SQL injection:
SQL injection is the insertion of SQL fragments into a web form field, a query string, a domain name or a page request, so that a malicious SQL command eventually reaches the server and is executed by the database. By constructing malicious input, the attacker makes the database run commands of their choosing, leaking data or modifying content. The root cause is that the application does not strictly validate or escape user input before building the query.
I. Universal password
Before classifying SQL injections, let's look at how the "universal password" works. It exists because some programs decide whether the submitted credentials are correct by checking whether the SQL query returns more than 0 rows: if the count is greater than 0 the user is taken to exist and the function returns True (login succeeds); otherwise it returns False (login fails). When the input ' or 1=1-- is spliced into the query, the WHERE condition is always true, so the query always returns rows and the login succeeds regardless of the password. That is why it is called the universal password.
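The login pattern described above, as an added example that is not code from the original article. It assumes an in-memory SQLite table named users with a single constructed account, and uses the payload ' or 1=1-- (with a trailing space after --, which MySQL requires and SQLite accepts). The vulnerable function concatenates the input and checks "row count > 0"; the hardened one binds the same values as parameters, so the quote and the comment never leave the string value.

```python
import sqlite3

# Constructed in-memory user table for the demo (assumption, not data from any real site).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, password TEXT)")
CONN.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
CONN.commit()

# Closes the open quote, makes the WHERE clause always true, comments out the rest.
UNIVERSAL = "' or 1=1-- "


def build_vulnerable_sql(username, password):
    """The query the vulnerable program actually sends: user input spliced straight in."""
    return ("SELECT COUNT(*) FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(username, password):
    """The pattern the text describes: concatenate input, then treat 'row count > 0' as success."""
    try:
        count = CONN.execute(build_vulnerable_sql(username, password)).fetchone()[0]
    except sqlite3.Error:
        return False  # a broken query is treated as a failed login
    return count > 0


def login_safe(username, password):
    """Same check with bound parameters: the payload is compared as a literal username."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    count = CONN.execute(sql, (username, password)).fetchone()[0]
    return count > 0


def demo():
    """Run both implementations against real credentials and the universal password."""
    return {
        "vuln_real": login_vulnerable("admin", "correct horse"),   # True
        "vuln_wrong": login_vulnerable("admin", "wrong"),          # False
        "vuln_bypass": login_vulnerable(UNIVERSAL, "anything"),    # True: injection succeeds
        "safe_real": login_safe("admin", "correct horse"),         # True
        "safe_bypass": login_safe(UNIVERSAL, "anything"),          # False: payload is just text
    }


if __name__ == "__main__":
    print(build_vulnerable_sql(UNIVERSAL, "anything"))
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Printing build_vulnerable_sql(UNIVERSAL, "anything") shows why the bypass works: everything after -- is a comment, so the password check is never evaluated.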
II. Classification of injections
By parameter type there are two kinds of injection: numeric and character. In both cases the attacker's job is the same: bypass the program's restrictions, get user-supplied data executed by the database, and use database-specific features to obtain more information or higher privileges.
1. Numeric type injection
When the input parameter is an integer and an injection vulnerability exists, it is considered a numeric type injection.
Test steps:
(1) Add a single quote, url: www.text.com/text.php?id=3'
The corresponding SQL is select * from table where id=3'. The statement is syntactically wrong, the program cannot query the database normally and throws an exception;
(2) Add and 1=1, url: www.text.com/text.php?id=3 and 1=1
The corresponding SQL is select * from table where id=3 and 1=1. It executes normally and the page is no different from the original;
(3) Add and 1=2, url: www.text.com/text.php?id=3 and 1=2
The corresponding SQL is select * from table where id=3 and 1=2. It executes normally but returns no rows, so the returned data differs from the original page.
If all three conditions hold, the URL has a numeric type injection.
2. Character type injection
When the input parameter is a string, it is called character type. The biggest difference between the two is that a numeric parameter does not need to be enclosed in single quotes, whereas a string usually does.
For example, a numeric statement: SELECT * FROM table where id=3
The character type looks like: SELECT * FROM table where name='admin'
So when constructing the payload, the statement can only be executed successfully by closing the single quotes first:
Test steps:
(1) Add a single quote: SELECT * FROM table where name='admin''
Adding the quote leaves three single quotation marks, so the statement cannot be executed and the program reports an error;
(2) Add ' and 1=1. The SQL statement is now: SELECT * FROM table where name='admin' and 1=1'. Because of the dangling quote it still cannot be executed; a comment symbol is needed to bypass it.
MySQL has three commonly used comment symbols:
-- note that there must be a space after this comment symbol
# comments out the rest of the line
/* */ comments out the contents between the symbols
So the constructed statement is: SELECT * FROM table where name='admin' and 1=1-- '. It executes successfully and returns the correct result;
(3) Add ' and 1=2-- . The SQL statement is now: SELECT * FROM table where name='admin' and 1=2-- '. It executes, but the condition is false, so no rows are returned and the page differs from the original.
If all three conditions hold, the URL has a character type injection.
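The three-step test for both the numeric and the character case, as an added example that is not code from the original article. It assumes an in-memory SQLite table named article standing in for the page's "table", two vulnerable page functions simulating text.php (one concatenating an unquoted id, one a quoted name), and two hardened versions of the same pages. The probe function applies the page's three checks (quote breaks the query, and 1=1 leaves the page unchanged, and 1=2 changes it) and reports a page as injectable only when all three hold; the hardened pages fail the test.

```python
import sqlite3

# Constructed sample rows standing in for the page's "table" (assumption, not real data).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
CONN.executemany("INSERT INTO article VALUES (?, ?, ?)",
                 [(1, "intro", "first post"), (2, "news", "second post"),
                  (3, "admin", "third post")])
CONN.commit()


def render(sql, params=()):
    """Return the 'page' a query produces: joined rows, or ERROR when the database throws."""
    try:
        rows = CONN.execute(sql, params).fetchall()
    except sqlite3.Error:
        return "ERROR"
    return "|".join(r[0] for r in rows)


def page_numeric(id_param):
    """text.php?id=... with the parameter concatenated unquoted (numeric type, vulnerable)."""
    return render("SELECT body FROM article WHERE id=" + id_param)


def page_string(name_param):
    """text.php?name=... with the parameter wrapped in quotes (character type, vulnerable)."""
    return render("SELECT body FROM article WHERE name='" + name_param + "'")


def page_numeric_safe(id_param):
    """Hardened: validate the type, then bind the value instead of concatenating it."""
    if not id_param.isdigit():
        return "ERROR"
    return render("SELECT body FROM article WHERE id=?", (int(id_param),))


def page_string_safe(name_param):
    """Hardened: the whole input, quote included, is bound as one string value."""
    return render("SELECT body FROM article WHERE name=?", (name_param,))


def three_probe(page, base, kind):
    """Apply the three checks from the text. Only when all three hold is the page injectable."""
    if kind == "numeric":
        probes = (base + "'", base + " and 1=1", base + " and 1=2")
    else:
        # Close the quote, then comment out the quote the program appends.
        # '-- ' with the trailing space is accepted by MySQL and SQLite alike.
        probes = (base + "'", base + "' and 1=1-- ", base + "' and 1=2-- ")
    original = page(base)
    quoted, when_true, when_false = (page(p) for p in probes)
    return quoted == "ERROR" and when_true == original and when_false != original


def run_checks():
    """Run the probe against the vulnerable and hardened versions of both page types."""
    return {
        "numeric_vulnerable": three_probe(page_numeric, "3", "numeric"),
        "string_vulnerable": three_probe(page_string, "admin", "string"),
        "numeric_safe": three_probe(page_numeric_safe, "3", "numeric"),
        "string_safe": three_probe(page_string_safe, "admin", "string"),
    }


if __name__ == "__main__":
    for name, injectable in run_checks().items():
        print(f"{name}: {'injectable' if injectable else 'not injectable'}")
```

Note that the hardened numeric page also answers ERROR to the quote probe (step 1), but fails step 2 because "3 and 1=1" is rejected as a non-integer rather than executed; that is why all three checks are needed before concluding a parameter is injectable.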
By parameter type, then, SQL injection is divided into numeric and character types. There are also some other common classifications, such as:
(1) POST injection: the injected field is in the POST data;
(2) Cookie injection: the injected field is in the cookie data;
(3) Time-based injection: injection based on the database's delay functions;
(4) Search injection: the injected field is in a search box;
(5) Base64 injection: the injected characters are Base64-encoded before injection;
(6) Error-based injection: injection based on the database's error messages;
and so on.
Note: The above content is the author's own original work; if there are errors, please point them out, thank you!!!
Classification of SQL injection: numeric type + character type