h00die
35 lines
1.2 KiB
Markdown
35 lines
1.2 KiB
Markdown
SQL Injection library support was added in 2020 by @red0xff during the Google Summer of Code.
|
|
|
|
# Supported Databases
|
|
* MySQL/MariaDB (#13596)
|
|
* SQLite (#13847)
|
|
* PostgreSQL (#14067)
|
|
|
|
# Supported Techniques
|
|
* Boolean Based Blind
|
|
* Time Based Blind
|
|
|
|
| | MySQL/MariaDB | SQLite | Postgres |
|
|
|---------------------|---------------|--------|----------|
|
|
| Boolean Based Blind | X | X | |
|
|
| Time Based Blind | X | X | |
|
|
| | | | |
|
|
|
|
## How to use in a module
|
|
|
|
You'll need to start off by including the library.
|
|
|
|
```
|
|
include Msf::Exploit::SQLi
|
|
```
|
|
|
|
Next we create our SQLi object:
|
|
|
|
```
|
|
sqli = create_sqli(dbms: MySQLi::Common, opts: sqli_opts) do |payload|
|
|
# Here is where we write in what to do each request using #{payload} as the spot to inject
|
|
end
|
|
```
|
|
|
|
`dbms` can be set to either `Common` if the DB isn't know, or one of the other databases and methods if it is known ahead of time such as `SQLitei::BooleanBasedBlind`
|
|
`sqli_opts` is a hash containing all of the options: https://github.com/red0xff/metasploit-framework/blob/master/lib/msf/core/exploit/sqli/common.rb#L10 |