How to use SQL injection to explode a database

What SQL injection can do

In the "SQL Injection Basics" article describes the basic principles of SQL injection and the experimental methods, then you need to ask, what can SQL injection in the end?

It is estimated that many friends would think that using SQL injection can only fetch all the records in the current table, but not the contents of the other tables.

Just as the thief crawled into the room from the window, could he only steal things in the room? No, he can looted the whole house.

Don't believe it? So let's see how MySQL can be exploded.

How to uproot a MySQL database

If, as a hacker, there is no way to know what tables are in the system, which fields are in the table, how do you steal the contents of the database?

The answer is that the MySQL data has a meta-database that describes what databases the entire MySQL server has, what tables each data has, and what fields each table has, which is tantamount to telling people what they have in their own house.

The meta-database is a root, as long as it captures this basis, along:

Table contents, List of tables, table list, database list, meta database

This tree-like hierarchical retrieval order, you can completely steal the entire database content, the following to show you.

Where's the meta-database?

There's a meta-database in MySQL just now, but where is it hiding? Don't worry, please log in to the MySQL database and run show databases; the command to get a list of all the databases as shown in:

The red color of the database information_schema is the meta-database, inside the application, you can explore virgin land.

Enter information_schema the database to see what data tables are in it and use the following command:

The root of what we call is the SCHEMATA table, which describes all the databases under MySQL.
Then using the table, you TABLES can see the table name under the data, and then, using the COLUMNS table, you can see the field names under each table. The following shows how to view the data in turn.

View all databases

The schemata table describes all database information, just the standard SELECT statement:

SELECT * FROM information_schema.SCHEMATA

You can display the contents of the table all:

Note that the table is accessed from the standard format of < database name >.< table name > , since it is no longer entered into a database. The above information_schema.SCHEMATA representation queries the information_schema table under the database SCHEMATA .

The field in the graph SCHEMA_NAME is the database name, and the MySQL server has 5 databases from the query results.

View Table

With the list of databases, you can further see all the tables under a database (all the tables under all databases are now also viewable). For example lyt_test , look at all the tables under the database, using SQL statements:

SELECT TABLE_SCHEMA, TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = ‘lyt_test‘

The query results are as follows:

TABLE_NAMERepresents the table name, the left column TABLE_SCHEMA is the database name, because the Lyt_test database has only accounts the table, so the output is only one column.

View all fields in a table

Then use the columns table to query all the field information for the table, and use the following SQL statement to query all the field names and types of the accounts table:
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE FROM information_schema.COLUMNS WHERE TABLE_NAME = ‘accounts‘

Query out the Accounts table for all field and type information as shown in:

View all records in a table

Viewing the contents of the accounts table is a piece of cake, learned the database of all know that SQL is written as follows:
SELECT * FROM lyt_test.accounts

The results are as follows:

Well, here I believe you've learned how to steal all the database content from MySQL.

Looking for a fulcrum.

A great physicist, Mead, once said:

Give me a fulcrum, I can pry up the Earth

In front of the technical introduction in the case of not knowing how MySQL data design, through the meta-database, step by step informatio_schema to steal the entire database content.

So how do you use SQL injection to steal an entire database? , this is the Fulcrum to look for.

Do you remember the experiment that was introduced in the last article? With SQL injection technology, you can steal all the data from the UserInfo table. But the portion of the SQL that can be injected is only WHERE partial, and the SELECT ... FROM ... fields and table names in the section are not injected, so how can you steal data from other tables?

The secret is to use UNION statements. Yes, standard SQL provides UNION statements that combine two SELECT results (that is, a union of two SELECT results). UNIONThe syntax of the statement is as follows:

SELECT column_name1(s) FROM table_name1UNIONSELECT column_name2(s) FROM table_name2

• 1
• 2
• 3

• 1
• 2
• 3

The only requirement is that SELECT the number of columns in the two statement be equal.

With the UNION statement, you can combine SELECT * from userinfo WHERE ... the SELECT * from lyt_test.accounts two results together.

