☎️
Contrxl
  • 🏡Home
  • ❓Anonymity Tools
  • ⌨️Cisco
    • Networking Basics
      • Communication in a Connected World
      • Network Components, Types and Connections
      • Wireless and Mobile Networks
      • Home Networking Technologies
      • Communication Protocols
      • Network Media
      • The Access Layer
      • The Internet Protocol
      • IPv4 and Network Segmentation
  • 💾Intune
    • ADMX Configuration
    • App Deployment
    • App Updating/Patching
    • File Deployment
    • Remediations
  • 🎓Learning Links
  • 💻Microsoft
    • 📘Microsoft Portal Links
    • Configure SIEM Security Operations using Microsoft Sentinel
      • Create and Manage Microsoft Sentinel Workspaces
        • Introduction
        • Plan for the Microsoft Sentinel Workspace
        • Create a Microsoft Sentinel Workspace
        • Manage Workspaces Across Tenants Using Azure Lighthouse
        • Understand Microsoft Sentinel Permissions and Roles
        • Manage Microsoft Sentinel Settings
        • Configure Logs
  • 📰News & Information
  • 💡OSINT
    • IP & Domain OSINT
    • Email & Username OSINT
    • Vulnerability OSINT
  • 📚Projects
    • ‼️A Simulation Study of DDoS
  • ⚒️Tools
    • Burp Suite
      • Repeater
      • Intruder
      • Other Modules
    • GoPhish
    • Hydra
    • John the Ripper
    • Metasploit
      • Exploitation
      • Meterpreter
    • NMAP
    • Wireshark
  • 🖥️TryHackMe
    • Learning Paths
      • Complete Beginner
        • 1. Complete Beginner Intro
        • 2. Linux Fundamentals
        • 3. Introductory Networking
        • 3.1 Network Exploitation Basics
        • 4. OWASP Top 10 Exploits
        • 5. Upload Vulnerabilities
        • 5.1 An Example Methodology
        • 6. Cryptography - Hashing
        • 7. Cryptography - Encryption
        • 8. Active Directory Basics
        • 9. What the Shell?
        • 10. Linux Privesc
        • 11. More Linux Privesc
      • Jr Penetration Tester
        • Walking an Application
        • Content Discovery
        • Subdomain Enumeration
        • Authentication Bypass
        • IDOR
        • File Inclusion
        • SSRF
        • XSS (Cross-site Scripting)
        • Command Injection
        • SQL Injection
        • Passive Reconnaissance
        • Active Reconnaissance
        • Protocols and Servers
        • Protocol and Server Attacks
        • Vulnerabilities
        • Exploiting Vulnerabilities
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • CompTIA Pentest+
        • Planning and Scoping
          • Pentesting Fundamentals
          • Red Team Engagements
          • Governance and Regulation
        • Tools and Code Analysis
          • Metasploit: Introduction
          • Wireshark: The Basics
          • Burp Suite: The Basics
          • Hydra
          • Python Basics
        • Attacks and Exploits
          • Phishing
          • Windows Local Persistence
          • Breaching Active Directory
          • Lateral Movement & Pivoting
Powered by GitBook
On this page
  1. TryHackMe
  2. Learning Paths
  3. Jr Penetration Tester

SQL Injection

Tenth section in Jr Penetration Tester learning path.

Introduction

SQL (Structured Query Language) Injection (or SQLi) is an attack on a web app database that executes malicious queries. This occurs when a web app communicates with a database without sanitising or validating user input which is received.

A database is storage of collections of data. A database is controlled by a DBMS (Database Management System). There are two kinds of DBMS: Relational and Non-Relational. A relational database stores info in tables which often have info shared between them. The table contain a column with a unique ID (primary key) which can be used in other tables to reference it. Non-relational databases are any database which does not use tables, columns and rows to store data.

In a DBMS, there can be multiple databases containing their own related datasets. Information in databases is stored separately using tables, which each have unique identifiers.

A table is made up of columns and rows. Each column (or field) has a unique name. Each column also has a type set for the data it will contain (e.g. integer, string, date). Each row (or record) contains the individual lines of data, when data is added to the table a new record is created, and when data is deleted a record is removed.

Simple SQL Commands

  • SELECT : select * from users;

  • UNION : select name,city,postcode from customers UNION SELECT company,city,postcode from suppliers;

  • INSERT : insert into users (username,password) values ('bob','password');

  • UPDATE : update users SET username='root',password='pass' where username='admin';

  • DELETE : delete from users where username 'martin';

In-Band SQLi

Easiest type to detect and exploit. For example, an SQLi vulnerability on a website page which leads to extraction of data to the same page. In SQL injection, ;-- will end a query and comment out any additional code after it, for example, ' OR 1=1;-- will return true and end the query.

Blind SQLi - Auth Bypass

Blind SQLi is where we get little to no feedback to confirm if our queries were successful. One of the most straightforward techniques is bypassing a login form. Login forms that are connected to a database of users are often developed so that the web app isn't interested in the content of the username and password but whether the two make a matching pair.

Blind SQLi - Boolean Based

This refers to the response received to an injection, which could be true/false, yes/no, on/off or any response with two outcomes.

Blind SQLi - Time Based

Time based SQLi is similar to boolean based, but there is no visual indicator of right/wrong. Instead, our indication of success is how long the query takes to complete, the delay can be invoked with methods like SLEEP(x) alongside UNION. The SLEEP() method will only ever be executed after a successful UNION SELECT.

Last updated 11 months ago

🖥️
  • Introduction
  • Simple SQL Commands
  • In-Band SQLi
  • Blind SQLi - Auth Bypass
  • Blind SQLi - Boolean Based
  • Blind SQLi - Time Based