SQL Injection Mining

Source: Internet
Author: User

A few days ago I saw a question like this in the member Q&A area of the Red/Black Alliance: "Who still injects by hand? When testing with tools I find that many websites cannot be injected effectively. Some websites cannot be injected directly, and neither the Red/Black Alliance's injection tool nor Pangolin can inject them. What about sqlmap?" I have run into this too. To be honest, I am not sure about sqlmap's speed; sometimes it can bypass some WAFs, but the website may then throttle my access. Manual injection is needed for various reasons, so as a newbie I am publishing this article to consolidate what I have learned and to give some guidance to new friends.

0x01 Batch injection: the method used in the past was to search for injection points in bulk, but now Baidu can no longer be used to find them in batches. The Ah D injection tool is still very good for this, but its search engine has to be switched to Google, and since www.google.com cannot be reached at the moment, I will give a Google address: http://216.58.208.24.

0x02 Manual test injection. "Manual test injection" is mainly used to test a specified website for injection. It is used when we do not want to start a large scanner, or when a WAF (web application firewall, such as SafeDog or D Shield) is in place, in which case manual testing is the way to go.

1st, the most classic: append and 1=1 and and 1=2 to a dynamic link respectively. Remember to put a space before "and". Example: http://www.bkjia.com/php?id=1 and 1=1 returns the normal page; http://www.bkjia.com/php?id=1 and 1=2 returns a different page, so injection exists.

2nd: the English single quotation mark ' (the key to the left of the Return key and to the right of the colon key). Put it directly after the dynamic link, no space needed. If the returned page differs from the previous one, it can be determined that an injection vulnerability exists.

3rd: 1. Open the address; we see a normal page. 2. Then append -1 to the address, making http://www.bkjia.com/php?id=1-1. If the returned page differs from the previous one and is another normal page, the injection vulnerability exists and is a numeric injection. 3. If -0 is appended instead, making http://www.bkjia.com/php?id=1-0, the returned page is the same as the previous page; if appending -1 then returns an error page, this also indicates that the injection vulnerability exists and is numeric.

4th: Append '%2B' to the address (%2B is the URL encoding of +), making http://www.bkjia.com/php?id=1'%2B'; the returned page is the same as the previous one. Then append '%2B'sb, making http://iverson5.blog.163.com/php?id=1'%2B'sb. If another normal page is returned, or "record not found", or an error, the injection vulnerability exists and is of string type.

5th: and 1 between 1 and 2 returns the normal page; and 1 between 2 and 2 returns a different page, so the injection vulnerability exists.
6th (the same as 1st, but this tests string injection): and '1'='1 and and '1'='2
There are many more, but these are the common ones. You need to collect them yourself; you can also capture injection statements from the various injection tools.
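The probes above leave recognisable traces in web server logs. As an added example (not part of the original post), here is a small Python detector that runs over constructed access log lines and labels query parameters carrying those probe patterns; the log lines, labels and regular expressions are my own and are not taken from any tool.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signatures for the manual probes described above, matched against the
# URL-decoded value of each query parameter (labels are my own names).
PROBES = [
    ("between probe", re.compile(r"\band\s+\d+\s+between\s+\d+\s+and\s+\d+", re.I)),
    ("boolean tautology", re.compile(r"\band\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("string concat", re.compile(r"'\s*\+\s*'")),   # '%2B' decodes to '+'
    ("arithmetic", re.compile(r"^\d+\s*-\s*\d+$")),  # id=1-1, id=1-0
    ("quote probe", re.compile(r"'\s*$")),           # trailing single quote
]
# Client address and request target of a common-log-format line.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify_value(value):
    """Label of the first signature matching a decoded parameter value, or None."""
    for label, pattern in PROBES:
        if pattern.search(value):
            return label
    return None

def scan_log(lines):
    """Return one hit dict per query parameter whose decoded value looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs splits on '&' and the first '=' and percent-decodes, so the
        # raw "1%20and%201=1" reaches classify_value() as "1 and 1=1".
        for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
            for value in values:
                label = classify_value(value)
                if label:
                    hits.append({"client": client, "param": param, "value": value, "label": label})
    return hits

# Constructed sample log: one benign request followed by the probes from the text.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /php?id=1%20and%201=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /php?id=1%20and%201=2 HTTP/1.1" 200 412
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /php?id=1%27 HTTP/1.1" 500 211
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /php?id=1-1 HTTP/1.1" 200 4880
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /php?id=1%27%2B%27sb HTTP/1.1" 404 300
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /php?id=1%20and%201%20between%202%20and%202 HTTP/1.1" 200 412
"""
if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']} {hit['param']}={hit['value']!r}: {hit['label']}")
```

The benign first request produces no hit; the signatures are deliberately narrow, so treat them as a starting point for your own WAF or SIEM rules rather than a complete ruleset.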
 
0x03 Tool Test Injection

1. For new friends, I think the 3.5 and D tools are very suitable.

2. Pangolin, commonly known as "the pangolin", can inject all kinds of databases. I like to use this tool. It supports GET, POST and cookie injection and can also test login page injection, which is very useful.

Enter the URL to be tested directly in the corresponding box and click the button above to start. If the URL cannot be tested that way, select the injection type or the DB manually.

3. The NBSI tool is indeed very powerful. When injecting SQL Server, its accuracy can be said to be very high! It was developed by the Year-Month Alliance.

4. sqlmap is a powerful tool written by foreign authors! It is used from the command line, and many parameters and commands need to be remembered.
