diff --git a/README.md b/README.md index dcbefb1..fa9764b 100644 --- a/README.md +++ b/README.md @@ -18,3 +18,4 @@ See [CONTRIBUTING.md](https://github.com/NetSPI/WikiJekyllTheme/blob/master/CONT - Khai Tran (@k_tr4n) - Rafael Seferyan - Scott Sutherland (@_nullbind) + diff --git a/_data/injectionDescriptions.yml b/_data/injectionDescriptions.yml index 19755bc..c19bd61 100644 --- a/_data/injectionDescriptions.yml +++ b/_data/injectionDescriptions.yml 
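Review bot: the README hunk only appends an empty `+` line after `- Scott Sutherland (@_nullbind)`, adding a trailing blank line to the contributor list and no content; drop it unless the blank line is intended, since it will surface as a whitespace-only change in blame.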
@@ -1,6 +1,6 @@ injectionDetection: Injections can be detected in a number of ways. The simplest being adding a ' or \ after various parameters and getting a database error returned from the web server. The sections below describe where to find and how to detect these parameters." dbmsIdentification: Detecting what Database Management System (DBMS) is being used is critical in being able to further exploit an injection. Without that knowledge it would not be possible to determine what tables to query, what functions are built-in, and what detections to avoid. A successful response from the below queries identify that the selected DBMS is being used. -errorBased: Error based injections are exploited through triggering errors generated by the database when invalid input is passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation. +errorBased: Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation. unionBased: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). blindBased: Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation. conditionalStatements: Conditional statements are beneficial for creating complex queries and aiding in Blind Injection. 
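Review bot: the unchanged `injectionDetection:` context line ends with an unbalanced closing quote (`...how to detect these parameters."`) that has no opening quote, so the rendered description ends in a stray quotation mark; since this hunk already touches the neighbouring `errorBased:` entry, removing that `"` here is a one-character fix. The `errorBased` rewording itself reads fine.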
@@ -8,9 +8,10 @@ injectionPlacement: SQL injection is always a hassle when it isn't apparent wher injectionObfuscation: Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations, they may require modification before being applied to certain injections. dataExfiltration: Exfiltrating data allows easier data analysis, as well as an offline copy of any compromised data. Data can be exfiltrated through files, various Layer 4 requests, and hidden techniques. dataTargeting: Being able to properly target and identify sensitive information can exponentially decrease time spent in a database. This means less time spent poking around and more time spent researching other vectors. -executingOSCommands: Running an OS command is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database. +executingOSCommands: Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database. informationGathering: It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this. lateralMovement: Lateral movement allows a tester to gain access to different sets of functionality/data that don't explicitly require a more privileged user. Switching user accounts laterally will expose different information and could aid in compromising a more privileged user. 
privilegeEscalation: Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step. readingAndWritingFiles: Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443. -persistence: Gaining persistence on a system allows a semi-permanent foothold in a network. Through this foothold different vectors and exploit methods can be attempted. +persistence: Gaining persistence on a system creates a semi-permanent foothold in the network, allowing prolonged exploitation time. With this extra time different vectors and exploit methods can be attempted. +parameterManipulation: Manipulating parameters aids in bypassing Web Application Firewalls, Anti-Virus scanners, and allows modification of various SQL queries for unique situations. diff --git a/_data/metadata.yml b/_data/metadata.yml index 0fbea2d..da5abc0 100644 --- a/_data/metadata.yml +++ b/_data/metadata.yml @@ -1,6 +1,5 @@ googleTagManagerID: GTM-M7JZ64N -keywords: "netspi, sql injection, wiki, sqli, sql, injection, netspy, network security professionals, oracle, mysql, sqlserver, mssql, cheat sheet, cheat, sheet" -description: This wiki's mission is to be a one stop resource for fully identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems -ogImageLink: https://sqlwiki.netspi.com/assets/images/facebookCard.jpg -twitterImageLink: https://sqlwiki.netspi.com/assets/images/twitterCard.jpg +keywords: netspi, sql injection, wiki, sqli, sql, injection, netspy, network security professionals, oracle, mysql, sqlserver, mssql, cheat sheet, cheat, sheet +ogImageLink: /assets/images/facebookCard.jpg +twitterImageLink: /assets/images/twitterCard.jpg title: NetSPI SQL Injection Wiki 
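Review bot: the new `parameterManipulation:` text in `_data/injectionDescriptions.yml` ("...allows modification of various SQL queries for unique situations") does not match the `description:` front matter added to `attackQueries/parameterManipulation/index.html` in this same change ("...allows obfuscation of the injection string"); pick one wording so the page body and its meta description agree. The `executingOSCommands` line still carries the comma splice "SQL injection, this aids in"; a semicolon or full stop would fix it.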
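Review bot: in the `_data/metadata.yml` hunk, `ogImageLink` and `twitterImageLink` change from `https://sqlwiki.netspi.com/...` to root-relative paths, but Open Graph `og:image` and Twitter card `twitter:image` values have to be absolute URLs, so social previews will break unless the layout prefixes them (for example with Jekyll's `absolute_url` filter or `{{ site.url }}`). Removing `description:` from this file also means any page that has no `description:` of its own now renders an empty meta description unless the layout has a fallback; worth checking before merging.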
diff --git a/attackQueries/dataExfiltration/index.html b/attackQueries/dataExfiltration/index.html index dae0e89..c1b8291 100644 --- a/attackQueries/dataExfiltration/index.html +++ b/attackQueries/dataExfiltration/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Exfiltrating data through SQL Injection allows easier data analysis, as well as an offline copy of any compromised data. +keywords: data exfiltration, exfiltration, breach +Title: Data Exfiltration | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/attackQueries/dataTargeting/index.html b/attackQueries/dataTargeting/index.html index dae0e89..ca62069 100644 --- a/attackQueries/dataTargeting/index.html +++ b/attackQueries/dataTargeting/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Being able to properly target and identify sensitive information can exponentially decrease time spent in a database. +title: Data Targeting | NetSPI SQL Injection Wiki +keywords: data targeting, sql injection data, breach data tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/attackQueries/executingOSCommands/index.html b/attackQueries/executingOSCommands/index.html index ddc7195..9a36cac 100644 --- a/attackQueries/executingOSCommands/index.html +++ b/attackQueries/executingOSCommands/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. +keywords: os command, operating system command, command injection +title: OS Commands | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql diff --git a/attackQueries/index.html b/attackQueries/index.html index 195265c..2bb8bc7 100644 
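Review bot: in the `attackQueries/dataExfiltration/index.html` hunk, `+Title: Data Exfiltration | NetSPI SQL Injection Wiki` uses a capitalised key; Jekyll front matter keys are case-sensitive, so this sets `page.Title` and leaves `page.title` empty for that page, while every other index.html in the change uses lowercase `title:`. Change it to `title:`.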
--- a/attackQueries/index.html +++ b/attackQueries/index.html @@ -1,5 +1,8 @@ --- layout: default +description: After verifying a SQL injection, all of these methods can be used to further exploit the database. +title: Attack Queries | NetSPI SQL Injection Wiki +keywords: attack queries ---

Attack Queries

Once the injectable parameters and DBMS type are identified we need to attack the database. Below you will find various section to aid you in escalating privileges, exfiltrating data, and more.
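Review bot: while this hunk touches `attackQueries/index.html`, the unchanged context line "Below you will find various section to aid you" should read "various sections"; a one-word fix worth folding into the same change.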

diff --git a/attackQueries/informationGathering/index.html b/attackQueries/informationGathering/index.html index dae0e89..33036f2 100644 --- a/attackQueries/informationGathering/index.html +++ b/attackQueries/informationGathering/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. +keywords: information gathering, information, data, gathering +title: Information Gathering | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/attackQueries/lateralMovement/index.html b/attackQueries/lateralMovement/index.html index dae0e89..aa3fb9d 100644 --- a/attackQueries/lateralMovement/index.html +++ b/attackQueries/lateralMovement/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Lateral movement allows a tester to gain access to different sets of functionality/data that don't explicitly require a more privileged user. +title: Lateral Movement | NetSPI SQL Injection Wiki +keywords: privilege escalation, lateral, movement, lateral movement, privilege tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/attackQueries/parameterManipulation/index.html b/attackQueries/parameterManipulation/index.html index dae0e89..837a0fa 100644 --- a/attackQueries/parameterManipulation/index.html +++ b/attackQueries/parameterManipulation/index.html 
@@ -1,8 +1,8 @@ --- layout: tab - - - +description: Manipulating parameters aids in bypassing Web Application Firewalls, Anti-Virus scanners, and allows obfuscation of the injection string. +keywords: parameter manipulation, obfuscation, waf, web application firewall +title: Parameter Manipulation | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/attackQueries/parameterManipulation/mysql.html b/attackQueries/parameterManipulation/mysql.html index dce4c51..d1946df 100644 --- a/attackQueries/parameterManipulation/mysql.html +++ b/attackQueries/parameterManipulation/mysql.html @@ -1,6 +1,6 @@

Parameter Manipulation

-

Manipulating parameters aids in bypassing Web Application Firewalls, Anti-Virus scanners, and allows modification of various SQL queries for unique situations.

+

{{site.data.injectionDescriptions.parameterManipulation}}
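Review bot: replacing the hard-coded paragraph with `{{site.data.injectionDescriptions.parameterManipulation}}` (here and in the identical oracle.html and sqlserver.html hunks) removes three copies of the same text, which is the right direction; note that it depends on the `parameterManipulation:` key added to `_data/injectionDescriptions.yml` in this same change, so the two must land together, and the yml wording becomes the canonical one that these three pages render.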

diff --git a/attackQueries/parameterManipulation/oracle.html b/attackQueries/parameterManipulation/oracle.html index 3015405..3909c99 100644 --- a/attackQueries/parameterManipulation/oracle.html +++ b/attackQueries/parameterManipulation/oracle.html @@ -1,6 +1,6 @@

Parameter Manipulation

-

Manipulating parameters aids in bypassing Web Application Firewalls, Anti-Virus scanners, and allows modification of various SQL queries for unique situations.

+

{{site.data.injectionDescriptions.parameterManipulation}}

diff --git a/attackQueries/parameterManipulation/sqlserver.html b/attackQueries/parameterManipulation/sqlserver.html index 15084d5..109f317 100644 --- a/attackQueries/parameterManipulation/sqlserver.html +++ b/attackQueries/parameterManipulation/sqlserver.html @@ -1,6 +1,6 @@

Parameter Manipulation

-

Manipulating parameters aids in bypassing Web Application Firewalls, Anti-Virus scanners, and allows modification of various SQL queries for unique situations.

+

{{site.data.injectionDescriptions.parameterManipulation}}

diff --git a/attackQueries/persistence/index.html b/attackQueries/persistence/index.html index d2e0dc5..5ccff23 100644 --- a/attackQueries/persistence/index.html +++ b/attackQueries/persistence/index.html @@ -1,5 +1,8 @@ --- layout: tab +description: Gaining persistence on a system creates a semi-permanent foothold in the network, allowing prolonged exploitation time. +keywords: persistence, network, foothold +title: Persistence | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql diff --git a/attackQueries/privilegeEscalation/index.html b/attackQueries/privilegeEscalation/index.html index d2e0dc5..22b3e17 100644 --- a/attackQueries/privilegeEscalation/index.html +++ b/attackQueries/privilegeEscalation/index.html @@ -1,5 +1,8 @@ --- layout: tab +description: Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step. +keywords: privilege escalation, dba, dbo, admin, administrator +title: Privilege Escalation | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql diff --git a/attackQueries/readingAndWritingFiles/index.html b/attackQueries/readingAndWritingFiles/index.html index dae0e89..4796d56 100644 --- a/attackQueries/readingAndWritingFiles/index.html +++ b/attackQueries/readingAndWritingFiles/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Reading and writing to files aids in data gathering as well as data exfiltration. +keywords: data gathering, reading and writing, reading, writing +title: Reading and Writing Files | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/dbmsIdentification/index.html b/dbmsIdentification/index.html index b038f57..00b8b8c 100644 --- a/dbmsIdentification/index.html +++ b/dbmsIdentification/index.html 
@@ -1,7 +1,8 @@ --- layout: tab - - +description: Detecting what Database Management System (DBMS) is being used is critical in being able to further exploit an injection. +keywords: dbms identification, what, database, what kind +title: DBMS Identification | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql diff --git a/detection.html b/detection.html index a962cdb..e1a0989 100644 --- a/detection.html +++ b/detection.html @@ -1,5 +1,8 @@ --- layout: default +description: SQL injections can be detected in a number of ways, use these methods to help you start your escalation path. +keywords: sql injection detection, detection, blind sql injection, error based sql injection +title: Detection | NetSPI SQL Injection Wiki ---

SQL Injection Detection

{{site.data.injectionDescriptions.injectionDetection}}
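Review bot: the new `description:` in `detection.html` ("SQL injections can be detected in a number of ways, use these methods to help you...") is a comma splice; a semicolon after "ways" or splitting it into two sentences would read better in the meta tag.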

diff --git a/index.html b/index.html index 0dc8ca7..12372dd 100644 --- a/index.html +++ b/index.html @@ -1,5 +1,7 @@ --- layout: default +description: A one stop resource for fully identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems. +title: NetSPI SQL Injection Wiki --- diff --git a/injectionTechniques/conditionalStatements/index.html b/injectionTechniques/conditionalStatements/index.html index dae0e89..1b6204e 100644 --- a/injectionTechniques/conditionalStatements/index.html +++ b/injectionTechniques/conditionalStatements/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Conditional statements are beneficial for creating complex queries and aiding in Blind SQL Injection. +title: Conditional Statements | NetSPI SQL Injection Wiki +keywords: conditional statements, if, case, statement tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/injectionTechniques/index.html b/injectionTechniques/index.html index 2431f3e..c8b9d3f 100644 --- a/injectionTechniques/index.html +++ b/injectionTechniques/index.html @@ -1,5 +1,8 @@ --- layout: default +description: The following techniques will aid in gaining first exploitation of a new SQL Injection. +keywords: techniques, how-to, obfuscation, placement, conditional statements +title: Injection Techniques | NetSPI SQL Injection Wiki ---

Injection Techniques

Below are a couple techniques to aid you in exploiting various SQL injections.

diff --git a/injectionTechniques/injectionPlacement/index.html b/injectionTechniques/injectionPlacement/index.html index dae0e89..5f0e186 100644 --- a/injectionTechniques/injectionPlacement/index.html +++ b/injectionTechniques/injectionPlacement/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: SQL injection is always a hassle when it isn't apparent where the injection is taking place. Here are the most common places. +keywords: injection placement, placement, where +title: Injection Placement | SQL Injection Wiki tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/injectionTechniques/obfuscation/index.html b/injectionTechniques/obfuscation/index.html index dae0e89..041bcb7 100644 --- a/injectionTechniques/obfuscation/index.html +++ b/injectionTechniques/obfuscation/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Obfuscating SQL Injection queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). +keywords: waf, ids, ips, obfuscation, query, manipulation +title: Obfuscation | NetSPI SQL Injection Wiki tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/injectionTypes/blindBased/index.html b/injectionTypes/blindBased/index.html index dae0e89..1520de2 100644 --- a/injectionTypes/blindBased/index.html +++ b/injectionTypes/blindBased/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. +title: Blind Based Injection | NetSPI SQL Injection Wiki +keywords: blind, blind based, blind-based tabs: - title: MySQL shortName: mysql 
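Review bot: in the `injectionTechniques/injectionPlacement/index.html` hunk, `+title: Injection Placement | SQL Injection Wiki` drops the `NetSPI` prefix that every other new title in this change carries (`... | NetSPI SQL Injection Wiki`); make it `title: Injection Placement | NetSPI SQL Injection Wiki` for consistency.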
@@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/injectionTypes/errorBased/index.html b/injectionTypes/errorBased/index.html index dae0e89..225a0c9 100644 --- a/injectionTypes/errorBased/index.html +++ b/injectionTypes/errorBased/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description:Error based SQL Injections are exploited through triggering errors in the database when invalid inputs are passed to it. +title: Error Based Injection | NetSPI SQL Injection Wiki +keywords: error based, error-based, error tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/injectionTypes/index.html b/injectionTypes/index.html index 712e5cd..e33667e 100644 --- a/injectionTypes/index.html +++ b/injectionTypes/index.html @@ -1,5 +1,8 @@ --- layout: default +description: These sections identify the main types of SQL Injection that can be found and how to exploit certain scenarios within those injection types. +title: Injection Types | NetSPI SQL Injection Wiki +keywords: error, union, blind, based ---

Injection Types

The sections below identify the main types of injections that can be found and how to exploit certain scenarios within those injection types.
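Review bot: in the `injectionTypes/errorBased/index.html` hunk above, `+description:Error based SQL Injections...` is missing the space after the colon; YAML only treats `key: value` with a separating space as a mapping entry, so this line is read as a plain scalar inside the front-matter mapping and Jekyll will error on the page's front matter. Change it to `description: Error based SQL Injections ...`.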

diff --git a/injectionTypes/unionBased/index.html b/injectionTypes/unionBased/index.html index dae0e89..b9ce44d 100644 --- a/injectionTypes/unionBased/index.html +++ b/injectionTypes/unionBased/index.html @@ -1,8 +1,8 @@ --- layout: tab - - - +description: Union based SQL Injection allows an attacker to extract information from the database by extending the results returned by the original query. +title: Union Based Injection | NetSPI SQL Injection Wiki +keywords: union, union based, union-based tabs: - title: MySQL shortName: mysql @@ -13,4 +13,4 @@ - title: SQL Server shortName: sqlserver fileName: sqlserver.html ---- \ No newline at end of file +--- diff --git a/misc/contributors.html b/misc/contributors.html index 81ca46a..ce1a1c3 100644 --- a/misc/contributors.html +++ b/misc/contributors.html @@ -1,5 +1,8 @@ --- layout: default +description: Huge amounts of thanks to all of our contributors! +keywords: contributors +title: Contributors | NetSPI SQL Injection Wiki ---

Special thanks to our contributors: