Join hundreds of InfoSec professionals at our upcoming [Global AppSec DC, September 9-13] and [Global AppSec Amsterdam, September 23-27] |
Last revision (mm/dd/yy): 06/16/2017
Example 8 – this is a second order SQL injection, this means that the page is filtering the user input but not the data on the Db, in order to pull this off you will need to do 3 steps Create random users; Frst you will need to create a user with the code you want to inject on the query (payload). SQL injection is a technique (like other web attack mechanisms) to attack data driven applications. This attack can bypass a firewall and can affect a fully patched system. The attacker takes the advantage of poorly filtered or not correctly escaped characters embedded in SQL statements into parsing variable data from user input.
SQLi
A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into to bypass.
For Mod_rewrite, Comments '/**/' cannot bypassed. So we use '%0b' replace '/**/'.
Advanced Methods
Crash Firewall via doing Buffer Over Flow.
1) Buffer Overflow / Firewall Crash:Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow.
2) Replace Characters with their HEX Values:We can replace some characters with their HEX (URL-Encoded) Values.
4) Misc Exploitable Functions:Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!):
Auth Bypass
If we need to bypass some admin panels, and we do that using or 1=1.
SELECT * FROM login WHERE id=1 or 1-- -' or 1 or '1'or 1 or' AND username= AND password=the 'or 1-- -' gets active, make the condition true and ignores the rest of the query.now lets check regular string-
SELECT * FROM login WHERE username=' or 1-- -' or 1 or '1'or 1 or' ' .....the 'or 1' part make the query true, and the other parts are considered as the comparison strings.same with the double quotes.SELECT * FROM login WHERE username=' or 1-- -' or 1 or '1'or 1 or' '
Benchmark
Please use Benchmark and make you own SQLi Strings and test your different test cases on Benchmark
If you have any SQLi Quires which is Missed above Please help to Contribute Mail Down and be a part of The Popular SQLi Evasion CheatSheet.
Contributor
Dhiraj Mishra ([email protected])
A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application
Entry point detection
Detection of an SQL injection entry point
SQL injection using SQLmap
Basic arguments for SQLmap
Custom injection in UserAgent/Header/Referer/Cookie
General tamper option and tamper's list
Tamper | Description |
---|---|
apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
base64encode.py | Base64 all characters in a given payload |
between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) |
equaltolike.py | Replaces all occurances of operator equal ('=') with operator 'LIKE' |
escapequotes.py | Slash escape quotes (' and ') |
greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
modsecurityversioned.py | Embraces complete query with versioned comment |
modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
multiplespaces.py | Adds multiple spaces around SQL keywords |
nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace('SELECT', ')) filters |
percentage.py | Adds a percentage sign ('%') infront of each character |
overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
randomcase.py | Replaces each keyword character with random case value |
randomcomments.py | Add random comments to SQL keywords |
securesphere.py | Appends special crafted string |
sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
space2comment.py | Replaces space character (' ') with comments |
space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('n') |
space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('n') |
space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('n') |
space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('n') |
space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('n') |
space2plus.py | Replaces space character (' ') with plus ('+') |
space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and |
unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
varnish.py | Append a HTTP header 'X-originating-IP' |
versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
Authentication bypass
Time based
Polyglot injection (multicontext)
Insert Statement - ON DUPLICATE KEY UPDATE
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
WAF Bypass
No Space (%20) - bypass using whitespace alternatives
No Whitespace - bypass using comments
No Whitespace - bypass using parenthesis
No Comma - bypass using OFFSET, FROM and JOIN
Blacklist using keywords - bypass using uppercase/lowercase
Blacklist using keywords case insensitive - bypass using an equivalent operator
Information_schema.tables Alternative
Version Alternative
Thanks to - Other resources
- MySQL:
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
- MSQQL:
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
- ORACLE:
- [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
- POSTGRESQL:
- [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
- Others
- [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
- [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
- [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
- [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)