Advanced
In this article, we learned how to judge SQL injection, but it is far from enough to obtain the website's confidential content. Next, we will continue to learn how to obtain the desired content from the database. First, let's take a look at the general steps of SQL injection:
Section 1: General steps of SQL injection
First, judge the environment, find the injection point, and determine the database type. This is already discussed in the getting started article.
Secondly, according to the injection parameter type, the original appearance of the SQL statement is reconstructed in mind. There are three types of parameters:
(A) ID = 49 these injection parameters are numeric. The SQL statement is roughly as follows:
Select * from table name where field = 49
The injected parameter is ID = 49 And [query condition], that is, the generated statement:
Select * from table name where field = 49 And [query condition]
(B) Class = the injection parameters of the series are simplified. The SQL statements are roughly as follows:
Select * from table name where field = 'series'
The injected parameters are Class = Series and [query conditions] and ''= ', that is, the generated statement:
Select * from table name where field = 'series' and [query conditions] and ''=''
& Copy; parameters are not filtered during search, such as keyword = keyword. The SQL statement is roughly as follows:
Select * from table name where field like '% keyword %'
The injected parameter is keyword = 'and [query condition] and' % 25' = ', which is the generated statement:
Select * from table name where field like '%' and [query condition] and '%' = '%'
Then, replace the query condition with an SQL statement to guess the table name, for example:
ID = 49 And (Select Count (*) from Admin)> = 0
If the page is the same as that of ID = 49, the additional conditions are true, that is, the table Admin exists, and vice versa (Please remember this method ). This loop ends until the table name is guessed.
After the table name is guessed, replace Count (*) with Count (field name) and use the same principle to guess the field name.
Some people may say: there are some occasional elements. If the table name is complex and irregular, it won't be enough. That's right. There is no 100% successful hacker technology in this world. No matter how technical or advanced hackers are, this is because other people's programs are not strictly written or the user's security awareness is not enough.
I am a little confused. After all, there is still a way for the SQL Server database to let the program tell us the table name and field name. We will introduce it in the advanced article.
Finally, after the table name and column name are successfully guessed, use an SQL statement to obtain the field value. The following describes the most common method-Ascii verbatim decoding, although this method is slow, it must be a feasible method.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
