SQL Engine

ron190 edited this page Jun 2, 2024 · 22 revisions

💉jSQL generates default SQL syntax, which is editable in the SQL Engine tab, so that queries can be debugged and optimized live for the currently identified engine.

Each SQL part is defined by a unique ${tag}, and every tag is replaced by its concrete value in the final query.

The entire query roughly appears like the following:

character insertion  # input prefix like quote or parenthesis, eg. &p=', &p='), etc
  ${indices}:Normal or ${window}:Error+Stacked or ${boolean.mode}&${test}:Time+Blind
    ${injection}:all & ${window.char}:Multibit+Bittest & ${bit}
      ${database} ${table} ${fields}
        ${field.value}
          ${indice} & ${calibrator}:Normal
      ${limit}
        ${limit.value}
  ${window.char}

Structure — schema content — ${injection}

  • Database: get names with number of tables
  • Tables: get names with number of rows
  • Columns: get names
  • Rows: get de-duplicated rows
    • Field: single column name; all fields are concatenated into ${fields} with a separator
    • Field Separator: added between fields to separate column values
  • Metadata: get engine info like version and current user

Strategy — high level syntax

  • Normal: apply union-based select
  • Stacked: apply stacked select
  • Error: apply an exception trigger that includes the result
  • Boolean — bitwise strategies
    • Mode ${boolean.mode}: use AND/OR depending on the initial query state (e.g. where 1=1 AND, where 1=0 OR)
    • Blind: trigger a Yes/No response for a given bit of a single char's ASCII code
    • Time: trigger a Yes/No page delay for a given bit of a single char's ASCII code
    • Multibit: get a specific result for a given group of bits of a single char's ASCII code
    • Bit test ${test}: return true when the bit of the given ASCII code is 1, else return false
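
Seen from the server side, the Blind and Time strategies above answer one bit of one character per request, so a single client produces a long series of parameter values that differ only in their numbers. The following detection sketch is an added example, not part of jSQL or its wiki; the log tuples, the `probe(...)` stand-in values, and the `min_probes` threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

NUM = re.compile(r"\d+")

def find_bitwise_probing(requests, min_probes=16):
    """Return {(client, path, param, template): distinct_probe_count}.

    A series is reported when one client sends many values for the same
    parameter that are identical except for two or more numeric slots
    (for example a character position and a bit index). min_probes is an
    assumed threshold: two characters' worth of 8 single-bit requests.
    """
    seen = defaultdict(set)
    for client, url in requests:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            numbers = tuple(NUM.findall(value))
            if len(numbers) < 2:
                continue  # plain values such as id=42 have a single slot
            template = NUM.sub("N", value)  # same shape, numbers masked
            seen[(client, parts.path, name, template)].add(numbers)
    return {key: len(vals) for key, vals in seen.items() if len(vals) >= min_probes}

def constructed_sample():
    """Constructed (client, url) pairs; values are neutral stand-ins, not SQL."""
    reqs = [("10.0.0.5", f"/item?id={i}") for i in range(1, 40)]  # browsing
    reqs.append(("10.0.0.5", "/search?q=iphone+15+128gb"))  # two numbers, once
    reqs += [("10.0.0.9", f"/item?id=7+probe(char={c},bit={b})")
             for c in range(1, 4) for b in range(8)]  # 3 chars x 8 bits
    return reqs

if __name__ == "__main__":
    for key, count in find_bitwise_probing(constructed_sample()).items():
        print(count, key)
```

In real traffic the same grouping can be fed from parsed access logs; for the Time strategy, adding the response duration to each tuple lets the series also be checked for a two-valued (fast/slow) latency pattern.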

Configuration — other parts

  • Char Sliding Window ${window.char}: set a substring of data
  • Rows Sliding Window ${limit}: set rows starting at a specific position (see LIMIT)
  • Limit start index ${limit.value}: set the initial LIMIT position; some engines start at 0 and some at 1
  • Capacity ${capacity}: set a specific Normal query to measure the response size of indexes
  • Calibrator ${calibrator}: repeat a given char for the Normal capacity measure
  • Failsafe: set Normal index with N0+1 form
  • End comment: set an SQL comment to ignore the remaining parts of the internal query

Fingerprint — identify engine and character insertion

  • Order by: set a wrong column index to trigger a specific engine error
  • Order by error: expected engine error when the order by index is wrong
  • String error: expected SQL syntax error when the query is incorrect
  • Truthy: list of predicates checked as true by the engine
  • Falsy: list of predicates checked as false by the engine

File

  • Privilege: get current user's read permission
  • Read: get file content to read
  • Write body: set file content to write
  • Write path: set file path to write

Previous topic: Strategies, Next topic: Parameters