Probe offset Injection

Source: Internet
Author: User
Union offset injection was first proposed by lake2. I had treated it as a chicken rib (of little use) and paid it no attention until yesterday, when I ran into a MySQL 4.1 target. Even with the table and column names guessed, no data could be extracted: the parameters were separated by commas (,), so the injection had to avoid commas altogether, and that rules out the ordinary union.

Normal union is out, and brute-force guessing does not work either, because substr also takes a comma. Remember join: a very important trick in offset injection is to use join statements to control the number of fields and the positions where data is displayed. The trouble is that you do not know the target's environment, the number of columns in the table, the data types and so on; you can only guess and assemble the right number of fields.
If order by 7 returns normally on the target site and order by 8 does not, there are seven fields in total. The usual next step is and 1=2 union select 1,2,3,4,5,6,7 # to see which positions are displayed. To avoid commas, you must use a join statement. We do not know how many columns the users table has, but that does not matter: select * from (select username from users) as a join (select username from users) as b on a.username = b.username uses the result set of a single-column select as a table and joins such tables together. Repeating (select username from users) as a seven times fills the seven fields.
The statement above executes normally in MySQL 5, including inside a union clause, but MySQL 4.x reports a syntax error because it does not support such deep nesting. Modified:
select * from users as a join (select id from users) as b on a.id = b.id
This form runs normally on 4.1. It will not run on 4.0, which simply does not support subqueries.
There is another problem: the first select must be *, otherwise only the first column is returned. MySQL's join is an inner join by default. I tried changing it to left join or right join; I remember MySQL 4 supports both, and I do not understand why it does not work here. So you have to guess the number of fields in the target table, and that number must be <= the number of fields in the outer select, which in turn is limited by the fields that are displayed. The advantage is that you do not need to know the column names: you can use constants instead, i.e. select 1, 2, 4, 5 union select * from users as a join (select 1 from users) as b join (select 1 from users) as c on a.id = 1
This avoids "," entirely, although the selected data may contain many duplicates (distinct removes them, unless the distinct keyword is filtered).
If the target table has more fields than the select does, that is also fine, since the first select must be *: find a table with fewer fields, e.g. select * from news as a join (select username from users) as b. This is still constrained by the table name, the number of fields and the displayed fields, though.
The statements above were tested successfully on MySQL. To use them on Access or MSSQL you would probably have to debug them separately. This differs somewhat from the offset injection described earlier; call it offset injection in another sense. The core idea is to keep joining fields so as to avoid ,.

The most depressing part is that getting a shell through fckeditor takes no technical skill at all, and I studied it the whole afternoon -_-

While riding my bicycle outside it suddenly occurred to me why the earlier statement select * from users as a join (select id from users) as b on a.id = b.id must begin with *: MySQL does not parse select * from users as a unit, but joins users as a with what follows, i.e. select * from (users as a join (select id from users) as b on a.id = b.id), so the leading * naturally returns all the columns of the sub-statement.
So rewrite it as select distinct * from (select 1 from users) as a join (select 2 from users) as b, keep joining to fill up the fields, and finally replace the positions that show up with the username and password fields. Tested successfully on MySQL 4.1. You still need to know the column names, of course.
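From the defender's side, the following Python/sqlite3 script (added here, not code from the original post) shows why a comma blacklist is not a fix: the join form described above passes the filter and is exactly as wide as the comma form it replaces, while a parameterised query binds the same text as data and nothing happens. The users table, its rows and the fragment are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (sample data, not from the post)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer, username text, password text)")
    db.executemany("insert into users values (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return db


def comma_blacklist_allows(fragment: str) -> bool:
    """The weak defense the post works around: reject any input containing a comma."""
    return "," not in fragment


def column_count(db: sqlite3.Connection, sql: str) -> int:
    """Width of a SELECT's result: the quantity the post builds up one join at a time."""
    return len(db.execute(sql).description)


# The post's comma form and its join form; both are three columns wide.
COMMA_FORM = "select 1, 2, 3"
JOIN_FORM = ("select distinct * from (select 1 from users) as a "
             "join (select 2 from users) as b join (select 3 from users) as c")


def blacklist_versus_join(db: sqlite3.Connection):
    """(comma form allowed?, join form allowed?, comma width, join width)."""
    return (comma_blacklist_allows(COMMA_FORM), comma_blacklist_allows(JOIN_FORM),
            column_count(db, COMMA_FORM), column_count(db, JOIN_FORM))


# Comma-free fragment shaped like the post's final form. It yields only the constant
# row (1, 2), which is enough to show the text ran as SQL instead of matching a name.
FRAGMENT = ("x' union select distinct * from (select 1 from users) as a "
            "join (select 2 from users) as b -- ")


def vulnerable_lookup(db: sqlite3.Connection, name: str):
    """String concatenation: whatever passes the blacklist becomes part of the statement."""
    return db.execute(f"select id, username from users where username = '{name}'").fetchall()


def safe_lookup(db: sqlite3.Connection, name: str):
    """Parameterised query: the input is bound as data, so it cannot change the SQL."""
    return db.execute("select id, username from users where username = ?", (name,)).fetchall()
```

Filtering characters is not a defense against this class of injection; binding user input as a parameter is.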
