1_SQL

1. First-order SQL

First-order SQL injection occurs when the application processes user input from an HTTP request and incorporates the input into a SQL query in an unsafe way.

1.1 Union

1.1.1 Method

' ORDER BY 1-- 

' ORDER BY 2-- 

' ORDER BY 3-- etc.

' UNION SELECT NULL-- 

' UNION SELECT NULL,NULL-- 

' UNION SELECT NULL,NULL,NULL-- etc. 

(All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.)

1.1.2 Finding columns with a useful data type

1.1.3 Using a SQL injection UNION attack to retrieve interesting data

1.1.4 Retrieving multiple values within a single column

This uses the double-pipe sequence ||, which is the string concatenation operator on Oracle. The injected query concatenates the values of the username and password fields, separated by the ~ character.

The results from the query contain all the usernames and passwords, for example:

Different databases use different syntax to perform string concatenation. For more details, see the SQL injection cheat sheet.

1.2 Blind SQL injection vulnerabilities

1.2.1 Exploiting blind SQL injection by triggering conditional responses

  • The first of these values causes the query to return results, because the injected AND '1'='1 condition is true. As a result, the "Welcome back" message is displayed.

  • The second value causes the query to not return any results, because the injected condition is false. The "Welcome back" message is not displayed.

Confirm that the users table exists: (SELECT 'a' FROM users LIMIT 1) = 'a'

If the subquery you write is (SELECT 'a' FROM users) and the users table contains 100 users, the query returns 100 'a' values.

When those 100 'a' values are compared with the single 'a' on the right-hand side (= 'a'), the database raises an error along the lines of "the subquery returned more than one row, so the comparison cannot be made". This causes the injection to fail.

Adding LIMIT 1 ensures that only one value is returned.

We can continue this process to systematically determine the full password for the Administrator user:

1.2.2 Error-based SQL injection

Exploiting blind SQL injection by triggering conditional errors

step:

The WHERE ROWNUM = 1 condition is important here to prevent the query from returning more than one row, which would break our concatenation.

Extracting sensitive data via verbose SQL error messages

You can use the CAST() function to achieve this. It enables you to convert one data type to another. For example, imagine a query containing the following statement:


1.2.3 Exploiting blind SQL injection by triggering time delays

For example, on Microsoft SQL Server:

Using this technique, we can retrieve data by testing one character at a time:

1.2.4 Exploiting blind SQL injection using out-of-band (OAST) techniques

Burp Collaborator

(after URL decoding)

Having confirmed a way to trigger out-of-band interactions, you can then use the out-of-band channel to exfiltrate data from the vulnerable application. For example:

This input reads the password for the Administrator user, appends a unique Collaborator subdomain, and triggers a DNS lookup. This lookup allows you to view the captured password:

Official solution (Oracle version):

After URL decoding:

2 Second-order SQL injection

First-order SQL injection occurs when the application processes user input from an HTTP request and incorporates the input into a SQL query in an unsafe way.

Second-order SQL injection occurs when the application takes user input from an HTTP request and stores it for future use.

Later, when handling a different HTTP request, the application retrieves the stored data and incorporates it into a SQL query in an unsafe way.

2.1 Examining the database

The following are some queries to determine the database version for some popular database types:

Database type       Query
Microsoft, MySQL    SELECT @@version
Oracle              SELECT * FROM v$version
PostgreSQL          SELECT version()

For example,

3 Preventing SQL injection vulnerabilities
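As an added example that is not part of these notes, the following Python script (using sqlite3 with a constructed in-memory table; the tracking-cookie lookup and all table, column and function names are assumptions) places the unsafe query construction behind the conditional-response behaviour in section 1.2.1 beside its parameterised form, so the "Welcome back" oracle only appears for the vulnerable version.

```python
import sqlite3

# Constructed demo schema: one table of known tracking cookies.
# Table and column names are assumptions for this example only.
SCHEMA = """
CREATE TABLE tracking (id TEXT);
INSERT INTO tracking VALUES ('abc123');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def tracking_id_known_vulnerable(con, tracking_id):
    # First-order injection: the cookie value is spliced straight into the SQL
    # text, so a quote inside it closes the literal and the rest is parsed as SQL.
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return con.execute(sql).fetchone() is not None


def tracking_id_known_safe(con, tracking_id):
    # Parameterised query: the value travels separately from the SQL text, so
    # quotes and AND/OR inside it are compared as data, never parsed as SQL.
    sql = "SELECT id FROM tracking WHERE id = ?"
    return con.execute(sql, (tracking_id,)).fetchone() is not None


def welcome_message(check, con, tracking_id):
    # Mirrors the application behaviour from 1.2.1: "Welcome back" is shown only
    # when the lookup returns a row. That difference is the blind oracle.
    return "Welcome back" if check(con, tracking_id) else ""


if __name__ == "__main__":
    con = make_db()
    probes = ["abc123", "abc123' AND '1'='1", "abc123' AND '1'='2"]
    for probe in probes:
        print(repr(probe))
        print("  vulnerable:", repr(welcome_message(tracking_id_known_vulnerable, con, probe)))
        print("  safe      :", repr(welcome_message(tracking_id_known_safe, con, probe)))
```

With the parameterised version the two conditional probes produce identical output, so the response no longer leaks anything about the injected condition.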
