当前位置:网站首页>[SQL injection point] location and judgment of the injection point
[SQL injection point] location and judgment of the injection point
2022-07-03 04:38:00 【Black zone (rise)】
Catalog
Two 、 Determine if the injection point exists
One 、 Four injection points
1.1、 brief introduction :
The injection point we encounter is not necessarily in the form username Fields , Sometimes injection points are hidden in different places
Location of four common injection points :GET Parameters in 、POST In request 、User-Agent in 、Cookies in
1.2、 classification :
(1)GET Injection in parameter (URL):
GET The injection point in is generally the easiest to find , Because we can get it in the address bar URL And parameters , It can be used Sqlmap Or manually verify whether there is injection .
(2)POST Injection in the request ( Grab the bag ):
burp:POST Generally, we need to find the injection point in by capturing packets , It's like using Burp
plug-in unit : Browser plug-in Hackbar To send the POST package .
Sqlmap Or manual verification .
(3)User-Agent Injection in ( Grab the bag ):
burp: Find out User-Agent Injection in , have access to Burp Of Repeater modular
Sqlmap: take Sqlmap The parameter of is set to level=3, such Sqlmap It will automatically detect User-Agent Whether there is injection in .
(4)Cookies Injection in ( Browser plug-in 、 Grab the bag ):
burp: seek Cookies Injection in , have access to Burp Of Repeater modular .
Sqlmap: The parameter can be set to level=2, such Sqlmap Will automatically detect Cookies Whether there is injection .
plug-in unit : Browser modification cookie The plug-in can also be installed and used
Two 、 Determine if the injection point exists
1、 Determine if there is an injection point
(1) Modify the parameter value at the parameter position ,eg:id=1 It is amended as follows 2 Whether the data changes after
(2) Insert sheet 、 Detection method of double quotation marks ( Commonly used ), Unclosed single quotation marks cause SQL Statement single quotation mark unclosed error prompt
2、 Determine whether the injection point is plastic or character
(1) Digital : adopt and 1=1
(2) String type : Closed single quotation mark test statement 'and'1'='1 Judge
3、 Determine the number of query Columns
order by or union select
4、 Judge the display bit
Error echo , Use the nonexistent id=-1 add union select……
perhaps and1=2 add union select……
The following are all through the error report , Construct the information to be found in the display bit
5、 Get all database names
6、 Get all the table names in the database
7、 Get field name
8、 Get the data in the field
边栏推荐
- Employee attendance management system based on SSM
- AWS VPC
- IPhone x forgot the boot password
- [pat (basic level) practice] - [simple simulation] 1063 calculate the spectral radius
- Wine travel Jianghu War: Ctrip is strong, meituan is strong, and Tiktok is fighting
- Mount NFS in kubesphere
- Ffmpeg tanscoding transcoding
- General undergraduate college life pit avoidance Guide
- I stepped on a foundation pit today
- Function introduction of member points mall system
猜你喜欢
stm32逆向入门
SSM based campus part-time platform for College Students
2022 registration examination for safety production management personnel of hazardous chemical production units and examination skills for safety production management personnel of hazardous chemical
After job hopping at the end of the year, I interviewed more than 30 companies in two weeks and finally landed
A outsourcing boy's mid-2022 summary
MC Layer Target
I stepped on a foundation pit today
![[USACO 2009 Dec S]Music Notes](/img/e6/282a8820becdd24d63dcff1b81fcaf.jpg)
[USACO 2009 Dec S]Music Notes
![[literature reading] sparse in deep learning: practicing and growth for effective information and training in NN](/img/7e/50fa6f65b5a4f0bb60909f57daff56.png)
[literature reading] sparse in deep learning: practicing and growth for effective information and training in NN
2022 new examination questions for the main principals of hazardous chemical business units and examination skills for the main principals of hazardous chemical business units
随机推荐
After job hopping at the end of the year, I interviewed more than 30 companies in two weeks and finally landed
BMZCTF simple_ pop
商城系统搭建完成后需要设置哪些功能
C Primer Plus Chapter 10, question 14 3 × 5 array
Ffmpeg tanscoding transcoding
Internationalization and localization, dark mode and dark mode in compose
Auman Galaxy new year of the tiger appreciation meeting was held in Beijing - won the double certification of "intelligent safety" and "efficient performance" of China Automotive Research Institute
[fairseq] error: typeerror:_ broadcast_ coalesced(): incompatible function arguments
Number of 1 in binary (simple difficulty)
I've been in software testing for 8 years and worked as a test leader for 3 years. I can also be a programmer if I'm not a professional
FFMpeg example
Network security textual research recommendation
Asp access teaching management system design finished product
220214c language learning diary
Day 51 - tree problem
Summary of training competition (Lao Li's collection of questions)
Why does I start with =1? How does this code work?
2022-02-13 (347. Top k high frequency elements)
Employee attendance management system based on SSM
2022 t elevator repair simulation examination question bank and t elevator repair simulation examination question bank