docs/metasploit-framework.wiki/SQL-Injection-Libraries.md

SQL Injection library support was added in 2020 by [@red0xff](https://github.com/red0xff)  during the Google Summer of Code.

## Supported Databases

* MySQL/MariaDB ([#13596](https://github.com/rapid7/metasploit-framework/pull/13596))
* SQLite ([#13847](https://github.com/rapid7/metasploit-framework/pull/13847))
* PostgreSQL ([#14067](https://github.com/rapid7/metasploit-framework/pull/14067))

## Supported Techniques

* Boolean Based Blind
* Time Based Blind

|                     | MySQL/MariaDB | SQLite | Postgres |
|---------------------|---------------|--------|----------|
| Boolean Based Blind | X             | X      | X        |
| Time Based Blind    | X             | X      | X        |

## How to use in a module

You'll need to start off by including the library.

```ruby
include Msf::Exploit::SQLi
```

Next we create our SQLi object:

```ruby
sqli = create_sqli(dbms: MySQLi::Common, opts: sqli_opts) do |payload|
  # Here is where we write in what to do each request using #{payload} as the spot to inject
end
```

`dbms` can be set to either `Common` if the DB isn't know, or one of the other databases and methods if it is known ahead of time such as `SQLitei::BooleanBasedBlind`
`sqli_opts` is a hash containing all of the [options](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/sqli/common.rb#L12).

## Notes

### run_sql

`run_sql` can only return 1 column.

### magic_quotes bypass

*CAN ONLY RETURN ONE COLUMN AT A TIME*

At times, PHP will use `magic_quotes` to escape `'` and `"`.  This may cause problems in the SQL injection. You'll know its a problem, because you'll see log items like this:

```
[Sat Jan 02 14:11:53.103512 2021] [php7:notice] [pid 55607] [client 2.2.2.2:36475] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\\';\\',ifnull(user_login,\\'\\'),ifnull(user_pass,\\'\\')) as binary) mMJZrCxQ from w' at line 1 for query SELECT * FROM wp_chopslider3 WHERE chopslider_id =938076279 OR 1=1 AND if(length(cast((select group_concat(mMJZrCxQ) from (select cast(concat_ws(\\';\\',ifnull(user_login,\\'\\'),ifnull(user_pass,\\'\\')) as binary) mMJZrCxQ from wp_users limit 1) fWLwo) as binary))&1<>0,sleep(1.0),0)
```

However, the query was similar to this:

```
[*] {SQLi} Executing (select group_concat(qcO) from (select cast(concat_ws(';',to_base64(ifnull(user_login,'')),to_base64(ifnull(user_pass,''))) as binary) qcO from wp_users limit 1) dTWyw)
```

The query was sent without the escapes, however they were added.  The solution is to avoid quotes at all.  To do this, we will need to use  the `hex` encoder

```ruby
if payload.include?("''")
  payload.gsub!("''", 'hex(0x00)')
end
```

This will convert all instances of `''` which were previously being escaped to `\'\'` to `hex(0x00)` which does not get altered.
Update docs to use links for github handles 2023-04-03 10:26:58 +01:00			`SQL Injection library support was added in 2020 by [@red0xff](https://github.com/red0xff) during the Google Summer of Code.`
Created SQL Injection (SQLi) Libraries (markdown) 2020-10-26 19:41:54 -04:00
Cleanup markdown uses 2021-09-07 00:59:05 +01:00			`## Supported Databases`

Updated SQL Injection (SQLi) Libraries (markdown) 2020-10-26 19:44:34 -04:00			`* MySQL/MariaDB ([#13596](https://github.com/rapid7/metasploit-framework/pull/13596))`
			`* SQLite ([#13847](https://github.com/rapid7/metasploit-framework/pull/13847))`
			`* PostgreSQL ([#14067](https://github.com/rapid7/metasploit-framework/pull/14067))`
Created SQL Injection (SQLi) Libraries (markdown) 2020-10-26 19:41:54 -04:00
Cleanup markdown uses 2021-09-07 00:59:05 +01:00			`## Supported Techniques`

