SQL injection often requires extracting part of a string. For example, when the injection does not echo any result (blind injection), the data has to be guessed one character at a time, and that process needs substring functions. This article lists three such functions and some use cases for them in injection. PS: MySQL is used here; for other types of databases, please check for yourself.
Three magic weapons: mid(), substr(), left()
mid() function
This function extracts part of a string. MID(column_name, start[, length])
Parameter | Description
column_name | Required. The field to extract the characters from.
start | Required. Specifies the starting position (the starting value is 1).
length | Optional. The number of characters to return. If omitted, the MID() function returns the remaining text.
E.g. with str = "123456", MID(str, 2, 1) returns 2.
SQL use cases:
(1) MID(DATABASE(),1,1)>'a' checks the first character of the database name, MID(DATABASE(),2,1) checks the second character, and so on through the name.
(2) MID((SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0xxxxxxx LIMIT 0,1),1,1)>'a'. Here the column_name parameter can itself be a SQL statement, so you can construct your own SQL statements for injection.
substr() function
The SUBSTR() and SUBSTRING() functions do the same thing: both extract part of a string.
string substring(string, start, length)
string substr(string, start, length)
The parameters are the same as for the mid() function: the first argument is the string to be processed, start is the starting position, and length is the number of characters to extract.
SQL use cases:
(1) substr(DATABASE(),1,1)>'a' checks the first character of the database name, substr(DATABASE(),2,1) checks the second character, and so on through the name.
(2) substr((SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0xxxxxxx LIMIT 0,1),1,1)>'a'. Here the string parameter can itself be a SQL statement, so you can construct your own SQL statements for injection.
left() function
left() returns the specified number of characters from the start of a string.
In left(string, n), string is the string to extract from and n is the length.
SQL use cases:
(1) left(DATABASE(),1)>'a' checks the first character of the database name; left(DATABASE(),2)>'ab' checks the first two characters of the database name.
(2) In the same way, string can be a self-constructed SQL statement.
The ORD() function is also worth introducing: it returns the ASCII code of the first character of a string and is often used in combination with the functions above.
For example, ORD(MID(DATABASE(),1,1))>114 tests whether the ASCII code of the first character of DATABASE() is greater than 114, which is 'r'.
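From the defender's side, the probes above leave a recognizable shape in request logs: one of these functions, applied to DATABASE() or a subquery, with the result compared against a literal. The Python below is an added example, not part of the original article; the log lines, paths and the names probe_functions and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Functions named in this article, called with an opening parenthesis.
FUNC = re.compile(r"\b(mid|substr|substring|left|ord)\s*\(")
# What the substring is taken from: DATABASE() or a nested SELECT / schema lookup.
TARGET = re.compile(r"\bdatabase\s*\(\s*\)|\(\s*select\b|\binformation_schema\b")
# A call result compared with a literal: the true/false question of a blind probe.
COMPARE = re.compile(r"\)\s*(?:[<>]=?|=|!=|<>)\s*(?:'[^']*'|0x[0-9a-f]+|\d+)")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=1%20AND%20MID(DATABASE(),1,1)%3E%27a%27 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1+and+ord(substr((select+table_name+from+information_schema.tables+limit+0,1),1,1))>114 HTTP/1.1" 200 498',
    '192.0.2.77 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=left+join+tutorial&page=2 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1/**/AND/**/Left%20(Database%20(),2)%3D%27ab%27 HTTP/1.1" 200 512',
]

def probe_functions(value):
    """Return the extraction functions used if value looks like a blind probe, else []."""
    text = re.sub(r"/\*.*?\*/", " ", value.lower())  # inline comments used as spacing
    text = re.sub(r"\s+", " ", text)                 # collapse spacing variations
    funcs = sorted(set(FUNC.findall(text)))
    # Require all three signals so ordinary text such as "left join" is not flagged.
    if funcs and TARGET.search(text) and COMPARE.search(text):
        return funcs
    return []

def scan(log_lines):
    """Return (line_number, parameter, functions) for each suspicious query parameter."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        # parse_qsl URL-decodes each value (%27 -> ', + -> space) before inspection.
        for name, value in parse_qsl(urlsplit(m.group(1)).query):
            funcs = probe_functions(value)
            if funcs:
                hits.append((n, name, funcs))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A run of such hits from one client against one parameter, with only the position or the compared literal changing, is the one-character-at-a-time guessing described at the top of this article.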
Common substring functions in SQL injection