WEB security: Mysql database SQL injection (1)

Solemnly declare:
The purpose of writing this note is only to improve safety knowledge and to share safety knowledge with more people. Do not use the technology in the note for illegal activities. The consequences of using the technology in the note have nothing to do with the author. Advocate that everyone has the responsibility to maintain network security, and jointly maintain network civilization and harmony.

Mysql database SQL injection (1)

The server-side program uses user input parameters as query conditions, directly splices SQL statements, and returns the query results to the client browser; thus, not only can the database be obtained, but also system permissions, file operations, etc. can be obtained through SQL;

**The main hazards are: ** 1. Extract data; 2. Execute system commands; 3. Insert code into the database; Bypass login verification.

1 Basic knowledge of SQL injection into Mysql database

1.1 information_schema

information_schema: System database, containing all the relevant information of the database. For databases such as Mysql and Infobright, the tables in the information_schema database are read-only, and operations such as updates, deletions, and insertions cannot be performed, and triggers cannot be added, because they are actually just a view, not a basic table, and no associated files. Need root authority;

information_schema.tables 存储了数据表的元数据信息,下面对常用的字段进行介绍:
table_schema: 记录数据库名;
table_name: 记录数据表名;
engine : 存储引擎;
table_rows: 关于表的粗略行估计;
data_length : 记录表的大小(单位字节);
index_length : 记录表的索引的大小;
row_format: 可以查看数据表是否压缩过;

1.2 Mysql comment symbol

1. #
2. -- (--最后有一个空格)
3. /* content */

# 用于注释后面语句,使其不执行
例:http://192.168.100.129/dvwa/vulnerabilities/sqli/?id=1' order by 3-- &Submit=Submit#

1.3 Mysql injection of commonly used statements and functions

select VERSION();	# 查询 MySQL 版本
select USER();		# 数据库用户名
select DATABASE();	# 数据库名
select @@datadir;	# 数据库路径
select @@version_compile_os;	# 操作系统版本

exists (str):判断是否存在,存在返回 True,不存在返回 False

hex():编码,十进制数字/字符串 -> 十六进制。例:select(hex('A'));

sleep(s):延时执行s秒

LEFT(str,len):返回最左边的n个字符的字符串str,或NULL如果任何参数是NULL。

concat(): 
	# concat(十六进制): 解码,十六进制 -> 字符串。例:select concat(0x2D);
	# concat(str1,str2,...):没有分隔符连接字符串;其中任何一个参数为NULL则结果为 NULL
	# concat_ws(separator,str1,str2,...):含有分隔符连接字符串,
		例:http://192.168.100.129/dvwa/vulnerabilities/sqli/?id='union select CONCAT_WS(CHAR(32,58,32),user(),database(),version()),null-- 
 第1个字段同时查询多个数据,第2个字段为空,CONCAT_WS连接字符:32,58,32对应的字符为 “空格:空格”;
	# group_concat(str1,str2,...):连接一个组的所有字符串,并以逗号分隔每一条数据

ascii(str):不能查询中文字符.
	# str 为非空字符串,返回字符串 str 的最左字符的 ASCII 码数值
	# str 为空字符串,返回 0
	# str 为NULL,返回 NULL
	# 注:ASCII() 返回数值是从 0 到 255

MID(column_name,start[,length])/SUBSTRING(str, start , length):用于从文本字段中提取字符
	# column_name:必需。要提取字符的字段
	# start:必需。规定开始位置(起始值是 1)
	# length;可选。要返回的字符数。如果省略,则 MID() 函数返回剩余文本。

substring_index(str,delim,count)
    例:查询user(),并以@为分隔符,取第一个切分字段:
    	http://192.168.100.129/dvwa/vulnerabilities/sqli/?id='union select  database(),substring_index(user(),"@",1)-- 

information_schema:系统数据库,含有所有数据库的相关信息。一般利用它可进行一次完整的注入。
# 列出所有的数据库:select group_concat(schema_name) from information_schema.schemata
# 列出某个库当中所有的表:select group_concat(table_name) from information_schema.tables where table_schema='xxxxx'

1.4 Mysql injection of common operators

1.4.1 UNION operator

The UNION operator is used to combine the result sets of two or more SELECT statements. Each SELECT statement within the UNION must have the same number of columns. That is, the number of fields in the second SELECT statement needs to be equal to the number of fields in the first SELECT statement.

