The Mysql database uses the CONCAT function to execute SQL injection queries _mysql

Source: Internet
Author: User
Tags sql injection

SQL injection statements sometimes use the substitution query technology, that is, let the original query statements can not find the results of errors, and let the query to build their own execution, and the implementation of the results instead of the original query query results displayed.

For example: The original query statement is

Copy Code code as follows:

Select Username,email,content from test_table where User_id=uid;

Where the UID is entered by the user. The normal display result will appear the user name, the user mailbox, the user message content. However, if the UID filter is lax, we can construct the following SQL statement to obtain any data table information.
Copy Code code as follows:

Uid=-1 Union Select Username, password,content from test_talbe where user_id= administrator id;

The actual implementation is
Copy Code code as follows:

Select Username,email,content from test_table where user_id=-1 Union select username, password,content from Test_talbe whe Re user_id= admin ID;

Where the normal user emai is displayed, it becomes the password to display the administrator.

However, often things are not so simple, the first to find vulnerabilities, and then construct such statements to consider the type of each field, so that the int or samllint type of field display varchar is obviously inappropriate. This is the last thing to say.

If the problem SQL statement has only one or two fields to do, we want to know a lot of things, one or two fields are too few, far from meeting our needs. Then we can use the concat function.

The CONCAT function would have been such a select CONCAT (' My ', ' S ', ' QL '), and the result was ' MySQL '. Which is the connecting effect. We use it to serve us,

Copy Code code as follows:

Uid=-1 Union Select Username, concat (password,sex,address,telephone), content from Test_talbe where user_id= administrator id;

This statement actually inquires six fields, but when displayed, the Password,sex,address,telephone and other fields together, displayed in the original should show the email place.

Better way: Divide the separator between:

Copy Code code as follows:

Uid=-1 Union Select Username, concat (password,0x3a,sex,0x3a,address,0x3a,telephone), content from Test_talbe where user _id= Administrator ID;

Where 0x3a is ":" in the 16 form.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.