Categories
Uncategorized

MySQL system tables using gestures (Probe)

MySQL database file read and write

Permission requirements:

  • Have read and write permissions to the file and read the contents of the target

  • The object has the full path and directory accessible

  • Whether they have the target content file read and write permissions

    See if the file read and write permissions

    show variables like '%secure%';

    Function secure_file_priv absolute file read

    null: Do not allow any import and export

    ./[url]: Import / export operation may be performed only at ./[url] path

    “: Empty contents; import and export unlimited

    In my.ini file, modify the attribute values ​​can be modified secure_file_priv import and export rights

~~~ file read and write operations can be carried out to ensure that the files have import and export rights

Read and write files:

The contents of the database table to read the file and save it ~

load_file:
load_file(<[./url/]file>);

load_file create files in the specified directory

First we need to create a file user.txt in / var / lib / mysql-files /

$ vi /var/lib/mysql-files/user.txt
user.txt:
  Hello,World!
create table file(
    id int not null auto_increment primary key,
    file_url text
)engine=innodb default charset=utf8; -- 创建表file

insert into file(file_url) values (load_file('/var/lib/mysql-files/user.txt'));
mysql> select * from file;
+----+---------------+
| id | file_url      |
+----+---------------+
|  1 | NULL          |
|  2 | Hello,World!  |
+----+---------------+
2 rows in set (0.00 sec)

The data content of the file thus written data in the table!

load data infile:
load data infile '/var/lib/mysql-files/name.txt' into table file(file_url);
mysql> mysql> select * from file;
+----+---------------+
| id | file_url      |
+----+---------------+
|  1 | NULL          |
|  2 | Hello,World!  |
|  3 | Hello,World!  |
+----+---------------+
3 rows in set (0.00 sec)

Injection use:

SQL injection vulnerability we can target site by penetration means that somewhere early and analysis; so we can take advantage of features in SQL to read a file to read the contents of a file in the target system

MySQL database system table

MySQL immediately after initialization, there are three default system default libraries:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

These things MySQL database that comes with three basic system libraries

information_schema:

Save all of which have maintained MYSQL database information, including the library name, table name, column table, privilege and other information ……

performance_schema:

Performance parameters for the collection database server

mysql:s

Reservations mysql account information, permissions, stored procedures, event, time zone configuration information

information_schema library:

information_schema libraries are usually kept by the metadata database:

Database name, table name, column properties, types, access rights, and so on ……

There are a number of important system tables in information_schema library can help infiltration process!

SCHEMATA Table: Library Information

Provides current information on all MySQL database, show databases; the result is displayed accordingly ~

tables: Table Information

information_schema.tables table provides detailed information table

select <列名> from information_schema.tables;

The main record table table metadata for all the tables in the database, such as a table name, type, engine ……

In the infiltration process, if we have to grasp this table you can probably list the database

COLUMNS table: Field Information

information_schema.COLUMNS table field information table is provided

select COLUMN_NAME,DATA_TYPE,IS_NULLABLE,COLUMN_DEFAULT 
from information_schema.COLUMNS
where table_name = 'user';

Field name information query the user table

STATISTICS table: index information

Index information table provided in the table information_statistics

TRIGGERS Table: Trigger Information

VIEWS Table: View information

USER_PRIVLEGES Table: user permissions table

Information derived from the mysql.user authorization form; a database which holds information for each account have the authority

SCHEMA_PRIVLEGES table: Program (Library) authority table

Information derived from the mysql.db authorization form, preserved permissions to the database of information

TABLE_PRIVLEGES: Table permissions table

Information derived from the mysql.tables_prive authorization form, permission to hold all the information table

COLUMNS_PRIVLEGES: Column Permissions table

Information derived from the mysql.columns_prives grant tables, table columns save authority information

CHARCTER_SETS table: Character Set Table

Mysql provide all relevant information on the character set

Use injection system table

* In a joint injection SQL injection is the most common in union

Under general circumstances, the use of joint union statement to achieve injection (echo injection) ……

' union ; # 

Now a few simple example condition queries SQL statement to achieve the core

MySQL Query inject SQL:

查当前 库名:
select 1 , database();
查库 SQL语句:
select schema_nam from  information_schema.schemata;
查表 SQL语句:
select table_name from information_schema.tables where table_schema = "";
查列(字段) SQL语句:
select columns_name from information_schema.columns where table_name = "";

Incidentally ~ SQL blinds

The above said SQL injection page is based on the “echo” of injection (echo injection)

If the page does not echo, then it needs to be “blind injection”

hash crack *

Obtain Administrator hash:

select user,password from mysql.user;

Crack hash:

Recommended Artifact: hashcat

Recommended sites: CMD5 (This example uses CMD5 website hack)

** successfully solved password …… ^ _ ^! **

Leave a Reply