For injection, error hints are extremely important. By "error hint" I mean the difference between the correct page and the pages returned for different inputs; mastering this point is critical to evaluating an injection point accurately. This post discusses several kinds of errors and the principles that produce them, in the hope of helping readers.
There are three main types of error hint: logic errors, syntax errors, and script run-time errors.
One: Logic error
The simplest example is the pair 1=1 and 1=2. Why do the pages for 1=1 and 1=2 differ? Take $sql = "SELECT * from news where id=$_GET[id]" as an example.
The result set produced by SELECT * from news where id=1 and 1=2 is empty, so when the program reads values from it there is nothing to take and nothing is displayed. Of course, some programs detect that the SQL result set is empty and redirect immediately, so no effect shows at all. It is worth noting that some databases, such as Oracle and PostgreSQL, have the characteristic that the string null appears on the page when the result set is empty. If you use an OR condition instead, such as
SELECT * FROM news where id=1 or 1=1
the opposite of and 1=2 happens: the result set is very large. With a SQL statement like this, if the program loops through the whole result set (a common programming habit) then every row is fetched, which can be slow and is easy to notice on Oracle with a large table. What usually happens is that the program takes the first row of the result set, which is probably no longer the id=1 news item, and that is why the page sometimes changes in a slightly odd way with or 1=1.
In the final analysis, what differs is the result set; mastering this flexibly is the key, and it is not simply a matter of experience.
Two: Syntax errors
Syntax errors are familiar, for example the injection error hints of SQL Server, PostgreSQL and Sybase, because their error messages let you get information quickly. A syntax error produces a SQL error that interrupts script execution. However, if the script or server settings mask the error, the program continues to execute, but there is no result set at all, not even an empty one; what the attacker sees is probably indistinguishable from an empty result set, although in fact it is the script's handling that produces it. Oracle and PostgreSQL, of course, still show null.
Three: Run-time errors. Needless to say, the typical example is MySQL injection using BENCHMARK to make the script time out and reveal the physical path, and using timeouts to produce different responses for blind injection.
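To make the three result-set outcomes above concrete (a normal row, an empty set from a logic condition, and no result set at all from a syntax error), here is an added example that is not code from the original post. It uses an in-memory SQLite table with constructed sample rows, and puts the page's concatenated query beside a bound-parameter version that refuses non-numeric input.

```python
import sqlite3

# Constructed sample rows standing in for the page's "news" table (added example,
# not the original post's code). Inserted out of id order and without an index so
# that a full-table scan does not start at id=1.
NEWS_ROWS = [(3, "third"), (1, "first"), (2, "second")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INT, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", NEWS_ROWS)
    return conn

def fetch_concat(conn, raw_id):
    """The page's pattern: $_GET['id'] is pasted straight into the SQL text.
    Returns the rows, or None when the database rejects the statement (the
    page's syntax-error case, where there is no result set at all)."""
    try:
        return conn.execute("SELECT * FROM news WHERE id=" + raw_id).fetchall()
    except sqlite3.Error:
        return None

def fetch_param(conn, raw_id):
    """Hardened form: the id must parse as an integer and is passed as a bound
    parameter, so the input can no longer change the shape of the WHERE clause."""
    try:
        num = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM news WHERE id=?", (num,)).fetchall()

def compare(raw_id):
    """Run the same input through both versions against fresh sample data."""
    conn = make_db()
    return {"concat": fetch_concat(conn, raw_id), "param": fetch_param(conn, raw_id)}
```

With "1 or 1=1" the concatenated query returns every row and the first one is id=3, which is the page's point about the first row no longer being the id=1 item.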
Four: The combination of logic errors and syntax errors.
When the responses are extremely inconspicuous, using a function such as IFF to tell true from false can sometimes be a lifeline, because the responses to a syntax error and to a logic error are most likely different.
IFF(1=1,1,' no ') produces 1, which is a number, while IFF(1=2,1,' no ') produces ' no ', which is a string. So
id=1 and 1=IFF(1=1,1,' no ') is necessarily true, while id=1 and 1=IFF(1=2,1,' no ') produces an error because the types differ. Unfortunately, not many databases seem to support the IFF function, hehe.
Now let us talk about the principle of the result set in injection.
One: Start with ' or '='
This is the beginner's course of SQL injection: login bypass. I will briefly analyze it from the perspective of the SQL result set.
$sql = "SELECT top 1 * from admin where username='$username' and password=md5('$password')";
Obviously, adding ' or '=' makes the SQL statement return a record, which makes the validation pass.
Two: Now look at the SQL in this verification
$sql = "SELECT top 1 * from admin where username='$username'";
The result set is not empty, and the MD5 value of the password the user submitted is then validated against the password value in the retrieved record. With this, you suddenly find that ' or '=' fails, even though the back end is clearly injectable; the verification method is the reason. Following this verification process, ' or '=' does produce a result set (the first row of the admin table), but unfortunately the later password check does not pass, so validation cannot succeed.
The idea is simple, and there are cases on the Internet; here is the principle: use UNION to produce the desired result set. For example: ' and (1=2) union select top 1 username, '<MD5 value of 123456>', id from admin where username='admin
This produces the admin record, but the value in the password position of the recordset is replaced with the MD5 value of 123456, so validation passes and you inherit admin's rights by logging in as admin with 123456.
Even more, there is the "xxx" approach of blind guessing, which is very "excessive". However, in SQL Server 2000 and Sybase, databases that strictly require type matching, this cannot shake the admin login, because execution produces a syntax error and the result set is null. In addition, the earlier eWebEditor injection vulnerability used to upload a webshell (trojan) is also a classic case of using the result set of a UNION operation to reach the goal.
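The second verification pattern above (look the row up by username, then compare the password hash in application code) can be checked directly. The following is an added example, not code from the original post: it uses an in-memory SQLite admin table with a constructed account, reproduces the page's observation that ' or '=' returns the first admin row but fails the hash comparison, and puts a bound-parameter version beside it in which the quoted input matches no row at all.

```python
import hashlib
import hmac
import sqlite3

def md5_hex(text):
    # md5 only mirrors the page's query; a real application would store a
    # dedicated password hash such as bcrypt or argon2.
    return hashlib.md5(text.encode()).hexdigest()

def make_db():
    """Constructed admin table standing in for the page's table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', ?)", (md5_hex("s3cret-example"),))
    return conn

def check_concat(conn, username, password):
    """The page's second verification pattern: the username is pasted into the
    SQL text, the first returned row is taken, and its stored hash is compared
    with the hash of the submitted password in application code. Because the
    input still shapes the statement, the row that comes back is not trustworthy
    (the page's UNION case). Returns (row_was_found, password_matched)."""
    sql = "SELECT username, password FROM admin WHERE username='" + username + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return (False, False)       # syntax error: no result set at all
    if row is None:
        return (False, False)
    return (True, row[1] == md5_hex(password))

def check_param(conn, username, password):
    """Hardened form: the username is a bound parameter, so quotes in the input
    are data rather than SQL, and the hash comparison is constant-time."""
    row = conn.execute("SELECT username, password FROM admin WHERE username=?",
                       (username,)).fetchone()
    if row is None:
        return (False, False)
    return (True, hmac.compare_digest(row[1], md5_hex(password)))

def compare_checks(username, password):
    """Run the same credentials through both versions against fresh sample data."""
    conn = make_db()
    return {"concat": check_concat(conn, username, password),
            "param": check_param(conn, username, password)}
```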