SQL Injection

SQLi / SQL Injection

Manual Testing

How to test for SQL Injection manually.

Verify the Existence of SQL Injection

Broadly, to verify the existence of SQL injection in a given field you can try one of three approaches:

  1. Create an error

  2. Use SQL operators and see if the data changes according to SQL rules

  3. Add a sleep statement to the SQL query and check whether the response is delayed

To create an error, you can:

  • Add single and double quotes everywhere and see if it fails

  • If there is an integer ID, then you can try a negative value, since negative IDs usually don't exist

Using SQL operators, you can verify the injection like this:

  • If there is an integer ID, then you can try to subtract from it.

    • ?id=11-1, and see if the result is the same as ?id=10

  • If there is a string value, then that's trickier. You can try to concatenate to it, but it's easy to create an error accidentally.

    • asd' + 'f will work in MySQL, but not in PostgreSQL

    • asd' || 'f is the SQL standard, but it will still create an error in MySQL, because MySQL expects it between a pair of parentheses.
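The first two checks above (quote probe and arithmetic probe) are easiest to understand by running them against a deliberately vulnerable lookup and its parameterized counterpart side by side. The block below is an added example, not code from the Leet Sheet; it uses Python's built-in sqlite3 with a constructed three-row table, and the function names (lookup_vulnerable, lookup_parameterized, probe) are invented for illustration. SQLite has no SLEEP function, so the timing check is not reproduced here.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny in-memory table standing in for the app's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(10, "ten"), (11, "eleven"), (12, "twelve")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """Builds the statement by string concatenation, so the caller controls SQL syntax.
    This is the pattern the manual tests above are designed to detect."""
    sql = "SELECT name FROM items WHERE id = " + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_parameterized(conn, raw_id):
    """Binds the value as data. SQLite applies numeric affinity to '10' and finds the
    row, but '11-1' is not a well-formed number, so it is compared as text and matches
    nothing; it is never evaluated as arithmetic."""
    row = conn.execute("SELECT name FROM items WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None

def probe(lookup):
    """Runs the quote probe and the operator probe from the text against one lookup
    function and reports what a tester would observe for each."""
    conn = make_db()
    observed = {}
    # 1. Error probe: a stray single quote breaks the statement only if it is
    #    spliced into the SQL text.
    try:
        lookup(conn, "10'")
        observed["quote_error"] = False
    except sqlite3.Error:
        observed["quote_error"] = True
    # 2. Operator probe: ?id=11-1 returns the same record as ?id=10 only if the
    #    database evaluated the subtraction.
    observed["arith_evaluated"] = lookup(conn, "11-1") == lookup(conn, "10")
    return observed

if __name__ == "__main__":
    print("vulnerable:   ", probe(lookup_vulnerable))
    print("parameterized:", probe(lookup_parameterized))
```

For the concatenated version both probes come back positive (an OperationalError on the quote, and 11-1 resolving to the "ten" row); for the bound-parameter version both are negative, which is the behaviour a fixed endpoint should show when you retest it.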

Union-Based Exploitation

You can query additional rows using UNION SELECT. Before you do that, you'll need to determine the number of columns the original query returns, since UNION requires both sides to match. You can use ORDER BY for that.

General Tips

Here are some things to remember:

  • For commenting out the rest of the query, use "-- " (two dashes followed by a space), because MySQL requires the space after the dashes.

  • Don't forget to URL-encode.

    • Browsers strip trailing spaces from the end of a URL, so your "-- " will become just "--" and your exploit won't work against MySQL.

Filter Evasion

Using flexible MySQL syntax: https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/

Advanced ways to evade filters (using tricks like putting backslashes, using MySQL syntax, etc): https://websec.files.wordpress.com/2010/11/sqli2.pdf

SQL smuggling for evading filters: if INSERT is blacklisted, then use concat("INS", "ERT") so the keyword is only assembled inside the database.

Also Unicode smuggling: 'Ā' may be folded to 'A' by the database's character set handling, so a filter that looks for the ASCII keyword never sees it.
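Both smuggling tricks above are attacks on keyword blacklists, and it is worth seeing from the filter's side why such a control is weak. The following is an added example, not part of the Leet Sheet: a naive keyword blacklist next to one that first folds accented characters the way a permissive database collation would. The keyword list, the probe strings and the function names (naive_blacklist, normalized_blacklist, normalize) are constructed for this illustration.

```python
import unicodedata

# Constructed keyword list for the toy filter.
KEYWORDS = ("insert", "update", "union", "select")

def naive_blacklist(value):
    """The kind of filter the text describes being evaded: case-folds, then looks
    for ASCII keywords verbatim."""
    lowered = value.lower()
    return any(k in lowered for k in KEYWORDS)

def normalize(value):
    """Fold the input the way a permissive collation might before the filter looks
    at it: decompose accented letters (NFKD) and drop the combining marks, so that
    'Ā' (U+0100) becomes plain 'a'."""
    decomposed = unicodedata.normalize("NFKD", value)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.lower()

def normalized_blacklist(value):
    """Same blacklist, applied after normalization. This closes the Unicode gap but,
    as the concat probe shows, still cannot see a keyword the database assembles
    itself; parameterized queries remain the actual mitigation."""
    return any(k in normalize(value) for k in KEYWORDS)

# Constructed probes mirroring the two tricks in the text.
PROBES = (
    "update t set x=1",          # plain keyword: both filters fire
    "upd\u0100te t set x=1",     # Unicode smuggling: Ā in place of A
    'concat("INS", "ERT")',      # split keyword reassembled only inside the DB
)

def evaluate(probes=PROBES):
    """Map each probe to (naive_result, normalized_result)."""
    return {p: (naive_blacklist(p), normalized_blacklist(p)) for p in probes}

if __name__ == "__main__":
    for probe_text, (naive, normalized) in evaluate().items():
        print(f"{probe_text!r:32} naive={naive!s:5} normalized={normalized}")
```

The naive filter catches only the first probe; the normalizing filter also catches the Unicode variant, and neither catches the concat form, which is the point: a blacklist in front of string-built SQL is a detection aid at best, not a fix.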

Automated Testing

Sqlmap GET example:

sqlmap -u "mysite.com/sql.php?param=1"

Sqlmap POST example:

sqlmap -u "mysite.com/sql.php" --method "POST" --data "POST_DATA_HERE"

Sqlmap using a saved request:

sqlmap -r saved_http_request.txt

Useful flags:

  • --level: Allows you to increase the sophistication level. Values {1...5}

  • --risk: Allows you to increase the potential damage the script might do. Values {1...5}

  • --random-agent: Use a random User-Agent header

  • -v3: Increase verbosity

  • --cookie: Set the cookie

  • --proxy: Set a proxy

Last updated 3 years ago