Summary of SQL Injection penetration technology


Author: Ice and blood [EST]
Those of you who have visited my EvilOctal Weblog know that a long time ago my schedule had an entry on it:
a summary of UNION queries in injection.

However, coursework has been too busy to finish it. Today's injection is much the same as tomorrow's, and the holes on the major sites in the industry have been patched as well. Under these circumstances I still want to write up the summary of UNION queries in injection, before the subject goes stale...

Well, enough chatter. As a companion to the SQL injection attack techniques that are so popular at the moment, this article summarizes the SQL query statements they depend on. It is based on MSSQL and is meant to help the many people just starting out; all you need to do is remember the author when you bookmark it :)

The query statement is the core operation of a database, and it has also been inseparable from the SQL injection attacks, large and small, of the past year. Its general format is as follows:
SELECT [ALL | DISTINCT] <target column expression> [, <target column expression>]...
FROM <table name or view name> [, <table name or view name>]
[WHERE <conditional expression>]
[GROUP BY <column name 1> [HAVING <conditional expression>]]
[ORDER BY <column name 2> [ASC | DESC]];
Dizzy? Never mind, Ice and Blood will explain it to you...
The whole SELECT statement above means:
take the base tables or views named in the FROM clause, find the tuples that satisfy the conditional expression of the WHERE clause, and then pick out the attribute values named by the target column expressions of the SELECT clause to form the result table. If a GROUP BY clause is present, the result is grouped by the value of <column name 1>: tuples with equal values in that column form one group.
If the GROUP BY clause carries a HAVING phrase, only the groups that meet its condition are output. If an ORDER BY clause is present, the result table is sorted in ascending or descending order by the value of <column name 2>.
If that is too abstract, here is an example. Suppose the database of the EvilOctal article system looks like this:
User table: EST_User (uid, name, pwd, group)
uid is the user number of an article system staff member; name is that staff member's user name; pwd is the password column for the corresponding user name; group is the group the staff member belongs to. (Note that group is a reserved word in MSSQL, so in a real query the column has to be written as [group].)
Article table: EST_Art (aid, aname, abody, atips, uid)
aid is the number an article receives when it is entered; aname is the column storing the article title; abody is the column storing the article body; atips is the article's classification; uid is the user number of the staff member who submitted it.

Now let's use these tables to explain how the query statement works. Time is limited, so we'll go by example.

Single table query
1. Selecting several columns from the table
1) Query the user names and groups of all staff (specified columns only):
SELECT name, [group] FROM EST_User;
2) Query the full records of all staff (all columns):
SELECT * FROM EST_User;
This sentence, often seen in source code, is equivalent to SELECT uid, name, pwd, [group] FROM EST_User;
2. Selecting several tuples from the table
This is basic stuff and I didn't really want to cover it, but unfortunately we sometimes can't do without it, which depresses me too. Let's take a look anyway.
1) Query the tuples that meet a condition
Here we mainly cover comparing values and determining ranges...
(1) Comparing values
A small example: SELECT name, uid FROM EST_User WHERE uid < 10; queries the user names and user numbers of all article system staff whose user number is smaller than 10. Of course, you can also write SELECT name, uid FROM EST_User WHERE NOT uid >= 10;
(2) Determining a range
Let's query the user names, user numbers and groups of staff in the article system's user table whose user numbers lie between 5 and 10 (inclusive). The statement is:
SELECT name, uid, [group] FROM EST_User WHERE uid BETWEEN 5 AND 10;
And how do we express "not between 5 and 10"? Just use NOT BETWEEN. Ice and Blood won't go into further detail here...
(3) Multiple conditions
The logical operators AND and OR can be used to join several query conditions. AND has higher precedence than OR, but parentheses can be used to change the precedence.
An example: we want the user names of all users in the Moderators group whose user number is below 10. How should we construct the statement? Even I'm confused by what I wrote... the structure is as follows:
SELECT name FROM EST_User WHERE [group] = 'Moderators' AND uid < 10; OR works the same way, you can figure it out yourselves. I'm dizzy...

Nested query
In SQL, a SELECT-FROM-WHERE statement is called a query block, and nesting one query block inside the WHERE clause, or the HAVING phrase, of another query block is called a nested query. It is somewhat useful in injection, so let's talk about it here...
For example:
SELECT name
FROM EST_User
WHERE uid IN
(SELECT uid
FROM EST_Art
WHERE aid = 8);
Look at the outer block first: SELECT name FROM EST_User WHERE uid IN (...) queries the names of the users in EST_User whose uid column is among a given set of values.
The inner block SELECT uid FROM EST_Art WHERE aid = 8; queries the uid of the submitter of the article whose aid is 8 in EST_Art, and hands that uid up to the outer query, completing the nested query...
Subqueries with the EXISTS predicate
There are actually several kinds of subquery in this class, so why do I only talk about EXISTS? Because it shows up in lots of magazines, and a fair number of brothers doing injection like to use it. To be honest, none of this is really specific to queries; if you have learned databases properly you already know how to query. Is lcx a big brother, you ask? He's still learning too... and there goes Ice and Blood rambling again -_-|

EXISTS stands for the existential quantifier ∃ (it is really a reversed E, but I couldn't find the symbol, so it is faked here). A subquery with the EXISTS predicate does not return any data; it only produces a logical truth value, true or false.
That is exactly why the injection crowd is so loyal to it...
Query the names of all staff who have published articles classified as Tech:
SELECT name FROM EST_User WHERE EXISTS (SELECT * FROM EST_Art WHERE uid = EST_User.uid AND atips = 'Tech');
With the EXISTS keyword, if the inner query result is not empty the outer WHERE clause evaluates to true; otherwise it evaluates to false. The target column expression of an EXISTS subquery is generally *, because the subquery only yields true or false and naming specific columns would be meaningless...

Set query
Finally, let's talk about the legendary UNION query, which I never managed to sum up properly before; this time it is all in one place. Even Ice and Blood is about to faint by now. Haha, writing an article to sum up what you have learned is a pleasure, like walking down a path full of flowers. Haha, look at xiaolu, which of these has he already covered :P
In fact set queries are not only UNION, but here we only discuss UNION. Why? Because it is used a lot in hacking.
Here is an example.
Suppose we want the users in the Moderators group together with the users whose user number is not greater than 8, that is, the union of the two sets. The statement is constructed like this:
SELECT * FROM EST_User WHERE [group] = 'Moderators' UNION SELECT * FROM EST_User WHERE uid <= 8;
Both SELECTs in a UNION must return the same number of columns with compatible types, and UNION removes duplicate rows (UNION ALL keeps them). Haha, not hard, is it? It all depends on how you actually use it...
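The nested, EXISTS and UNION queries from the sections above, run against constructed sample tables. This is an added example, not code from the original post: sqlite3 stands in for MSSQL, the sample rows and function names are my own assumptions, and the group column is written as [group] because it is a reserved word.

```python
import sqlite3

# Constructed sample data standing in for the article's EST_User and EST_Art
# tables (sqlite3 stands in for MSSQL). "group" is a reserved word, so it is
# written as [group]; SQLite accepts this MSSQL-style bracket quoting.
USERS = [(1, "ice", "p1", "Moderators"), (5, "lcx", "p5", "Tech"),
         (8, "xiaolu", "p8", "Members"), (12, "guest", "p12", "Moderators")]
ARTICLES = [(8, "Union notes", "...", "Tech", 5), (9, "Hello", "...", "Chat", 8)]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EST_User (uid INTEGER, name TEXT, pwd TEXT, [group] TEXT)")
    con.execute("CREATE TABLE EST_Art (aid INTEGER, aname TEXT, abody TEXT, "
                "atips TEXT, uid INTEGER)")
    con.executemany("INSERT INTO EST_User VALUES (?, ?, ?, ?)", USERS)
    con.executemany("INSERT INTO EST_Art VALUES (?, ?, ?, ?, ?)", ARTICLES)
    return con


def nested_author_of(con, aid):
    # Nested query: the inner block supplies the uid set for the outer IN (...).
    rows = con.execute("SELECT name FROM EST_User WHERE uid IN "
                       "(SELECT uid FROM EST_Art WHERE aid = ?)", (aid,)).fetchall()
    return [r[0] for r in rows]


def exists_authors(con, tips):
    # EXISTS yields only true/false per outer row; the inner column list is irrelevant.
    rows = con.execute("SELECT name FROM EST_User WHERE EXISTS (SELECT * FROM EST_Art "
                       "WHERE uid = EST_User.uid AND atips = ?)", (tips,)).fetchall()
    return [r[0] for r in rows]


def union_moderators_or_low_uid(con, max_uid):
    # UNION merges two result sets of equal width and drops duplicate rows.
    return con.execute("SELECT uid, name FROM EST_User WHERE [group] = 'Moderators' "
                       "UNION SELECT uid, name FROM EST_User WHERE uid <= ? "
                       "ORDER BY uid", (max_uid,)).fetchall()


def union_width_mismatch(con):
    # Both halves of a UNION must have the same column count; the engine refuses otherwise.
    try:
        con.execute("SELECT uid, name FROM EST_User UNION SELECT uid FROM EST_Art")
        return None
    except sqlite3.Error as e:
        return str(e)
```

The values are passed as bound parameters rather than pasted into the SQL text, which is also why the reserved-word and quoting issues above never reach the query string.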

Well, this small summary has come to an end. I hope the learners who read it pick up a little inspiration from Ice and Blood; that alone would make me very happy :)
Mistakes in the article are unavoidable, so I hope the experts will lend a hand and give me a poke. And welcome to our site, EvilOctal in China... asking for the forum address? I won't say; those with the fate to find it will find it themselves... see you around :)