And so on, as a hacker, did not get the source code, how to know how SELECT * from userinfo many columns of query results?
Obviously, it is not known, but it is possible to get this value by means of a heuristic : Inject UNION SELECT 1, ... N Such a statement in turn to test. Try first, SELECT 1 SELECT 1，2 then, and then SELECT 1，2，3 until the error is not run. You can test it on MySQL first, as shown in the results:

From the test results, it is known that the result after Union SELECT must be two columns, or else an error will occur.

Yes, remember when it was injected.WHEREIs there a two-condition after? (name = 'name ′andpas swd=′ PASSSWD '), in the actual code may be more complex conditions, and even hackers are difficult to guess the conditions, that thisUNIONThe language should be inserted in that variable? Makes the entire SQL still a legitimate query statement.

It is best to be safe to UNION SELECT ... inject into the first variable, then add a comment symbol at the end of the injection, comment out the post statement, and not consider what the following statement is. In the MySQL database, # annotations can be implemented using symbols.

Say so much, you can do a bit of injection testing, verify:

In the username text box, type: ivan‘ union select 1,2# , such as:

Click login the button to run the result as shown:

Please leave a note on the statement generated in the red box SQL :

SELECT * from userinfo WHERE name = ' Ivan ' union select 1,2# and passwd = "

#Comment out the following SQL content, MySQL resolves it directly to kill it, equivalent to the following SQL statement:

SELECT * from userinfo WHERE name = ' Ivan ' union select

The result of select 1, 2 is a constant row , and in the following example, an attempt is to query data from a table, not exactly a constant row.

All right, UNION and that # 's the fulcrum of the bomb vault.

Practice Explosion Library

Everything is ready, only owed the East wind . Let the wind blow up and blow it more violently.

The following experiments are based on the "SQL Injection Foundation" in the development of the database application demo to experiment, if the reader does not have the basic knowledge of SQL injection, it is recommended to look at this article, but also suggested that the SQL injection of beginners in this article to build the same data application demo to test A.

Exploded Database list

To username inject in:

Ivan ' Union select 1,schema_name from INFORMATION_SCHEMA. Schemata #

You can query all database lists such as:

The icon in the Red box is the list of databases. We have the UNION SELECT ... first column in the statement constant 1, and the second is information_schema. This column is schema_name in the Schemata table, which is exactly the database name.

Explode all the table names under a database

To reduce the output, only the table name under the Lyt_test database is exploded and username injected into:

Ivan ' Union select 1,table_name from INFORMATION_SCHEMA. TABLES where Table_schema = ' lyt_test ' #

You can query all the tables under the Lyt_test database, as shown in:

The difference is that the Lyt_test database has only accounts a table, and the other is the same principle as the exploded database, without much explanation.

Explode all fields under a table

All the fields below the accounts table are only exploded here, and username injected into:

Ivan ' Union Select 1, column_name from INFORMATION_SCHEMA. COLUMNS WHERE table_name = ' accounts ' #

The results are as follows:

Red is the field name. So what's the type? Modify the injected content as:

Ivan ' Union Select 1, data_type from INFORMATION_SCHEMA. COLUMNS WHERE table_name = ' accounts ' #

You can get the field type information as shown in:

The red ones are the types of the previous two fields, that is ID char , the type is, and the type is balance float .

The rule can be found from the above: each injection can get to each list data in the target table , if the table has n tables, injection n times can get the complete table information.

Explode all the records under a table

This is not written here, the reader can practice their own, the original is exactly the same as above.

Summarize

The original SQL injection burst database is so easy, but there are a few prerequisites

1. A metabase information_schema appears in MySQL, which describes the table-and-field tree for all databases---all MySQL servers
2. SQL language provides UNION statements that can be added to steal other data to merge into the injected SELECT results
3. MySQL expands on SQL and provides annotations so that # injections can do whatever they want

is the essence of the bomb vault mastered? Come on, try it.

Note: This article is transferred from http://blog.csdn.net/linyt/article/details/52966555#

How to use SQL injection to explode a database