🚨Advanced SQL Injection Techniques by nav1n0x
Here are some Advanced SQL Injection Techniques I commonly use. Happy hunting! 👍
Note: These advanced techniques should be used responsibly and only in legal and authorized testing scenarios. They go beyond the basics and exploit specific features and configurations of databases. Additionally, I may have unintentionally included openly available techniques from various sources.
WARNING: If you don't know what you are doing, please refrain from using these techniques. Improper use may harm the database.
The techniques shown in this repository are intended only for educational purposes and for testing in authorized environments. https://twitter.com/nav1n0x takes no responsibility for the misuse of the techniques listed below. Use them at your own risk. Do not attack targets you don't have permission to engage with.
About the Author
nav1n0x (Navin) is an IT professional with years of experience in banking, government, and heavy industries. nav1n0x has taken bug bounty hunting as a part-time passion alongside his full-time DBA job, becoming a seasoned cybersecurity expert specializing in vulnerability testing and advanced penetration techniques. With years of experience identifying and exploiting security flaws, nav1n0x has developed strong expertise in web application security, particularly in SQL injection and WAF bypassing.
Passionate about sharing knowledge, nav1n0x believes in the motto "sharing is caring." Through Twitter and GitHub (currently suspended), nav1n0x aims to empower others in the cybersecurity community to enhance their skills and stay ahead of emerging threats.
Follow nav1n0x on Twitter: @nav1n0x
Advanced Payloads and Techniques
Error-Based SQL Injection
Advanced Error Payloads:
Union-Based Injection
Determining the Number of Columns:
Extracting Data:
Blind SQL Injection
Boolean-Based Blind:
Time-Based Blind:
Second-Order SQL Injection
Injection in Profile Information:
Modify data stored in one place to affect queries executed elsewhere.
Advanced Union-Based SQL Injection
Union-Based Error Handling
Generate detailed error messages by crafting complex payloads:
Union with Hex Encoding
Encode parts of your query to evade WAFs:
Multi-Query Union Injection
Leverage multiple queries to extract more data:
Union-Based Cross Database Extraction
Combine data from different databases (when supported):
Advanced Boolean-Based SQL Injection
Time-Based Boolean Injection with Conditional Responses
Use time delays to infer data based on conditional responses:
Nested Boolean Injections
Nest conditions to extract specific data:
Error-Based Boolean Injection
Force errors conditionally to reveal information:
Using Bitwise Operations
Use bitwise operations for more obfuscation and complexity:
Combining Techniques
Combine multiple advanced techniques for robust and harder-to-detect payloads.
Example: Union with Time-Based Injection
Create a payload that uses both union and time-based injections:
Example: Nested Union and Boolean Injection
Combine nested boolean conditions with union-based data extraction:
Automating with Custom Scripts
Automate these advanced techniques using custom scripts to efficiently test and extract data.
Example: Python Script for Advanced Union Injection
Advanced Enumeration
Database Fingerprinting
MySQL:
PostgreSQL:
MSSQL:
Column Enumeration
Determine the Number of Columns:
Extract Column Names:
Advanced Data Extraction
Combine Multiple Rows into a Single Output:
Bypassing Filters and WAFs
Obfuscation
Using Comments:
Case Manipulation
Changing the Case of SQL Keywords:
Inline Comments
Inserting Inline Comments:
Whitespace Manipulation
Using Different Types of Whitespace Characters:
Exploiting Advanced Scenarios
Stored Procedures
Execute Arbitrary SQL:
Out-of-Band SQL Injection
Exfiltrate Data via DNS or HTTP Requests:
Leveraging Privileges
Reading or Writing Files:
Automation and Custom Scripts
Custom SQLMap Commands
Bypass WAFs or Target Specific Injection Points:
Some Tamper Scripts I use
tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
Creating Your Own Tamper Script
Creating your own tamper script for SQLMap involves writing a Python script that modifies the payloads used by SQLMap to evade web application firewalls (WAFs) or other filtering mechanisms. Here is a step-by-step guide to creating a custom tamper script.
Step 1: Understand the Basics of a Tamper Script
A tamper script modifies the payload sent to the server. The script should contain a function called tamper that takes a payload string as an argument and returns the modified payload string.
Step 2: Structure of a Tamper Script
Here is the basic structure of a tamper script:
__priority__: Defines the order in which tamper scripts are applied.
dependencies(): Checks for any required dependencies.
tamper(payload): The main function that modifies the payload.
Step 3: Implement a Simple Tamper Script
Let's create a simple tamper script that replaces spaces with comments to evade basic filters.
Example: Space-to-Comment Tamper Script
Step 4: More Advanced Example
Now, let's create a more advanced tamper script that randomly URL-encodes characters in the payload.
Example: Random URL Encoding Tamper Script
Step 5: Save and Use the Tamper Script
Save the Script: Save your tamper script in the tamper directory of your SQLMap installation. For example, save it as random_urlencode.py.
Use the Script: Use the --tamper option in SQLMap to apply your custom tamper script.
Step 6: Testing and Debugging
Test: Ensure the script works as intended by running SQLMap with different payloads.
Debug: Print debug information if necessary. You can add print statements within the tamper function to debug your script.
Debugging Example
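Putting Steps 1 to 6 together, the following is an added example (not the repository's own script) of a space-to-comment tamper laid out the way SQLMap expects to load it. The PRIORITY fallback and the TAMPER_DEBUG environment flag are assumptions of this example; sqlmap itself supplies PRIORITY when the file sits in its tamper directory.

```python
import os

try:
    from lib.core.enums import PRIORITY       # provided when sqlmap loads the script
except ImportError:
    class PRIORITY:                           # stand-alone fallback (assumption)
        LOW = -10

# Step 2: sort key that decides where sqlmap runs this script among several.
__priority__ = PRIORITY.LOW

# Step 6: opt-in debug output, so nothing is printed during a normal sqlmap run.
# The TAMPER_DEBUG variable name is an assumption of this example.
DEBUG = os.environ.get("TAMPER_DEBUG") == "1"


def dependencies():
    """Step 2: declare external requirements; only the standard library is used."""
    pass


def tamper(payload, **kwargs):
    """Step 3: replace spaces outside quoted strings with an inline comment.

    MySQL, MSSQL and PostgreSQL parse /**/ as whitespace, so the query keeps its
    meaning while a filter keyed on literal spaces no longer matches. Spaces
    inside '...' literals are data and are left alone; a doubled '' toggles the
    state twice, which is correct, but backslash escapes are not handled.
    """
    if not payload:
        return payload
    out = []
    in_string = False
    for ch in payload:
        if ch == "'":
            in_string = not in_string
            out.append(ch)
        elif ch == " " and not in_string:
            out.append("/**/")
        else:
            out.append(ch)
    result = "".join(out)
    if DEBUG:
        print("[tamper] %r -> %r" % (payload, result))
    return result
```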
Some More Advanced Techniques for Data Exfiltration, OOB, etc.
Stacked Queries
Executing Multiple Statements: ⚠️⚠️⚠️⚠️
SQLi with Web Application Firewalls
Using Obfuscated Payloads:
Leveraging SQL Functions
Using SQL Functions for Data Exfiltration:
DNS Exfiltration
Using DNS Requests for Data Exfiltration:
Leveraging JSON Functions
Extracting Data Using JSON Functions:
Advanced Automation Techniques
SQLMap Customization
Using Custom Tamper Scripts:
WAF Bypass Techniques for SQL Injection
1. Using Encoding and Obfuscation
URL Encoding
Encode parts of the payload to bypass basic keyword detection.
Double URL Encoding
Double encode the payload to evade detection mechanisms.
Hex Encoding
Use hexadecimal encoding for the payload.
2. Case Manipulation and Comments
Mixed Case
Change the case of SQL keywords.
Inline Comments
Insert comments within SQL keywords to obfuscate the payload.
3. Whitespace and Special Characters
Using Different Whitespace Characters
Replace spaces with other whitespace characters like tabs or newlines.
Concatenation with Special Characters
Use special characters and concatenation to build the payload dynamically.
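Seen from the detection side, the evasions in the Bypassing Filters and WAFs section above and in sections 1 to 3 here (URL and double URL encoding, hex literals, mixed case, inline and versioned comments, alternative whitespace) all rely on a matcher that inspects the raw request. The added example below (not code from the original page) normalizes a parameter value before applying keyword rules; the rule set and the sample inputs are constructed for this example.

```python
import re
from urllib.parse import unquote

SQL_WHITESPACE = re.compile(r"[ \t\n\r\x0b\x0c]+")              # what MySQL treats as space
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)   # MySQL executes the body
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)                  # parsed as whitespace
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{2,})\b")

# Constructed rule set for the example; a real WAF/IDS ruleset is far larger.
RULES = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b"),
    "tautology": re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+"),
}


def _decode_hex(m):
    """Turn 0x61646d696e into 'admin' when it decodes to printable ASCII."""
    try:
        text = bytes.fromhex(m.group(1)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    return "'%s'" % text if text.isprintable() else m.group(0)


def normalize(raw, max_rounds=3):
    """Undo the listed obfuscations so rules see roughly what the database sees."""
    text = raw
    for _ in range(max_rounds):            # bounded loop covers double/triple encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = VERSIONED_COMMENT.sub(r" \1 ", text)   # keep the executed body of /*!...*/
    text = PLAIN_COMMENT.sub(" ", text)           # /**/ between tokens is just a space
    text = HEX_LITERAL.sub(_decode_hex, text)
    text = SQL_WHITESPACE.sub(" ", text).strip()  # tabs, newlines etc. collapse to one space
    return text.lower()                           # mixed case no longer matters


def matched_rules(raw):
    """Names of the rules the normalized input triggers (empty list if none)."""
    norm = normalize(raw)
    return [name for name, rx in RULES.items() if rx.search(norm)]
```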
4. SQL Function and Command Obfuscation
String Concatenation
Break strings into smaller parts and concatenate them.
Using SQL Functions
Leverage SQL functions to manipulate the payload.
5. Time-Based and Boolean-Based Payloads
Time-Based Blind SQL Injection
Use time delays to infer information from the response.
Boolean-Based Blind SQL Injection
Use conditions that alter the response based on true or false conditions.
6. Advanced Encoding Techniques
Base64 Encoding
Encode payloads using Base64.
Custom Encoding Scripts
Create custom scripts to encode and decode payloads in different formats.
7. Chaining Techniques
Combining Multiple Bypass Techniques
Use a combination of techniques to create a more complex and harder-to-detect payload.
8. Leveraging Lesser-Known SQL Features
Using JSON Functions
Leverage JSON functions to manipulate and extract data.
Using XML Functions
Utilize XML functions to create more complex payloads.