SQL injection
salutations my friends.
I come to you today in hopes one/some of you might be able to help me. currently im trying to create a solid understanding of the first few steps of hacking. these being scanning/enumaeration, and backdoor creation ex. SQL injections.
If any of you fine individuals would be so kind as to share some methods you may have used to become competent in these areas (learning methods, educational sources, or videos) that would be greatly appreciated.
Interestingly enough, I would personally consider those listed as somewhere further down from “first steps.” I like I preach a learn-how-to-make-it-before-learning-to-break it philosophy. But that’s not a good answer, so here goes.
scanning/enumerating: I don’t have much experience here, but I feel like setting up and playing with metasploitable by rapid7 could really help. It’s popular enough that there are “walkthroughs” available (although i suggest avoiding them because being given an answer is less valuable than learning to find an answer) and serves as a good tool to test your different enumeration and post-enumeration strategies in a realish environment.
backdoor creation: this is really a combo of OS internals, networking, and basic-ass software development. Creating a (stealthy) backdoor requires you to know how the system you’re targeting tracks things, how the people use the system, and all the steps between you and the target so you can successfully avoid them. Maybe “rootkits” isn’t really what you’re looking for when you say “backdoor”, but if you can find a copy of rootkit arsenal I think it would be very interesting for you. While the code samples won’t work exactly as they’re printed, I think the ideas behind them will be inspiring. Basically I would suggest taking some time to learn how to program in C as that will be foundational for any kind of progress for OS-related tasks. I would also suggest just learning to code a basic client/server application to “get a feel” for what the ultimate goal is and then work backwards. Add encryption to the comms. Masquerade your traffic as something else. Hide the fact that you’re listening for connections. etc.
SQL Injections: Honestly and most importantly, set up a sql database yourself and play around with it. Learn what commands do and how the language works. Then move forward. This is one of my biggest weak points because early on I just ran around copy/pasting from sqli “cheat sheets” without really understanding what was going on. While it’s “less sexy” to take the slow route, I ultimately think it will benefit in the long run. Once you have a feel for how everything fits together, crafting a payload will become significantly easier. Good resources include owasp and portswigger.
Hope that helps!
Futility is spot on with his advice about learning SQL injection, as every single sql introduction tutorial and guide you’ll read at first will show you how to use ORDER BY and UNION SELECT, and how to get table and column names from the INFORMATION_SCHEMA, but as these steps are the exact same almost every time, the temptation to just copy and paste them from a saved notepad file is hard to resist.
Setting up your own database is deffo the safest option as it will allow you to endlessly practice different injection techniques without the fear of ever being caught, kicked, or IP banned and losing access.
To be honest I’m not sure if a normal database set up would allow you to do more advanced things like for example when you find a directory that has write permissions enabled, so you can use INTO OUTFILE to create a file on the server and inject shellcode in order to backdoor it, but maybe Futility will know the answer to this.
He is 100% wrong about the slow route being “less sexy” though, as nothing with turn your imaginary girlfriend on more than when at some future date you tell her how you just pwned a site using BENCHMARK or SLEEP to extract usernames and passwords from a site even though they had php display_errors turned off.
1
As I mentioned, sql/database stuff is currently one of my weakest points so I unfortunately can’t shed much info, however I will say that (again, unfortunately,) most of what you can do seems to depend on configuration details. For instance, are you dealing with mysql, sql server, sqlite, postgresql. Maybe something even a little more exotic like mariadb or mongodb or cassandra. Are they following default setups or did the admin make some changes to make things easier on themselves. What privs does the user you’re currently running commands as have?
Learning to recognize the idiosyncrasies between them and what different setups might look like ends up being far more useful than copy/pasting ' OR 1=1--
everywhere and hoping for the best.
To that end, I strongly suggest (something like) docker which will allow you to easily spin up and play with tons of different options locally without having to go through the headache of “oops I accidentally broke , looks like I have to start all over again”. There are images for basically any db you might want to mess around with. postgres, mysql, cassandra, etc.
Sometimes you’ll come across an SQLi vulnerability where the syntax you need is so fucking annoying to get right that you’ll definitely want to save every single injection that works and returns data, so you’ll never have to put yourself through something like that ever again.
These were double query based SQL injections from a website where keywords like UNION were being filtered out via a blacklist.
https://hbh.sh/articles/15/183/rtb-wargames-challenge-article-1
I played in one ctf that ran a trashy OCR algorithm on my input which could be leveraged to get sqli. Figuring out what wasn’t working because of my handwriting or the computer on the other side be overloaded or the letter recognition algorithm being dumb or any of a thousand other annoyances was a huge pain. But then when it worked oh boy was it good.