In the previous part we installed SQLol. Open http://localhost/sql/, then go to http://localhost/sql/select.php; we start testing with the Select module.
The Select module has input-processing and output-processing options that can be configured to reproduce different SQL injection situations. We start with the simplest case, with no input processing at all, and go deeper step by step. The SQL configuration is as follows:
1. Enter the test statement
2. Display the complete SQL statement, which makes the input easier to construct
3. Choose the injection location (there are 8 different injection locations; below we test them one location at a time)
I. String in the WHERE clause
Tip: string-type injection.
Enter admin as the injection string, display the statement, select the string in the WHERE clause as the injection location, and the returned information is:
We can see that the admin we entered is spliced into the WHERE clause, so we start to construct the PoC:
admin' union select user() #
For example, this returns the database user name ([email protected]); you can replace user() with other query statements to query other data.
II. Number in the WHERE clause
Tip: similar to the string in the WHERE clause above; the difference is that this is numeric injection.
Enter 1 as the injection string, display the statement, select the number in the WHERE clause as the injection location, and the returned information is:
SELECT username from users WHERE isadmin = 1
Construct the PoC:
For example, this returns the database user name.
III. The entire statement
Tip: any SQL statement can be executed directly.
Enter SELECT * FROM users as the injection string (users is the database user table), display the statement, select the entire statement as the injection location, and the following information is returned:
Any SQL statement can be entered and executed here.
IV. Column name
Tip: the injection location is at username
Username
How to use:
1. Enter a field name to query that field of the users table, or use * instead to query all the data in the users table
2. Comment out the rest of the statement so that the input is spliced directly after SELECT; for example, entering version() as the injection string is spliced into
Replace version() with other database query statements to query other data
V. Table name
Tip: the injection location is at the table name users
How to use:
1. Enter the correct table name, followed by a UNION SELECT query
VI. ORDER BY clause
Tip: the injection location is in ORDER BY
When a UNION operation is used, the sort clause must be placed at the very end, meaning that ORDER BY can only be used after the last subquery of the UNION, so UNION SELECT cannot be used here.
How to use:
Error-based injection
1 and (select 1 from (select count(*), concat((select (select (select distinct concat(0x7e,schema_name,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a) #
This returns the database name sqlol; you can use other statements to continue the error-based injection.
Reference: http://www.myhack58.com/Article/html/3/7/2013/38704.htm
VII. GROUP BY clause
Tip: the injection location is in GROUP BY
The GROUP BY statement is used together with aggregate functions to group the result set by one or more columns.
How to use:
1. As with ORDER BY, use error-based injection directly
2. In MSSQL, GROUP BY and HAVING can be used to expose the current column
VIII. HAVING clause
Tip: the injection location is in HAVING
How to use:
Error-based injection
SQL injection test Platform Sqlol-2.select injection test
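Added example (not part of the original article or of SQLol): the defensive counterpart to the injection locations tested above, in Python with an in-memory SQLite database. Values in the WHERE clause are bound as parameters, while column, table and ORDER BY inputs, which cannot be bound, are checked against allowlists. The schema, sample rows and function names are constructed for illustration, and sqlite_version() stands in for the page's user() because SQLite has no user().

```python
import sqlite3

# Constructed sample data; the names follow the page's users/username/isadmin.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, isadmin INTEGER)")
    db.executemany("INSERT INTO users (username, isadmin) VALUES (?, ?)",
                   [("admin", 1), ("alice", 0), ("bob", 0)])
    return db

# Identifiers cannot be bound as parameters, so they are matched against allowlists.
ALLOWED_COLUMNS = {"id", "username", "isadmin"}
ALLOWED_TABLES = {"users"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def vulnerable_where_string(db, name):
    # The pattern the Select module exercises: input spliced into the statement.
    sql = "SELECT username FROM users WHERE username = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def safe_where_string(db, name):
    # String in WHERE: bound parameter, so the input is only ever data.
    return [r[0] for r in db.execute(
        "SELECT username FROM users WHERE username = ?", (name,))]

def safe_where_number(db, isadmin):
    # Number in WHERE: enforce the type (int() raises ValueError), then bind.
    return [r[0] for r in db.execute(
        "SELECT username FROM users WHERE isadmin = ?", (int(isadmin),))]

def safe_select(db, column="username", table="users",
                order_by="username", direction="ASC"):
    # Column name, table name, ORDER BY: exact-match allowlist, then quote.
    if column not in ALLOWED_COLUMNS or order_by not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed")
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("direction not allowed")
    sql = f'SELECT "{column}" FROM "{table}" ORDER BY "{order_by}" {direction}'
    return [r[0] for r in db.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    probe = "admin' UNION SELECT sqlite_version() --"  # SQLite analogue of the page's PoC
    print("spliced:", vulnerable_where_string(db, probe))  # extra row leaks through
    print("bound:  ", safe_where_string(db, probe))        # no user has that name
    print("sorted: ", safe_select(db, direction="desc"))
```

The same allowlist approach applies to GROUP BY and HAVING column references, since those positions also take identifiers rather than bindable values.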