SQL Injection library support was added in 2020 by @red0xff during the Google Summer of Code.
# Supported Databases
* MySQL/MariaDB ([#13596](https://github.com/rapid7/metasploit-framework/pull/13596))
* SQLite ([#13847](https://github.com/rapid7/metasploit-framework/pull/13847))
* PostgreSQL ([#14067](https://github.com/rapid7/metasploit-framework/pull/14067))
# Supported Techniques
* Boolean Based Blind
* Time Based Blind

| | MySQL/MariaDB | SQLite | Postgres |
|---------------------|---------------|--------|----------|
| Boolean Based Blind | X | X | |
| Time Based Blind | X | X | |

## How to use in a module
You'll need to start off by including the library.
```
include Msf::Exploit::SQLi
```
Next we create our SQLi object:
```
sqli = create_sqli(dbms: MySQLi::Common, opts: sqli_opts) do |payload|
  # Here is where we write in what to do each request using #{payload} as the spot to inject
end
```
`dbms` can be set to either `Common` if the DB isn't known, or to one of the other databases and methods if it is known ahead of time, such as `SQLitei::BooleanBasedBlind`.
`sqli_opts` is a hash containing all of the options: https://github.com/red0xff/metasploit-framework/blob/master/lib/msf/core/exploit/sqli/common.rb#L10
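
A toy model of the block contract described above, added here as an example and not taken from Metasploit: the object calls the block once per request with a payload, and for boolean-based blind it learns one true/false answer each time. `ToyBooleanBlind`, `extract`, `fake_target` and `FAKE_DB` are hypothetical names, and the target is a constructed in-memory stand-in, so no database or network is involved.

```ruby
# Toy model, not Metasploit code. Assumption: for boolean-based blind the
# block receives one payload per request and returns true or false.
class ToyBooleanBlind
  attr_reader :requests

  def initialize(&oracle)
    @oracle = oracle
    @requests = 0
  end

  # Recover a scalar expression one yes/no question at a time.
  def extract(expr)
    len = bisect(0, 64) { |n| "length(#{expr})>#{n}" }
    (1..len).map do |i|
      bisect(0, 127) { |n| "ascii(substr(#{expr},#{i},1))>#{n}" }.chr
    end.join
  end

  private

  # Binary search: returns the v at which "value > v" first becomes false.
  def bisect(lo, hi)
    while lo < hi
      mid = (lo + hi) / 2
      @requests += 1
      if @oracle.call(yield(mid)) then lo = mid + 1 else hi = mid end
    end
    lo
  end
end

# Constructed stand-in for the target: answers conditions from memory,
# where a real module would send a request and inspect the response.
FAKE_DB = { 'version()' => '10.5.8-MariaDB' }.freeze

def fake_target(payload)
  case payload
  when /\Alength\((.+)\)>(\d+)\z/
    FAKE_DB.fetch($1).length > $2.to_i
  when /\Aascii\(substr\((.+),(\d+),1\)\)>(\d+)\z/
    FAKE_DB.fetch($1)[$2.to_i - 1].ord > $3.to_i
  end
end

def toy_demo
  sqli = ToyBooleanBlind.new { |payload| fake_target(payload) }
  [sqli.extract('version()'), sqli.requests]
end
```

`toy_demo` recovers the 14-character string in 104 block calls; that burst of near-identical requests differing only in a comparison value is what this technique looks like in access logs.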
## Notes
`run_sql` can only return 1 column.