Impact and utilization of SQL query result set on Injection

There are three types of error prompts: logical errors, syntax errors, and script running errors.

I. logic errors

A simple example is 1 = 1 1 = 2. What are the different principles of 1 = 1 and 1 = 2? Take $ SQL = "select * from news where id = $ _ GET [id]" as an example.

The result set generated by select * from news where id = 1 and 1 = 2 is NULL. When the program obtains the value, a NULL value is output and cannot be displayed. Of course, if some programs find that the SQL Execution result set is empty, they will jump immediately and the effect will not be explicit. It is worth noting that, for example, if the result set of Oracle Postgresql is empty, the character type null is displayed on the page. This is a feature. If the or condition is used, for example

Select * from news where id = 1 or 1 = 1

The result is the opposite of the result set with and 1 = 2. The result set is very large. If the SQL statement is like this, and the program reads the result set cyclically (some bad practices in programming), all the results will be taken out, and the results may run slowly, which is easy to appear in Oracle, where the data volume is huge. What will happen in this example? Generally, if a program extracts the first result in the result set, it is probably not the news with id = 1, this is why some dishes sometimes change or 1 = 1 page.

In the final analysis, it is caused by different result sets. Flexible control is the key. This is not just an empirical problem.

Ii. syntax errors

Syntax errors are familiar. For example, injection error prompts for SQL server, PgSQL, and Sybase are all important, because the information can be obtained quickly by using its features. Syntax errors may result in SQL errors that Interrupt script execution. However, if the script or server settings are blocked incorrectly, the program continues to be executed, but the result set does not exist, even NULL is not enough. It is probably because the result set is empty. In fact, this is the processing result of the script. Of course, Oracle PgSQL is null.

3. Run errors. A typical example is to use MySQL to inject benchmark to obtain the physical path for script running timeout and use timeout to obtain different representations for blind injection.

4. Combination of logical errors and syntax errors.

When the characterization is very insignificant, using functions like iff to distinguish whether they are correct is sometimes a life-saving means. Because syntax errors and logical errors indicate different characters in most cases.

Iff (1 =, 'no') will produce result 1. Note that it is a number, while iff (1 =, 'no') will generate 'no' as a character. So

Id = 1 and 1 = iff (1 = 'no') is true, and id = 1 and 1 = iff (1 =, 'no ') syntax errors may occur due to different types. Unfortunately, there are not many databases that support iff functions.

Now let's talk about the principle of using result sets in injection.

1. Start with 'or ''='

This is a basic course for studying SQL injection and logon vulnerabilities. I will analyze the SQL result set briefly.

$ SQL = "select top 1 * from admin where username = '$ username' and password = md5 (' $ password ')";

Obviously, the addition of 'or ''=' causes the SQL statement to return a record, so that the verification passes.

Ii. Check the SQL statement in the current verification.

$ SQL = "select top 1 * from admin where username = '$ username '";

If the result set is not empty, the password value in the extracted record set is compared with the MD5 value of the password submitted by the user for verification. In this way, you suddenly find that the strategy of 'or' = 'fails, but there is clearly injection in the background, which is caused by the verification method. Following up on this verification process, 'or' = 'does produce a result set (the first line in the admin table), but unfortunately, the password comparison later cannot pass, verification fails.

The idea is very simple. There are cases on the Internet. I focus on the principle and use union to generate the desired result set. For example, 'and (1 = 2) union select top 1 username, 'md5 123456 ', id from admin where username = 'admin

In this way, the admin record information is generated, but the value of the password location in the record set is replaced with the md5 value of 123456. In this way, the admin 123456 is used for verification and inherits his rights.

Even more, we use the 'xxx' method to blind the hacker, which is too much. However, for databases that strictly require type matching, sql2000 sybase cannot shake the "administrator login" because a syntax error occurs during execution and the result set is NULL. In addition, the previous ewebeditor injection vulnerability to upload Trojans is also a classic case of the union operation result set to achieve the goal.