SQL injection notes, first day, Zhangzhenfeng teacher

First, the function

　　1. Version () MySQL Edition

2, User () database username

3. Database name

4, @ @datadir database path

5, @ @version_compile_os operating system version

6. Current_User () Current user name (viewable permissions)

7, Load_file () read the file

8, into outfile ()/into DumpFile write file

9, Group_concat (STR1,STR2 ...) Concatenate all the strings of a group and separate each piece of data with a comma.

Second, comments, can be used in the #--+ URL with%23

Third, UNION operator

The result set used to merge two or more SELECT statements. Note that the SELECT statement inside the UNION must have the same number of columns. The column must also have a similar data type. Also, the order of the columns in each SELECT statement must be the same.

SQL UNION Syntax:

SELECT column_name (s) from table_name1

UNION

SELECT column_name (s) from table_name2

Note: By default, the UNION operator chooses a different value. If duplicate values are allowed, use UNION all.

SQL UNION All syntax

SELECT column_name (s) from table_name1

UNION All

SELECT column_name (s) from table_name2

In addition, the column name in the union result set is always equal to the column name in the first SELECT statement in the Union.

Four, Mysql has a system database INFORMATION_SCHEMA,

Store all the information about the database, in general, we use the table can be a complete injection. The following is a general process.

Guess database

Select Schema_name from Information_schema.schemata

Guess the data table of a library

Select table_name from information_schema.tables where table_schema= ' xxxxx '

Guess all the columns of a table

Select column_name from Information_schema.columns where table_name= ' xxxxx '

Get the contents of a column

Select * * * * FROM * * *

　　

The above knowledge reference use case: LESS1-LESS4

Five, Notes

1, single-line comments, #后面直接加内容, single-line comments,--must be added after the space;

2, multi-line annotation,/**/Middle can cross the line;

3, inline injection, the inline comment is the MySQL database in order to maintain compatibility with other databases, specifically added features.

To avoid SQL statements exported from MySQL that cannot be used by other databases, it puts some MySQL-specific statements in the/*! ... */IN,

These statements are not executed when used in incompatible databases. and MySQL itself can recognize and execute.

Vi. ORDER BY statement

1. The order BY statement is used to sort the result set based on the specified column.

2. The order BY statement sorts records by default in ascending order.

Seven, string join function

1, Concat (STR1,STR2.) Function Direct connection

2, Group_concat (STR1,STR2.) function uses commas as separators

3, Concat_ws (SEP,STR1,STR2.) function uses the first argument as a delimiter

Eight, Information_schema

Cases:

Select Schema_name from Information_schema.schemata;

Select table_name from information_schema.schemata where Table_schema = ' zzcms ';

Select column_name from information_schema.columns where table_schema = ' zzcms ' and ' table_name ' = ' zzcms_zx ';

IX. Classification of SQL injection

X. Injection mode based on federated query, step

Xi. to determine if there are injected and closed characters

1, id = 1 ' exception

id = 1 and 1 = 1--+ correct

id = 1 and 1=2--+ Error

Conclusion: There is a high likelihood of digital SQL injection

PS: Single quotes have a special effect: the command delimiter

2, id = 1 ' exception

id = 1 ' and 1 = 1--+ correct

id = 1 ' and 1=2--+ Error

Conclusion: It is very possible to have single-quote character SQL injection

3, id = 1 ' exception

id = 1 "and 1 = 1--+ correct

id = 1 "and 1=2--+ Error

Conclusion: It is very possible to have a double-quote character-type SQL injection

4, id = 1 ' exception

id = 1) and 1 = 1--+ correct

id = 1) and 1=2--+ Error

Conclusion: It is very possible to have parentheses digital SQL injection

SQL injection notes, first day, Zhangzhenfeng teacher