The effect of SQL query result set on injection and its utilization

Source: Internet
Author: User
Tags md5 mysql injection sql error sql injection sybase first row

There are three main types of error hints, logical and grammatical, and script run errors.





One: Logic error





Simple example is 1=1 1=2 these two, 1=1 and 1=2 page different principle is what? Take $sql = "SELECT * from news where Id=$_get[id]" for example.





SELECT * FROM news where id=1 and 1=2 produce a result set of NULL, and then when the program is worth it, the null value is removed and cannot be displayed. Of course, some programs found that the SQL execution result set is empty, immediately jump, the effect does not show the birds. It is noteworthy that some databases, such as Oracle PostgreSQL, are characterized by the appearance of character null on the page when the result set is empty. If you use an OR condition, such as





SELECT * FROM news where id=1 or 1=1





and 1=2 had the opposite effect, and his result set was huge. If the SQL statement is the case, plus the program is looping through the result set (some of the programming habits) then all the results will be taken out, and the result may be slow and easy to appear on Oracle, which has a large amount of data. What happens in this case, the general program takes out the first result in the result set, it's probably not the id=1 news anymore, and that's why it's a little bit odd that sometimes or 1=1 pages change.





in the final analysis, is the result of different sets of results, flexible mastery is the key, this is not a simple experience problem.





II: Grammatical errors





syntax errors are familiar, such as injection error hints for SQL Server,pgsql,sybase, because using its features to get information quickly. A syntax error can result in a SQL error that interrupts script execution. However, if the script or server settings mask error, the program will continue to execute, but the result set does not exist, even null is not counted, the feedback to the attacker is likely to be empty of the result set, in fact, this is the result of the script processing. Oracle Pgsql, of course, behaves null.





Third: Run the error Needless to say, the typical use of MySQL injection benchmark let the script run timeout to get the physical path, and the use of timeouts to obtain different representations for blind injection.





Four: The combination of logical errors and grammatical errors.





when the representation is extremely inconspicuous, the use of functions such as IFF to distinguish between right and wrong can sometimes become a lifeline. Because syntax errors and logical error representations are most likely to be different.





iff (1=1,1, ' no ') this produces Results 1 attention is number, and IFF (1=2,1, ' no ') this produces ' no ' is a character. So





id=1 and 1=iff (1=1,1 ' no ') are necessarily true, and id=1 and 1=iff (1=2,1, ' no ') will have syntax errors due to different types. But unfortunately it seems to support the IFF function of the database is not much, hehe.





now tells the principle of the use of the result set in injection.





one: Starting from ' or ' = '





This is the primary course of learning SQL injection, landing holes. I briefly analyze from the SQL result set.





$sql = "SELECT top 1 * from admin where username= ' $username ' and password=md5 (' $password ')";





Obviously, the addition of ' or ' = ' causes the SQL statement to return a record, which makes the validation pass.





II: Now look at the SQL
in the validation




$sql = "SELECT top 1 * from admin where username= ' $username '";





The result set is not empty and is validated against the user-submitted password MD5 value based on the password value in the extracted recordset. In this way, you suddenly find that ' or ' = ' The failure of the bird, but the background is clearly injected, this is the verification method. Following up on this verification process, ' or ' = ' does produce a result set (the first row in the admin table) but unfortunately, later passwords do not pass and validation cannot succeed.





idea is very simple, there are cases on the Internet, I am the principle, using the Union to produce the desired result set. For example, ' and (1=2) union select top 1 username, ' 123456 is MD5 value ', id from admin where username= ' admin





this produces the admin record information, but the value in that location of the password in the recordset is replaced with the MD5 value of 123456, which validates and inherits his rights using admin 123456.





even all use ' xxx ' method to blind sniper, this is very "excessive" bird. However, in sql2000 Sybase these strict requirements type matching database, this can not shake "admin login", because the execution of a syntax error, the result set is null. In addition, the previous ewebeditor injected a vulnerability to upload a horse is also the union operation result set to achieve the goal of the classic case.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.