Ice origin Note: In order to make more people understand this book fairly and fairly, I decided to publish the trial chapters on the Internet! I hope to have a correct understanding of this book! Of course, this is only one of them!
There are still some situations we often encounter during injection, that is, there is no error echo. In addition to one-by-one guesses or blind Injection Using Time Difference Methods, a good technique is union Joint query. However, I recently discovered that union injection has very few errors in combination with mysql, and there are many problems with mssql, if the field type does not match or there is no echo content on the page. Today we are going to solve these two problems.
But before that, I have to mention how to obtain the number of fields at the current injection point. I know three methods to obtain the number of fields. The first method is to use having 1 = 1 to force the current number of fields, such
● Http://www.kumhobuslines.co.kr/custom/Noti_02.asp? Id = 366% 20 having % 201 = 1 -- ●
A lot of people use this method to obtain the value of the current column name. In this way, we use group by to generate the number of all fields in one row, as shown in the following URL:
● Http://www.kumhobuslines.co.kr/custom/Noti_02.asp? Id = 366% 20 group % 20by % 20khnotice. notice_id, khnotice. notice_idx, khnotice. name, khnotice. title, khnotice. writedate, khnotice. fromdate,
Khnotice. todate, khnotice. filename, khnotice. tag, khnotice. readnum, khnotice. content % 20 having % 201 = 1 -- ●
Return the information shown in 1.
Figure 1
The error here is no longer a column name, but a message similar to "Type mismatch". After counting it, we found that there were eleven tables, so the number of fields is of course 11. The second method is the order by N method. Note that order by 11 does not have to return correct order by 12. If an error is returned, it is determined that the number of fields is 11. ● Order by 11 ● here is the same as returning an error, 2.
Figure 2
Therefore, the returned message is displayed here. However, 3 is returned when ● order by 12 ● is submitted.
Figure 3
The third method is ● and 1 = 2 union select n1, n2 ...... ● Try this method one by one. Yes, if there are more than one field plus no echo, this method is not interesting, but please do not ignore this method. I once encountered a problem that I could not use order by, but I used this method to guess the number of current fields in sequence.
After obtaining the number of fields, the next step is the echo problem. How can I display the numbers on the current page like MYSQL. In the above example, we will submit the following URL:
● Http://www.kumhobuslines.co.kr/custom/Noti_02.asp? Id = 366% 20and % 201 = 2% 20 union % 20 select %, 11 ●
This is a common method, but expected result 4 is displayed.
Figure 4
What should I do at this time? If there are eleven fields, how can we determine which field type does not match? Do I have to replace them one by one and then display them again? If you are smart enough, you will think of replacing all with null. Let's try and submit the following URL:
● Http://www.kumhobuslines.co.kr/custom/Noti_02.asp? Id = 366% 20and % 201 = 2% 20 union % 20 select % 20 null, null ●
Returned information 5.
Figure 5
Are you stunned? What? Even null error.
Actually it is not. Let's take a closer look at the error echo, prompting that it is not a Type Mismatch. The key word is "DISTINCT ". We come to MSDN to check the usage of union (http://msdn.microsoft.com/zh-cn/events/bb399797.aspx), take a look at the official explanation:
★
UNION
Specify a combination of multiple sets and return them as a single set.
ALL
Specify a combination of multiple sets and return them as a single set (including repeated items ). If not specified, the duplicate items are deleted from the result set.
★
Union can only add a single set and does not contain repeated items. The word DISTINCT we just saw is "completely different". Obviously, this injection statement contains different result sets. The solution here is not to let it be violent or wrong, rather than the matching problem, but its parameter ALL can be solved. We submit:
● Http://www.kumhobuslines.co.kr/custom/Noti_02.asp? Id = 366% 20and % 201 = 2% 20 union % 20all % 20 select % 20 null, null ●, the problem was solved in this way, but the new problem came again, as shown in figure 6.
Figure 6
The problem is coming again. I have encountered special situations here. However, here is a reminder that NULL can match any type, and most of the types we encounter are numbers and numbers. Therefore, we can use numbers to guess one by one, instead of such errors, for example, if we use NULL for the first 1 and NULL for the second 2, we will find that the returned results are all errors in figure 6, 7.
Figure 7
All are errors of the same type. We don't need to worry about it. We will continue to use a number to replace the following NULL. This is still the case when we replace the number "4, but when I replace the fifth NULL with "5", the expected result is displayed, URL:
● Http://www.kumhobuslines.co.kr/custom/Noti_02.asp? Id = 366% 20and % 201 = 2% 20 union % 20all % 20 select %, 3, 4, 5, null ●
8.
Figure 8
In this case, a very strange UNION injection is completed.
In addition, if the number of fields is only one, we do not have to worry about the type. Of course, we must also use union all. We can directly query it, for example:
● Http://www.webdonline.com/fr/services/forums/inscription.asp? Id = 77% 20and % 201 = 2% 20 union % 20all % 20 select % 20 @ version ●
Expected result 9 is displayed.
Figure 9
In short, union injection should be flexible and should be constantly changed based on errors. The above is a small Summary of union injection. I hope it will be useful to you.
