HackBook.io
  • Pentesting Pocket Book for hackers and developers.
Hacking SQL

Things to look for:

  • URL params that look like they feed requests

  • Any form that touches a database

  • Settings and experience based items that can be edited

  • Header items like User-Agents that might get stored in the DB

  • Fuzz characters: ' " # -- , SELECT UNION

Tools to help:

  • Metasploit (MSF) SQL enumeration scripts

  • sqlmap: a fully featured SQL enumeration and injection tool

Impact:

  • Dump the database

  • Read the file system

  • Run OS commands

  • Create Admin login

  • Install Shells

Basic Commands:

The table dump / login bypass string: ' OR 'a'='a
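To show why that string works and what stops it, here is an added example (not code from HackBook.io) that builds the login query both ways against an in-memory SQLite database: once by string concatenation, once with bound parameters. The table, the rows and the function names (`vulnerable_login`, `safe_login`) are constructed for the demo.

```python
"""Added example (not from HackBook.io): the login query behind the
' OR 'a'='a bypass, built by concatenation and with bound parameters.
The users table and its rows are constructed demo data."""
import sqlite3

# Constructed demo data. Plaintext passwords only keep the demo short;
# a real system stores salted hashes and compares against those.
DEMO_ROWS = [("alice", "correct horse"), ("david", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", DEMO_ROWS
    )
    return conn


def vulnerable_login(conn, username, password):
    """Builds the SQL by concatenation, so user input becomes SQL syntax.
    With password = ' OR 'a'='a the WHERE clause becomes
    username = 'david' AND password = '' OR 'a'='a', which is true for
    every row, and the first user in the table is returned."""
    sql = (
        "SELECT id, username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    """Same query with bound parameters: the input is always data, never
    syntax, so the tautology is compared literally against the column."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def quote_breaks_vulnerable_query(conn) -> bool:
    """A lone quote in the input (one of the fuzz characters listed above)
    turns into a syntax error in the concatenated query, which is the error
    message a tester looks for; the parameterised query just finds no row."""
    try:
        vulnerable_login(conn, "david'", "x")
    except sqlite3.Error:
        return safe_login(conn, "david'", "x") is None
    return False


def demo():
    """Run both query styles with a valid password and with the bypass."""
    conn = make_db()
    payload = "' OR 'a'='a"
    return {
        "vulnerable_valid": vulnerable_login(conn, "david", "hunter2"),
        "vulnerable_bypass": vulnerable_login(conn, "david", payload),
        "safe_valid": safe_login(conn, "david", "hunter2"),
        "safe_bypass": safe_login(conn, "david", payload),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The bypass against the concatenated query returns `(1, 'alice')`, the first row of the table, not the user who was named in the request; that is the "first user of the DB" behaviour the walkthrough below describes. The parameterised version returns no row for the same input, and the fix is the same for every injection point on this page: parameters, form fields and stored headers alike must reach the database as bound values.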

Url injection:

First, test that we control the output. Here id 9999 returns only the page frame, with no record populated:

Now we use an existing id and try both a true condition and a false condition.

True:

False:

Now we add our UNION SELECT and keep incrementing the number of NULLs until the page comes back as it did for the true condition.

Next we check the type of each NULL position by substituting either a number or a 'string' and seeing which is accepted, if the column type is enforced. Once we know the types we switch back to id 9999, so that only our injected values populate the page.

Now we first try @@version in a position that accepts a string, then look up the PentestMonkey SQL injection cheat sheet for that database version.

Here we test a current-user query to get the database user:

Next we try listing the user table, which takes some slight edits (we could have queried for the table name, but it was already known).

This gives you the first user in the table. We could add a WHERE clause and enumerate users one by one, but we are better off using sqlmap.

Authentication bypass:

If there is a login portal, sign in (or attempt to) with the traffic proxied through Burp. You can then map the login request and use sqlmap to fuzz it for injectable parameters.

sqlmap -u "http://3.lab.auth.site/ajax.php?fun=login&username=david&password=test" --keep-alive
sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" --keep-alive

In method one we use the GET request as we see it being generated from ajax.php. This may not always work, so we also want to try POSTing the same parameter data, and to try injecting at other data points such as the User-Agent, Referer, and so on. For this example, method two (POSTing the data) finds SQLi on username, likely bypassing a security mechanism that is set up to inspect only GET requests.

We can now specify the vulnerable parameter and what we want to dump from it:

sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" -p username --dbs --tables --columns --keep-alive
sqlmap -u "http://3.lab.auth.site/ajax.php" --data="fun=login&username=david&password=test" -D ratingAgency3 -T analyst --dump --keep-alive
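The URL injection walkthrough and the authentication bypass above both turn on where input enters a query: the query string, the POST body, or a stored header. As an added example (not code from HackBook.io or sqlmap), the screen below decodes every input source of a request and checks it for the indicators this page lists (UNION SELECT probes, @@version and current-user lookups, quote-OR tautologies, comment terminators), and sets that beside the weak check the walkthrough ran into, one that only looks at GET parameters. The request structure, the function names (`screen_request`, `screen_query_only`) and the sample requests are constructed for the demo.

```python
"""Added example (not from HackBook.io): screen every input source of a
request for the SQL injection indicators this page lists, and compare it
with a check that inspects only the query string. Request shape, parameter
names and sample values are constructed for the demo."""
import re
from urllib.parse import parse_qsl, unquote_plus

# Indicators drawn from the page's own walkthrough. Each is a detection
# signal, not proof of injection; hits are for review or blocking policy.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,20}?\bselect\b", re.I | re.S),
    "db_fingerprint": re.compile(r"@@version|\bcurrent_user\b|\buser\(\)", re.I),
    "tautology": re.compile(
        r"['\"]\s*or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I
    ),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}


def normalise(value: str) -> str:
    """Decode URL encoding twice (catches %2527-style double encoding) and
    collapse whitespace, so encoded payloads match the same patterns."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def indicators_for(value: str):
    """Names of every indicator that fires on one input value."""
    text = normalise(value)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def request_inputs(request: dict):
    """Yield (source, name, value) for each attacker-controlled input: the
    query string, the form body, and the headers the page notes may be
    stored in the database."""
    for name, value in parse_qsl(request.get("query", ""), keep_blank_values=True):
        yield "query", name, value
    for name, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        yield "body", name, value
    for name in ("User-Agent", "Referer"):
        if name in request.get("headers", {}):
            yield "header", name, request["headers"][name]


def screen_request(request: dict):
    """Full screen: [(source, name, [indicators])] for every input that hit."""
    hits = []
    for source, name, value in request_inputs(request):
        found = indicators_for(value)
        if found:
            hits.append((source, name, found))
    return hits


def screen_query_only(request: dict):
    """The weak check from the walkthrough: only GET parameters are inspected,
    so the same payload in the POST body or a header passes untouched."""
    return screen_request({"query": request.get("query", "")})


# Constructed sample requests modelled on the login endpoint above.
SAMPLE_REQUESTS = {
    "get_probe": {
        "query": "fun=login&username=david%27+OR+%27a%27%3D%27a&password=test",
        "body": "", "headers": {"User-Agent": "Mozilla/5.0"},
    },
    "post_union": {
        "query": "",
        "body": "fun=login&username=david'+UNION+SELECT+null,null--&password=test",
        "headers": {"User-Agent": "Mozilla/5.0"},
    },
    "header_version": {
        "query": "id=3", "body": "",
        "headers": {"User-Agent": "' UNION SELECT @@version,null-- "},
    },
    "benign": {
        "query": "", "body": "fun=login&username=o'neil&password=pa%23ss",
        "headers": {"User-Agent": "Mozilla/5.0"},
    },
}


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, "full:", screen_request(req), "query-only:", screen_query_only(req))
```

Run stand-alone, the `post_union` and `header_version` requests are flagged by `screen_request` and missed entirely by `screen_query_only`, which is exactly the gap the POST method exploited above. The `benign` request, with an apostrophe in the username and a `#` inside the password, is not flagged by either, because the patterns look for SQL structure rather than single characters. Two caveats: decoding three times in total (once in `parse_qsl`, twice in `normalise`) can alter unusual legitimate values that contain `%` or `+`, which only affects matching, not the value the application uses; and a screen like this is a detection layer, not a substitute for the parameterised queries shown earlier.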

Loot:


Last updated 3 years ago