Created SQL Injection (SQLi) Libraries (markdown) 2020-10-26 19:41:54 -04:00			`* Boolean Based Blind`
			`* Time Based Blind`

			`\| \| MySQL/MariaDB \| SQLite \| Postgres \|`
			`\|---------------------\|---------------\|--------\|----------\|`
update postgres and fix link to framework 2021-08-22 11:52:08 -04:00			`\| Boolean Based Blind \| X \| X \| X \|`
			`\| Time Based Blind \| X \| X \| X \|`
Created SQL Injection (SQLi) Libraries (markdown) 2020-10-26 19:41:54 -04:00
			`## How to use in a module`

			`You'll need to start off by including the library.`

Cleanup markdown uses 2021-09-07 00:59:05 +01:00			```ruby
Created SQL Injection (SQLi) Libraries (markdown) 2020-10-26 19:41:54 -04:00			`include Msf::Exploit::SQLi`
			```

			`Next we create our SQLi object:`

Cleanup markdown uses 2021-09-07 00:59:05 +01:00			```ruby
Created SQL Injection (SQLi) Libraries (markdown) 2020-10-26 19:41:54 -04:00			`sqli = create_sqli(dbms: MySQLi::Common, opts: sqli_opts) do \|payload\|`
			`# Here is where we write in what to do each request using #{payload} as the spot to inject`
			`end`
			```

			`dbms` can be set to either `Common` if the DB isn't know, or one of the other databases and methods if it is known ahead of time such as `SQLitei::BooleanBasedBlind`
Cleanup markdown uses 2021-09-07 00:59:05 +01:00			`sqli_opts` is a hash containing all of the [options](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/sqli/common.rb#L12).
add one column note 2020-10-27 19:32:20 -04:00
			`## Notes`

magic_quotes 2021-01-02 13:38:15 -05:00			`### run_sql`

			`run_sql` can only return 1 column.

			`### magic_quotes bypass`

Cleanup markdown uses 2021-09-07 00:59:05 +01:00			`CAN ONLY RETURN ONE COLUMN AT A TIME`
magic_quotes 2021-01-02 13:38:15 -05:00
			At times, PHP will use `magic_quotes` to escape `'` and `"`. This may cause problems in the SQL injection. You'll know its a problem, because you'll see log items like this:

			```
			[Sat Jan 02 14:11:53.103512 2021] [php7:notice] [pid 55607] [client 2.2.2.2:36475] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\\';\\',ifnull(user_login,\\'\\'),ifnull(user_pass,\\'\\')) as binary) mMJZrCxQ from w' at line 1 for query SELECT * FROM wp_chopslider3 WHERE chopslider_id =938076279 OR 1=1 AND if(length(cast((select group_concat(mMJZrCxQ) from (select cast(concat_ws(\\';\\',ifnull(user_login,\\'\\'),ifnull(user_pass,\\'\\')) as binary) mMJZrCxQ from wp_users limit 1) fWLwo) as binary))&1<>0,sleep(1.0),0)
			```

			`However, the query was similar to this:`

			```
			`[*] {SQLi} Executing (select group_concat(qcO) from (select cast(concat_ws(';',to_base64(ifnull(user_login,'')),to_base64(ifnull(user_pass,''))) as binary) qcO from wp_users limit 1) dTWyw)`
			```

			The query was sent without the escapes, however they were added. The solution is to avoid quotes at all. To do this, we will need to use the `hex` encoder

Cleanup markdown uses 2021-09-07 00:59:05 +01:00			```ruby
			`if payload.include?("''")`
			`payload.gsub!("''", 'hex(0x00)')`
			`end`
magic_quotes 2021-01-02 13:38:15 -05:00			```

Use kramdown flavored markdown instead of github flavored markdown 2021-09-06 19:22:01 +01:00			This will convert all instances of `''` which were previously being escaped to `\'\'` to `hex(0x00)` which does not get altered.