Looking for SQL injection
The primary goal of this phase is to identify exceptions in the server response and determine whether a SQL injection vulnerability exists, then determine the type of SQL query that runs on the server side (SELECT, UPDATE, INSERT or DELETE) and where the injected input lands in that query (for example in the FROM, WHERE or ORDER BY clause).
We need to focus on: GET and POST parameters, cookies, and the Host, Referer and User-Agent headers.
The main techniques for understanding and exploiting SQL injection vulnerabilities are reconstructing the code the developer wrote in the web application and envisioning the SQL statement that reaches the remote database. If you can picture the code the server is executing, you know exactly where the current single quotation mark must be closed and where a new one must be opened.
Manipulating parameters
Change the parameter to an unexpected value.
Add a single quotation mark (').
Replace the value with an equivalent string or numeric expression. For example, in MySQL bike and bi' 'ke are equivalent; in SQL Server bike and bi'+'ke are equivalent. For a numeric value, substitute an arithmetic expression that evaluates to the same number (for example, a larger number minus the difference). If the result is the same as for the original value, the parameter is likely injectable.
Change a string to a number, or vice versa.
Confirm further with AND and OR conditions.
Database error
When a request triggers a database error, there are several possible responses:
The SQL error is displayed on the page, visible to the web browser user.
The SQL error is hidden in the web page's source code for debugging.
The application redirects to another page when an error is detected.
The server returns HTTP error code 500 (Internal Server Error) or HTTP redirect code 302.
A generic error page may be displayed if the application handles the error properly but does not show the result.
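To make the parameter probes and the error responses above concrete, here is an added example (not from the book or this note) that runs one lookup two ways against a constructed SQLite table: a string-concatenated query and a parameterized one. It assumes SQLite, whose concatenation operator is ||, standing in for the + shown for SQL Server; the products table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory catalogue standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("bike",), ("helmet",)])
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the value is pasted into the SQL text, so a quote in the
    input closes the string literal early. This is the server-side code a tester is
    trying to picture when deciding where the quotes begin and end."""
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened form: the driver passes the value separately from the query text,
    so quotes and operators in the input stay data and never become SQL."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def probe(lookup, conn, value):
    """Classify the response the way the testing phase does: a database error
    (which the application must not echo to the client) or a result set."""
    try:
        rows = lookup(conn, value)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return "rows: " + repr(rows)


if __name__ == "__main__":
    db = make_db()
    # The probes from the parameter-manipulation list: the original value,
    # a lone single quote inside it, and an equivalent concatenation expression.
    for value in ("bike", "bi'ke", "bi'||'ke"):
        print(f"{value!r:12} concat -> {probe(lookup_concat, db, value)}")
        print(f"{value!r:12} param  -> {probe(lookup_param, db, value)}")
    # Concatenated: 'bike' and "bi'||'ke" return the same row and "bi'ke" raises,
    # the signature of an injectable parameter. Parameterized: only 'bike' matches.
```

With the parameterized lookup, every probe either matches literally or returns nothing, so neither the equivalent-substitution test nor the single-quote test yields a signal, and the database error never reaches the response.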
Blind SQL injection
An attacker can manipulate a SQL statement and the application returns different responses for true and false conditions, but the attacker cannot retrieve the query results directly.
Inline SQL injection
Numeric or string equivalent substitution
Test with AND and OR
End-of-SQL injection
Comment characters
SQL Server, Oracle, PostgreSQL: -- (single-line comment), /* */ (multi-line comment)
MySQL: -- followed by a space (single-line comment), # (single-line comment), /* */ (multi-line comment)
Executing multiple statements
SQL Server 6.0 and later support this and allow statements such as the following to be executed:
SELECT foo FROM bar; SELECT foo2 FROM bar2;
MySQL introduced this feature in version 4.1, but it is not enabled by default.
Oracle does not support multiple statements.
Time delays
SQL Server: ; waitfor delay '0:0:5';--
MySQL: benchmark(1000000, encode('hello', 'Mom'))
SQL Injection Attacks and Defense, Second Edition, reading note two: SQL injection testing