Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Attack types
  • SQL Injection example
  • Cheat Sheets
  • Tools
  • sqlmap
  • Mole
  • Blisqy
  • For mobile devices
  1. Red Team
  2. Web Hacking

SQL Injection

SQL injection is taking advantage of unsanitized input vulnerabilities to pass SQL commands to a web application.

Attack types

SQL injections can be used for various types of attacks:

Security Threat
Description

Authentication Bypass

An intruder gains access to an application without a valid username and password, effectively obtaining administrative privileges.

Authorization Bypass

A hacker manipulates authorization data in a database by exploiting vulnerabilities, such as SQL injection.

Information Disclosure

An attacker acquires sensitive data from a database, potentially compromising the confidentiality of the information.

Compromised Data Integrity

Intruders vandalize web pages, insert malicious content, or alter a database's contents, compromising data integrity.

Compromised Data Availability

Aggressors delete database information, log records, or audit data stored in a database, leading to data unavailability.

Remote Code Execution

Intruders compromise the host operating system, potentially gaining control over the system's functionality.

SQL Injection example

Attackers can craft a query by inputting specific values in application fields, such as usernames and passwords. For example:

  • Username: Bob' or 1=1 --

  • Password: Whatever

During query execution, these values replace placeholders, resulting in a query like this:

SELECT Count(*) FROM Users WHERE UserName='Bob' or 1=1 --' AND Password='Whatever';

Analyzing this query reveals that the condition in the WHERE clause will always evaluate to true, potentially leading to unauthorized access.

Cheat Sheets

Tools

sqlmap

Target URL and Cookies: First, specify the target URL where the injection will occur. You can also provide the necessary cookies for authentication.

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" --dbs

  • -u specifies the target URL.

  • --cookie is used to set the HTTP cookie header.

  • --dbs instructs sqlmap to enumerate the available databases in the DBMS.

Select a Database: After identifying the databases, you can select a specific one for further exploration. In this example, we'll use a database named "exampledb."

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" -D exampledb --tables

  • -D specifies the database to enumerate.

  • --tables instructs sqlmap to list the tables in the chosen database.

Retrieve Table Content: Now, let's say we want to retrieve the content of a table called "user_data." You can use sqlmap to dump the table content.

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" -D exampledb -T user_data --dump

  • -T specifies the table to extract data from.

  • --dump is used to retrieve and display the table content.

Interactive OS Shell: sqlmap can also provide an interactive OS shell for advanced operations.

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" --os-shell

  • --os-shell initiates an interactive OS shell.

  • Optimize Delay Responses: If prompted with a message asking if you want sqlmap to optimize delay responses, you can respond with "Y" to improve the injection efficiency.

  • View Available Commands: To explore the available commands within the interactive OS shell, simply type "help."

Mole

Blisqy

For mobile devices

sqlmapchik

PreviousWeb vulnerability scannersNextCloud

Last updated 1 year ago

" is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections."

is a graphical, cross-platform SQL injection testing tool. It provides a user-friendly interface for analyzing and manipulating SQL injection attacks, making it easier for testers to perform various SQL injection techniques and assess the security of a web application.

is a lightweight and open-source SQL Injection tool that is designed to automate the process of discovering and exploiting SQL injection vulnerabilities in web applications. It's a command-line tool that provides a simple and efficient way to identify and exploit SQL injection flaws.

" is a cross-platform sqlmap GUI for popular sqlmap tool. It is primarily aimed to be used on mobile devices (currently Android is supported)."

sqlmap
Mole
Blisqy
sqlmapchik
LogoSQL InjectionHackTricks
LogoSQL Injection Cheat Sheet
https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheetpentestmonkey.net