The basics of MySQL injection (the "heavenly book" sqli-labs guide)

Source: Internet
Author: User
Tags: mysql, injection

Part 1 / Page-1: Basic challenges

Background-1 Basic Knowledge

Here is some basic knowledge about MySQL injection.

(1) Classification of injection (there is no single accepted scheme)

The following passage is from Adhemar; I personally think this classification is comprehensive enough. If you cannot follow it, skip it, and come back to it once you have worked through the whole study process. With a full understanding of each of these categories, and the knowledge behind each one, you have made a small achievement, at least in SQL injection.

Based on the response received from the server:

▲ Error-based SQL injection

▲ UNION query-based injection

▲ Stacked query injection

▲ Blind SQL injection

  • Boolean-based blind SQL injection

  • Time-based blind SQL injection

  • Error-based blind SQL injection

Based on how the input to the SQL query is handled (data type):

  • String-based

  • Numeric or integer-based

Based on degree and order (where the effect occurs):

★ First-order injection

★ Second-order injection

First-order injection means the injected statement entered on the web page takes effect directly and produces a result. Second-order injection is similar to stored XSS: the submitted statement does not affect the web application directly, but causes harm through some other, indirect path; this is what is called second-order injection.

Based on the location of the injection point:

▲ Injection via form fields entered by the user.

▲ Injection via a cookie.

▲ Injection via server variables (injection based on HTTP header information).

(2) System functions

Several common functions are described:
1. version() -- MySQL version
2. user() -- database user name
3. database() -- database name
4. @@datadir -- database data directory path
5. @@version_compile_os -- operating system version

  (3) String concatenation functions

    Detailed introduction of the functions: http://www.cnblogs.com/lcamry/p/5715634.html

    1. concat(str1,str2,...) -- concatenates strings with no delimiter
    2. concat_ws(separator,str1,str2,...) -- concatenates strings with a delimiter
    3. group_concat(str1,str2,...) -- concatenates all the strings of a group, separating each row's data with a comma
    This sounds rather abstract; in fact you do not need to understand the details, just know that these three functions let you retrieve all the information at once.

  (4) Statements typically used for probing

    Ps: --+ can be replaced with #; when submitting in a URL, # is URL-encoded as %23

    or 1=1--+

    ' or 1=1--+

    " or 1=1--+

    ) or 1=1--+

    ') or 1=1--+

    ") or 1=1--+

    ")) or 1=1--+

    The general code is:

    $id = $_GET['id'];

    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";

    Consider two points here: one is how to close the quote before your input, the other is how to deal with the quote after it. Two ideas are generally used: close the trailing quote, or comment it out, using --+ or # (%23).

  (5) Introduction to the UNION operator

    The UNION operator is used to combine the result sets of two or more SELECT statements. Note that each SELECT statement inside the UNION must have the same number of columns. The columns must also have compatible data types, and the order of the columns in each SELECT statement must be the same.

    SQL UNION syntax

    SELECT column_name(s) FROM table_name1

    UNION

    SELECT column_name(s) FROM table_name2

    Note: by default, the UNION operator returns only distinct values. If duplicate values are allowed, use UNION ALL.

    SQL UNION ALL syntax

    SELECT column_name(s) FROM table_name1

    UNION ALL

    SELECT column_name(s) FROM table_name2

    In addition, the column names in the UNION result set are always those of the first SELECT statement in the UNION.

    (6) Logical operations in SQL

    Here I would like to discuss the question of logical operations.

    Consider the statement select * from users where id=1 and 1=1; Why does it select the row with id=1, and what does the 1=1 do? To answer this you need to be clear about the order in which the SQL statement is evaluated.

    At the same time, consider the so-called universal password. The login query is:

    select * from admin where username='admin' and password='admin'

    We can enter ' or 1=1# as the password. Why does this work?

    This is a matter of logical operations. When the universal password is used, the SQL statement becomes:

    select * from admin where username='admin' and password='' or 1=1#'

    Explanation: when the above statement executes, we are logged in as the admin user without knowing the password.

    The reason is that after the WHERE clause there are three conditions, username='admin', password='' and 1=1, joined by AND and OR. In SQL, AND has higher precedence than OR. So the first condition (call it A) is true, the second condition (B) is false, and A AND B = false; the combination of the first and second conditions is false. This result is then combined by OR with the third condition, and because 1=1 is always true, the overall result is true. The statement is therefore always true.


    ① select * from users where id=1 and 1=1;

    ② select * from users where id=1 && 1=1;

    ③ select * from users where id=1 & 1=1;

    What is the difference between the three above? ① and ② are the same: the condition id=1 and the condition 1=1 are evaluated and combined with AND.

    ③ means that the condition id=1 and the value 1 are combined with a bitwise & operation: id=1 is treated as true (1), 1 & 1 gives 1, and then the = comparison is performed, 1=1, which gives 1 (ps: & has higher precedence than =).

    Ps: a bitwise operation is performed here. We can convert a number to binary and then apply AND, OR, NOT, XOR and so on. This method can be used to extract results during injection when necessary. For example, after converting a character to its ASCII code, you can AND it with 1, 2, 4, 8, 16, 32, ... in turn to obtain the value of each bit; putting the bits together gives the ASCII value, and the character is then recovered from the ASCII value. (Rarely used)
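    As an added example (not code from the original page), the general code from (4) and the universal-password case from (6) reproduced against a constructed in-memory SQLite database that stands in for the tutorial's MySQL tables, with a parameterized query beside each vulnerable one. Assumptions: SQLite has no # comment, so "-- " is used where the page writes --+; the table names and rows are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's MySQL tables (example code added here,
# not from the original page). SQLite has no '#' comment, so '-- ' plays the role of '--+'.
SAMPLE_SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
CREATE TABLE admin (username TEXT, password TEXT);
INSERT INTO admin VALUES ('admin', 's3cret');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def lookup_by_id_unsafe(conn, id_value):
    # Mirrors the page's $sql = "SELECT * from users WHERE id='$id' LIMIT 0,1":
    # the input is spliced into the quoted literal, so a quote inside it ends the literal.
    sql = f"SELECT * FROM users WHERE id='{id_value}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def login_unsafe(conn, username, password):
    # Mirrors the page's admin query. AND binds tighter than OR, so
    # (username=... AND password='') OR 1=1 is true for every row.
    sql = f"SELECT * FROM admin WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # The fix: bound parameters keep the input as data; a quote cannot close the literal.
    sql = "SELECT * FROM admin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def and_binds_tighter(conn):
    # 0 AND 1 OR 1 -> (0 AND 1) OR 1 = 1; if OR bound first it would be 0 AND (1 OR 1) = 0.
    return conn.execute("SELECT 0 AND 1 OR 1").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(lookup_by_id_unsafe(db, "1"))               # the one intended row
    print(lookup_by_id_unsafe(db, "999' or 1=1-- "))  # every row: quote closed, LIMIT commented out
    print(login_unsafe(db, "admin", "' or 1=1-- "))   # admin row returned without the password
    print(login_safe(db, "admin", "' or 1=1-- "))     # []: the payload is just a wrong password
```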

    (7) Injection process

    Our database stores data as databases containing many data tables; each table has many columns, and data is stored in each column. The injection process is to get the database name, get the tables under the current database, get the columns under the current table, and finally get the data.

    Now do some basic MySQL operations. Start MySQL and list the databases with the query:

    show databases;

    The database used for this experiment is called security, so we select security to execute commands against:

    use security;

    We can see what tables are in this database:

    show tables;

    Now we can see that there are four tables here; next let's look at the structure of a table:

    desc emails;

    Continuing with the attack from the front end, we want to discuss the system database, information_schema. So we switch to it:

    use information_schema;

    Let's take a look at its tables:

    show tables;

    Now let's describe the tables table first:

    desc tables;

    Now let's use this query:

    select table_name from information_schema.tables where table_schema = "security";

    Using this query, we obtain the table names.

    MySQL has a system database, INFORMATION_SCHEMA, which stores all the relevant information about the databases. In general, we can carry out a complete injection using this database alone. The following is the general process.

    Guess the databases

    select schema_name from information_schema.schemata

    Guess the tables of a given database

    select table_name from information_schema.tables where table_schema='xxxxx'

    Guess all the columns of a given table

    select column_name from information_schema.columns where table_name='xxxxx'

    Get the contents of a column

    Select * * * * FROM * * *

    The above knowledge is exercised in the use cases: LESS1-LESS4
