DVWA: a short note on simple SQL injection
I recently started working with SQL injection, and today I am recording some recent gains and some knowledge about SQL injection.
It is mainly based on DVWA, an open source platform for practice.
Without further ado, let's start solving problems.
Start with simple SQL injection at Level: low
After logging in, select SQL Injection
At first we see a normal interface where we enter an ID to query. We can do a simple test first.
Entering 1 and 1=1 and then 1 or 1=1, we find that the results of the search are the same.
So we guessed that the parameter might be handled as a string (the source code later shows that this is indeed the case)
Entering 1' and '1'='1 and then 1' or '1'='1, we find different results
The latter outputs all records in the current table
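Why the quoted inputs above behave differently, and how binding the value removes the difference, shown as an added example that is not from the original post or from DVWA's source. It assumes an in-memory SQLite database as a stand-in for DVWA's MySQL; the table contents and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data in an in-memory SQLite database (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Alice", "Example"), (2, "Bob", "Example"), (3, "Carol", "Example")],
    )
    return conn


def lookup_concatenated(conn, user_id):
    """Weak form: the input is pasted between single quotes, so a quote in it ends the string."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Corrected form: the input is bound as a value and is never parsed as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def compare(inputs):
    """Return {input: (row count from weak form, row count from corrected form)}."""
    conn = make_db()
    return {
        value: (len(lookup_concatenated(conn, value)), len(lookup_parameterized(conn, value)))
        for value in inputs
    }


if __name__ == "__main__":
    # The same test inputs used in the walkthrough above.
    for value, (weak, fixed) in compare(["1", "1' and '1'='1", "1' or '1'='1"]).items():
        print(f"{value!r}: concatenated={weak} rows, parameterized={fixed} rows")
```

With the bound parameter, only the plain ID 1 matches a record; the quoted inputs are compared as whole strings and return nothing.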
Next we determine how many columns there are in the table, which is generally done with order by
We try 1' order by AA, 1' order by 4# ... Finally, order by 2 is true, so we can tell that the table has only two columns
In general, Level: low filters few keywords or none at all, so we go straight to 1' union select 1,2# to see whether a union query works
The union query succeeds, so we change 1 and 2 to user() and database(), giving 1' union select user(),database()#, to get the database name and username.
We successfully learn that the database name is DVWA and that the currently logged-on user is root
Then we find a way to get the table names in DVWA, using 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()# to get one long field made up of the table names
In this query, because each record has to output two fields, we use the constant 1 in the select to occupy one field, followed by the group_concat function, which joins all the table names into one long field for output.
Looking at the table information_schema.tables, we can see that it contains a table_name column holding all the table names and a table_schema column holding the name of the database each table belongs to.
The final result is
We learn that the DVWA database contains the guestbook table and the users table. This platform wants us to get all the user names and passwords in the database, so we find a way to view the users table.
We use 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
Unlike the previous statement, what group_concat merges is column_name, the table searched is information_schema.columns, and the condition is table_name=xxx
So we get all the column names in the users table. It is not hard to tell what each column name means, so we just look at user and password.
We use 1' union select user,password from users#
That gets all the user names and passwords.
The first part ends here for the time being, because I don't want it to be too long.
With this simple experiment, we can master some basic SQL injection statements.
These include order by for finding the column count, union select for union queries, the group_concat(column_name) function for merging fields, the two tables information_schema.tables and information_schema.columns that contain all the table and column names, and the simplest functions, database() and user().
Fluency in SQL statements is a great help for SQL injection.