The column names in the UNION result set are always equal to the column names in the first SELECT statement in UNION. When the data obtained in the front is Null, the column name in the second SELECT statement is displayed. example:

http://192.168.100.137/index.php?id=-1 union select 1,2,3 
http://192.168.100.137/index.php?id=1 and 1=2 union select 1,2,3 

UNION selects only values ​​with different results by default. If duplicate values ​​are allowed, UNION ALL is used.

The fields queried in the second SELECT statement can be replaced by numbers.

If the table queried by the second SELECT statement does not exist, an error message is returned.

Even if the number of fields in the table queried by the second SELECT is less than the number of the table queried by the first, no error message will be returned.

1.5 Logical operations of Mysql

1. and == &&
2. or  == ||
3. not == !
4. XOR 异或
# && 与 || 这种特殊的符号 一定要在输入浏览器 URL 前转码之后方可提交,因为浏览器默认不会进行编码

1.6 Injection type

1.6.1 Distinguish based on the data submission method

  1. GET injection :
  • The method of submitting data is GET. The parameters of the GET request are placed in the URL. The URL parameter of the GET request has a length limit, and the Chinese requires URL encoding.
  • The location of the injection point is in the GET parameter section. For example:, http://host/?id=1id is the injection point.
  1. POST injection
  • Use the POST method to submit data. POST request parameters are placed in the request body, and there is no limit to the length.
  • The injection point is in the POST data part, which often occurs in the form.
  1. Cookie injection
  • The cookie parameter is placed in the request header, and the server will get the parameter from the request header when submitting.
  • The injection point is stored in a certain field in the cookie.

1.6.2 Distinguish based on data type

  1. int injection :
  • Such as: http://host/?id=1injection, generally called int type injection. The id type of the injection point is a number. In most web pages, such as viewing user personal information, articles, etc., most of them use this form of structure to transfer id and other information, and hand it to the backend to query the corresponding information in the database. Return to the front end.
  • SQL statement prototype:select * from 表名 where id=1
  • Check for phrases: select * from user where id=1 and 1=1
  1. String injection :
  • Such as: http://host/?username=admininjection, generally called string injection. Note that when dealing with this type of injection, you may need to deal with the SQL statement closure problem.
  • SQL statement prototype:select * from user where username='admin'
  • Check for phrases:select * from user where username='admin' and 1=1'
  1. like injection :
  • It refers not filter search parameter data during the search, in general there is a link address "keyword=关键字"some link in the address which is not displayed, but submitted directly through the search box form.
  • SQL statement prototype:select * from user where username like '%关键字%'
  • Check for phrases:select * from user where username like '%关键字%' and '%1%'='%1%'

1.6.3 Distinguish based on injection method

  1. Joint query injection :
  • union select Joint two table injection
  1. Error injection :
  • That is, the page will return the database error message, or the result of the injected statement will be directly returned to the page.
  1. Blind injection :
  2. Boolean injection : the injection that determines whether the condition is true or false based on the return page.
  3. Time injection : that is, you can't judge any information based on the content of the page return. Use conditional statements to check whether the time delay statement is executed (that is, whether the page return time increases) to judge.

2 Injection detection method

2.1 Normal query method

Observe the injectable points through normal query;

2.2 Detection method based on closed error

Generally speaking, the database is closed with single quotation marks/double quotation marks, etc. If you directly enter a single quotation mark '/double quotation mark ", percent sign %, parenthesis at the injectable point (), the database will report an error because it cannot be closed due to multiple input characters;

例:http://192.168.100.129/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

2.3 Boolean-based detection method

**Boolean test: **All standard objects can be used for Boolean test, the Boolean value of the following objects is False:

  • None
  • False
  • All numbers with a value of zero: 0 (integer type), (floating point type), 0L (long integer type), 0.0+0.0j (complex number)
  • "" (empty string),, [ ](空列表)() (empty tuple), {} (empty dictionary)

The detection method is judged based on whether the information returned by the page is the same, and then further confirms whether the server is executable

# 以报错为 `'` 为例:
1. 方法一:
正确查询内容' and '1'='1
2. 方法二:
正确查询内容' and '1
例:http://192.168.100.129/dvwa/vulnerabilities/sqli/?id=1%27++AND+%271&Submit=Submit#

# 若闭合报错的检测无法确认,可以尝试忽视闭合符号进行查询:
1. 方法一:
正确查询内容 and 1=1
2. 方法二:
正确查询内容 and 1
例:http://192.168.100.135/index.php?ID=104%20AND%201

2.4 Time-based detection method

By Mysql inside the sleep()function, it means the function is the number of seconds to delay execution.

and sleep(5) 这种方法判断注入,如果存在注入的情况下 页面是延时5秒返回页面。