
How to Craft SQL Injection Payloads

So you suspect there’s an SQL injection (SQLi)… but you don’t know how to prove it…

Well, you've come to the right place. This is my first instructional, inspired by my struggle to get through the MicroCMS-v2. I know there is SQLi but I just can't seem to figure out how to craft my payload properly. So I'll write this and hopefully I'll make a breakthrough.

About SQL

First of all, some people use SQL injection synonymously with database injection as a whole, which may also include NoSQL injection. This write-up will focus specifically on SQL databases.

SQL stands for Structured Query Language, and it is the language applications use to read and modify data in relational databases. NoSQL is not a single language but a family of non-relational databases, each with its own query interface (and its own class of injection). A number of popular databases use SQL, such as MySQL, PostgreSQL, Oracle Database, Microsoft SQL Server and SQLite; these are called Relational Database Management Systems (RDBMS). Each has its own dialect, so a payload that works on one may need tweaking on another. If you can determine that an application is backed by an SQL database, you can start looking for SQLi.

Some basic building blocks that you can string together are listed below (don't worry, we'll go over more specifics in a little bit):

Verbs: SELECT, INSERT, UPDATE, DELETE, DROP, UNION

Modifiers: WHERE, AND, OR, ORDER BY, LIMIT

Data Types: Integer, Float, Char, Boolean, Binary, Date, Timestamp

Symbols (purpose):

  • ', " (string delimiters; which one the application uses decides which one your payload must close)
  • ; (SQL statement terminator)
  • --, #, /* */ (comment delimiters; # is MySQL-only, and MySQL only treats -- as a comment when a space follows it)
  • %, _ (LIKE wildcards); * (all columns in a SELECT)
  • ||, + (string concatenation, depending on the dialect; MySQL uses CONCAT())
  • -, +, <, > (math and comparison operators)
  • = (equivalence)
  • () (calling functions, subqueries, and INSERT value lists)
  • %00 (URL-encoded null byte)

Where Are SQL Injections Found

So where can we find SQL injections? They might occur anywhere a request is sent to a database: in a URL parameter if pages are retrieved from a database, in input forms or login screens, and also in HTTP headers or cookies. To get a feel for whether an input field reaches a database, look at its use case (maybe it pulls customer data, maybe it is a login, maybe it outright says it searches a database). When fingerprinting the network, you can also check whether any database servers are exposed, which will also help you tell SQL from NoSQL. Finally, if you can look at the network traffic, it may give clues about how the data is being sent, and you may spot SQL syntax in it.

The surest method, however, is to put in test cases and observe how the application responds.

How to test for SQLi

Manual Testing

Included in the resources section will be links to cheat sheets and wordlists to try. Understanding the general premise, however, will help show how you can make your own on the fly. Let's look at an example SQL statement: query = "SELECT * FROM users WHERE username = 'user';"

In this example, it looks like there is some search field: you type user into the input field, and the database returns something about user. This is the statement on the back end that we will try to get a reaction out of. There are many variations with different quirks, so it might take some fishing around to get a reaction.

One idea is to type user' into the input field. Now the statement looks like this: query = "SELECT * FROM users WHERE username = 'user'';" Notice how the quote we typed closes the string early, leaving an unclosed single quote at the end (in most dialects '' inside a string is an escaped quote, so the parser sees a string literal that never ends). This usually produces a syntax error. Additionally, we can try ' OR 1=1; -- , in which case our query would look like: query = "SELECT * FROM users WHERE username = '' OR 1=1; --';" This works because

  • ' closes the string
  • OR makes the WHERE clause true whenever either side is true, so the statement should return every row
  • 1=1 always evaluates to true (similarly, 1=0 if we wanted false, or 'a'='a' with quotes so it compares strings rather than column names)
  • ; ends the statement (not strictly needed here, since the comment hides the rest, and some database drivers reject anything that looks like a second statement, so try the payload with and without it)
  • -- comments out everything after it (getting rid of the leftover ' at the end); on MySQL write it as "-- " with a trailing space, or use # instead

There are a lot of other statements; take a look at the wordlist and see if you can tell how they work.
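To see the reaction described above end to end, here is an added example (not code from the original post or from MicroCMS-v2) that reproduces the back-end statement in an in-memory SQLite database with constructed sample users, fires the same probes at it, and shows the parameterised version of the query that does not react. The function names, the table contents and the extra 1=0 and 'a'='a' probes are assumptions made for this demo.

```python
import sqlite3

# Constructed sample data for the demo (not a real application's users).
SAMPLE_USERS = [("user", "member"), ("alice", "member"), ("admin", "admin")]


def make_db():
    """Build an in-memory SQLite database standing in for the app's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """The back-end statement from the text, built by string concatenation.

    Whatever the user types is pasted straight into the SQL, so quotes in the
    input change the structure of the query instead of being treated as data.
    """
    query = "SELECT username, role FROM users WHERE username = '" + username + "';"
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    """Same lookup with a bound parameter: the input can only ever be a value."""
    query = "SELECT username, role FROM users WHERE username = ?;"
    return conn.execute(query, (username,)).fetchall()


def probe(conn, payload):
    """Send one test case and report what the application would see.

    Returns ("error", message) if the database rejects the statement, otherwise
    ("ok", rows). A syntax error on a lone quote is the first hint of SQLi; a
    tautology that returns every row confirms it.
    """
    try:
        return "ok", vulnerable_lookup(conn, payload)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    # The trailing space after -- keeps the comment valid on MySQL as well.
    for payload in ["user", "user'", "' OR 1=1; -- ", "' OR 1=0 -- ", "' OR 'a'='a"]:
        print(repr(payload), "->", probe(db, payload))
    print("parameterised:", safe_lookup(db, "' OR 1=1; -- "))
```

Running it shows the three reactions the text talks about: user returns one row, user' raises a syntax error, and ' OR 1=1; -- returns every row, while the 1=0 variant returns nothing. The parameterised lookup returns no rows for the same payload because the whole string is compared as a username.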

When you use a good statement, you will know because there may be an error, unexpected output, or some other kind of anomalous behaviour.

Using Automated Tools

You can also use Burp, ZAP, sometimes FFUF, or other tools to automate the process of testing payloads. There are tutorials on how to use them on my website. Essentially, load up a wordlist, let it run, and filter on differences in status code, response length, or response time.

This would also be a good time to mention a tool called sqlmap. It is a super helpful way to find and exploit SQL injection, and there is a write-up on how to use it on the website as well.

Identification

Some common indicators SQL injection is possible:

  • Error-based: the database returns an error, possibly with useful information such as the dialect, a table name, or the text of the query itself
  • Time-based: the response takes noticeably longer when the injected condition holds. You can force this with database functions such as sleep (MySQL SLEEP(), PostgreSQL pg_sleep(), MSSQL WAITFOR DELAY) and compare the timing against a normal request
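Here is an added example of the time-based check (not code from the original post) showing how to measure the delay rather than eyeball it: a baseline request is timed, then the same request with a sleep injected, and the input is flagged only if the second one took at least the injected delay longer. SQLite has no sleep function, so the example registers a SLEEP() function of its own to emulate MySQL's; that, the constructed users table and the function names are all assumptions for this demo.

```python
import sqlite3
import time

DELAY = 0.3  # seconds of injected delay; kept small so the demo runs quickly


def make_db():
    """In-memory SQLite stand-in for the back end, with constructed data."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one here to emulate MySQL's SLEEP(seconds).
    # (PostgreSQL has pg_sleep(), MSSQL has WAITFOR DELAY.) Demo assumption only.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("user",), ("alice",)])
    return conn


def vulnerable_lookup(conn, username):
    """String-concatenated query, as elsewhere on this page."""
    return conn.execute(
        "SELECT username FROM users WHERE username = '" + username + "'"
    ).fetchall()


def safe_lookup(conn, username):
    """Parameterised version for comparison; the payload stays plain data."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()


def timed_probe(conn, lookup, payload):
    """Run one probe and return (outcome, seconds elapsed)."""
    start = time.perf_counter()
    try:
        lookup(conn, payload)
        outcome = "ok"
    except sqlite3.Error:
        outcome = "error"
    return outcome, time.perf_counter() - start


def looks_time_based(conn, lookup, delay=DELAY):
    """Compare a harmless request with one that should sleep.

    The sleep is attached with AND to a username that exists ('user') so the
    condition is actually evaluated; on a row that does not match, AND would
    short-circuit and the sleep would never run.
    """
    _, baseline = timed_probe(conn, lookup, "user")
    outcome, delayed = timed_probe(conn, lookup, f"user' AND SLEEP({delay}) -- ")
    # Injectable if the request still succeeded and took at least the injected
    # delay longer (with a little slack for timer jitter).
    return outcome == "ok" and (delayed - baseline) >= delay * 0.9


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", looks_time_based(db, vulnerable_lookup))
    print("parameterised:", looks_time_based(db, safe_lookup))
```

Against a real target, repeat the measurement a few times and use a delay well above normal network jitter (several seconds), otherwise a slow server will look injectable and a fast one will hide the sleep.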

Crafting SQL Statements

So let's say you found a payload that works and causes some observable reaction (not all statements will cause anomalous behaviour, and not all statements that do will work for your goal). Now we have to craft a payload that actually achieves the objective. A good resource for some of this information can be found here.

There are a few different types to look out for:

  • Simple Select
  • If Statements
  • Stacked Queries
  • String Operations
  • Union Injections
  • Order By
  • Inserts
  • Blind Injection

Resources

