Skip to content

SQL Engine

Jump to bottom
ron190 edited this page Jun 8, 2024 · 22 revisions

💉jSQL generates default SQL syntax based on a template which is editable in tab SQL Engine, allowing to live-debug and optimize queries on the fly for current identified engine.

Any SQL part is defined by a unique ${tag} and all tags are replaced by its concrete value in the final query.

The entire template is roughly like the following:

character insertion layer                                    # input prefix
  ${indices}:Normal or ${boolean.mode} & ${test}:Time+Blind  # strategy layer
    ${window}                                                # chars substring
      ${window.char}:Multibit+Bittest & ${bit}               # chars position index
        ${injection}:all                                     # main select
          ${database} ${table} ${fields}                     # all fields with main from
            ${field.value}                                   # single field syntax
              ${indice} & ${calibrator}                      # Normal specific
          ${limit}                                           # rows position
            ${limit.value}                                   # rows position index

Structure — schema content — ${injection}

  • Database: get names with number of tables
  • Tables: get names with number of rows
  • Columns: get names
  • Rows: get de-duplicated rows
    • Field: single column name, all fields are concatenated into ${fields} with separator
    • Field Separator: added between fields to separate column values
  • Metadata: get engine info like version and current user

Strategy — high level syntax

  • Normal: apply union-based select
  • Stacked: apply stack select
  • Error: apply exception trigger that includes the result
  • Boolean — bitwise strategies
    • Mode${boolean.mode}: use AND/OR depending on the initial query state (eg. where 1=1 AND, where 1=0 OR)
    • Blind: get result Yes/No for given bit from ASCII code of a single char
    • Time: get delay Yes/No for given bit from ASCII code of a single char
    • Multibit: get specific result for given bits from ASCII code of a single char
    • Bit test${test}: return true when the bit of given ASCII code is 1, else return false

Configuration — other parts

  • Char Sliding Window${window.char}: set a substring of data
  • Rows Sliding Window${limit}: set rows starting at specific position (see LIMIT)
  • Limit start index${limit.value}: set LIMIT initial position, some engine starts at 0 and some at 1
  • Capacity${capacity}: set specific Normal query to measure indexes response size
  • Calibrator${calibrator}: repeat given char for Normal capacity measure
  • Failsafe: set Normal index with N0+1 form
  • End comment: set SQL comment to ignore internal query remaining parts

Fingerprint — identify engine and character insertion

  • Order by: set wrong column index to trigger specific engine error
  • Order by error: expected engine error when order by index is wrong
  • String error: expected SQL syntax error when query is incorrect
  • Truthy: list of predicate checked as true by engine
  • Falsy: list of predicate checked as false by engine

File

  • Privilege: get current user's read permission
  • Read: get file content to read
  • Write body: set file content to write
  • Write path: set file path to write
Previous topic: Strategies, Next topic: Parameters
  1. Home
  2. TL;DR
  3. General
  4. Strategy
  5. Insight
  6. Exploit
  7. Reverse shell
  8. Window
  9. SQL Engine
  10. Parameter
  11. Preference
  12. Database
  13. Programming jSQL
  14. Test script
  15. Roadmap
  16. Changelog
Clone this wiki locally