After several years of learning web security, the vulnerability I have had the most contact with is SQL injection, and the one I am still least familiar with is also SQL injection. In the OWASP ranking, the harm of SQL injection is absolutely Top 1. I took a little time to study the types of MySQL injection.
The tips in this article will continue to be updated; first, over these past few days, I will talk about the
Here the numeric injection type is used for the explanation; the character type works the same way and is not covered separately here.
Our environment: phpStudy + MySQL + PHP
Our test code is as follows:
```php
<meta http-equiv="Content-type" content="text/html; charset=utf-8"/>
<?php
$id = $_GET['id'];                                  // takes the GET parameter "id" and assigns it to $id with no filtering
$conn = mysql_connect('127.0.0.1', 'root', 'root'); // connect to the MySQL database (legacy mysql_* extension, removed in PHP 7)
mysql_select_db('Shop', $conn);                     // select the test database on the $conn connection
$sql = "SELECT * FROM product WHERE pid=$id";       // build the SQL statement by concatenating $id directly: this is the injection point
$result = mysql_query($sql);                        // execute the statement and keep the result handle
while ($row = mysql_fetch_array($result)) {         // iterate over the result rows and display them
    echo "ID:" . $row['PID'] . "</br>";
    echo "PName:" . $row['PName'] . "</br>";
    echo "Info:" . $row['Pdesc'] . "</br>";
}
mysql_close($conn);                                 // close the database connection
echo "<br/>";                                       // separator (the original tag was lost when the page was extracted)
echo "Sql=";
echo $sql;                                          // print the final statement so the test is easy to follow
?>
```
Here the parameter is concatenated directly into the SQL statement with no filtering, so SQL injection is present.
The SQL injection testing process as I understand it is written from the perspective of security testing that does not affect the enterprise, not from the perspective of penetration testing.
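The following is an added example, not code from the original post. It rebuilds the page's vulnerable pattern (the id concatenated into the statement) in Python with an in-memory SQLite database standing in for MySQL, and places the hardened form next to it: the id is validated as an integer and bound as a parameter. The product table with pid, pname and pdesc follows the page; the rows are constructed sample data. It then shows why the and 1=1 / and 1=2 pair from the next section reveals the flaw: the concatenated query changes its row count, while the hardened lookup rejects both inputs as invalid ids. In PHP the equivalent hardening is a prepared statement via mysqli or PDO.

```python
import sqlite3

# Constructed sample data mirroring the page's "product" table (pid, pname, pdesc).
# SQLite is used here as a stand-in for the MySQL database behind the PHP test page.
SAMPLE_PRODUCTS = [
    (1, "keyboard", "mechanical keyboard"),
    (2, "mouse", "wireless mouse"),
    (3, "monitor", "27 inch monitor"),
]


def setup_db():
    """Create an in-memory database holding the constructed product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (pid INTEGER, pname TEXT, pdesc TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern from the PHP page: the parameter is concatenated into the statement.

    Whatever the client sends becomes part of the SQL syntax, so text appended
    to the id changes the result set instead of being treated as an invalid id.
    """
    sql = "SELECT pid, pname, pdesc FROM product WHERE pid=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    int() rejects anything that is not a plain integer (ValueError), and the
    value reaches the driver as bound data, never as statement text.
    """
    pid = int(raw_id)
    sql = "SELECT pid, pname, pdesc FROM product WHERE pid=?"
    return conn.execute(sql, (pid,)).fetchall()


def compare_probe(conn, base_id="1"):
    """Show why the 'and 1=1' / 'and 1=2' pair reveals the injection.

    Returns the row counts seen by the vulnerable lookup and whether the safe
    lookup rejected both probe inputs.
    """
    true_probe = base_id + " and 1=1"
    false_probe = base_id + " and 1=2"
    result = {
        "vulnerable_plain": len(lookup_vulnerable(conn, base_id)),
        "vulnerable_true": len(lookup_vulnerable(conn, true_probe)),
        "vulnerable_false": len(lookup_vulnerable(conn, false_probe)),
        "safe_plain": len(lookup_safe(conn, base_id)),
    }
    rejected = []
    for probe in (true_probe, false_probe):
        try:
            lookup_safe(conn, probe)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    result["safe_rejects_probes"] = all(rejected)
    return result


if __name__ == "__main__":
    db = setup_db()
    for key, value in compare_probe(db).items():
        print(f"{key}: {value}")
```

The difference between vulnerable_true (one row) and vulnerable_false (no rows) is exactly the signal the article's tests look for; with validation plus parameter binding there is no such difference to observe, because the probe never becomes SQL.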
The process is as follows:
Determine the database type ---> probe for SQL injection in a way suited to that database type, to determine whether injection is present ---> use a simple injection to prove it (database name, version number, etc.) ---> submit the security vulnerability
In a real test you need to judge the database type first and then inject in a targeted way. This article uses the MySQL database as its example, so there is no need to waste time on that step.
We all know that for a numeric-type SQL injection we generally first try a simple test with and 1=1 and and 1=2.
However, with the rapid development of security, SQL injection that can be judged simply with and 1=1 / and 1=2 is now very rare, and most targets have filtering. So we need to probe with some simple tips to see whether SQL injection is present.
Finding the vulnerability is 70% of the success; writing the proof of the vulnerability perfects the remaining 30%, so the step of finding the SQL injection is very important.
Take the numeric type as the example.
Which statements in MySQL injection can be used in place of and 1=1 and and 1=2?
Let's start with IF.
Syntax: select if(expr1,expr2,expr3)
Explanation: when expr1 is true, the result is expr2; otherwise it is expr3.
In MySQL we know that 0 = false and null = true, and numbers other than 0 represent true.
So we can judge like this:
Having determined whether SQL injection exists in this way, let's derive further: how else can we play with it?
Using IF, our combinations become much more diverse; here are some examples.
There are two basic forms for blind injection in MySQL:
1. and sleep(3)
2. and benchmark(10000000,encode('hello','mom'))
If injection is present, both statements cause a delay.
Combined with the IF above, the sleep(3) delay is used as the example; the benchmark delay works the same way and is not explained separately.
Blind testing can be done this way; let's keep pushing on IF:
Which statement in MySQL means almost the same as and? like?
Judging with like:
What happens if we change the order?
What if and is filtered? How do we then judge SQL injection?
Use xor. Details on xor usage: 79515643
This judgment is equivalent to and 1=1 and and 1=2.
Because I do not want the article to become too wordy, let me first introduce a few relationships:
1. and and like are used similarly.
2. or and xor are used similarly.
and, like, or and xor are all operators, so they can be swapped freely. So in what follows, for example, and if(1,1,0) could equally be like if(...), xor if(...) or or if(...); only the SQL statement differs slightly.
Continuing:
and/or/xor/like can all be used; what about between? It turns out it works too.
Demo:
Using between for blind injection
It falls into a loop delay ... the delay is very long ...
This can also judge SQL injection; so how can we play with it?
Make the SQL injection judgment like this:
I'm a little tired from writing up to here. Let's continue.
Let's go back to MySQL IF ...
In MySQL a decimal does not mean false; how else can we play with that?
Try to bypass certain restrictions like this:
All right, that one is a little lame. One more: introducing <> in MySQL
A simple demonstration shows that injection can be judged with it as well.
So, as said before, and, like, xor and or can all be used to judge SQL injection; there are simply too many examples to list them all.
xor is a bit more complex, so take xor as the example ...
Writing an article seriously is really tiring.
What else can we do if IF is filtered? Well, IF still has relatives.
Syntax: ifnull(expr1,expr2)
Explanation: if expr1 is not null, returns expr1; if expr1 is null, returns expr2.
A simple demo:
Again xor is used as the example; or and like are not shown.
What if ifnull is also filtered? There is another good friend to help:
Syntax: nullif(expr1,expr2)
Explanation: if expr1 equals expr2, returns null; if expr1 is not equal to expr2, returns expr1.
Take xor as the example
Then you can test blind injection.
Change it to 1 and try.
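The sections above make one recurring point: when a target filters and, or if, or ifnull, the probe simply moves to an equivalent operator or function (like, xor, between, sleep, benchmark, nullif, <>), so a keyword blacklist is never the end of the story. The following is an added example, not code from the original post, written from the log-review side: it walks constructed access-log lines (Apache combined style; the timestamps and the product.php path are made up) in which the id parameter receives the probe forms discussed in the article, applies a strict positive check for a numeric id, labels which family each anomaly belongs to, and contrasts that with a naive and/or blacklist that misses the equivalents.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache combined style, timestamps made up) in
# which the "id" parameter of the page's product.php receives the probe forms
# the article discusses: plain ids, sleep(), xor + if(), like + ifnull(),
# between + nullif().
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:01 +0800] "GET /product.php?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:05 +0800] "GET /product.php?id=1%20and%20sleep(3) HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:09 +0800] "GET /product.php?id=1%20xor%20if(1,1,0) HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:13 +0800] "GET /product.php?id=1%20like%20ifnull(1,0) HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:17 +0800] "GET /product.php?id=2 HTTP/1.1" 200 498
127.0.0.1 - - [01/Jan/2024:10:00:21 +0800] "GET /product.php?id=1%20between%201%20and%20nullif(2,1) HTTP/1.1" 200 512
"""

# Positive check for a numeric id: digits only. Anything else is anomalous,
# whatever keyword it happens to contain.
NUMERIC_ID = re.compile(r"\d+")

# Indicator families named after the probe forms in the article. They label
# what kind of anomaly was seen; the positive check above is what decides.
PROBE_PATTERNS = [
    ("boolean-operator", re.compile(r"\b(and|or|xor)\b", re.I)),
    ("like-operator", re.compile(r"\blike\b", re.I)),
    ("between-operator", re.compile(r"\bbetween\b", re.I)),
    ("time-delay-function", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("conditional-function", re.compile(r"\b(if|ifnull|nullif)\s*\(", re.I)),
    ("tautology", re.compile(r"\b\d+\s*=\s*\d+\b")),
    ("inequality", re.compile(r"<>")),
]

# A keyword blacklist of the kind the article says most targets have: it only
# knows "and" and "or", so the equivalent operators pass straight through.
NAIVE_BLACKLIST = re.compile(r"\b(and|or)\b", re.I)

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def naive_filter_blocks(value):
    """True if the blacklist-style filter would reject this parameter value."""
    return NAIVE_BLACKLIST.search(value) is not None


def analyze_value(value):
    """Classify one decoded parameter value.

    Returns whether it passes the strict numeric check and which indicator
    families match after whitespace normalization.
    """
    normalized = " ".join(value.split())
    indicators = [name for name, pattern in PROBE_PATTERNS if pattern.search(normalized)]
    return {
        "valid_numeric": NUMERIC_ID.fullmatch(value) is not None,
        "indicators": indicators,
    }


def scan_log(log_text, numeric_params=("id",)):
    """Walk access-log lines and report parameter values that fail validation.

    For parameters declared numeric, any non-digit value is reported; for the
    rest, a value is reported only when an indicator family matches.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl also percent-decodes
            verdict = analyze_value(value)
            if name in numeric_params:
                suspicious = not verdict["valid_numeric"]
            else:
                suspicious = bool(verdict["indicators"])
            if suspicious:
                findings.append({"line": lineno, "param": name,
                                 "value": value, "indicators": verdict["indicators"]})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The indicator families are useful for triage and alert naming, but the decision rests on the positive check: a numeric id that is not all digits is wrong regardless of which of the article's operators it contains, which is why the xor and like variants that defeat the naive blacklist are still reported.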
That's all for now; I will continue writing later ...
MySQL injection small tips - continuously updated