The last time I saw an article on the internet about `having 1=1` and `group by` injection, I came away dizzy. To understand the underlying principle I learned a little about databases and leafed through some material, but some of what I needed could not be found, so I had to work the rest out on my own (self-taught genius... well, mostly head-scratching). Then I found an injection point and practised it myself, and along the way I wrote up this summary.
First, the central idea of this injection: whatever method is used, the goal is to make the SQL statement fail when the database compiles it. (This may not mean much to you at first; I explain it below. Once you hold on to this idea you will understand the technique, and after learning it this way it will stick in your memory.)
Also, `having 1=1` and `group by` only work under one condition: the website returns the database's error message to the page, the so-called verbose-error (error-based) mode.
Why do we need the SQL statement to fail at compile time? Anyone who has written programs knows that code generally has to be compiled before it can run. Why? Because the computer understands no source code at all, only 0s and 1s, and programming directly in 0s and 1s would be unbearably tedious. So we have compilers, for example for c/c++ and vb, that translate our code into 0s and 1s for the computer to execute. Take our injection statement:
select * from admin
We all understand this sentence, but the computer does not. The database program must first translate it into an executable form (something like machine code or hexadecimal; I do not know exactly what it looks like and do not need to, but the principle is the same) before the cpu executes it. So before a piece of code runs, the compiler compiles it, and while compiling it checks your code for syntax errors. If it finds one, it returns an error telling you where the error is and what it is, in considerable detail. Why? To make it convenient for programmers to correct their code, and that convenience is exactly what we make use of. A compiler can detect syntax errors, but it cannot detect logic errors. (Look up the difference between logic errors and syntax errors online if you want the details.)
Now for the syntax rules behind `group by` and `having 1=1`.
Group by clause
The group by clause specifies the grouping condition for the query result. Its syntax is:
GROUP BY group_by_expression
The parameter is described as follows:
group_by_expression: specifies the grouping condition. Generally, group_by_expression is a column name.
When group by is used, every column named before group by (in the select list) must also appear after group by, with one exception: a column that appears only inside an aggregate function does not need to be listed after group by.
For example:
Without aggregate functions:
select column name 1, column name 2, ... from admin where id > 0 group by column name 1, column name 2, ...
The columns after group by must be the same as those before it.
With aggregate functions:
select column name 1, sum(column name 2) from admin where id > 0 group by column name 1
Here column name 2 appears only inside sum(), so it does not have to be listed after group by.
While we are on aggregate functions, a quick aside:
The aggregate functions are sum, avg, max, min and count.
Having clause
The having clause specifies the search condition for groups. It is usually used together with the group by clause.
Having is similar to where in usage: both add a restricting condition to a query. The difference is what they act on: the where clause acts on tables and views, while the having clause acts on groups. What does that mean?
For example:
select * from admin where id = 1
Here the condition id = 1 is added by where.
Having works the same way, but the condition applies to groups.
Find the department numbers that have more than one employee with a salary of at least 6000:
select id, count(*) from employee where wage >= 6000 group by id having count(*) > 1
It does not matter much if you do not fully understand this; it is not essential later on, but it is worth knowing.
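The where / group by / having example above, run on constructed data so the difference between filtering rows and filtering groups is visible. This is an added example, not code from the original post; it uses SQLite (Python's standard library) because it runs anywhere, with the caveat that SQLite, unlike SQL Server, does not enforce the rule that every non-aggregated column in the select list must be grouped, so it cannot reproduce the compile error the post relies on. The employee table and its rows are made up for the example.

```python
import sqlite3

# Constructed sample data (not from the post): id = department number, name, wage
EMPLOYEES = [
    (10, "alice", 7000),
    (10, "bob", 6500),
    (20, "carol", 8000),
    (20, "dave", 5000),
    (30, "erin", 6000),
    (30, "frank", 6000),
    (40, "grace", 4000),
]


def make_db():
    """In-memory SQLite database holding the constructed employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER, name TEXT, wage INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def departments_with_multiple_high_earners(conn, min_wage=6000):
    """The post's having example.
    WHERE filters individual rows before grouping (only wages >= min_wage survive);
    GROUP BY collapses the survivors per department; HAVING then filters the groups."""
    return conn.execute(
        "SELECT id, COUNT(*) FROM employee WHERE wage >= ? "
        "GROUP BY id HAVING COUNT(*) > 1 ORDER BY id",
        (min_wage,),
    ).fetchall()


def wage_totals(conn):
    """The post's aggregate form: id is grouped, wage appears only inside SUM()/MAX(),
    so wage does not have to be listed after GROUP BY."""
    return conn.execute(
        "SELECT id, SUM(wage), MAX(wage) FROM employee GROUP BY id ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(departments_with_multiple_high_earners(db))  # departments 10 and 30 each have two
    print(wage_totals(db))
```

Department 20 has one employee at or above 6000 and department 40 has none, so only 10 and 30 pass the having condition even though 20 has the highest single wage.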
So why can having 1=1 be used to expose a table's columns? The key is the sentence above: the having clause is usually used together with the group by clause.
Having must be used together with group by. If it is used alone, the statement fails to compile, so the compiler returns an error message. When an injection point exists (this must be an mssql injection point; access does not behave this way), the general statement behind the page is
select column name 1, column name 2, column name 3 from table name where id = xxx
When having 1=1 is appended to the end, the statement becomes
select column name 1, column name 2, column name 3 from table name where id = xxx having 1=1
When the program compiles this, it finds that there is no group by clause,
so an error pops up telling you where the problem is.
All the column names are exposed this way, but usually the web page shows only one column in the error message at a time, so we add a group by for the column already revealed to clear that error (one syntax error fewer) and make the next one appear.
For example, the first error message reports that admin.id is missing from the group by clause. Continuing in the same way, we can expose all the columns.
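The two conditions the post relies on are that the request parameter is pasted into the statement text and that the database's compile error reaches the page. The following is an added example (not code from the original post) showing the vulnerable pattern beside the two fixes that remove it: binding the value as a parameter, so it is never compiled as SQL, and returning a generic message to the client while logging the real error server-side. It uses SQLite for portability; the admin table, its rows and the GENERIC_ERROR text are constructed for the example.

```python
import sqlite3

GENERIC_ERROR = "request could not be processed"

# Constructed sample table (not from the post), standing in for the post's admin / [User] table
ROWS = [(1, "admin", "placeholder-hash-1"), (2, "guest", "placeholder-hash-2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?, ?)", ROWS)
    return conn


def build_unsafe_sql(user_id):
    """Vulnerable pattern: the request value is concatenated into the statement text.
    Whatever the client appends (e.g. the post's 'having 1=1') becomes part of the SQL
    the database compiles, so a compile error describes the application's real columns."""
    return "SELECT id, username, password FROM admin WHERE id = " + str(user_id)


def fetch_by_id(conn, user_id):
    """Hardened pattern: a bound parameter. The value is sent as data and never compiled,
    so a payload like '1 having 1=1' is just a string that matches no id."""
    return conn.execute(
        "SELECT id, username, password FROM admin WHERE id = ?", (user_id,)
    ).fetchall()


def run_query(conn, sql, params=()):
    """Execute a statement without ever returning the database's own error text to the caller.
    The detail goes to the server-side log; the client only sees a generic message, which
    removes the verbose-error mode the post's technique depends on."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.Error as exc:
        print("db error (logged server-side, not shown to client):", exc)
        return ("error", GENERIC_ERROR)


if __name__ == "__main__":
    db = make_db()
    payload = "1 having 1=1"  # the post's payload, as it would arrive in the id parameter
    print(build_unsafe_sql(payload))          # the altered statement the database would compile
    print(run_query(db, build_unsafe_sql(payload)))  # client sees rows or GENERIC_ERROR, never the raw error
    print(fetch_by_id(db, payload))           # [] : the payload is compared as a value, not compiled
    print(fetch_by_id(db, 1))                 # the legitimate lookup still works
```

Parameter binding is the fix that actually closes the injection; the generic error message is defence in depth, because it only blinds this particular enumeration and does not stop the statement itself from being altered.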
Much of this is my own understanding and some of it may be wrong; I hope you will correct me.
Supplement:
SELECT username, userid, password FROM [User] where userid > 20 group by userid, username, password
SELECT max(username), userid FROM [User] where userid > 20 group by userid
SELECT username, userid, password FROM [User] where userid > 20 group by userid
The first two are well formed (every column that is not inside an aggregate function is grouped); the third is the kind of statement that produces the error, because username and password are neither grouped nor inside an aggregate function.
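From the defender's side, the payloads described in this post have a recognisable shape in the web server's access log: a parameter value containing `having <expr>=<expr>` or `group by <column list>`, usually followed by a 500 response. The following is an added example (not code from the original post) that URL-decodes each query-string value and flags those patterns, grouped by source address for alerting. The log lines are constructed for the example and the regular expressions are the author's own choice, requiring the SQL shape (keyword followed by an expression) so that ordinary words such as "group therapy" are not flagged.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic), common log format
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /news.asp?id=12 HTTP/1.1" 200 2326',
    '10.0.0.7 - - [10/Oct/2000:13:55:40 -0700] "GET /news.asp?id=12%20having%201=1 HTTP/1.1" 500 512',
    '10.0.0.7 - - [10/Oct/2000:13:55:41 -0700] "GET /news.asp?id=12+group+by+admin.id+having+1%3D1 HTTP/1.1" 500 530',
    '10.0.0.9 - - [10/Oct/2000:13:56:02 -0700] "GET /search.asp?q=group+therapy HTTP/1.1" 200 1800',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) ')
# 'having' followed by a comparison, and 'group by' followed by a column name, as in the post
HAVING_RE = re.compile(r"\bhaving\s+\S+\s*=\s*\S+", re.I)
GROUP_BY_RE = re.compile(r"\bgroup\s+by\s+[\w.\[\]]+", re.I)


def suspicious_params(line):
    """Return the decoded query-string values in one log line that match the payload shapes."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return []
    query = m.group(1).split("?", 1)[1]
    hits = []
    for pair in query.split("&"):
        raw = pair.split("=", 1)[1] if "=" in pair else pair
        value = unquote_plus(raw)  # decode %20 / + so spaced keywords are visible
        if HAVING_RE.search(value) or GROUP_BY_RE.search(value):
            hits.append(value)
    return hits


def scan(lines):
    """Map source IP -> list of suspicious parameter values across a batch of log lines."""
    report = {}
    for line in lines:
        hits = suspicious_params(line)
        if hits:
            report.setdefault(line.split()[0], []).extend(hits)
    return report


if __name__ == "__main__":
    for ip, values in scan(LOG_LINES).items():
        print(ip, "->", values)
```

A single hit is worth a look, but the post's enumeration is iterative, so several hits from one address within a short window, each adding a column to the group by list, is the stronger signal; the per-address grouping in scan() is there to make that sequence visible.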