For injection testing, error hints are extremely important. An error hint is the difference between the normal page and the feedback produced by an abnormal request; mastering this point is critical to evaluating an injection point accurately. This article discusses several kinds of errors and the principles behind them, in the hope of helping readers.
Error hints fall into three categories: logical errors, syntax errors, and script run-time errors.
One: Logic errors
The simplest examples are 1=1 and 1=2. Why do the pages for 1=1 and 1=2 differ? Take $sql = "SELECT * from news where id=$_GET[id]" as an example.
SELECT * FROM news where id=1 and 1=2 produces an empty result set; when the program then reads the value, it gets NULL and nothing can be displayed. Of course, some programs detect that the SQL result set is empty and redirect immediately, so the effect does not show at all. It is worth noting that some databases, such as Oracle and PostgreSQL, show the characters "null" on the page when the result set is empty. If you use an OR condition, such as
SELECT * FROM news where id=1 or 1=1
the effect is the opposite of and 1=2: the result set becomes huge. If the SQL statement is written like this and the program loops through the whole result set (a common programming habit), all the rows are fetched, which can be slow and is easily noticed on Oracle databases holding a large amount of data. More commonly, the program takes only the first row of the result set, and that row is probably no longer the news item with id=1; this is why the page sometimes changes in an odd way with or 1=1.
In the final analysis, it all comes down to different result sets. Mastering this flexibly is the key; it is not simply a matter of experience.
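To make the result-set behaviour concrete, here is an added example (not code from the original article) in Python with an in-memory SQLite table standing in for the news table: the vulnerable query pastes the id into the statement as the page's $sql does, while the hardened version parses the id as an integer and binds it, so and 1=2 and or 1=1 can no longer change the WHERE clause. The table contents and the fetch_news_* function names are constructed for this example.

```python
import sqlite3


def make_news_db():
    # Constructed sample data: ids deliberately inserted out of order and with
    # no index, so a query without ORDER BY returns rows in insertion order.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(3, "third"), (1, "first"), (2, "second")])
    return conn


def fetch_news_vulnerable(conn, raw_id):
    # Mirrors the page's $sql = "SELECT * from news where id=$_GET[id]":
    # the parameter is pasted into the statement, so "and 1=2" / "or 1=1"
    # become part of the WHERE clause and change the result set.
    sql = "SELECT id, title FROM news WHERE id=%s" % raw_id
    return conn.execute(sql).fetchall()


def fetch_news_safe(conn, raw_id):
    # Hardened form: the id must parse as an integer and is bound as a
    # parameter, so it can never alter the shape of the statement.
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM news WHERE id=?",
                        (news_id,)).fetchall()


def first_title(rows):
    # What a typical page does: display only the first row of the result set,
    # which with "or 1=1" is whatever row the database happens to return first.
    return rows[0][1] if rows else None
```

Running fetch_news_vulnerable with "1 or 1=1" returns all three rows and first_title gives "third", not the id=1 item, which is the page-changing effect the text describes.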
II: Syntax errors
Syntax errors are the familiar ones, such as the injection error messages of SQL Server, PostgreSQL and Sybase, whose verbose error reporting can be used to obtain information quickly. A syntax error makes the SQL fail and interrupts script execution. However, if the script or the server settings mask the error, the program continues to execute, but there is no result set at all, not even an empty one; what the tester sees is very likely the same as for an empty result set, although it is actually the script's error handling that produced it. Oracle and PostgreSQL, of course, display null in this case.
III: Run-time errors
Needless to say, the typical case is MySQL injection with BENCHMARK, which makes the script time out in order to obtain the physical path, and using timeouts to distinguish true from false in blind injection.
Four: Combining logical errors and syntax errors.
When the difference in page behaviour is extremely inconspicuous, using a function such as IIF to distinguish true from false can sometimes become a lifeline, because the page's behaviour on a syntax error and on a logical error are very likely to differ.
IIF(1=1,1,'no') produces 1 (note that it is a number), while IIF(1=2,1,'no') produces 'no', which is a string. So
id=1 and 1=IIF(1=1,1,'no') is necessarily true, whereas id=1 and 1=IIF(1=2,1,'no') produces a syntax error (a type mismatch) because the types differ. Unfortunately, not many databases seem to support the IIF function, hehe.
Now let us explain the principle of using the result set in injection.
One: Starting from ' or '='
This is the introductory lesson of SQL injection: the login bypass. I will analyse it briefly from the standpoint of the SQL result set.
$sql = "SELECT top 1 * from admin where username='$username' and password=md5('$password')";
Obviously, adding ' or '=' makes the SQL statement return a record, so the validation passes.
Second: Look at the current validation SQL
$sql = "SELECT top 1 * from admin where username='$username'";
If the result set is not empty, the program takes the password value from the fetched record and compares it against the MD5 of the password the user submitted. With this method you suddenly find that ' or '=' fails even though the back end is clearly injectable; the validation method is the reason. Following the verification process: ' or '=' does produce a result set (the first row of the admin table), but the password check that follows does not pass, so the validation cannot succeed.
The idea is very simple and there are cases on the Internet; I will explain the principle: use UNION to produce the desired result set. For example: ' and (1=2) union select top 1 username, '<MD5 value of 123456>', id from admin where username='admin
This produces the admin record, but the value in the password position of the recordset is replaced by the MD5 value of 123456, so the validation passes and the attacker inherits admin's rights by logging in as admin with 123456.
Some even use this method to snipe passwords blindly, character by character, which is rather "excessive". However, on SQL Server 2000 and Sybase, which strictly require type matching, this cannot defeat the admin login, because the execution produces a syntax error and the result set is empty. In addition, the earlier eWebEditor injection vulnerability used to upload a web shell is also a classic case of reaching the goal through a UNION result set.
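The following added Python example (not the article's code) shows why the two-step verification of this section and the single-query login of the previous one share the same weakness: when the username is pasted into the statement, the attacker decides which row comes back, so comparing the stored hash in application code is not a mitigation. The page's ' or '=' and UNION inputs are reproduced as constructed strings, adapted to SQLite (LIMIT 1 in place of top 1); the admin table, its password and the function names are constructed, and MD5 is kept only because the page's code uses it.

```python
import hashlib
import hmac
import sqlite3


def md5_hex(text):
    # MD5 mirrors the page's md5('$password'); it is not a recommendation
    # for password storage.
    return hashlib.md5(text.encode()).hexdigest()


def make_admin_db():
    # Constructed sample table, columns in the order the page's UNION
    # payload assumes: (username, password, id).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT, id INTEGER)")
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)",
                 ("admin", md5_hex("constructed-admin-pw"), 1))
    return conn


def login_two_step(conn, username, password):
    # The page's second verification style: fetch the row by username
    # (string pasted into SQL), then compare the stored hash in code.
    # The comparison does run, but a UNION row can carry any hash the
    # attacker chooses, so the check passes for the matching password.
    sql = "SELECT * FROM admin WHERE username='%s' LIMIT 1" % username
    row = conn.execute(sql).fetchone()
    return row is not None and row[1] == md5_hex(password)


def login_parameterized(conn, username, password):
    # Hardened form: the username is bound as a parameter, so it is only
    # ever compared as data; the hash comparison is constant-time.
    row = conn.execute(
        "SELECT username, password, id FROM admin WHERE username=? LIMIT 1",
        (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], md5_hex(password))


# The two inputs the page discusses, as constructed test strings.
OR_PAYLOAD = "' or ''='"
UNION_PAYLOAD = ("' and 1=2 union select username, '%s', id "
                 "from admin where username='admin" % md5_hex("123456"))
```

Against login_two_step the OR input returns the admin row but fails the hash check, exactly as the text describes, while the UNION input passes with password 123456; login_parameterized rejects both and accepts only the real credentials.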