Forum Thread: Help with Advanced (Manual) SQL Injection

Help with Advanced (Manual) SQL Injection

Hey there, fellow tinkerers. Long time lurker, first time poster (isn't everyone?)... I've got a couple questions regarding manual exploitation of SQLi vulnerabilities. Yes, I have - and regularly use - sqlmap for my projects and I love it, but it doesn't do much in the way of explaining. I am one of those people who has to know the hows and whys of everything. I know that, simply put, SQL is the language that web applications use to communicate with their back-end DBMS. I know that sub-par coding or poorly maintained servers can allow the user to fool the back-end DBMS into executing SQL commands that eventually reveal almost everything about the target machine and its front end. I know that if you know how to speak to the server you can coax it into doing some pretty naughty things, up to and including dumping databases or gaining root privileges.

So it goes like this:

Find a target and confirm vulnerability. Vulnerable pages are those with parameters that directly query server and whos user-supplied input is either poorly sanitized or not sanitized at all (...customers/online/shop.php?item=00012). Here the "item" parameter appears vulnerable. To confirm, we toss a ' at the end of the URL (...customers/online/shop.php?item=00012'). We are looking for a SQL error, if none, we try this:

...customers/online/shop.php?item*=00012

A lot of times simply sticking a couple brackets after the target parameter will cause a SQL error, even when the above attempt failed.

Get column information. Use UNION ALL SELECT to 1. help determine the MySQL version, as UNION ALL does not work on older versions, and 2. to determine the number and position of the columns that are responding to your queries.

Force the vulnerable columns to give up the MySQL version and contents of 'information schema'. Use this info to dump the 'admin' or 'user' or similarly named tables, along with any other useful data.

Now, here's where I'd like to expand upon my extremely limited understanding of SQL injection. Usually I'd just dump any desirable info and move on to the next target, but I know much more is possible.

How do I escalate my privileges? What privileges do I have to begin with? Does the output of sqlmap's '--current-user' option reflect my privilege level? In other words, if the current user is 'dude1', and dude1 is a moderator, do I have moderator privileges? How do I give myself admin access?

Can I upload a backdoor to the server? How? My goal is to upload a persistent shell that has admin privileges. How would I go about writing the payload?

Also, can XSS be used to upload a file to the back-end? How?

I guess what I'm looking for is the syntax.

Anyhoo, it's nice to meet everyone. OTW, Null-Byte is an excellent blog and one of my favorite sources of reliable information, keep up the awesome work!

2 Responses

Sorry, I must not have stated my questions clearly. I use sqlmap all the time. Likely not to its potential, but I seriously probably use it 4 days a week. It's not sqlmap I am asking about, I want to know how to do it manually, which I already said in my OP...

Basically I am trying to learn how to write payloads like this:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause

Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)2))x FROM INFORMATIONSCHEMA.CHARACTERSETS GROUP BY x)a)

How do you even know to try that....?

From what I gather, the payload is saying get 1489 tables from a dbs with "wildcard" tables, I don't know what CONCAT is or why the delimiter is there or how you get the delimiter values, in the event that 1489=1489 then answer is TRUE if not END, another delimiter, and I don't know what FLOOR means, some random value, what does GROUP BY do? what is x)a)?

And for the record, I'm on a Kali box. I'd also like to not use metasploit. I want to understand the conversation between the target and my computer.

Ethan:

I recommend that you study SQL a bit before trying to build your own SQLi payload.

OTW

Share Your Thoughts

  • Hot
  • Active