SQL Injection
PRACTICE ! PRACTICE ! PRACTICE !
Payloads to test for the presence of SQLi => 500 (Internal Server Error)
Login Bypass Payloads
UNION Based SQLi Attacks
Finding a Column containing text - Figuring out the datatype of a column
Retrieving data from other tables
Retrieving multiple values from a single column
Querying the DB name and version on an Oracle DB
In Oracle, a UNION SELECT must have a FROM clause, but from a black-box perspective we don't know any table name :(
Fortunately, Oracle provides the DUAL table, a special table that belongs to the SYS schema but is accessible to all users :)
Querying the database type and version on MySQL and Microsoft SQL Server
Listing the database contents on non-Oracle DB
Listing the database contents on Oracle DB
Blind-Based SQL Injections
Blind SQL injection with conditional responses
Testing the normal way shows no difference - everything returns 200
But there's something fishy with the cookies set by the application - one of them is called TrackingId - let's try tampering with it!
Since it's a blind SQLi, we'll have to use boolean-based payloads (AND / OR) that trick the application into answering our questions with TRUE or FALSE
If the condition is true, the page displays a Welcome Back message!
Let's now confirm whether the users table exists
Suppose the users table has 5 users: the query returns 5 rows, the condition is true, and the Welcome Back message is displayed too!
Let's now check for the presence of the user administrator - the Welcome Back message is displayed
Let's analyze the length of the password
Obviously the password length is greater than 1, so the Welcome Back message is displayed
Send the request to Intruder and brute-force the length with a Sniper attack - the password length is 20
Since we've found the password length, let's now check character by character - for this we use a Cluster bomb attack where payload 1 is the character position (1 to 20) and payload 2 is the brute-force character list
Password - gujv2v5tmroiosor2ztf
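The application side of the tracking-cookie lookup described above, as an added example that is not the lab's or PortSwigger's code: a concatenated query that answers TRUE/FALSE probes with a different page, beside the parameterised version that does not. The SQLite backend and the table/column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tracking-cookie table.
    Table and column names are assumptions, not the lab's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tracked_users (tracking_id TEXT);
        INSERT INTO tracked_users VALUES ('abc123');
    """)
    return conn


def lookup_vulnerable(conn, cookie):
    """Cookie value concatenated into the query: anything after a quote
    becomes SQL, so ' AND '1'='1 and ' AND '1'='2 change the row count."""
    sql = ("SELECT tracking_id FROM tracked_users "
           "WHERE tracking_id = '" + cookie + "'")
    return conn.execute(sql).fetchone() is not None


def lookup_fixed(conn, cookie):
    """Bound parameter: the cookie is compared as one opaque string, so the
    same tampered values simply match no row."""
    sql = "SELECT tracking_id FROM tracked_users WHERE tracking_id = ?"
    return conn.execute(sql, (cookie,)).fetchone() is not None


def render(found):
    """The one-string difference ('Welcome back!' vs nothing) is the oracle
    the conditional-response technique reads."""
    return "Welcome back!" if found else ""


def leaks_boolean_oracle(conn, lookup, cookie):
    """Defender's check: does appending a true vs. a false condition to a
    known-good cookie change the rendered page? If so the lookup is injectable."""
    true_probe = cookie + "' AND '1'='1"
    false_probe = cookie + "' AND '1'='2"
    return render(lookup(conn, true_probe)) != render(lookup(conn, false_probe))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:", leaks_boolean_oracle(db, lookup_vulnerable, "abc123"))
    print("fixed leaks:     ", leaks_boolean_oracle(db, lookup_fixed, "abc123"))
```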
Blind SQL injection with conditional errors
Since it's a blind SQLi, we'll have to use boolean-based payloads (AND / OR) that trick the application into answering our questions with TRUE or FALSE
But there's something fishy with the cookies set by the application - one of them is called TrackingId - let's try tampering with it!
It breaks the query behind the scenes and results in a 500 Internal Server Error - which is a good sign!
Let's now confirm that the users table exists
We get an error because the '' returns an empty value for every row in the users table (a subquery here must return a single row), so the fix is to limit the result to one row with ROWNUM=1
Let's now confirm whether the user administrator exists in the users table
But wait... does this mean we can enumerate arbitrary users with this statement?
Okay, so everything returns 200. Let's think smarter - since we are dealing with an Oracle DB, let's use Oracle's CASE expression to determine whether the user administrator actually exists!
The 1st statement selects the CASE WHEN 1=1, which is always true, so the THEN branch evaluates 1/0, which raises an error => 500
The 2nd statement selects the CASE WHEN 1=0, which is false, so the ELSE branch returns an empty string => 200 OK
Now let's check whether the administrator user actually exists
Order of evaluation in SQL: the FROM clause (with its WHERE filter) runs before the SELECT clause - so the SELECT clause, and with it the TO_CHAR(1/0) expression that raises the error, only runs when the administrator row exists in the users table
Now that we know the user administrator is present, let's determine the length of the password
This confirms that the password is 20 characters long; now let's use the SUBSTR function to crack the password with Burp's Cluster bomb attack
Let's now automate it with Intruder
Payload 1 => numbers from 1 to 20
Payload 2 => brute-force character list
Once the attack's done, filter for the 500 error responses and sort them by payload position to read off the password
Password - 0pv5ev8qcqck64ojocya
Blind SQL injection with time delays
Let's try fuzzing the vulnerable parameter TrackingId in the session cookie with a single quote character ' => 200 OK? Something fishy! Now let's inject some time-delay queries, but first we don't know which DB the backend runs - so let's fuzz with the time-delay syntax of each DB
This confirms that the backend DB is PostgreSQL
Blind SQL injection with time delays and information retrieval
The vulnerable parameter is TrackingId; let's try fuzzing it with a ' character => 200 OK, fishy! Let's fuzz the database version - it looks like PostgreSQL is running in the backend
Let's now confirm whether the users table exists in the DB - to do that we'll ask the application to sleep for 10 seconds => if the condition is true it sleeps for 10 seconds, if not it's false
Now let's go after the administrator user's password
This confirms that the password length = 20
Let's try cracking the password by feeding the request to Intruder => Cluster bomb attack
Password - geayezhire570zx8xqjb
Blind SQL injection with out-of-band interaction
The vulnerable parameter is TrackingId; let's try fuzzing it with a ' character => 200 OK, fishy! Let's fuzz the database version - it looks like an unpatched Oracle DB instance is running in the backend
URL-encode the above and we'll see some DNS lookups hopping in on our Collaborator
We got an out-of-band interaction with the target!
Blind SQL injection with out-of-band data exfiltration
The vulnerable parameter is TrackingId
We already know the DB => Oracle
URL-encoding the above gives us DNS lookups on our Collaborator, with the exfiltrated data attached to our Collaborator address since we concatenated it in the query
Password - 1pfyp67nj2aslkjyvkyj
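A defender-side counterpart to the cookie-tampering walkthroughs above (conditional responses, conditional errors, time delays, UNION probing): an added example, not from the labs or PortSwigger, that URL-decodes the TrackingId cookie from proxy log lines and flags the payload families described in these notes. The log format, the sample lines and the signature set are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumed log format (constructed): the proxy appends the raw Cookie header as cookie="..."
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')
TRACKING_ID = re.compile(r"TrackingId=([^;]*)")

# One illustrative regex per payload family in the notes above; not a vendor rule set.
SIGNATURES = {
    "boolean": re.compile(r"'\s*(AND|OR)\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "conditional_error": re.compile(r"CASE\s+WHEN\b.*\bTHEN\b.*(1/0|TO_CHAR)", re.I | re.S),
    "time_delay": re.compile(r"pg_sleep\s*\(|\bSLEEP\s*\(|WAITFOR\s+DELAY", re.I),
    "union": re.compile(r"UNION\s+(ALL\s+)?SELECT\b", re.I),
}


def tracking_id_from(line):
    """Extract the TrackingId cookie and URL-decode it twice (payloads are sent encoded)."""
    m = COOKIE_FIELD.search(line)
    if not m:
        return None
    t = TRACKING_ID.search(m.group(1))
    return unquote(unquote(t.group(1))) if t else None


def classify(value):
    """Return the sorted list of payload families matching one cookie value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def scan(lines):
    """Return (line_number, families) for every line whose TrackingId matches a signature."""
    findings = []
    for n, line in enumerate(lines, 1):
        value = tracking_id_from(line)
        if value and (families := classify(value)):
            findings.append((n, families))
    return findings


# Constructed sample log: one benign request, then one request per technique from the notes.
SAMPLE_LOG = [
    '10.0.0.5 "GET /filter?category=Gifts HTTP/1.1" 200 cookie="TrackingId=abc123; session=s1"',
    '10.0.0.5 "GET / HTTP/1.1" 200 cookie="TrackingId=abc123%27%20AND%20%271%27%3D%271; session=s1"',
    '10.0.0.5 "GET / HTTP/1.1" 500 cookie="TrackingId=abc123%27%20AND%20(SELECT%20CASE%20WHEN%20(1%3D1)%20THEN%20TO_CHAR(1/0)%20ELSE%20%27%27%20END%20FROM%20dual)%3D%27; session=s1"',
    '10.0.0.5 "GET / HTTP/1.1" 200 cookie="TrackingId=abc123%27%3B%20SELECT%20pg_sleep(10)--; session=s1"',
    '10.0.0.5 "GET / HTTP/1.1" 200 cookie="TrackingId=abc123%27%20UNION%20SELECT%20NULL%2CNULL--; session=s1"',
]

if __name__ == "__main__":
    for n, families in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(families)}")
```

The 500 on the conditional-error line and the extra latency on the time-delay line are the server-side signals that corroborate these cookie matches.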