recommended list:
You should use as username each line of the list and as password always: Pass1234. (This payloads are also included in the big list mentioned at the beginning of this section)
GBK Authentication Bypass
IF ' is being scaped you can use %A8%27, and when ' gets scaped it will be created: 0xA80x5c0x27 (โ')
Python script:
Polyglot injection (multicontext)
Insert Statement
Modify password of existing object/user
To do so you should try to create a new object named as the "master object" (probably admin in case of users) modifying something:
Create user named: AdMIn (uppercase & lowercase letters)
Create a user named: admin=
SQL Truncation Attack (when there is some kind of length limit in the username or email) --> Create user with name: admin [a lot of spaces] a
SQL Truncation Attack
If the database is vulnerable and the max number of chars for username is for example 30 and you want to impersonate the user admin, try to create a username called: "admin [30 spaces] a" and any password.
The database will check if the introduced username exists inside the database. If not, it will cut the username to the max allowed number of characters (in this case to: "admin [25 spaces]") and the it will automatically remove all the spaces at the end updating inside the database the user "admin" with the new password (some error could appear but it doesn't means that this hasn't worked).
More info: https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html & https://resources.infosecinstitute.com/sql-truncation-attack/#gref
MySQL Insert time based checking
Add as much ','',''
as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.
ON DUPLICATE KEY UPDATE
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
Extract information
Creating 2 accounts at the same time
When trying to create a new user and username, password and email are needed:
Using decimal or hexadecimal
With this technique you can extract information creating only 1 account. It is important to note that you don't need to comment anything.
Using hex2dec and substr:
To get the text you can use:
Using hex and replace (and substr):
Routed SQL injection
Routed SQL injection is a situation where the injectable query is not the one which gives output but the output of injectable query goes to the query which gives output. (Paper)
Example:
WAF Bypass
No Space (%20) - bypass using whitespace alternatives
No Whitespace - bypass using comments
No Whitespace - bypass using parenthesis
No Comma - bypass using OFFSET, FROM and JOIN
Blacklist using keywords - bypass using uppercase/lowercase
Blacklist using keywords case insensitive - bypass using an equivalent operator
WAF bypass suggester tools
Other Guides
Brute-Force Detection List
Last updated